title
CISSP Full Training Masterclass In 3 Hours | CISSP Training Video 2022 | CISSP Tutorial |Simplilearn

description
🔥Cybersecurity Postgraduate Program: https://www.simplilearn.com/vapt-vulnerability-assessment-penetration-testing-certification?utm_campaign=TempLink1&utm_medium=Descriptionff&utm_source=youtube
🔥Cybersecurity Bootcamp (US Only): https://www.simplilearn.com/cybersecurity-bootcamp?utm_campaign=TempLink1&utm_medium=Descriptionff&utm_source=youtube
🔥Cybersecurity Master's Program: https://www.simplilearn.com/cyber-security-expert-master-program-training-course?utm_campaign=TempLink1&utm_medium=Descriptionff&utm_source=youtube

In this CISSP Full Training Masterclass In 3 Hours video, you will learn the importance of the CISSP certification, what exactly CISSP is all about, its domains, and who can take up this certification. This video will also provide a CISSP exam overview, along with a few sample questions. We take a look at the CISSP-CIA triad, information security and the technique of risk management. We then cover asset security before moving on to the sample CISSP exam questions. So let's begin this CISSP tutorial!

The topics covered in this CISSP Training Video 2021 are:
00:00:00 Why CISSP?
00:01:55 What is CISSP
00:02:32 CISSP exam requirements
00:03:23 CISSP Domains
00:16:42 CISSP- CIA triad
00:19:07 Information Security
00:38:28 Risk Management
00:50:54 Asset Security
00:59:02 What is CISSP Exam
01:02:43 CISSP Exam Overview
01:11:28 Sample CISSP Questions

🔥 Enroll for FREE CISSP Course & Get your Completion Certificate: https://www.simplilearn.com/introduction-to-information-security-basics-skillup?utm_campaign=Skillup-CISSP&utm_medium=Description&utm_source=youtube
🔥IIIT Bangalore Advanced Executive Program In Cybersecurity (India Only): https://www.simplilearn.com/pgp-advanced-executive-program-in-cyber-security?utm_campaign=SCE-IIITBangaloreCS&utm_medium=DescriptionFF&utm_source=youtube
✅Subscribe to our Channel to learn more about the top Technologies: https://bit.ly/2VT4WtH
⏩ Check out the CISSP training videos: https://bit.ly/2YDcmTU
👉Learn more at: https://www.simplilearn.com/cyber-security/cissp-certification-training?utm_campaign=CISSP&utm_medium=Description&utm_source=youtube

#CISSPFullTraining #CISSPMasterClass #CISSPTrainingVideo2020 #CISSPTrainingVideos #CISSP #Simplilearn

➡️ About Post Graduate Program In Cyber Security
This Post Graduate Program in Cyber Security will help you learn comprehensive approaches to protecting your infrastructure and securing data, including risk analysis, mitigation, and compliance. You will get foundational to advanced skills through industry-leading cyber security certification courses that are part of the program.

✅ Key Features
- Simplilearn Post Graduate Certificate
- Masterclasses from MIT Faculty
- Featuring Modules from MIT SCC and EC-Council
- 8X higher interaction in live online classes conducted by industry experts
- Simplilearn's JobAssist helps you get noticed by top hiring companies
- Industry case studies in cyber security
- Access to CEH Pro Version
- 25+ hands-on projects
- Capstone project in 3 domains
- MIT CSAIL Professional Programs Community

✅ Skills Covered
- Advanced Hacking Concepts
- Network Packet Analysis
- Ethical Hacking
- IDS Firewalls and Honeypots
- Security and Risk Management
- Network Security
- Software Development Security
- Cryptography OSI and TCPIP Models
- Identity and Access Management
- Security Assessment and Testing
- Trojans Backdoors and Countermeasures
- Mobile and Web Technologies

For more information about Simplilearn courses, visit:
- Facebook: https://www.facebook.com/Simplilearn
- Twitter: https://twitter.com/simplilearn
- LinkedIn: https://www.linkedin.com/company/simplilearn/
- Website: https://www.simplilearn.com
Get the Android app: http://bit.ly/1WlVo4u
Get the iOS app: http://apple.co/1HIO5J0

detail
{'title': 'CISSP Full Training Masterclass In 3 Hours | CISSP Training Video 2022 | CISSP Tutorial |Simplilearn', 'summary': 'This CISSP training video covers the CISSP certification, cybersecurity threats, risk management, security mechanisms, exam overview, linear exam details, asset management, identity access management, and security operations, emphasizing key concepts and providing insights into the certification process and exam preparation.', 'chapters': [{'end': 858.841, 'segs': [{'end': 57.994, 'src': 'embed', 'start': 28.175, 'weight': 4, 'content': [{'end': 34.699, 'text': 'what exactly CISSP is all about, CISSP exam requirements and the various domains in CISSP.', 'start': 28.175, 'duration': 6.524}, {'end': 40.062, 'text': 'We will also have an overview of the CISSP exam along with a few sample questions.', 'start': 35.299, 'duration': 4.763}, {'end': 42.044, 'text': 'For this training with me.', 'start': 40.623, 'duration': 1.421}, {'end': 49.208, 'text': 'I have our experienced cybersecurity specialist, Bipin, and together we will take you through the various topics in CISSP,', 'start': 42.044, 'duration': 7.164}, {'end': 50.769, 'text': 'all of this in under 3 hours.', 'start': 49.208, 'duration': 1.561}, {'end': 57.994, 'text': 'But before we begin, make sure to subscribe to our YouTube channel and hit the bell icon to never miss an update from Simplilearn.', 'start': 51.67, 'duration': 6.324}], 'summary': 'Overview of CISSP exam and domains, with sample questions, in under 3 hours.', 'duration': 29.819, 'max_score': 28.175, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw28175.jpg'}, {'end': 115.78, 'src': 'embed', 'start': 76.639, 'weight': 0, 'content': [{'end': 79.541, 'text': 'You might have also come across the CISSP certification.', 'start': 76.639, 'duration': 2.902}, {'end': 85.005, 'text': 'Let me tell you, this is one of the toughest and most in-demand certifications in the cybersecurity field.', 'start': 79.781, 'duration': 5.224}, {'end': 90.03, 'text': 'In the current times, managing information security in a company can be extremely challenging.', 'start': 85.405, 'duration': 4.625}, {'end': 96.277, 'text': 'With the advent of the internet and various other technologies, there is a large exposure to various security breaches.', 'start': 90.23, 'duration': 6.047}, {'end': 103.324, 'text': 'The presence of information security experts in-house helps organizations manage their IT processes in a better way.', 'start': 96.737, 'duration': 6.587}, {'end': 106.788, 'text': 'This is where a CISSP professional is in demand by employers.', 'start': 103.524, 'duration': 3.264}, {'end': 112.896, 'text': 'Compared to the other cybersecurity professionals, the demand for CISSP-certified professionals has grown rapidly.', 'start': 107.168, 'duration': 5.728}, {'end': 115.78, 'text': 'There are nearly 50,000 job postings for this same.', 'start': 113.097, 'duration': 2.683}], 'summary': 'CISSP certification is highly in-demand, with nearly 50,000 job postings.', 'duration': 39.141, 'max_score': 76.639, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw76639.jpg'}, {'end': 224.721, 'src': 'embed', 'start': 197.792, 'weight': 2, 'content': [{'end': 203.199, 'text': 'security auditors and chief information security officers can take up the CISSP certification.', 'start': 197.792, 'duration': 5.407}, {'end': 
206.983, 'text': "Let's now move on to our next topic that is CISSP Domains.", 'start': 203.579, 'duration': 3.404}, {'end': 210.947, 'text': 'This entire certification is grouped into a total of 8 domains.', 'start': 207.283, 'duration': 3.664}, {'end': 218.595, 'text': 'The broad spectrum of topics included in CISSP ensures its relevance across all disciplines in the field of Information Security.', 'start': 211.247, 'duration': 7.348}, {'end': 222.099, 'text': 'Successful candidates are competent in the following 8 domains.', 'start': 218.935, 'duration': 3.164}, {'end': 224.721, 'text': 'They are Security and Risk Management.', 'start': 222.539, 'duration': 2.182}], 'summary': 'CISSP certification is for security auditors and CISOs, covering 8 domains in CISSP.', 'duration': 26.929, 'max_score': 197.792, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw197792.jpg'}, {'end': 368.333, 'src': 'embed', 'start': 337.026, 'weight': 3, 'content': [{'end': 341.25, 'text': "Now that we have understood the CIA Triad, let's have a look at the GRC Trilogy.", 'start': 337.026, 'duration': 4.224}, {'end': 348.077, 'text': 'This trilogy is a structured approach adopted by organizations to align IT objectives with business objectives.', 'start': 341.671, 'duration': 6.406}, {'end': 349.879, 'text': 'First up, we have Governance.', 'start': 348.457, 'duration': 1.422}, {'end': 355.484, 'text': 'Such a program has motives like ensuring goals are achieved, providing strategic plans, and so on.', 'start': 350.299, 'duration': 5.185}, {'end': 359.388, 'text': 'Governance is taken care of by the senior professionals of an organization.', 'start': 355.704, 'duration': 3.684}, {'end': 361.629, 'text': 'Next up, we have risk management.', 'start': 359.828, 'duration': 1.801}, {'end': 368.333, 'text': 'Here, the organization looks into mitigating all types of risks such as investment, physical and cyber risks.', 'start': 361.889, 
'duration': 6.444}], 'summary': 'The GRC trilogy aligns IT with business goals through governance and risk management.', 'duration': 31.307, 'max_score': 337.026, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw337026.jpg'}], 'start': 4.281, 'title': 'CISSP certification', 'summary': 'Covers an overview of the CISSP certification, its importance, exam requirements, and domains, along with a glimpse of the exam. It also provides an overview of the CISSP certification, its demand, requirements, domains, and key topics, with over 50,000 job postings for CISSP-certified professionals.', 'chapters': [{'end': 50.769, 'start': 4.281, 'title': 'CISSP training overview', 'summary': 'Provides an overview of the Certified Information Systems Security Professional (CISSP) certification, covering its importance, exam requirements, domains, and a glimpse of the exam, presented by cybersecurity specialist Bipin, within a duration of under 3 hours.', 'duration': 46.488, 'highlights': ['The training covers the importance of having a CISSP certification, CISSP exam requirements, and the various domains in CISSP. The training includes information on the significance of obtaining a CISSP certification, the prerequisites for the CISSP exam, and the different domains within CISSP.', 'The video tutorial offers an overview of the CISSP exam along with a few sample questions, presented within a duration of under 3 hours. The tutorial provides an insight into the CISSP exam, including sample questions, all within a concise time frame of under 3 hours.', 'The training is presented by experienced cybersecurity specialist Bipin. 
The training is conducted by cybersecurity specialist Bipin, ensuring expertise in the subject matter.']}, {'end': 858.841, 'start': 51.67, 'title': 'Cissp certification overview', 'summary': 'Provides an overview of the cissp certification, highlighting its demand, requirements, domains, and key topics, such as the cia triad and grc trilogy, with over 50,000 job postings for cissp-certified professionals.', 'duration': 807.171, 'highlights': ['CISSP certification is one of the toughest and most in-demand in the cybersecurity field, with nearly 50,000 job postings for CISSP-certified professionals. The demand for CISSP-certified professionals has grown rapidly, with nearly 50,000 job postings for the same.', 'CISSP certification requires a minimum of 5 years of work experience in information security, and candidates are recommended to clear basic and managerial level certifications before pursuing CISSP. CISSP certification requires a minimum of 5 years of work experience in information security, and candidates are recommended to clear basic and managerial level certifications before pursuing CISSP.', 'The CISSP certification comprises 8 domains, covering various aspects of information security, such as Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. 
The CISSP certification comprises 8 domains, covering various aspects of information security, such as Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.', 'The chapter discusses key topics such as the CIA Triad, GRC Trilogy, security policies, risk analysis, data classification, data management, cryptography, OSI model, firewalls, IDS, access control, and security assessment and testing. The chapter discusses key topics such as the CIA Triad, GRC Trilogy, security policies, risk analysis, data classification, data management, cryptography, OSI model, firewalls, IDS, access control, and security assessment and testing.']}], 'duration': 854.56, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4281.jpg', 'highlights': ['CISSP certification is one of the toughest and most in-demand in the cybersecurity field, with nearly 50,000 job postings for CISSP-certified professionals.', 'The demand for CISSP-certified professionals has grown rapidly, with nearly 50,000 job postings for the same.', 'The CISSP certification comprises 8 domains, covering various aspects of information security, such as Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.', 'The chapter discusses key topics such as the CIA Triad, GRC Trilogy, security policies, risk analysis, data classification, data management, cryptography, OSI model, firewalls, IDS, access control, and security assessment and testing.', 'The training covers the importance of having a CISSP certification, CISSP exam requirements, and the various domains in CISSP.', 'The video tutorial offers an overview of the CISSP exam along with a 
few sample questions, presented within a duration of under 3 hours.', 'The training is presented by experienced cybersecurity specialist Bipin.']}, {'end': 1722.824, 'segs': [{'end': 887.043, 'src': 'embed', 'start': 859.181, 'weight': 0, 'content': [{'end': 861.803, 'text': "Now let's move on to Malware as a Security Threat.", 'start': 859.181, 'duration': 2.622}, {'end': 867.186, 'text': 'Malware is a term which refers to malicious software viruses, ransomware and worms.', 'start': 862.043, 'duration': 5.143}, {'end': 874.052, 'text': 'We can also call Trojan virus as a form of malware which is capable of disguising itself as a legitimate software.', 'start': 867.586, 'duration': 6.466}, {'end': 879.016, 'text': 'Malware is basically a broad term that refers to a variety of malicious programs.', 'start': 874.592, 'duration': 4.424}, {'end': 884.2, 'text': 'One way to protect your software from malware is to always double check your downloads.', 'start': 879.576, 'duration': 4.624}, {'end': 887.043, 'text': 'Moving on to our next security threat, spyware.', 'start': 884.601, 'duration': 2.442}], 'summary': 'Malware encompasses viruses, ransomware, and worms. 
double-checking downloads is a key defense.', 'duration': 27.862, 'max_score': 859.181, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw859181.jpg'}, {'end': 927.73, 'src': 'embed', 'start': 898.652, 'weight': 1, 'content': [{'end': 903.376, 'text': 'Those programs that secretly record all that you do on your computer are called spyware.', 'start': 898.652, 'duration': 4.724}, {'end': 907.579, 'text': 'It is always advised to turn on pop-up blockers to prevent spyware.', 'start': 903.656, 'duration': 3.923}, {'end': 909.601, 'text': 'Next up, we have Adware.', 'start': 908.2, 'duration': 1.401}, {'end': 913.244, 'text': 'Adware is also known as Advertising Supported Software.', 'start': 909.881, 'duration': 3.363}, {'end': 917.246, 'text': 'It is a type of malware that constantly displays ads and pop-ups.', 'start': 913.684, 'duration': 3.562}, {'end': 920.307, 'text': 'Some of such ads can also gather your information.', 'start': 917.586, 'duration': 2.721}, {'end': 921.407, 'text': 'At times.', 'start': 920.787, 'duration': 0.62}, {'end': 927.73, 'text': 'adware is not all that dangerous, but it is a hassle, as it is a gateway to unwanted advertising on the screen,', 'start': 921.407, 'duration': 6.323}], 'summary': 'Spyware records computer activity, turn on pop-up blockers. 
adware displays ads and gathers info.', 'duration': 29.078, 'max_score': 898.652, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw898652.jpg'}, {'end': 973.114, 'src': 'embed', 'start': 944.169, 'weight': 3, 'content': [{'end': 947.791, 'text': 'This attack lures victims into handing over their confidential data.', 'start': 944.169, 'duration': 3.622}, {'end': 950.752, 'text': 'This attack takes place by tricking the human mind.', 'start': 948.011, 'duration': 2.741}, {'end': 955.834, 'text': 'The most common social engineering attacks are phishing, spear phishing and whaling phishing attack.', 'start': 951.012, 'duration': 4.822}, {'end': 963.077, 'text': 'Phishing attack is a practice wherein the hacker usually sends fraudulent emails which appear to be coming from a very trusted source.', 'start': 956.114, 'duration': 6.963}, {'end': 969.87, 'text': 'This is done to install malware or to steal sensitive data like credit card information and various other login credentials.', 'start': 963.624, 'duration': 6.246}, {'end': 973.114, 'text': 'Spear phishing attack is a variation of phishing.', 'start': 970.631, 'duration': 2.483}], 'summary': 'Social engineering attacks lure victims to hand over data, including phishing, spear phishing, and whaling phishing.', 'duration': 28.945, 'max_score': 944.169, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw944169.jpg'}, {'end': 1619.96, 'src': 'heatmap', 'start': 970.631, 'weight': 0.847, 'content': [{'end': 973.114, 'text': 'Spear phishing attack is a variation of phishing.', 'start': 970.631, 'duration': 2.483}, {'end': 977.038, 'text': 'Here, the attacker targets a specific individual or a group of people.', 'start': 973.414, 'duration': 3.624}, {'end': 982.243, 'text': 'And in whaling phishing attack, wealthy, powerful and prominent individuals are main targets.', 'start': 977.438, 'duration': 4.805}, {'end': 
985.807, 'text': 'Moving on to our next attack, we have SQL injection attack.', 'start': 982.563, 'duration': 3.244}, {'end': 989.671, 'text': 'SQL injection attack is a type of code injection attack.', 'start': 986.267, 'duration': 3.404}, {'end': 994.257, 'text': 'In a database driven website, the hacker manipulates a standard SQL query.', 'start': 990.032, 'duration': 4.225}, {'end': 997.701, 'text': 'It allows attackers to tamper with the existing data.', 'start': 994.837, 'duration': 2.864}, {'end': 1002.186, 'text': 'Here, malicious code is inserted into the SQL server to obtain information.', 'start': 997.921, 'duration': 4.265}, {'end': 1007.983, 'text': 'So in CISSP, as with every security course, we start off with the CIA triad.', 'start': 1002.918, 'duration': 5.065}, {'end': 1012.127, 'text': 'Now here CIA is confidentiality, integrity and availability.', 'start': 1008.143, 'duration': 3.984}, {'end': 1014.91, 'text': 'So it starts off with every security mechanism.', 'start': 1012.347, 'duration': 2.563}, {'end': 1019.694, 'text': 'When we talk about security and we want to keep things secure, what is it that we want to secure?', 'start': 1015.15, 'duration': 4.544}, {'end': 1024.638, 'text': 'It is the data of an organization that is the most valuable asset to the organization.', 'start': 1019.935, 'duration': 4.703}, {'end': 1026.481, 'text': "And that's what we want to secure.", 'start': 1024.839, 'duration': 1.642}, {'end': 1031.807, 'text': 'When we say that we want the data to be secured, we basically talk about three aspects for that data.', 'start': 1026.661, 'duration': 5.146}, {'end': 1035.07, 'text': 'The first and the foremost that the data needs to remain confidential.', 'start': 1031.887, 'duration': 3.183}, {'end': 1038.075, 'text': 'The second aspect that the data needs to be trustworthy.', 'start': 1035.211, 'duration': 2.864}, {'end': 1043.461, 'text': 'And the third concept that the data should be available to all authorized users 
when and where they require it.', 'start': 1038.275, 'duration': 5.186}, {'end': 1048.303, 'text': 'So, going back to the first point, when we say we want data to be confidential, what do we mean by that?', 'start': 1043.601, 'duration': 4.702}, {'end': 1055.006, 'text': 'By confidentiality we talk about that data being made available only to authorized users after you have authenticated them,', 'start': 1048.383, 'duration': 6.623}, {'end': 1060.128, 'text': "ensured or assured of their authenticity, and only then you're going to give access to that data, right?", 'start': 1055.006, 'duration': 5.122}, {'end': 1065.11, 'text': 'So even if you go into an organization, an organization has a hierarchy of governance, right?', 'start': 1060.328, 'duration': 4.782}, {'end': 1071.274, 'text': 'So only certain people with certain clearances or certain job titles can have access to certain amount of data,', 'start': 1065.53, 'duration': 5.744}, {'end': 1073.296, 'text': 'whereas other people may not have access to it.', 'start': 1071.274, 'duration': 2.022}, {'end': 1079.3, 'text': 'For example, a person working in the sales department will not have access to data that is accessed by the HR department.', 'start': 1073.476, 'duration': 5.824}, {'end': 1086.145, 'text': "Thus, that's what we are looking at classification of data and keeping it confidential, only making it available to those people who require it.", 'start': 1079.5, 'duration': 6.645}, {'end': 1093.693, 'text': 'When we say trustworthiness or the integrity of that data, the integrity is where the data has been altered, modified, removed,', 'start': 1086.365, 'duration': 7.328}, {'end': 1095.254, 'text': 'deleted by unauthorized people.', 'start': 1093.693, 'duration': 1.561}, {'end': 1102.342, 'text': 'So we want to prevent that, which means when we say we want the integrity intact, we want to ensure that only authorized people can modify,', 'start': 1095.294, 'duration': 7.048}, {'end': 1105.625, 'text': 
'alter or remove data if they are allowed to do so.', 'start': 1102.342, 'duration': 3.283}, {'end': 1108.806, 'text': "So that's where the authorization and authentication comes into the picture again.", 'start': 1105.785, 'duration': 3.021}, {'end': 1112.128, 'text': 'And data needs to be available for me to safeguard data.', 'start': 1109.086, 'duration': 3.042}, {'end': 1118.09, 'text': 'I can just lock it up in a safe, throw the safe in the depth of an ocean and say that the data is secure because it cannot be leaked out.', 'start': 1112.148, 'duration': 5.942}, {'end': 1120.951, 'text': 'But that data is no longer available to authorized users.', 'start': 1118.37, 'duration': 2.581}, {'end': 1122.332, 'text': 'Hence, that data is useless.', 'start': 1121.072, 'duration': 1.26}, {'end': 1126.154, 'text': 'For me, data would have value when the data remains confidential,', 'start': 1122.512, 'duration': 3.642}, {'end': 1131.456, 'text': 'has its trustworthiness intact and is still available to all the users that are authorized to access it.', 'start': 1126.154, 'duration': 5.302}, {'end': 1139.483, 'text': 'So when we talk about security, we want these three aspects to be implemented on any and every digital asset that the organization has and does.', 'start': 1131.716, 'duration': 7.767}, {'end': 1147.25, 'text': 'Once these three points are guaranteed or at least assured to a certain extent, we can then say that the data or that particular asset is secured.', 'start': 1139.783, 'duration': 7.467}, {'end': 1149.812, 'text': "Moving on, let's talk about information security.", 'start': 1147.45, 'duration': 2.362}, {'end': 1153.493, 'text': 'Information security is the process of protecting data and information systems.', 'start': 1150.052, 'duration': 3.441}, {'end': 1157.855, 'text': 'So in the CIA, as we talked about it when we said what do we want to protect?', 'start': 1153.533, 'duration': 4.322}, {'end': 1164.918, 'text': 'We want to protect all the 
information assets, or the technical assets that we have from any of the vulnerabilities that can be identified.', 'start': 1157.995, 'duration': 6.923}, {'end': 1167.959, 'text': 'So we want to restrict unauthorized access and use.', 'start': 1165.038, 'duration': 2.921}, {'end': 1173.421, 'text': 'We want to restrict deletion, accidental or intentional if they have not been authorized to do so.', 'start': 1168.239, 'duration': 5.182}, {'end': 1177.002, 'text': 'Modification of data, so the integrity part and destruction of data.', 'start': 1173.681, 'duration': 3.321}, {'end': 1182.707, 'text': 'Destruction could not only be deleting data, but it could be something like ransomware where the data gets encrypted.', 'start': 1177.222, 'duration': 5.485}, {'end': 1183.748, 'text': "So it's still there.", 'start': 1182.867, 'duration': 0.881}, {'end': 1185.449, 'text': "It's just not accessible to you.", 'start': 1184.088, 'duration': 1.361}, {'end': 1189.973, 'text': 'Now, information security ensures the implementation of these following aspects.', 'start': 1185.769, 'duration': 4.204}, {'end': 1194.657, 'text': 'The first and foremost comes from information security policies, which is the governance aspect of it.', 'start': 1190.153, 'duration': 4.504}, {'end': 1203.865, 'text': 'The policies are designed to have an implementation of security in an organization that helps the business processes to be executed in a secure manner.', 'start': 1194.777, 'duration': 9.088}, {'end': 1205.566, 'text': 'Where are these policies coming from?', 'start': 1204.065, 'duration': 1.501}, {'end': 1212.768, 'text': 'They come from standards or guidelines which are globally available and based on which we can start developing our security policies.', 'start': 1205.746, 'duration': 7.022}, {'end': 1220.992, 'text': 'For example, if I want to develop a security policy in my organization, I might want to depend on frameworks like ISO 27001,', 'start': 1212.929, 'duration': 8.063}, 
{'end': 1222.372, 'text': 'COBIT or something similar.', 'start': 1220.992, 'duration': 1.38}, {'end': 1225.694, 'text': 'Once I have these standards set, I would come back to procedures.', 'start': 1222.552, 'duration': 3.142}, {'end': 1228.995, 'text': 'Procedures being how are these standards to be executed.', 'start': 1225.874, 'duration': 3.121}, {'end': 1236.177, 'text': 'For example, in my policies, I ensured that I want encryption of AES-256 to be implemented.', 'start': 1229.795, 'duration': 6.382}, {'end': 1243.48, 'text': 'or rather, in the policy I determined that we want encryption to be implemented on a data set based on the classification of those data.', 'start': 1236.177, 'duration': 7.303}, {'end': 1249.982, 'text': 'So in my policies I would determine how the classification is going to work, how data is going to be classified, on what parameters, and thus,', 'start': 1243.58, 'duration': 6.402}, {'end': 1256.104, 'text': 'once the data gets classified, we are going to come back to standards, where we say, if it is classified as confidential data,', 'start': 1249.982, 'duration': 6.122}, {'end': 1258.845, 'text': 'we want to use encryption to protect that data.', 'start': 1256.104, 'duration': 2.741}, {'end': 1262.688, 'text': 'and we want AES-256 to be utilized for encryption.', 'start': 1259.105, 'duration': 3.583}, {'end': 1267.351, 'text': "So how do we go about it? How do we implement the encryption? 
That's where your procedures come into the picture.", 'start': 1262.868, 'duration': 4.483}, {'end': 1270.973, 'text': 'Your guidelines are troubleshooting mechanisms, optional documents.', 'start': 1267.611, 'duration': 3.362}, {'end': 1273.475, 'text': 'So if somebody has trouble following the procedures,', 'start': 1271.093, 'duration': 2.382}, {'end': 1277.858, 'text': 'they might want to go into the guidelines and see how to troubleshoot the scenario that they are facing.', 'start': 1273.475, 'duration': 4.383}, {'end': 1283.822, 'text': 'Baselines are basically the minimum achievable target that you want to go with with these policies.', 'start': 1278.038, 'duration': 5.784}, {'end': 1288.404, 'text': "So let's say, when I say I want to have a baseline on a server where,", 'start': 1284.042, 'duration': 4.362}, {'end': 1294.408, 'text': 'for the server to be published onto the Internet or to be used in production environment, it has to meet a certain criteria.', 'start': 1288.404, 'duration': 6.004}, {'end': 1299.933, 'text': 'which means I can go back to the hardware and I can say the server needs a hardware configuration of X, Y, and Z.', 'start': 1294.588, 'duration': 5.345}, {'end': 1304.257, 'text': "Let's say a processor, a Xeon processor with 16 cores, 128 gigs of RAM.", 'start': 1299.933, 'duration': 4.324}, {'end': 1309.723, 'text': "So that's a baseline that I need for a particular server for it to be put into production environment for a particular use.", 'start': 1304.398, 'duration': 5.325}, {'end': 1313.164, 'text': 'Anything above that is acceptable, but nothing should go below that.', 'start': 1310.103, 'duration': 3.061}, {'end': 1314.525, 'text': 'Then comes the risk management.', 'start': 1313.304, 'duration': 1.221}, {'end': 1318.446, 'text': 'While we are implementing these policies, procedures, we have those standards in place.', 'start': 1314.585, 'duration': 3.861}, {'end': 1325.149, 'text': 'If we face any risk during that period or 
if we face any threat or vulnerabilities identified during this period.', 'start': 1318.727, 'duration': 6.422}, {'end': 1327.15, 'text': 'all these terms we are going to discuss in a little bit.', 'start': 1325.149, 'duration': 2.001}, {'end': 1331.412, 'text': "So when we identify vulnerabilities or threats, that's where our risks come into the picture.", 'start': 1327.33, 'duration': 4.082}, {'end': 1338.015, 'text': 'The risk management comes in saying okay, this is a risk that we have identified, and now how do we want to mitigate the risk?', 'start': 1331.592, 'duration': 6.423}, {'end': 1345.56, 'text': 'then the security organization comes into the picture the day-to-day activity of how security is to be implemented, and for all of these procedures,', 'start': 1338.015, 'duration': 7.545}, {'end': 1352.685, 'text': 'policies, baseline, standards to be implemented, to be ensured that they are to be assured that they are working properly,', 'start': 1345.56, 'duration': 7.125}, {'end': 1356.628, 'text': 'we need to make our employees aware that these policies exist.', 'start': 1352.685, 'duration': 3.943}, {'end': 1358.47, 'text': 'this is something that they need to follow.', 'start': 1356.628, 'duration': 1.842}, {'end': 1361.692, 'text': 'thus the awareness, or the security education comes into the picture.', 'start': 1358.47, 'duration': 3.222}, {'end': 1368.317, 'text': 'Here, the security education is more focused on helping employees adhere to the company policies and standards,', 'start': 1361.952, 'duration': 6.365}, {'end': 1370.458, 'text': 'rather than educating employees about security.', 'start': 1368.317, 'duration': 2.141}, {'end': 1372.62, 'text': "We don't want to make everybody an ethical hacker.", 'start': 1370.678, 'duration': 1.942}, {'end': 1379.645, 'text': 'We just want to ensure them or we want to assure the organization that everybody has been warned about policies, procedures,', 'start': 1372.64, 'duration': 7.005}, {'end': 
1382.347, 'text': 'security requirements and they are going to follow those requirements.', 'start': 1379.645, 'duration': 2.702}, {'end': 1383.848, 'text': 'For example, a password policy.', 'start': 1382.467, 'duration': 1.381}, {'end': 1388.071, 'text': 'where you have to adhere to a specific password policy to ensure passwords are created.', 'start': 1384.028, 'duration': 4.043}, {'end': 1394.517, 'text': 'At the same time, there is another password policy which says that you should not share passwords with your colleagues no matter what.', 'start': 1388.312, 'duration': 6.205}, {'end': 1396.739, 'text': 'So for me, for my employees to follow,', 'start': 1394.697, 'duration': 2.042}, {'end': 1402.824, 'text': 'that I need to make them aware that these policies exist and there are repercussions if they do not follow these particular policies.', 'start': 1396.739, 'duration': 6.085}, {'end': 1405.787, 'text': 'so, coming back to the governance part, what is governance?', 'start': 1403.024, 'duration': 2.763}, {'end': 1407.068, 'text': 'since we have been talking about it,', 'start': 1405.787, 'duration': 1.281}, {'end': 1412.413, 'text': 'governance ensures that the security strategies are aligned with business objectives and consistent with regulations.', 'start': 1407.068, 'duration': 5.345}, {'end': 1413.814, 'text': 'so what does it guarantee?', 'start': 1412.413, 'duration': 1.401}, {'end': 1417.598, 'text': 'appropriate information security activities are being performed based on what?', 'start': 1413.814, 'duration': 3.784}, {'end': 1422.963, 'text': 'based on the policies that we have created, based on the standards that we have and the baselines that we would have created.', 'start': 1417.598, 'duration': 5.365}, {'end': 1425.534, 'text': 'so security has to be comparable, right.', 'start': 1422.963, 'duration': 2.571}, {'end': 1432.798, 'text': 'so if I say I have secured against particular attacks, the attacks have to be identified and then compared to 
those particular attacks,', 'start': 1425.534, 'duration': 7.264}, {'end': 1437.12, 'text': 'I can say I have mitigated these activities by having specific security controls.', 'start': 1432.798, 'duration': 4.322}, {'end': 1438.881, 'text': 'thus I can say that I am secure.', 'start': 1437.12, 'duration': 1.761}, {'end': 1445.644, 'text': 'the governance aspects keeps a watch on all these security controls to see that those security activities are ensured,', 'start': 1438.881, 'duration': 6.763}, {'end': 1449.826, 'text': 'are being implemented and are performing to the best of their abilities.', 'start': 1445.644, 'duration': 4.182}, {'end': 1453.008, 'text': "that's where your governance comes into the picture The risks being reduced.", 'start': 1449.826, 'duration': 3.182}, {'end': 1455.731, 'text': 'so the risk management also comes under the governance,', 'start': 1453.008, 'duration': 2.723}, {'end': 1461.856, 'text': "where you're looking at newly identified risks and you're then implementing security controls that would mitigate these risks.", 'start': 1455.731, 'duration': 6.125}, {'end': 1465.779, 'text': "Then you're looking at information security investments appropriately directed.", 'start': 1462.096, 'duration': 3.683}, {'end': 1472.445, 'text': 'So when I say I want a security control, which would be a firewall, IDS, IPS antiviruses, whatever is required,', 'start': 1465.879, 'duration': 6.566}, {'end': 1474.687, 'text': 'it needs to have a return on investment.', 'start': 1472.445, 'duration': 2.242}, {'end': 1477.369, 'text': 'which is acceptable for the organization.', 'start': 1474.907, 'duration': 2.462}, {'end': 1482.212, 'text': "You don't want to spend up too much of money in security, thus creating losses for the organization.", 'start': 1477.429, 'duration': 4.783}, {'end': 1486.934, 'text': 'When you say a business, a business objective is always to make money rather than lose money.', 'start': 1482.432, 'duration': 4.502}, {'end': 
1494.179, 'text': 'So security should be a supporting feature to the business objectives, where the services are being provided by the business in a secure manner,', 'start': 1487.135, 'duration': 7.044}, {'end': 1499.422, 'text': 'in such a way that they can still have a positive return on investment on the services that are being provided.', 'start': 1494.179, 'duration': 5.243}, {'end': 1502.344, 'text': "and the executive management can determine the program's effectiveness.", 'start': 1499.562, 'duration': 2.782}, {'end': 1507.868, 'text': 'This is the major part, because we have to, even in any compliances audits, technical audits,', 'start': 1502.524, 'duration': 5.344}, {'end': 1513.613, 'text': 'we have to prove that whatever we have implemented actually works is effective, thus mitigating the risk.', 'start': 1507.868, 'duration': 5.745}, {'end': 1516.054, 'text': 'If your security controls are not effective,', 'start': 1513.773, 'duration': 2.281}, {'end': 1521.799, 'text': 'then you have just wasted a bucket load of money and have not achieved any security measures in your exercise.', 'start': 1516.054, 'duration': 5.745}, {'end': 1523.661, 'text': 'Moving on to security controls.', 'start': 1522.179, 'duration': 1.482}, {'end': 1528.787, 'text': 'Security controls are measures taken to safeguard an information system from an attack,', 'start': 1524.061, 'duration': 4.726}, {'end': 1532.972, 'text': 'basically for the CIA triad the confidentiality and integrity and availability.', 'start': 1528.787, 'duration': 4.185}, {'end': 1538.219, 'text': 'So security controls could be administrative controls, technical controls or physical security controls.', 'start': 1533.133, 'duration': 5.086}, {'end': 1543.121, 'text': 'What are administrative security controls? 
They would be policies, procedures that we have in place.', 'start': 1538.359, 'duration': 4.762}, {'end': 1551.544, 'text': 'So the password policy becomes an administrative control where the management has made everybody aware that the password needs to meet a particular complexity,', 'start': 1543.301, 'duration': 8.243}, {'end': 1555.205, 'text': 'should not be shared, and thus becomes an administrative security control.', 'start': 1551.544, 'duration': 3.661}, {'end': 1561.026, 'text': 'A technical security control would be where we are implementing this policy and thus, when I try to create a password,', 'start': 1555.385, 'duration': 5.641}, {'end': 1568.088, 'text': 'there is a software that maps the password to the complexity requirements, assures or ensures that the complexity requirements have been met,', 'start': 1561.026, 'duration': 7.062}, {'end': 1572.409, 'text': 'and thus allows the password to be accepted, or rejects the password, as the case may be.', 'start': 1568.088, 'duration': 4.321}, {'end': 1574.43, 'text': 'That is a security control.', 'start': 1572.95, 'duration': 1.48}, {'end': 1583.059, 'text': "A physical security control may be let's say a CCTV camera which you are going to use to monitor people and ensure that nothing untoward happens.", 'start': 1574.85, 'duration': 8.209}, {'end': 1588.885, 'text': "It's not only against physical crime but let's say access to a particular room where nobody is seen tailgating.", 'start': 1583.419, 'duration': 5.466}, {'end': 1597.253, 'text': 'Maybe monitoring a server room which is very well secured and ensuring that unauthorized people do not get access or, purposefully or intently,', 'start': 1589.666, 'duration': 7.587}, {'end': 1599.553, 'text': 'do not access that area at all times.', 'start': 1597.253, 'duration': 2.3}, {'end': 1605.215, 'text': 'So these are the three levels of security controls that can be implemented to enhance the security of an organization.', 'start': 1599.813, 
'duration': 5.402}, {'end': 1607.016, 'text': 'Then we come to security policies.', 'start': 1605.555, 'duration': 1.461}, {'end': 1613.438, 'text': 'Policies is an overall broad statement produced by a senior management that dictates the role of security within the organization.', 'start': 1607.376, 'duration': 6.062}, {'end': 1619.96, 'text': 'For example, the password policy that we talked about, it just said that it needs to meet a certain complexity.', 'start': 1613.638, 'duration': 6.322}], 'summary': 'The transcript covers various cyber security attacks, the cia triad, and security measures including policies, procedures, and controls.', 'duration': 649.329, 'max_score': 970.631, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw970631.jpg'}, {'end': 1012.127, 'src': 'embed', 'start': 982.563, 'weight': 4, 'content': [{'end': 985.807, 'text': 'Moving on to our next attack, we have SQL injection attack.', 'start': 982.563, 'duration': 3.244}, {'end': 989.671, 'text': 'SQL injection attack is a type of code injection attack.', 'start': 986.267, 'duration': 3.404}, {'end': 994.257, 'text': 'In a database driven website, the hacker manipulates a standard SQL query.', 'start': 990.032, 'duration': 4.225}, {'end': 997.701, 'text': 'It allows attackers to tamper with the existing data.', 'start': 994.837, 'duration': 2.864}, {'end': 1002.186, 'text': 'Here, malicious code is inserted into the SQL server to obtain information.', 'start': 997.921, 'duration': 4.265}, {'end': 1007.983, 'text': 'So in CISSP, as with every security course, we start off with the CIA triad.', 'start': 1002.918, 'duration': 5.065}, {'end': 1012.127, 'text': 'Now here CIA is confidentiality, integrity and availability.', 'start': 1008.143, 'duration': 3.984}], 'summary': 'Sql injection attack compromises data integrity and confidentiality in database-driven websites.', 'duration': 29.564, 'max_score': 982.563, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw982563.jpg'}, {'end': 1177.002, 'src': 'embed', 'start': 1150.052, 'weight': 5, 'content': [{'end': 1153.493, 'text': 'Information security is the process of protecting data and information systems.', 'start': 1150.052, 'duration': 3.441}, {'end': 1157.855, 'text': 'So in the CIA, as we talked about it when we said what do we want to protect?', 'start': 1153.533, 'duration': 4.322}, {'end': 1164.918, 'text': 'We want to protect all the information assets, or the technical assets that we have from any of the vulnerabilities that can be identified.', 'start': 1157.995, 'duration': 6.923}, {'end': 1167.959, 'text': 'So we want to restrict unauthorized access and use.', 'start': 1165.038, 'duration': 2.921}, {'end': 1173.421, 'text': 'We want to restrict deletion, accidental or intentional if they have not been authorized to do so.', 'start': 1168.239, 'duration': 5.182}, {'end': 1177.002, 'text': 'Modification of data, so the integrity part and destruction of data.', 'start': 1173.681, 'duration': 3.321}], 'summary': 'Information security aims to protect data and systems from unauthorized access, deletion, modification, and destruction.', 'duration': 26.95, 'max_score': 1150.052, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1150052.jpg'}, {'end': 1228.995, 'src': 'embed', 'start': 1205.746, 'weight': 6, 'content': [{'end': 1212.768, 'text': 'They come from standards or guidelines which are globally available and based on which we can start developing our security policies.', 'start': 1205.746, 'duration': 7.022}, {'end': 1220.992, 'text': 'For example, if I want to develop a security policy in my organization, I might want to depend on frameworks like ISO 27001,', 'start': 1212.929, 'duration': 8.063}, {'end': 1222.372, 'text': 'COBIT or something similar.', 'start': 1220.992, 'duration': 1.38}, {'end': 1225.694, 
'text': 'Once I have these standards set, I would come back to procedures.', 'start': 1222.552, 'duration': 3.142}, {'end': 1228.995, 'text': 'Procedures being how are these standards to be executed.', 'start': 1225.874, 'duration': 3.121}], 'summary': 'Develop security policies based on global standards like iso 27001 or cobit to guide procedures.', 'duration': 23.249, 'max_score': 1205.746, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1205746.jpg'}, {'end': 1356.628, 'src': 'embed', 'start': 1331.592, 'weight': 8, 'content': [{'end': 1338.015, 'text': 'The risk management comes in saying okay, this is a risk that we have identified, and now how do we want to mitigate the risk?', 'start': 1331.592, 'duration': 6.423}, {'end': 1345.56, 'text': 'then the security organization comes into the picture the day-to-day activity of how security is to be implemented, and for all of these procedures,', 'start': 1338.015, 'duration': 7.545}, {'end': 1352.685, 'text': 'policies, baseline, standards to be implemented, to be ensured that they are to be assured that they are working properly,', 'start': 1345.56, 'duration': 7.125}, {'end': 1356.628, 'text': 'we need to make our employees aware that these policies exist.', 'start': 1352.685, 'duration': 3.943}], 'summary': 'Risk management and security organization work together to implement and ensure effectiveness of procedures, policies, and standards, requiring employee awareness.', 'duration': 25.036, 'max_score': 1331.592, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1331592.jpg'}, {'end': 1437.12, 'src': 'embed', 'start': 1405.787, 'weight': 7, 'content': [{'end': 1407.068, 'text': 'since we have been talking about it,', 'start': 1405.787, 'duration': 1.281}, {'end': 1412.413, 'text': 'governance ensures that the security strategies are aligned with business objectives and consistent with regulations.', 
'start': 1407.068, 'duration': 5.345}, {'end': 1413.814, 'text': 'so what does it guarantee?', 'start': 1412.413, 'duration': 1.401}, {'end': 1417.598, 'text': 'appropriate information security activities are being performed based on what?', 'start': 1413.814, 'duration': 3.784}, {'end': 1422.963, 'text': 'based on the policies that we have created, based on the standards that we have and the baselines that we would have created.', 'start': 1417.598, 'duration': 5.365}, {'end': 1425.534, 'text': 'so security has to be comparable, right.', 'start': 1422.963, 'duration': 2.571}, {'end': 1432.798, 'text': 'so if I say I have secured against particular attacks, the attacks have to be identified and then compared to those particular attacks,', 'start': 1425.534, 'duration': 7.264}, {'end': 1437.12, 'text': 'I can say I have mitigated these activities by having specific security controls.', 'start': 1432.798, 'duration': 4.322}], 'summary': 'Governance aligns security with business objectives and regulations, ensuring appropriate security activities based on policies, standards, and baselines.', 'duration': 31.333, 'max_score': 1405.787, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1405787.jpg'}, {'end': 1561.026, 'src': 'embed', 'start': 1533.133, 'weight': 9, 'content': [{'end': 1538.219, 'text': 'So security controls could be administrative controls, technical controls or physical security controls.', 'start': 1533.133, 'duration': 5.086}, {'end': 1543.121, 'text': 'What are administrative security controls? 
They would be policies, procedures that we have in place.', 'start': 1538.359, 'duration': 4.762}, {'end': 1551.544, 'text': 'So the password policy becomes an administrative control where the management has made everybody aware that the password needs to meet a particular complexity,', 'start': 1543.301, 'duration': 8.243}, {'end': 1555.205, 'text': 'should not be shared, and thus becomes an administrative security control.', 'start': 1551.544, 'duration': 3.661}, {'end': 1561.026, 'text': 'A technical security control would be where we are implementing this policy and thus, when I try to create a password,', 'start': 1555.385, 'duration': 5.641}], 'summary': 'Security controls include administrative, technical, and physical measures, such as password policies and implementation.', 'duration': 27.893, 'max_score': 1533.133, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1533133.jpg'}], 'start': 859.181, 'title': 'Cybersecurity threats and governance', 'summary': 'Covers various malware threats such as spyware, adware, and social engineering attacks, emphasizing the need for confidentiality, integrity, and availability of data. it also discusses security governance aligning with business objectives, risk management for identifying and mitigating security risks, and implementing security controls for information system protection.', 'chapters': [{'end': 1313.164, 'start': 859.181, 'title': 'Malware and information security', 'summary': 'Discusses various security threats such as malware, including types like spyware, adware, and social engineering attacks, and emphasizes the importance of ensuring confidentiality, integrity, and availability of data to achieve information security.', 'duration': 453.983, 'highlights': ['Malware includes viruses, ransomware, worms, and Trojans, and protecting against it involves double-checking downloads. 
Malware encompasses viruses, ransomware, worms, and Trojan viruses, and safeguarding against it entails verifying downloads.', 'Spyware, a type of malware, spies on systems and can be prevented by enabling pop-up blockers. Spyware, a form of malware, covertly monitors systems and can be deterred by activating pop-up blockers.', 'Adware, known as Advertising Supported Software, displays constant ads and pop-ups, potentially gathering user information. Adware, also referred to as Advertising Supported Software, presents continuous ads and pop-ups, with the potential to collect user data.', 'Social engineering attacks, like phishing, manipulate individuals to divulge confidential information and can lead to the installation of malware or theft of sensitive data. Social engineering attacks, such as phishing, manipulate individuals into revealing sensitive information, potentially resulting in malware installation or theft of confidential data.', 'SQL injection attack involves manipulating standard SQL queries in database-driven websites, allowing unauthorized tampering with data. SQL injection attack entails manipulating standard SQL queries in database-driven websites, enabling unauthorized alteration of data.', 'Information security aims to protect data and information systems from vulnerabilities and unauthorized access, use, modification, and destruction. Information security seeks to safeguard data and information systems from vulnerabilities, unauthorized access, use, modification, and destruction.', 'Information security policies, standards, procedures, guidelines, and baselines are crucial for implementing security measures within an organization. 
Information security policies, standards, procedures, guidelines, and baselines are essential for instituting security protocols within an organization.']}, {'end': 1722.824, 'start': 1313.304, 'title': 'Security governance and risk management', 'summary': 'Discusses the importance of security governance in aligning security strategies with business objectives, the role of risk management in identifying and mitigating security risks, and the implementation of security controls to safeguard information systems, with a focus on administrative, technical, and physical security controls.', 'duration': 409.52, 'highlights': ['Security governance ensures that security strategies are aligned with business objectives and consistent with regulations, based on policies, standards, and baselines, to ensure appropriate information security activities are performed. Security governance aligns security strategies with business objectives and regulations, ensuring appropriate information security activities are performed based on policies, standards, and baselines.', 'Risk management involves identifying and mitigating security risks, implementing security controls to reduce newly identified risks, and ensuring that information security investments are appropriately directed with an acceptable return on investment. Risk management includes identifying and mitigating security risks, implementing security controls, and ensuring appropriate direction of information security investments with an acceptable return on investment.', "Security controls encompass administrative, technical, and physical measures to safeguard information systems, including policies dictating the role of security, procedures integrating security into business processes, and periodic review and modification of policies to support the organization's vision and mission. 
Security controls include administrative, technical, and physical measures to safeguard information systems, with policies dictating the role of security, procedures integrating security into business processes, and periodic review and modification of policies to support the organization's vision and mission."]}], 'duration': 863.643, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw859181.jpg', 'highlights': ['Malware encompasses viruses, ransomware, worms, and Trojan viruses, and safeguarding against it entails verifying downloads.', 'Spyware, a form of malware, covertly monitors systems and can be deterred by activating pop-up blockers.', 'Adware, also referred to as Advertising Supported Software, presents continuous ads and pop-ups, with the potential to collect user data.', 'Social engineering attacks, such as phishing, manipulate individuals into revealing sensitive information, potentially resulting in malware installation or theft of confidential data.', 'SQL injection attack entails manipulating standard SQL queries in database-driven websites, enabling unauthorized alteration of data.', 'Information security seeks to safeguard data and information systems from vulnerabilities, unauthorized access, use, modification, and destruction.', 'Information security policies, standards, procedures, guidelines, and baselines are essential for instituting security protocols within an organization.', 'Security governance aligns security strategies with business objectives and regulations, ensuring appropriate information security activities are performed based on policies, standards, and baselines.', 'Risk management includes identifying and mitigating security risks, implementing security controls, and ensuring appropriate direction of information security investments with an acceptable return on investment.', "Security controls include administrative, technical, and physical measures to safeguard information 
systems, with policies dictating the role of security, procedures integrating security into business processes, and periodic review and modification of policies to support the organization's vision and mission."]}, {'end': 2688.847, 'segs': [{'end': 1759.077, 'src': 'embed', 'start': 1723.085, 'weight': 0, 'content': [{'end': 1728.969, 'text': 'All my security mechanism that are in place should be in alignment with the business plans, business visions,', 'start': 1723.085, 'duration': 5.884}, {'end': 1732.612, 'text': 'across the number of years that we have envisaged the business to perform.', 'start': 1728.969, 'duration': 3.643}, {'end': 1734.854, 'text': "So that's where the policies come into the picture.", 'start': 1732.932, 'duration': 1.922}, {'end': 1738.797, 'text': 'Policies are always long term, not short term documents,', 'start': 1734.894, 'duration': 3.903}, {'end': 1744.702, 'text': 'but need to be periodically reviewed and modified as the business grows or business changes its posture.', 'start': 1738.797, 'duration': 5.905}, {'end': 1745.923, 'text': 'Then looking at compliance.', 'start': 1744.962, 'duration': 0.961}, {'end': 1751.108, 'text': 'Compliance means confirming to a rule such as a specification, policy, standard or law.', 'start': 1746.323, 'duration': 4.785}, {'end': 1759.077, 'text': 'So we have looked at compliance from a perspective where we talked about ISO 27001 or PCI DSS or those frameworks.', 'start': 1751.349, 'duration': 7.728}], 'summary': 'Security mechanisms should align with business plans and visions across years, with policies periodically reviewed and modified as the business grows. 
compliance includes iso 27001 and pci dss frameworks.', 'duration': 35.992, 'max_score': 1723.085, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1723085.jpg'}, {'end': 1968.272, 'src': 'embed', 'start': 1941.726, 'weight': 2, 'content': [{'end': 1949.188, 'text': 'The person or the people inside the organization need access to data to complete their assigned work and hence have the potential to misuse these privileges,', 'start': 1941.726, 'duration': 7.462}, {'end': 1952.789, 'text': 'and thus you should have personnel security as well.', 'start': 1949.188, 'duration': 3.601}, {'end': 1956.349, 'text': 'Now, when we talk about hiring practices for people,', 'start': 1953.189, 'duration': 3.16}, {'end': 1961.511, 'text': 'most of the organizations perform background checks and we get confused why these background checks are being done.', 'start': 1956.349, 'duration': 5.162}, {'end': 1968.272, 'text': 'The background checks are essential to the health of the organization, where you are ensuring that the person is not a malicious person,', 'start': 1961.791, 'duration': 6.481}], 'summary': 'Access to data requires personnel security and background checks for prevention of misuse.', 'duration': 26.546, 'max_score': 1941.726, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1941726.jpg'}, {'end': 2110.487, 'src': 'embed', 'start': 2074.572, 'weight': 3, 'content': [{'end': 2075.351, 'text': 'and so on and so forth.', 'start': 2074.572, 'duration': 0.779}, {'end': 2080.317, 'text': "Now let's come back to the technical aspect and start talking about vulnerability threats and risk.", 'start': 2075.713, 'duration': 4.604}, {'end': 2082.437, 'text': 'now, what is a vulnerability?', 'start': 2080.817, 'duration': 1.62}, {'end': 2087.739, 'text': 'it is nothing but a weakness in a system or a process implies the absence of a countermeasure.', 'start': 2082.437, 
'duration': 5.302}, {'end': 2090.379, 'text': 'vulnerability is internal and is more easily managed.', 'start': 2087.739, 'duration': 2.64}, {'end': 2101.562, 'text': "so it's a basically a flaw or a misconfiguration, or a design flaw, or something like using defaults, username passwords, configurations where,", 'start': 2090.379, 'duration': 11.183}, {'end': 2110.487, 'text': 'if that particular flaw is misused, it will lead into a security event on that particular device for that particular organization.', 'start': 2101.562, 'duration': 8.925}], 'summary': 'Vulnerability is a weakness in a system, process, or configuration that, if exploited, can lead to security events.', 'duration': 35.915, 'max_score': 2074.572, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2074572.jpg'}, {'end': 2185.156, 'src': 'heatmap', 'start': 2101.562, 'weight': 0.775, 'content': [{'end': 2110.487, 'text': 'if that particular flaw is misused, it will lead into a security event on that particular device for that particular organization.', 'start': 2101.562, 'duration': 8.925}, {'end': 2114.089, 'text': 'so when we say a security event, it has to be detrimental in nature.', 'start': 2110.487, 'duration': 3.602}, {'end': 2117.892, 'text': 'so if somebody is using a weak password, that can easily be cracked.', 'start': 2114.089, 'duration': 3.803}, {'end': 2125.716, 'text': 'that is a vulnerability where you have identified a weak password and then you want to prevent that vulnerability by imposing a security control or a countermeasure.', 'start': 2117.892, 'duration': 7.824}, {'end': 2132.422, 'text': 'The security control here starts off with the policy of having a robust security policy where a password policy comes in.', 'start': 2125.956, 'duration': 6.466}, {'end': 2134.563, 'text': 'that describes the complexity of a particular password.', 'start': 2132.422, 'duration': 2.141}, {'end': 2145.693, 'text': 'And then you talk 
about a technical countermeasure where you have implemented an identity and access management plan which would ensure that the person creating that password adheres to the complexity of that particular policy.', 'start': 2135.024, 'duration': 10.669}, {'end': 2146.593, 'text': 'Then a threat.', 'start': 2145.993, 'duration': 0.6}, {'end': 2151.377, 'text': 'The threat is the possibility that the vulnerability might be exploited, which will result in loss.', 'start': 2146.954, 'duration': 4.423}, {'end': 2155.139, 'text': 'So if somebody has created a weak password and it has been allowed,', 'start': 2151.677, 'duration': 3.462}, {'end': 2162.665, 'text': "that's a vulnerability which can be exploited by the usage of brute force attacks or dictionary-based attacks to crack passwords.", 'start': 2155.139, 'duration': 7.526}, {'end': 2169.249, 'text': 'If the password is cracked, somebody unauthorized may get access to that data, thus resulting in a loss for that organization.', 'start': 2162.845, 'duration': 6.404}, {'end': 2174.273, 'text': 'So the threat is the possibility of that particular vulnerability being exploited.', 'start': 2169.63, 'duration': 4.643}, {'end': 2176.133, 'text': 'and then comes the risk.', 'start': 2174.853, 'duration': 1.28}, {'end': 2179.274, 'text': 'the risk is basically the likelihood of that attack being happening.', 'start': 2176.133, 'duration': 3.141}, {'end': 2181.235, 'text': 'so i have a weak password.', 'start': 2179.274, 'duration': 1.961}, {'end': 2185.156, 'text': 'it can be exploited by a brute force dictionary attack.', 'start': 2181.235, 'duration': 3.921}], 'summary': 'A weak password vulnerability can lead to security events and loss for an organization, mitigated by robust security policies and technical countermeasures.', 'duration': 83.594, 'max_score': 2101.562, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2101562.jpg'}, {'end': 2593.387, 'src': 'heatmap', 
'start': 2257.385, 'weight': 0.835, 'content': [{'end': 2265.153, 'text': 'Or the second threat would be man-made, where man is responsible for it, like theft, hacking, rioting, war, anything that is created by a man,', 'start': 2257.385, 'duration': 7.768}, {'end': 2265.894, 'text': 'or rather humans.', 'start': 2265.153, 'duration': 0.741}, {'end': 2271.059, 'text': 'And technical in nature could be software bugs where vulnerabilities are created,', 'start': 2266.274, 'duration': 4.785}, {'end': 2281.549, 'text': 'or server failures where something technical has gone wrong and you need a technical skilled person to come in and repair that particular aspect.', 'start': 2271.059, 'duration': 10.49}, {'end': 2287.852, 'text': 'Then the fourth one would be a supply system failure or a chain supply failure where you have dependencies.', 'start': 2281.869, 'duration': 5.983}, {'end': 2289.073, 'text': 'For example,', 'start': 2288.012, 'duration': 1.061}, {'end': 2297.097, 'text': 'any organization will have a dependency on an electricity service provider where they are providing electricity as a service which powers on the IT infrastructure.', 'start': 2289.073, 'duration': 8.024}, {'end': 2303.24, 'text': 'If the service provider fails and there is electricity or a power cut, your systems are not going to work.', 'start': 2297.377, 'duration': 5.863}, {'end': 2308.443, 'text': 'Thus, you need a secondary mechanism to prevent that threat from being realized.', 'start': 2303.62, 'duration': 4.823}, {'end': 2311.025, 'text': 'Once we have identified these threats,', 'start': 2309.083, 'duration': 1.942}, {'end': 2315.469, 'text': 'we have identified these vulnerabilities and we have identified the likelihood and the probability of that attack.', 'start': 2311.025, 'duration': 4.444}, {'end': 2317.771, 'text': "that's where we come across the risk management exercise.", 'start': 2315.469, 'duration': 2.302}, {'end': 2319.473, 'text': 'Now, what is risk management?', 
'start': 2318.112, 'duration': 1.361}, {'end': 2323.757, 'text': 'Risk management is a hypothetical exercise where we have identified a vulnerability,', 'start': 2319.793, 'duration': 3.964}, {'end': 2328.761, 'text': 'we have looked at the threat that it may have and the likelihood of that threat being realized.', 'start': 2323.757, 'duration': 5.004}, {'end': 2334.026, 'text': "Once we have identified the risk level, that's where the risk management comes into the picture.", 'start': 2329.101, 'duration': 4.925}, {'end': 2337.45, 'text': 'Reading from the slides, a core component of enterprise security program.', 'start': 2334.286, 'duration': 3.164}, {'end': 2341.414, 'text': 'Why? Because we need a baseline and we compare security to a baseline.', 'start': 2337.71, 'duration': 3.704}, {'end': 2344.999, 'text': "For example, I've got a firewall that has been configured in a particular manner.", 'start': 2341.695, 'duration': 3.304}, {'end': 2348.403, 'text': 'Now, when I do a vulnerability assessment on the firewall,', 'start': 2345.399, 'duration': 3.004}, {'end': 2356.468, 'text': 'the vulnerability assessment gives me a report that states that some of the rules may now be redundant, thus allowing access to unauthorized users.', 'start': 2348.403, 'duration': 8.065}, {'end': 2359.07, 'text': 'this becomes a risk or this becomes a threat.', 'start': 2356.468, 'duration': 2.602}, {'end': 2361.691, 'text': 'if this threat is identified by unauthorized people,', 'start': 2359.07, 'duration': 2.621}, {'end': 2367.113, 'text': 'they would then try to attack this firewall to gain access to that data which they are unauthorized to access,', 'start': 2361.691, 'duration': 5.422}, {'end': 2369.875, 'text': 'thus leading to losses for an organization.', 'start': 2367.113, 'duration': 2.762}, {'end': 2374.517, 'text': 'what is the likelihood of this happening if the likelihood is high or low?', 'start': 2369.875, 'duration': 4.642}, {'end': 2380.642, 'text': "that's what 
the risk management program is all about, And based on these risks, we implement security controls,", 'start': 2374.517, 'duration': 6.125}, {'end': 2386.728, 'text': 'we manage the security controls and then we verify the security controls for future risks coming into the picture.', 'start': 2380.642, 'duration': 6.086}, {'end': 2394.015, 'text': 'It must be defined and it is always defined as an ongoing project, because risks will always change based on the businesses,', 'start': 2387.028, 'duration': 6.987}, {'end': 2396.258, 'text': 'based on the security controls that you have.', 'start': 2394.015, 'duration': 2.243}, {'end': 2401.783, 'text': 'This will give a guidance to an organization of how security is being implemented,', 'start': 2396.718, 'duration': 5.065}, {'end': 2409.33, 'text': 'how it has enhanced over a period of time and how security mature that organization has become because of the risk assessment program.', 'start': 2401.783, 'duration': 7.547}, {'end': 2413.835, 'text': 'It also helps you to satisfy two aspects, due diligence and due care.', 'start': 2409.611, 'duration': 4.224}, {'end': 2421.48, 'text': 'What is due diligence? 
Due diligence is basically the research that an organization does in identifying those risks and mitigating them.', 'start': 2414.115, 'duration': 7.365}, {'end': 2427.964, 'text': 'The due care is the actual part of mitigation where you have implemented a security control to mitigate the risk that you have identified.', 'start': 2421.74, 'duration': 6.224}, {'end': 2433.528, 'text': "So if a company is negligent, that means if the company doesn't have a risk management program,", 'start': 2428.265, 'duration': 5.263}, {'end': 2439.072, 'text': 'it is not going to be that security oriented or the security is not going to be that great.', 'start': 2433.528, 'duration': 5.544}, {'end': 2444.678, 'text': 'thus the company may not comply with laws, regulations and standards, thus causing them penalties,', 'start': 2439.072, 'duration': 5.606}, {'end': 2449.082, 'text': 'lawsuits and other repercussions in the industry based on whatever they are doing.', 'start': 2444.678, 'duration': 4.404}, {'end': 2451.204, 'text': 'For risk management, we come to frameworks.', 'start': 2449.362, 'duration': 1.842}, {'end': 2457.331, 'text': 'The frameworks are used to categorize information systems so that we can identify threats or risks based on the classification.', 'start': 2451.605, 'duration': 5.726}, {'end': 2458.352, 'text': 'So this', 'start': 2457.811, 'duration': 0.541}, {'end': 2463.136, 'text': 'classification helps us determine the criticality and the sensitivity of an information system, right?', 'start': 2458.352, 'duration': 4.784}, {'end': 2465.739, 'text': 'So what is the sensitivity and criticality?', 'start': 2463.517, 'duration': 2.222}, {'end': 2469.823, 'text': 'It basically gives us an understanding of the value of the asset that we have.', 'start': 2466.159, 'duration': 3.664}, {'end': 2476.169, 'text': "So if you go back to domain one, the asset value or the asset identification, asset security, that's where it comes into the picture.", 'start': 2470.143, 
'duration': 6.026}, {'end': 2482.195, 'text': 'Obviously, our database server is going to be more secure than an end user laptop based on the data that they have.', 'start': 2476.569, 'duration': 5.626}, {'end': 2486.88, 'text': "Thus, the criticality of the system for a database is much higher than an end user's laptop.", 'start': 2482.515, 'duration': 4.365}, {'end': 2489.923, 'text': 'Then we look at the security controls that can be implemented.', 'start': 2487.22, 'duration': 2.703}, {'end': 2494.728, 'text': 'Then for those, frameworks like ISO 27001 come into the picture.', 'start': 2490.364, 'duration': 4.364}, {'end': 2498.232, 'text': 'There is COBIT, there are a lot of frameworks out there, NIST 800-53.', 'start': 2495.229, 'duration': 3.003}, {'end': 2503.218, 'text': 'Then we talk about assessing the security controls.', 'start': 2500.094, 'duration': 3.124}, {'end': 2507.643, 'text': 'Once we have placed those security controls, we need to verify those controls are placed properly.', 'start': 2503.478, 'duration': 4.165}, {'end': 2514.631, 'text': 'They actually mitigate the risk and are appropriate to correctly mitigate that particular risk that they are creating.', 'start': 2508.143, 'duration': 6.488}, {'end': 2520.738, 'text': 'Then looking at authorizing information systems, grant information systems operations based on risk determination.', 'start': 2514.991, 'duration': 5.747}, {'end': 2522.039, 'text': 'So you have identified risk.', 'start': 2520.918, 'duration': 1.121}, {'end': 2526.725, 'text': 'you are authorizing some of the devices to function in a particular manner,', 'start': 2522.039, 'duration': 4.686}, {'end': 2531.611, 'text': 'based on which some of those risks would be mitigated or would be reduced to an acceptable level.', 'start': 2526.725, 'duration': 4.886}, {'end': 2535.934, 'text': 'So in the CISSP, we talk about a lot of risk assessment strategies.', 'start': 2532.091, 'duration': 3.843}, {'end': 2538.016, 'text': 'We 
look at how we can manage risks.', 'start': 2535.974, 'duration': 2.042}, {'end': 2544.3, 'text': 'The four different types of managing risks would be: one is to mitigate, another is to transfer,', 'start': 2538.456, 'duration': 5.844}, {'end': 2549.624, 'text': 'the third is to accept it and the fourth one is to neglect the risk.', 'start': 2544.3, 'duration': 5.324}, {'end': 2555.809, 'text': 'So in the CISSP, it talks in great detail about those risk assessment strategies.', 'start': 2549.804, 'duration': 6.005}, {'end': 2558.952, 'text': 'We are talking about the four types of risk mitigating strategies.', 'start': 2556.109, 'duration': 2.843}, {'end': 2566.621, 'text': 'They are risk avoiding or avoiding the risks, accepting the risk, transferring the risk and limiting the risk.', 'start': 2559.293, 'duration': 7.328}, {'end': 2568.703, 'text': 'So, in the course,', 'start': 2566.641, 'duration': 2.062}, {'end': 2577.833, 'text': 'we basically talk about a lot of risk strategies and how to mitigate these risks and how they can be implemented to bring them down to an acceptable level.', 'start': 2568.703, 'duration': 9.13}, {'end': 2582.498, 'text': 'So again risk acceptance, risk appetite of an organization comes into the picture.', 'start': 2577.993, 'duration': 4.505}, {'end': 2589.845, 'text': 'These terms are then discussed in the training to understand how the policies would work around the risk management strategy.', 'start': 2582.518, 'duration': 7.327}, {'end': 2593.387, 'text': 'Moving on, then looking at monitoring security controls.', 'start': 2590.606, 'duration': 2.781}], 'summary': 'Identifying and managing risks, vulnerabilities, and threats to enhance security controls and mitigate potential attacks.', 'duration': 336.002, 'max_score': 2257.385, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2257385.jpg'}, {'end': 2337.45, 'src': 'embed', 'start': 2311.025, 'weight': 4, 'content': [{'end': 
2315.469, 'text': 'we have identified these vulnerabilities and we have identified the likelihood and the probability of that attack.', 'start': 2311.025, 'duration': 4.444}, {'end': 2317.771, 'text': "that's where we come across the risk management exercise.", 'start': 2315.469, 'duration': 2.302}, {'end': 2319.473, 'text': 'Now, what is risk management?', 'start': 2318.112, 'duration': 1.361}, {'end': 2323.757, 'text': 'Risk management is a hypothetical exercise where we have identified a vulnerability,', 'start': 2319.793, 'duration': 3.964}, {'end': 2328.761, 'text': 'we have looked at the threat that it may have and the likelihood of that threat being realized.', 'start': 2323.757, 'duration': 5.004}, {'end': 2334.026, 'text': "Once we have identified the risk level, that's where the risk management comes into the picture.", 'start': 2329.101, 'duration': 4.925}, {'end': 2337.45, 'text': 'Reading from the slides, a core component of enterprise security program.', 'start': 2334.286, 'duration': 3.164}], 'summary': 'Identified vulnerabilities, assessed likelihood and probability of attack, and highlighted risk management as a core component of enterprise security program.', 'duration': 26.425, 'max_score': 2311.025, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2311025.jpg'}, {'end': 2439.072, 'src': 'embed', 'start': 2409.611, 'weight': 5, 'content': [{'end': 2413.835, 'text': 'It also helps you to satisfy two aspects, due diligence and due care.', 'start': 2409.611, 'duration': 4.224}, {'end': 2421.48, 'text': 'What is due diligence? 
Due diligence is basically the research that an organization does in identifying those risks and mitigating them.', 'start': 2414.115, 'duration': 7.365}, {'end': 2427.964, 'text': 'The due care is the actual part of mitigation where you have implemented a security control to mitigate the risk that you have identified.', 'start': 2421.74, 'duration': 6.224}, {'end': 2433.528, 'text': "So if a company is negligent, that means if the company doesn't have a risk management program,", 'start': 2428.265, 'duration': 5.263}, {'end': 2439.072, 'text': 'it is not going to be that security oriented or the security is not going to be that great.', 'start': 2433.528, 'duration': 5.544}], 'summary': 'Due diligence involves risk identification, due care involves implementing security controls for risk mitigation.', 'duration': 29.461, 'max_score': 2409.611, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2409611.jpg'}, {'end': 2514.631, 'src': 'embed', 'start': 2482.515, 'weight': 6, 'content': [{'end': 2486.88, 'text': "Thus, the criticality of the system for a database is much higher than an end user's laptop.", 'start': 2482.515, 'duration': 4.365}, {'end': 2489.923, 'text': 'Then we look at the security controls that can be implemented.', 'start': 2487.22, 'duration': 2.703}, {'end': 2494.728, 'text': 'Then for those, frameworks like ISO 27001 come into the picture.', 'start': 2490.364, 'duration': 4.364}, {'end': 2498.232, 'text': 'There is COBIT, there are a lot of frameworks out there, NIST 800-53.', 'start': 2495.229, 'duration': 3.003}, {'end': 2503.218, 'text': 'Then we talk about assessing the security controls.', 'start': 2500.094, 'duration': 3.124}, {'end': 2507.643, 'text': 'Once we have placed those security controls, we need to verify those controls are placed properly.', 'start': 2503.478, 'duration': 4.165}, {'end': 2514.631, 'text': 'They actually mitigate the risk and are appropriate to correctly 
mitigate that particular risk that they are creating.', 'start': 2508.143, 'duration': 6.488}], 'summary': "Database system criticality higher than end user's laptop. Discussing security controls like ISO 27001, COBIT, NIST 800-53.", 'duration': 32.116, 'max_score': 2482.515, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2482515.jpg'}, {'end': 2577.833, 'src': 'embed', 'start': 2544.3, 'weight': 7, 'content': [{'end': 2549.624, 'text': 'the third is to accept it and the fourth one is to neglect the risk.', 'start': 2544.3, 'duration': 5.324}, {'end': 2555.809, 'text': 'So in the CISSP, it talks in great detail about those risk assessment strategies.', 'start': 2549.804, 'duration': 6.005}, {'end': 2558.952, 'text': 'We are talking about the four types of risk mitigating strategies.', 'start': 2556.109, 'duration': 2.843}, {'end': 2566.621, 'text': 'They are risk avoiding or avoiding the risks, accepting the risk, transferring the risk and limiting the risk.', 'start': 2559.293, 'duration': 7.328}, {'end': 2568.703, 'text': 'So, in the course,', 'start': 2566.641, 'duration': 2.062}, {'end': 2577.833, 'text': 'we basically talk about a lot of risk strategies and how to mitigate these risks and how they can be implemented to bring them down to an acceptable level.', 'start': 2568.703, 'duration': 9.13}], 'summary': 'CISSP course covers four risk assessment strategies: avoid, accept, transfer, limit.', 'duration': 33.533, 'max_score': 2544.3, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2544300.jpg'}, {'end': 2656.373, 'src': 'embed', 'start': 2627.33, 'weight': 8, 'content': [{'end': 2630.112, 'text': 'a quantitative assessment or a qualitative assessment.', 'start': 2627.33, 'duration': 2.782}, {'end': 2636.517, 'text': 'A quantitative assessment is more quantifiable or is numerical in its process,', 'start': 2630.453, 'duration': 6.064}, {'end': 
2640.761, 'text': "where you're looking at assigning costs to particular assets and the threats.", 'start': 2636.517, 'duration': 4.244}, {'end': 2650.008, 'text': "So the losses that you may figure out in a risk assessment strategy would be more numerical where it would be, in a currency format, where, let's say,", 'start': 2641.041, 'duration': 8.967}, {'end': 2653.771, 'text': 'a risk, if realized, would lead to a loss of an extra amount of dollars.', 'start': 2650.008, 'duration': 3.763}, {'end': 2656.373, 'text': "That's where the quantitative analysis comes into the picture.", 'start': 2654.151, 'duration': 2.222}], 'summary': 'Quantitative assessment assigns numerical costs to assets and threats, leading to measurable losses in currency format.', 'duration': 29.043, 'max_score': 2627.33, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2627330.jpg'}], 'start': 1723.085, 'title': 'Security alignment and risk management', 'summary': 'Emphasizes aligning security mechanisms with business plans, complying with ISO 27001 and PCI DSS, and implementing risk management frameworks like COBIT and NIST 800-53. It covers vulnerability, threats, risk mitigation, and the significance of security controls and risk assessment.', 'chapters': [{'end': 2074.572, 'start': 1723.085, 'title': 'Aligning security mechanisms with business plans', 'summary': 'Emphasizes aligning security mechanisms with business plans, compliance with standards like ISO 27001 and PCI DSS, the significance of the Code of Ethics, understanding legal systems, and implementing personnel security measures including background checks and confidentiality agreements.', 'duration': 351.487, 'highlights': ['The significance of aligning security mechanisms with business plans and visions across the years to ensure long-term effectiveness. ', 'The importance of compliance with standards such as ISO 27001 and PCI DSS for effective business operations. 
', 'The criticality of adhering to the Code of Ethics established by (ISC)² for CISSP professionals, with potential consequences for violation including debarring and blacklisting. Consequences for violation of the Code of Ethics include debarring, stripping of certification, and blacklisting.', 'The need to understand different legal systems internationally, including civil, common, and religious laws, and their implications on information security professionals. ', 'The importance of implementing personnel security measures such as background checks, confidentiality agreements, and conflict of interest agreements to safeguard the organization from potential risks and lawsuits. ']}, {'end': 2449.082, 'start': 2074.572, 'title': 'Vulnerability, threats, and risk: understanding and mitigating', 'summary': "Discusses vulnerability, threats, and risk, defining vulnerability as a weakness in a system or process, explaining the concept of security events, and detailing the likelihood and impact of potential attacks. It also covers the types of threats, risk management, and the importance of security controls and risk assessment in enhancing an organization's security posture.", 'duration': 374.51, 'highlights': ['Vulnerability defined as a weakness in a system or process, such as a flaw, misconfiguration, or design flaw, leading to potential security events. Vulnerability is described as a weakness in a system or process, which if misused, can lead to a security event on a device or organization.', 'Explanation of the likelihood and impact of potential attacks, such as the exploitation of weak passwords and the resulting loss for an organization. Weak passwords being susceptible to exploitation through brute force attacks, leading to unauthorized access and potential loss for organizations.', 'Types of threats categorized as natural (e.g., fires, flooding), man-made (e.g., theft, hacking), technical (e.g., software bugs, server failures), and supply system failures. 
Threats classified into natural, man-made, technical, and supply system failures, encompassing various scenarios affecting organizational security.', 'Importance of risk management in identifying vulnerabilities, assessing threats, and implementing security controls to mitigate potential risks. Risk management as a crucial exercise to identify vulnerabilities, assess threats, and implement security controls for mitigating potential risks.', 'Significance of due diligence and due care in risk management, emphasizing the research and implementation aspects of mitigating identified risks. Due diligence and due care as essential in the risk management process, involving research in identifying risks and implementing security controls for mitigation.']}, {'end': 2688.847, 'start': 2449.362, 'title': 'Risk management frameworks and strategies', 'summary': 'Discusses risk management frameworks such as ISO 27001, COBIT, and NIST 800-53, and highlights the process of identifying, mitigating, and monitoring risks, including the four types of risk mitigation strategies: mitigating, transferring, accepting, and neglecting risks.', 'duration': 239.485, 'highlights': ['The chapter discusses risk management frameworks such as ISO 27001, COBIT, and NIST 800-53. The speaker mentions various frameworks used for categorizing information systems and identifying threats or risks, including ISO 27001, COBIT, and NIST 800-53.', 'The process of identifying, mitigating, and monitoring risks is emphasized, including the four types of risk mitigation strategies: mitigating, transferring, accepting, and neglecting risks. The chapter covers the process of identifying, mitigating, and monitoring risks, and highlights the four types of risk mitigation strategies: mitigating, transferring, accepting, and neglecting risks.', 'The importance of risk assessment and the distinction between quantitative and qualitative assessments are explained. 
The chapter explains the significance of risk assessment, distinguishing between quantitative and qualitative assessments in evaluating the impact of risks on the organization and its assets.']}], 'duration': 965.762, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw1723085.jpg', 'highlights': ['Importance of aligning security mechanisms with business plans and visions for long-term effectiveness.', 'Significance of compliance with standards such as ISO 27001 and PCI DSS for effective business operations.', 'Importance of implementing personnel security measures to safeguard the organization from potential risks and lawsuits.', 'Vulnerability defined as a weakness in a system or process, leading to potential security events.', 'Importance of risk management in identifying vulnerabilities, assessing threats, and implementing security controls to mitigate potential risks.', 'Significance of due diligence and due care in risk management, emphasizing the research and implementation aspects of mitigating identified risks.', 'Discussion of risk management frameworks such as ISO 27001, COBIT, and NIST 800-53.', 'Process of identifying, mitigating, and monitoring risks, and the four types of risk mitigation strategies: mitigating, transferring, accepting, and neglecting risks.', 'Importance of risk assessment and the distinction between quantitative and qualitative assessments.']}, {'end': 3535.601, 'segs': [{'end': 2727.422, 'src': 'embed', 'start': 2688.847, 'weight': 0, 'content': [{'end': 2691.628, 'text': 'does it is a risk and it is causing me losses?', 'start': 2688.847, 'duration': 2.781}, {'end': 2698.092, 'text': 'right. 
so qualitative risk analysis would be more descriptive in nature rather than be numerical in nature.', 'start': 2691.628, 'duration': 6.464}, {'end': 2701.934, 'text': 'most of the companies or organizations would follow a hybrid policy,', 'start': 2698.092, 'duration': 3.842}, {'end': 2706.657, 'text': 'because it is not possible to have a quantitative risk analysis in each and every scenario.', 'start': 2701.934, 'duration': 4.723}, {'end': 2714.259, 'text': "Newer organization, which doesn't have much data to rely on historical data of how threats have affected that particular organization,", 'start': 2707.077, 'duration': 7.182}, {'end': 2715.779, 'text': 'may go in for a qualitative one.', 'start': 2714.259, 'duration': 1.52}, {'end': 2724.321, 'text': 'And as they mature over time in the security practices, they may then turn over to a quantitative risk analysis or a hybrid risk analysis,', 'start': 2716.159, 'duration': 8.162}, {'end': 2727.422, 'text': "where they're using a combination of quantitative and qualitative both.", 'start': 2724.321, 'duration': 3.101}], 'summary': 'Hybrid risk analysis is common; newer orgs start with qualitative, then shift to quantitative or hybrid as they mature.', 'duration': 38.575, 'max_score': 2688.847, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2688847.jpg'}, {'end': 2780.673, 'src': 'embed', 'start': 2749.79, 'weight': 2, 'content': [{'end': 2752.392, 'text': "That's where you're avoiding risk by outsourcing it.", 'start': 2749.79, 'duration': 2.602}, {'end': 2758.696, 'text': 'So talking about risk controls again, the four types being accept, avoid, transfer and reduce.', 'start': 2752.752, 'duration': 5.944}, {'end': 2767.602, 'text': "Risk acceptance is where the organization is willingly accepting the risk as the way it is because they don't want to deal with it right now.", 'start': 2759.056, 'duration': 8.546}, {'end': 2774.086, 'text': 'They might deal 
with it in the next iteration or it is at an acceptable level and the company just wants to move on.', 'start': 2767.642, 'duration': 6.444}, {'end': 2780.673, 'text': 'Avoiding the risk is where you are going to try to not use the service where the risk exists.', 'start': 2774.586, 'duration': 6.087}], 'summary': 'Outsourcing risk, discussing risk controls: accept, avoid, transfer, reduce.', 'duration': 30.883, 'max_score': 2749.79, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2749790.jpg'}, {'end': 2929.103, 'src': 'heatmap', 'start': 2829.032, 'weight': 3, 'content': [{'end': 2834.736, 'text': 'Then there are technical controls, software controls, anything that is technical in nature IDS, IPS firewalls,', 'start': 2829.032, 'duration': 5.704}, {'end': 2838.539, 'text': 'encryption anything that is going to help you implement the CIA.', 'start': 2834.736, 'duration': 3.803}, {'end': 2842.201, 'text': 'And then physical where you would look at locks on doors.', 'start': 2838.999, 'duration': 3.202}, {'end': 2847.905, 'text': "security guards at fences where they're preventing access to unauthorized people.", 'start': 2842.561, 'duration': 5.344}, {'end': 2850.586, 'text': "Let's talk about roles and responsibilities of management.", 'start': 2848.325, 'duration': 2.261}, {'end': 2855.97, 'text': 'Now, as far as management is concerned, or the hierarchy is concerned,', 'start': 2851.147, 'duration': 4.823}, {'end': 2861.073, 'text': "you can see on the screen there's a senior management the security professional data owner, custodian and user.", 'start': 2855.97, 'duration': 5.103}, {'end': 2869.038, 'text': 'Now these are from exam perspective, from the certification perspective, obviously the hierarchy in an organization would be slightly different.', 'start': 2861.133, 'duration': 7.905}, {'end': 2874.361, 'text': 'But here the senior management is the responsible party for the entire security 
mechanism.', 'start': 2869.198, 'duration': 5.163}, {'end': 2876.882, 'text': 'So they must drive the entire security program.', 'start': 2874.661, 'duration': 2.221}, {'end': 2887.447, 'text': 'So CISSP talks about a top-down approach where the senior management has realized the importance of security and is implementing it at all levels within the organization.', 'start': 2877.162, 'duration': 10.285}, {'end': 2893.429, 'text': 'Thus, they are a part of it and they are supporting the security program.', 'start': 2887.907, 'duration': 5.522}, {'end': 2895.29, 'text': 'They define the tolerance of risk,', 'start': 2893.67, 'duration': 1.62}, {'end': 2903.714, 'text': 'of how much risk is to be tolerated by an organization from a monetary perspective or the qualitative perspective as well, depending on the laws,', 'start': 2895.29, 'duration': 8.424}, {'end': 2908.016, 'text': 'legislation, regulations, compliances and the contracts the business has signed.', 'start': 2903.714, 'duration': 4.302}, {'end': 2915.719, 'text': 'They will rely on security professionals to manage the risk, but the exercise and the management process have to be defined by the senior management.', 'start': 2908.276, 'duration': 7.443}, {'end': 2921.981, 'text': 'Once the security team comes up with the countermeasures, the senior management either approves or disapproves them,', 'start': 2916.039, 'duration': 5.942}, {'end': 2925.202, 'text': 'based on the return on investment of that countermeasure.', 'start': 2921.981, 'duration': 3.221}, {'end': 2929.103, 'text': 'The security professional assists with the development of policy documents,', 'start': 2925.642, 'duration': 3.461}], 'summary': 'Security management involves technical and physical controls, with senior management driving the security program and defining risk tolerance.', 'duration': 100.071, 'max_score': 2829.032, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2829032.jpg'}, {'end': 3075.155, 'src': 'heatmap', 'start': 2989.73, 'weight': 0.754, 'content': [{'end': 2995.051, 'text': 'for example, the sales data is normally owned by the director of sales of that department,', 'start': 2989.73, 'duration': 5.321}, {'end': 2998.792, 'text': 'so that they would be ultimately responsible for identifying that data,', 'start': 2995.051, 'duration': 3.741}, {'end': 3003.273, 'text': 'classifying that data and accepting the security controls that are implemented.', 'start': 2998.792, 'duration': 4.481}, {'end': 3007.294, 'text': 'they may request additional security controls if they deem fit.', 'start': 3003.273, 'duration': 4.021}, {'end': 3010.095, 'text': 'the security professional implements these security controls.', 'start': 3007.294, 'duration': 2.801}, {'end': 3011.637, 'text': 'Then the custodian,', 'start': 3010.515, 'duration': 1.122}, {'end': 3019.687, 'text': 'a person who is responsible for implementing the approved security controls or managing the day-to-day activity of the security controls.', 'start': 3011.637, 'duration': 8.05}, {'end': 3026.956, 'text': 'For example, the security professional has identified an access control to be implemented on a data set that the data owner owns.', 'start': 3019.907, 'duration': 7.049}, {'end': 3034.5, 'text': 'the data owner has approved of it, it is the custodian who is going to implement that strategy or implement the control on it.', 'start': 3027.236, 'duration': 7.264}, {'end': 3042.224, 'text': 'The user is basically the person who accesses the information and IT resources.', 'start': 3034.82, 'duration': 7.404}, {'end': 3046.367, 'text': 'Whatever access controls have been implemented would identify the user, authenticate,', 'start': 3042.224, 'duration': 4.143}, {'end': 3050.589, 'text': 'authorize them and hold them accountable for whatever they are doing.', 'start': 
3046.367, 'duration': 4.222}, {'end': 3053.731, 'text': 'If the user is unable to authenticate, access would be denied.', 'start': 3050.929, 'duration': 2.802}, {'end': 3058.398, 'text': 'we will focus on the second domain of CISSP which is asset security.', 'start': 3054.414, 'duration': 3.984}, {'end': 3062.642, 'text': "So let's understand the need for asset security through a small scenario.", 'start': 3058.758, 'duration': 3.884}, {'end': 3066.406, 'text': "Well, it was yet another regular day in Tim's organization.", 'start': 3063.083, 'duration': 3.323}, {'end': 3071.131, 'text': 'Everything was going on fine until the organization faced a cyber attack.', 'start': 3066.887, 'duration': 4.244}, {'end': 3075.155, 'text': "The hacker hacked all the servers in Tim's organization.", 'start': 3071.651, 'duration': 3.504}], 'summary': 'Security roles manage access controls for data, assets, and users in response to cyber attack.', 'duration': 85.425, 'max_score': 2989.73, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2989730.jpg'}, {'end': 3237.577, 'src': 'heatmap', 'start': 3134.323, 'weight': 4, 'content': [{'end': 3145.37, 'text': 'The domains are information classification, Then we have data classification, data life cycle, data remnants and finally we have data loss prevention.', 'start': 3134.323, 'duration': 11.047}, {'end': 3147.812, 'text': 'Each of these domains have different goals.', 'start': 3145.851, 'duration': 1.961}, {'end': 3151.475, 'text': 'All of these domains together make up asset security.', 'start': 3148.493, 'duration': 2.982}, {'end': 3154.617, 'text': "Now let's have a look at each of these domains individually.", 'start': 3151.875, 'duration': 2.742}, {'end': 3157.599, 'text': 'First up we have information classification.', 'start': 3155.037, 'duration': 2.562}, {'end': 3163.463, 'text': "As you saw what happened in Tim's organization, it is understood that importance of data 
varies largely.", 'start': 3158.019, 'duration': 5.444}, {'end': 3167.345, 'text': 'We have to classify data before we can move on to protecting it.', 'start': 3163.863, 'duration': 3.482}, {'end': 3173.169, 'text': 'We need to be able to identify which is the most crucial data with respect to our organizations.', 'start': 3167.605, 'duration': 5.564}, {'end': 3183.235, 'text': 'Information classification is defined as the process of segregating data based on its importance to provide adequate level of protection to every piece of data.', 'start': 3173.549, 'duration': 9.686}, {'end': 3186.577, 'text': 'Information classification is different for each sector.', 'start': 3183.595, 'duration': 2.982}, {'end': 3189.818, 'text': 'Based on their objectives, the classification varies.', 'start': 3186.937, 'duration': 2.881}, {'end': 3195.641, 'text': 'In the general sector, information classification is used to minimize risks on crucial information.', 'start': 3190.198, 'duration': 5.443}, {'end': 3200.943, 'text': 'Whereas, in the government or military sector, it is used to prevent unauthorized access.', 'start': 3195.841, 'duration': 5.102}, {'end': 3206.025, 'text': 'And finally, in the commercial sector, it is used to keep sensitive information private.', 'start': 3201.323, 'duration': 4.702}, {'end': 3211.267, 'text': "Here, it is seen to it that information is not disclosed to a company's competitors.", 'start': 3206.345, 'duration': 4.922}, {'end': 3216.869, 'text': "let's now move on to our second domain, that is data classification, as the name suggests.", 'start': 3211.807, 'duration': 5.062}, {'end': 3221.29, 'text': 'here data is basically classified based on a set of considerations.', 'start': 3216.869, 'duration': 4.421}, {'end': 3229.053, 'text': 'here we will look into factors like data retention requirements, then data security requirements, data disposal methods,', 'start': 3221.29, 'duration': 7.763}, {'end': 3232.854, 'text': 'data encryption 
requirements and, finally, compliance requirements.', 'start': 3229.053, 'duration': 3.801}, {'end': 3237.577, 'text': 'So these are the factors which are taken into consideration while classifying data.', 'start': 3233.194, 'duration': 4.383}], 'summary': 'Asset security comprises information classification, data classification, data life cycle, data remnants, and data loss prevention, each with specific goals and considerations.', 'duration': 23.276, 'max_score': 3134.323, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw3134323.jpg'}], 'start': 2688.847, 'title': 'Transitioning risk analysis and security mechanisms', 'summary': 'Discusses the limitations of quantitative risk analysis, the progression from qualitative to hybrid or quantitative analysis, and the four risk controls - acceptance, avoidance, transfer, and reduction, along with the roles and responsibilities of management in security mechanisms.', 'chapters': [{'end': 2727.422, 'start': 2688.847, 'title': 'Qualitative vs quantitative risk analysis', 'summary': 'Discusses the transition from qualitative to quantitative risk analysis in organizations, highlighting the limitations of quantitative analysis and the potential progression from qualitative to hybrid or quantitative analysis as organizations mature in their security practices.', 'duration': 38.575, 'highlights': ['Newer organizations may opt for qualitative risk analysis due to limited historical data, with a potential transition to quantitative or hybrid analysis as they mature in security practices.', 'Hybrid policy is commonly followed due to the impracticality of conducting quantitative risk analysis in every scenario.']}, {'end': 3535.601, 'start': 2728.582, 'title': 'Risk controls, countermeasures, and asset security', 'summary': 'Covers the four risk controls - acceptance, avoidance, transfer, and reduction, along with the roles and responsibilities of management in security 
mechanisms. it also explores the importance of asset security through the domains of information classification, data classification, data lifecycle, data remnants, and data loss prevention.', 'duration': 807.019, 'highlights': ['The chapter covers the four risk controls - acceptance, avoidance, transfer, and reduction. Risk controls are categorized into acceptance, avoidance, transfer, and reduction, providing options for managing and mitigating risks within an organization.', "The roles and responsibilities of management in security mechanisms are outlined, emphasizing the senior management's role in defining risk tolerance and driving the security program. Senior management plays a crucial role in defining risk tolerance, supporting the security program, and driving the implementation of security measures within the organization.", 'Asset security is explained through the domains of information classification, data classification, data lifecycle, data remnants, and data loss prevention. 
The importance of asset security is highlighted through the domains of information and data classification, lifecycle, remnants, and loss prevention, aiming to protect and classify valuable data within an organization.']}], 'duration': 846.754, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw2688847.jpg', 'highlights': ['Newer organizations may opt for qualitative risk analysis due to limited historical data, with a potential transition to quantitative or hybrid analysis as they mature in security practices.', 'Hybrid policy is commonly followed due to the impracticality of conducting quantitative risk analysis in every scenario.', 'The chapter covers the four risk controls - acceptance, avoidance, transfer, and reduction, providing options for managing and mitigating risks within an organization.', "The roles and responsibilities of management in security mechanisms are outlined, emphasizing the senior management's role in defining risk tolerance and driving the security program.", 'Asset security is explained through the domains of information classification, data classification, data lifecycle, data remnants, and data loss prevention, aiming to protect and classify valuable data within an organization.']}, {'end': 4385.995, 'segs': [{'end': 3562.465, 'src': 'embed', 'start': 3536.081, 'weight': 0, 'content': [{'end': 3542.288, 'text': 'And finally, in tokenization, a sensitive piece of data is substituted with a non-sensitive equivalent.', 'start': 3536.081, 'duration': 6.207}, {'end': 3549.151, 'text': 'CISSP stands for the certified information security or rather certified information system security professional.', 'start': 3542.822, 'duration': 6.329}, {'end': 3552.695, 'text': 'It is considered as a gold standard in the field of information security.', 'start': 3549.431, 'duration': 3.264}, {'end': 3554.938, 'text': 'It is a management certification.', 'start': 3553.036, 'duration': 1.902}, {'end': 
3562.465, 'text': 'So when you are in the senior management, This is the kind of certifications that you would require for your management skills.', 'start': 3555.259, 'duration': 7.206}], 'summary': 'Cissp is a gold standard management certification in information security, required for senior management.', 'duration': 26.384, 'max_score': 3536.081, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw3536081.jpg'}, {'end': 3766.168, 'src': 'embed', 'start': 3740.311, 'weight': 2, 'content': [{'end': 3746.636, 'text': 'and then get certified as a CISSP, so you can see the stringent levels that are taken for this certification.', 'start': 3740.311, 'duration': 6.325}, {'end': 3752.66, 'text': 'the validation is basically documentation and proof that you have to submit and which is verified.', 'start': 3746.636, 'duration': 6.024}, {'end': 3757.443, 'text': 'so even after you clear an exam to get validated and get certified,', 'start': 3752.66, 'duration': 4.783}, {'end': 3763.727, 'text': 'it can take up to five to six weeks for ISC2 to validate and provide you with the certification.', 'start': 3757.443, 'duration': 6.284}, {'end': 3766.168, 'text': "With that, let's go and see the exam.", 'start': 3763.907, 'duration': 2.261}], 'summary': 'Cissp certification requires stringent validation, taking 5-6 weeks for validation and certification.', 'duration': 25.857, 'max_score': 3740.311, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw3740311.jpg'}, {'end': 3843.472, 'src': 'embed', 'start': 3815.167, 'weight': 3, 'content': [{'end': 3818.508, 'text': 'The exam fees, $699.', 'start': 3815.167, 'duration': 3.341}, {'end': 3822.03, 'text': "So it's an expensive exam, a single attempt for each voucher.", 'start': 3818.508, 'duration': 3.522}, {'end': 3826.336, 'text': "If you fail, that's another $700 for the second attempt.", 'start': 3823.072, 'duration': 
3.264}, {'end': 3831.962, 'text': 'The fact being, if you fail for the first time, you cannot attempt the exam for the next 30 days.', 'start': 3826.696, 'duration': 5.266}, {'end': 3836.526, 'text': 'If you fail for the second time, you cannot attempt the exam again for the next 60 days.', 'start': 3832.382, 'duration': 4.144}, {'end': 3840.09, 'text': 'And if you fail for the third time, you cannot attempt the exam for another 90 days.', 'start': 3836.847, 'duration': 3.243}, {'end': 3843.472, 'text': "so there's a cooling off period after each attempt.", 'start': 3840.971, 'duration': 2.501}], 'summary': 'Exam fees: $699, second attempt $700. cooling off period after each attempt.', 'duration': 28.305, 'max_score': 3815.167, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw3815167.jpg'}, {'end': 3877.493, 'src': 'embed', 'start': 3853.256, 'weight': 4, 'content': [{'end': 3859.179, 'text': 'the exam length is three hours and the questions could vary from 100 to 150, 150 being the max questions that can be asked in that exam.', 'start': 3853.256, 'duration': 5.923}, {'end': 3868.505, 'text': 'you can clear the exam well before 150 questions, so be prepared for that as well.', 'start': 3862.62, 'duration': 5.885}, {'end': 3870.787, 'text': "but imagine, when you're walking into that exam,", 'start': 3868.505, 'duration': 2.282}, {'end': 3877.493, 'text': 'bear in mind that you will be asked 150 questions and you have to time those in three hours 180 minutes.', 'start': 3870.787, 'duration': 6.706}], 'summary': 'Exam is 3 hours long, with 100-150 questions; 150 is the max. 
be prepared to manage time for 150 questions in 180 minutes.', 'duration': 24.237, 'max_score': 3853.256, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw3853256.jpg'}, {'end': 4373.311, 'src': 'embed', 'start': 4346.887, 'weight': 1, 'content': [{'end': 4351.952, 'text': "So That's the exam outline from ISC2 towards CISSP.", 'start': 4346.887, 'duration': 5.065}, {'end': 4354.755, 'text': 'This is the latest document that is there available online.', 'start': 4351.992, 'duration': 2.763}, {'end': 4358.078, 'text': 'You can see the URL in my browser address bar.', 'start': 4354.955, 'duration': 3.123}, {'end': 4360.38, 'text': 'And these are the eight domains.', 'start': 4358.539, 'duration': 1.841}, {'end': 4367.628, 'text': 'This is the exam three hours, number of questions 100 to 150, multiple choice and advanced innovative questions.', 'start': 4360.821, 'duration': 6.807}, {'end': 4373.311, 'text': "That's where the drag and drop and the hotspot comes into the picture, though based on experience,", 'start': 4367.668, 'duration': 5.643}], 'summary': 'Latest cissp exam outline: 8 domains, 3-hour duration, 100-150 questions, including innovative question formats.', 'duration': 26.424, 'max_score': 4346.887, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4346887.jpg'}], 'start': 3536.081, 'title': 'Cissp certification and exam overview', 'summary': 'Provides an overview of the cissp certification, highlighting its significance as a management certification, the continuing education points required for its validity, the passing rate of less than 50%, and the stringent validation process for certification. 
it also covers the cissp exam, including exam fees, duration, passing score, and domains covered, emphasizing thorough preparation and understanding of job roles and responsibilities, as well as the exam format, testing centers, and cooling off period between exam attempts.', 'chapters': [{'end': 3814.947, 'start': 3536.081, 'title': 'Cissp certification overview', 'summary': 'Provides an overview of the cissp certification, highlighting its significance as a management certification, the continuing education points required for its validity, the passing rate of less than 50%, and the stringent validation process for certification.', 'duration': 278.866, 'highlights': ['CISSP is a gold standard management certification in information security, requiring at least five years of experience in two or more domains for certification, with a passing rate of less than 50%.', 'Validity of CISSP certification is three years, requiring continuing education points earned through authorized activities for renewal.', 'The CISSP exam is known for its toughness, with a passing rate of less than 50%, and requires comprehensive knowledge in information security.', 'Validation for CISSP certification involves a stringent process, including submitting documentation and proof of experience, which can take up to five to six weeks for verification.', 'CISSP certification requires at least five years of paid full-time work experience in two or more domains, with the option of becoming an associate of ISC2 for CISSP if the experience criteria are not met.']}, {'end': 4385.995, 'start': 3815.167, 'title': 'Cissp exam overview', 'summary': 'Provides an overview of the cissp exam, including exam fees, duration, passing score, and domains covered, emphasizing the significance of thorough preparation and understanding of job roles and responsibilities. 
the chapter also outlines the exam format, testing centers, and the cooling off period between exam attempts.', 'duration': 570.828, 'highlights': ['Exam Fees and Attempt Restrictions The exam fees are $699, with an additional $700 for the second attempt if you fail, and subsequent waiting periods of 30, 60, and 90 days for the first, second, and third failed attempts, respectively.', 'Exam Duration and Question Format The exam is three hours long, with a varying number of questions (up to 150), requiring approximately a minute and a half or less for each question, including multiple-choice, drag-and-drop, and hotspot question formats.', 'Domains and Weightage The exam covers eight domains, with varying weightage for each, including security and risk management (15%), communications and network security (14%), and security operations (13%), emphasizing the importance of understanding and preparing for each domain.', 'Ideal World vs. Real World Scenario The exam assumes an ideal world scenario, focusing on standardized job roles and responsibilities, which differs from the real-world customization based on organizational expertise and hierarchy, requiring candidates to align with the ideal world perspective for the exam.', 'Thorough Preparation and Understanding of Job Roles Thorough preparation, identification of strong and weak points, and understanding job roles and responsibilities are emphasized for exam success, with practical insight recommended for effective preparation.']}], 'duration': 849.914, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw3536081.jpg', 'highlights': ['CISSP is a gold standard management certification in information security, requiring at least five years of experience in two or more domains for certification, with a passing rate of less than 50%.', 'The CISSP exam is known for its toughness, with a passing rate of less than 50%, and requires comprehensive knowledge in information 
security.', 'Validation for CISSP certification involves a stringent process, including submitting documentation and proof of experience, which can take up to five to six weeks for verification.', 'Exam Fees and Attempt Restrictions The exam fees are $699, with an additional $700 for the second attempt if you fail, and subsequent waiting periods of 30, 60, and 90 days for the first, second, and third failed attempts, respectively.', 'Exam Duration and Question Format The exam is three hours long, with a varying number of questions (up to 150), requiring approximately a minute and a half or less for each question, including multiple-choice, drag-and-drop, and hotspot question formats.']}, {'end': 5204.604, 'segs': [{'end': 4411.496, 'src': 'embed', 'start': 4385.995, 'weight': 0, 'content': [{'end': 4392.417, 'text': 'those who want to attempt in other languages it is available, but then the exam is six hours and the questions are 250.', 'start': 4385.995, 'duration': 6.422}, {'end': 4396.418, 'text': "so that's your option, depending on which language you are most comfortable with.", 'start': 4392.417, 'duration': 4.001}, {'end': 4397.86, 'text': 'We are going to go with English.', 'start': 4396.698, 'duration': 1.162}, {'end': 4401.043, 'text': "That's the language options coming in CISSP Linear Exam.", 'start': 4398.06, 'duration': 2.983}, {'end': 4403.106, 'text': '6 hours, 250 questions.', 'start': 4401.524, 'duration': 1.582}, {'end': 4405.008, 'text': 'Everything else remains the same.', 'start': 4403.326, 'duration': 1.682}, {'end': 4406.61, 'text': 'These are the languages supported.', 'start': 4405.308, 'duration': 1.302}, {'end': 4411.496, 'text': 'French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean.', 'start': 4406.75, 'duration': 4.746}], 'summary': 'Cissp linear exam offers 250 questions in 6 hours, available in multiple languages.', 'duration': 25.501, 'max_score': 4385.995, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4385995.jpg'}, {'end': 4471.44, 'src': 'embed', 'start': 4448.347, 'weight': 1, 'content': [{'end': 4462.61, 'text': 'governance is basically having a overlying architectural security policy that can be integrated with an enterprise architecture and thus having your security policy in alignment with the business goals and objectives.', 'start': 4448.347, 'duration': 14.263}, {'end': 4465.493, 'text': 'Security should never become a hindrance for a business.', 'start': 4462.89, 'duration': 2.603}, {'end': 4471.44, 'text': 'Security should always become a supporting feature which should allow the business to be executed in a secure manner.', 'start': 4465.834, 'duration': 5.606}], 'summary': 'Governance ensures security aligns with business goals and supports operations.', 'duration': 23.093, 'max_score': 4448.347, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4448347.jpg'}, {'end': 4582.029, 'src': 'embed', 'start': 4546.573, 'weight': 2, 'content': [{'end': 4548.955, 'text': "so that's where your security control frameworks would come in.", 'start': 4546.573, 'duration': 2.382}, {'end': 4557.663, 'text': "you're going to talk about ISO 27001, you're going to talk about COBIT, PCI DSS, NIST 800 series and so on so forth.", 'start': 4548.955, 'duration': 8.708}, {'end': 4563.345, 'text': 'and the most two important statements or terms in the CISSP is due care and due diligence.', 'start': 4557.663, 'duration': 5.682}, {'end': 4564.105, 'text': 'Due care.', 'start': 4563.445, 'duration': 0.66}, {'end': 4573.027, 'text': 'is you doing your own research to identify what security controls need to be implemented or what kind of governance needs to be implemented and due diligence?', 'start': 4564.105, 'duration': 8.922}, {'end': 4582.029, 'text': 'is you yourself spending that much time, money, effort into implementing 
those decisions that you have come across during the due care,', 'start': 4573.027, 'duration': 9.002}], 'summary': 'Security control frameworks include iso 27001, cobit, pci dss, nist 800 series; cissp emphasizes due care and due diligence.', 'duration': 35.456, 'max_score': 4546.573, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4546573.jpg'}, {'end': 4716.916, 'src': 'embed', 'start': 4690.648, 'weight': 3, 'content': [{'end': 4694.969, 'text': "If you're looking at a particular risk, that means a particular vulnerability has been identified.", 'start': 4690.648, 'duration': 4.321}, {'end': 4701.451, 'text': 'You want to see the likelihood of that vulnerability being exploited, and then the business impact analysis that it may have,', 'start': 4694.989, 'duration': 6.462}, {'end': 4710.033, 'text': 'based on which you would then create a plan to mitigate that particular risk by having a business continuity or a disaster recovery plan coming into the picture.', 'start': 4701.451, 'duration': 8.582}, {'end': 4713.714, 'text': "Now this is, as far as this domain is concerned, you're calculating the risk.", 'start': 4710.333, 'duration': 3.381}, {'end': 4716.916, 'text': "It doesn't actually tell you how to mitigate that risk.", 'start': 4714.095, 'duration': 2.821}], 'summary': 'Identify vulnerability, assess likelihood of exploitation, analyze business impact, and create mitigation plan for risk in risk calculation domain.', 'duration': 26.268, 'max_score': 4690.648, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4690648.jpg'}, {'end': 4769.194, 'src': 'embed', 'start': 4746.705, 'weight': 4, 'content': [{'end': 4754.227, 'text': 'so cissp would also deal with people protection in the first place, for example, protecting people against social engineering attacks,', 'start': 4746.705, 'duration': 7.522}, {'end': 4755.867, 'text': 'making them aware 
about these attacks.', 'start': 4754.227, 'duration': 1.64}, {'end': 4758.128, 'text': 'If there are natural calamities,', 'start': 4756.247, 'duration': 1.881}, {'end': 4765.132, 'text': 'you have to plan for them during your disaster recovery and business continuity plan and ensure that people are safeguarded.', 'start': 4758.128, 'duration': 7.004}, {'end': 4769.194, 'text': 'Not only that, you have to tie these things up with identity and access management.', 'start': 4765.472, 'duration': 3.722}], 'summary': 'Cissp covers people protection, disaster recovery planning, and identity management.', 'duration': 22.489, 'max_score': 4746.705, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4746705.jpg'}, {'end': 4907.141, 'src': 'embed', 'start': 4874.132, 'weight': 5, 'content': [{'end': 4876.773, 'text': "What you're trying to do is, in your organization,", 'start': 4874.132, 'duration': 2.641}, {'end': 4884.858, 'text': 'you are trying to create a security awareness program which allows your employees to know what kind of policies exist in your company,', 'start': 4876.773, 'duration': 8.085}, {'end': 4891.822, 'text': 'what rules need to be followed, what are the procedures that need to be followed for them to safeguard themselves and company assets as well?', 'start': 4884.858, 'duration': 6.964}, {'end': 4896.007, 'text': 'and ensure that data leakage and data loss are kept at a minimum.', 'start': 4892.162, 'duration': 3.845}, {'end': 4900.633, 'text': "So you're basically trying to make everyone aware of the risks that they may have.", 'start': 4896.247, 'duration': 4.386}, {'end': 4907.141, 'text': 'For example, social engineering, not clicking on links, not going to unwanted sites and so on and so forth.', 'start': 4900.833, 'duration': 6.308}], 'summary': 'Create a security awareness program to educate employees on company policies and procedures, minimizing data leakage and loss.', 'duration': 
33.009, 'max_score': 4874.132, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4874132.jpg'}, {'end': 5065.852, 'src': 'embed', 'start': 5031.05, 'weight': 6, 'content': [{'end': 5036.956, 'text': 'And for that I want a secondary control to be in place to ensure that if the first control fails,', 'start': 5031.05, 'duration': 5.906}, {'end': 5042.061, 'text': 'the second control would still be able to identify that and stop the security incident happening.', 'start': 5036.956, 'duration': 5.105}, {'end': 5047.246, 'text': 'So we are looking at residual risks and then having contingency plan to manage those residual risks.', 'start': 5042.361, 'duration': 4.885}, {'end': 5054.288, 'text': 'Question three when the cost of the countermeasures outweigh the cost of the risk, the best way to handle the risk is to reject the risk,', 'start': 5047.526, 'duration': 6.762}, {'end': 5056.789, 'text': 'transfer the risk, accept the risk or reduce the risk.', 'start': 5054.288, 'duration': 2.501}, {'end': 5059.63, 'text': 'Now there are four ways a risk can be managed right?', 'start': 5057.049, 'duration': 2.581}, {'end': 5064.072, 'text': 'Accept the risk, avoid the risk, transfer the risk or mitigate the risk.', 'start': 5059.91, 'duration': 4.162}, {'end': 5065.852, 'text': 'right?. Rejecting the risk is not an option.', 'start': 5064.072, 'duration': 1.78}], 'summary': 'Implement secondary control, manage residual risks, and choose cost-effective risk handling methods.', 'duration': 34.802, 'max_score': 5031.05, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw5031050.jpg'}], 'start': 4385.995, 'title': 'Cissp linear exam and security awareness', 'summary': 'Covers cissp linear exam details, language options, security governance principles, security control frameworks, risk assessment, and personnel security policies. 
it also discusses the importance of security awareness programs, addresses potential, identified, and residual risks, and provides insights on managing risks based on cost analysis.', 'chapters': [{'end': 4805.482, 'start': 4385.995, 'title': 'Cissp linear exam overview', 'summary': 'Covers the cissp linear exam details, language options, security governance principles, security control frameworks, risk assessment, and personnel security policies.', 'duration': 419.487, 'highlights': ['The CISSP exam is six hours long and consists of 250 questions, available in multiple languages including English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, and Korean. The exam duration and question count for the CISSP exam, and the supported languages.', 'Security governance principles involve aligning security policies with business goals, integrating security policy with enterprise architecture, and ensuring security supports business functionality. Explanation of security governance principles and its alignment with business goals.', 'Security control frameworks such as ISO 27001, COBIT, PCI DSS, NIST 800 series are essential, along with understanding due care and due diligence for enhancing organization security functions. The importance of security control frameworks and the concept of due care and due diligence in enhancing security functions.', 'Risk assessment involves identifying vulnerabilities, analyzing likelihood of exploitation, and understanding the business impact to create a plan for mitigation through business continuity or disaster recovery plans. The process of risk assessment and creating plans for mitigation through business continuity or disaster recovery plans.', 'Personnel security policies encompass physical security, protecting individuals from social engineering attacks, planning for natural calamities in business continuity and disaster recovery plans, and managing identity and access. 
The importance of personnel security policies in ensuring physical security and managing identity and access.']}, {'end': 5204.604, 'start': 4805.482, 'title': 'Security awareness and risk management', 'summary': 'Discusses the importance of security awareness programs, addresses the concepts of potential, identified, and residual risks, and provides insights on managing risks based on cost analysis, emphasizing the best approach to handle risks.', 'duration': 399.122, 'highlights': ['The primary goal of a security awareness program is to make everyone aware of potential risks and exposures, safeguard company assets, and minimize data leakage and data loss. The primary goal of a security awareness program is to make everyone aware of potential risks and exposures, safeguard company assets, and minimize data leakage and data loss.', 'A contingency plan should address residual risks and have secondary controls to manage those residual risks. A contingency plan should address residual risks and have secondary controls to manage those residual risks.', 'When the cost of the countermeasures outweighs the cost of the risk, the best way to handle the risk is to accept the risk. 
When the cost of the countermeasures outweighs the cost of the risk, the best way to handle the risk is to accept the risk.']}], 'duration': 818.609, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw4385995.jpg', 'highlights': ['The CISSP exam is six hours long and consists of 250 questions, available in multiple languages including English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, and Korean.', 'Security governance principles involve aligning security policies with business goals, integrating security policy with enterprise architecture, and ensuring security supports business functionality.', 'Security control frameworks such as ISO 27001, COBIT, PCI DSS, NIST 800 series are essential, along with understanding due care and due diligence for enhancing organization security functions.', 'Risk assessment involves identifying vulnerabilities, analyzing likelihood of exploitation, and understanding the business impact to create a plan for mitigation through business continuity or disaster recovery plans.', 'Personnel security policies encompass physical security, protecting individuals from social engineering attacks, planning for natural calamities in business continuity and disaster recovery plans, and managing identity and access.', 'The primary goal of a security awareness program is to make everyone aware of potential risks and exposures, safeguard company assets, and minimize data leakage and data loss.', 'A contingency plan should address residual risks and have secondary controls to manage those residual risks.', 'When the cost of the countermeasures outweighs the cost of the risk, the best way to handle the risk is to accept the risk.']}, {'end': 6138.941, 'segs': [{'end': 5245.43, 'src': 'embed', 'start': 5204.604, 'weight': 0, 'content': [{'end': 5209.607, 'text': 'which means we are not going to implement the firewall because it is outweighing the cost of the 
risk.', 'start': 5204.604, 'duration': 5.003}, {'end': 5212.169, 'text': 'We are just willing to accept the risk itself and move on.', 'start': 5209.647, 'duration': 2.522}, {'end': 5213.77, 'text': "That's the first domain.", 'start': 5212.529, 'duration': 1.241}, {'end': 5219.473, 'text': 'Moving on to the second, which is asset security, consists of topics about physical requirements of information security.', 'start': 5214.01, 'duration': 5.463}, {'end': 5222.776, 'text': "Let's go back to the document in hand.", 'start': 5219.734, 'duration': 3.042}, {'end': 5224.797, 'text': 'So moving on to domain two.', 'start': 5223.036, 'duration': 1.761}, {'end': 5232.102, 'text': "Asset security, we talk about assets, assets could be, now, okay, let's get into the definition of what an asset is.", 'start': 5225.217, 'duration': 6.885}, {'end': 5238.306, 'text': "Asset could be anything that has a monetary value associated with it from the organization's perspective.", 'start': 5232.322, 'duration': 5.984}, {'end': 5243.929, 'text': 'It could be data, it could be virtual assets, it could be physical assets, it could be anything and everything.', 'start': 5238.506, 'duration': 5.423}, {'end': 5245.43, 'text': 'It could be a license right?', 'start': 5243.989, 'duration': 1.441}], 'summary': 'Decision to skip firewall for cost reasons. 
asset security covers physical and virtual assets.', 'duration': 40.826, 'max_score': 5204.604, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw5204604.jpg'}, {'end': 5313.674, 'src': 'embed', 'start': 5282.995, 'weight': 4, 'content': [{'end': 5285.417, 'text': 'Determine and maintain information and asset ownership.', 'start': 5282.995, 'duration': 2.422}, {'end': 5288.379, 'text': 'So your asset management program comes into the picture.', 'start': 5285.497, 'duration': 2.882}, {'end': 5292.682, 'text': 'And when you say asset ownership, the organization owns the assets as they are.', 'start': 5288.499, 'duration': 4.183}, {'end': 5299.687, 'text': 'However, roles and responsibilities that you have created in the organization will ensure that some assets are virtually owned by somebody.', 'start': 5292.982, 'duration': 6.705}, {'end': 5302.428, 'text': 'that means that they are responsible for the well-being of that asset.', 'start': 5299.687, 'duration': 2.741}, {'end': 5305.55, 'text': 'so you have to identify who, for example, hr.', 'start': 5302.428, 'duration': 3.122}, {'end': 5313.674, 'text': 'now, hr is a function, human resources, but they also need it assets, for example, a payroll, which will institute a payroll software,', 'start': 5305.55, 'duration': 8.124}], 'summary': 'Maintain asset ownership by assigning responsibilities to specific roles within the organization.', 'duration': 30.679, 'max_score': 5282.995, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw5282995.jpg'}, {'end': 5415.323, 'src': 'embed', 'start': 5362.148, 'weight': 1, 'content': [{'end': 5369.43, 'text': 'GDPR basically states that you will only retain personal identifiable information for as long as the organization requires it.', 'start': 5362.148, 'duration': 7.282}, {'end': 5373.87, 'text': "The moment you have no reason to have that data with you, you're going 
to delete that data.", 'start': 5369.61, 'duration': 4.26}, {'end': 5378.391, 'text': "So which means automatically says you're going to retain that data till it makes business sense.", 'start': 5374.15, 'duration': 4.241}, {'end': 5386.433, 'text': "Once you figure out it doesn't, it is not required, you're going to delete it in a secure manner, which is not recoverable to unwanted parties.", 'start': 5378.771, 'duration': 7.662}, {'end': 5389.697, 'text': 'So you have to determine those asset retention periods.', 'start': 5386.713, 'duration': 2.984}, {'end': 5392.981, 'text': 'We have to understand what those attention retention periods are.', 'start': 5390.058, 'duration': 2.923}, {'end': 5398.388, 'text': 'So even for your physical assets, there will be a life of the asset that is associated with it.', 'start': 5393.021, 'duration': 5.367}, {'end': 5404.857, 'text': 'And once the life of that asset is over, even if the asset is working properly, you have to discard that asset and you have to replace it.', 'start': 5398.809, 'duration': 6.048}, {'end': 5406.818, 'text': 'You have to do this with security in mind.', 'start': 5405.017, 'duration': 1.801}, {'end': 5409.24, 'text': 'Then the security controls for all of these things.', 'start': 5407.058, 'duration': 2.182}, {'end': 5410.54, 'text': 'Understanding data states.', 'start': 5409.44, 'duration': 1.1}, {'end': 5412.462, 'text': 'Data states could be in three different aspects.', 'start': 5410.601, 'duration': 1.861}, {'end': 5415.323, 'text': 'Data in motion, data at rest, and data in use.', 'start': 5412.542, 'duration': 2.781}], 'summary': 'Gdpr mandates secure retention and deletion of personal data based on business necessity, including asset retention periods and security controls for data in motion, at rest, and in use.', 'duration': 53.175, 'max_score': 5362.148, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw5362148.jpg'}], 'start': 
5204.604, 'title': 'Infosec asset management and data protection measures', 'summary': 'Covers decision-making on risk acceptance in lieu of implementing a firewall, asset ownership and classification, gdpr regulations, asset retention periods, security controls, audit frequency, security architecture, engineering, communication, network security, vpn usage, and tcp protocol characteristics.', 'chapters': [{'end': 5338.593, 'start': 5204.604, 'title': 'Infosec asset management', 'summary': 'Covers the decision to accept risk over implementing a firewall due to cost, and the definition, classification, and ownership of assets within an organization, highlighting the importance of determining asset ownership and classifying different types of assets.', 'duration': 133.989, 'highlights': ["The decision to accept risk over implementing a firewall due to cost is discussed, showcasing the organization's willingness to accept risk and move on. The cost of implementing a firewall outweighs the risk, leading to the decision to accept the risk.", 'The definition and classification of assets within an organization are elaborated, emphasizing that assets include anything owned by the organization with a monetary value associated with it. Assets encompass anything owned by the organization with a monetary value, including data, virtual assets, physical assets, and more.', 'The importance of determining and maintaining information and asset ownership is highlighted, with a focus on roles and responsibilities within the organization to ensure the well-being of assets. Roles and responsibilities within the organization ensure the well-being of assets, with a specific emphasis on identifying asset ownership.']}, {'end': 6138.941, 'start': 5338.593, 'title': 'Data protection and security measures', 'summary': 'Discusses data protection measures including gdpr regulations, asset retention periods, security controls for data states, and security audit frequency. 
it also covers security architecture and engineering, including enterprise architecture, physical security, and managing vulnerabilities. additionally, it delves into communication and network security, covering topics such as vpn usage and characteristics of the tcp protocol.', 'duration': 800.348, 'highlights': ['The GDPR regulation mandates retaining personal identifiable information only as long as the organization requires it, emphasizing the need to delete data when it no longer serves a business purpose. GDPR regulation specifies the retention period for personal identifiable information, stressing the importance of data deletion when it is no longer necessary, aligning with business needs.', "Understanding asset retention periods, including physical assets, and the need to discard assets after their life span, ensuring secure disposal. Emphasizes the importance of understanding and adhering to asset retention periods, including physical assets, and the necessity of secure disposal after the asset's life span.", 'Explaining the security controls for data in motion, data at rest, and data in use, and the methods for protecting data during these stages. 
Detailed explanation of security controls for data states, covering data in motion, at rest, and in use, along with the methods employed to protect data during these stages.']}], 'duration': 934.337, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw5204604.jpg', 'highlights': ["The decision to accept risk over implementing a firewall due to cost is discussed, showcasing the organization's willingness to accept risk and move on.", 'The GDPR regulation mandates retaining personal identifiable information only as long as the organization requires it, emphasizing the need to delete data when it no longer serves a business purpose.', 'The definition and classification of assets within an organization are elaborated, emphasizing that assets include anything owned by the organization with a monetary value associated with it.', 'Understanding asset retention periods, including physical assets, and the need to discard assets after their life span, ensuring secure disposal.', 'The importance of determining and maintaining information and asset ownership is highlighted, with a focus on roles and responsibilities within the organization to ensure the well-being of assets.', 'Explaining the security controls for data in motion, data at rest, and data in use, and the methods for protecting data during these stages.']}, {'end': 6850.352, 'segs': [{'end': 6169.086, 'src': 'embed', 'start': 6139.261, 'weight': 1, 'content': [{'end': 6144.486, 'text': 'question three, which, if you remember the previous slide, would be the udp protocol.', 'start': 6139.261, 'duration': 5.225}, {'end': 6149.53, 'text': 'a udp protocol is a protocol that is used for its speed rather than reliability.', 'start': 6144.486, 'duration': 5.044}, {'end': 6157.957, 'text': 'when it is real-time processing that is required, we use udp, so most of our VoIP communications would happen over udp protocols.', 'start': 6149.53, 'duration': 8.427}, {'end': 
6163.201, 'text': 'okay, so, looking at domain number five, domain five talks about identity and access management.', 'start': 6157.957, 'duration': 5.244}, {'end': 6169.086, 'text': 'so this ties up with your asset management, your risk management, because, if we go back to the confidentiality,', 'start': 6163.201, 'duration': 5.885}], 'summary': 'Udp protocol is used for real-time processing, with most voip communications happening over it. domain 5 focuses on identity and access management.', 'duration': 29.825, 'max_score': 6139.261, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6139261.jpg'}, {'end': 6203.281, 'src': 'embed', 'start': 6180.191, 'weight': 4, 'content': [{'end': 6187.494, 'text': "so this becomes the essence of how you're going to allow people to access the resources that you have in your organization.", 'start': 6180.191, 'duration': 7.303}, {'end': 6189.955, 'text': "let's look at what this domain covers.", 'start': 6187.494, 'duration': 2.461}, {'end': 6192.936, 'text': 'it will talk about physical and logical access to assets.', 'start': 6189.955, 'duration': 2.981}, {'end': 6196.378, 'text': 'so servers need to be protected by putting them in a secure server room,', 'start': 6192.936, 'duration': 3.442}, {'end': 6203.281, 'text': 'thus restricting access to them and allowing access only to those few people who require access to them.', 'start': 6196.738, 'duration': 6.543}], 'summary': 'Domain covers physical and logical access to assets, restricting server access to authorized personnel.', 'duration': 23.09, 'max_score': 6180.191, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6180191.jpg'}, {'end': 6273.698, 'src': 'embed', 'start': 6240.342, 'weight': 3, 'content': [{'end': 6242.668, 'text': 'We are talking about single sign-ons.', 'start': 6240.342, 'duration': 2.326}, {'end': 6245.751, 'text': 'we will talk about 
federated identity management modules.', 'start': 6242.668, 'duration': 3.083}, {'end': 6249.234, 'text': "we'll look at CASB or cloud access service brokers.", 'start': 6245.751, 'duration': 3.483}, {'end': 6253.253, 'text': "we'll talk about session management from applications and so on, so forth.", 'start': 6249.234, 'duration': 4.019}, {'end': 6260.195, 'text': 'We will also talk about third party identity as a service provider, where we integrate those identities, like open ID,', 'start': 6253.533, 'duration': 6.662}, {'end': 6266.956, 'text': 'into our organization and we validate people based on the identity that they have created with those organizations.', 'start': 6260.195, 'duration': 6.761}, {'end': 6273.698, 'text': 'Then we talk about access control lists, which would be role based access controls mandatory access controls.', 'start': 6267.317, 'duration': 6.381}], 'summary': 'Discussion on single sign-ons, federated identity, casb, session management, third party identity integration, and access control lists.', 'duration': 33.356, 'max_score': 6240.342, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6240342.jpg'}, {'end': 6308.522, 'src': 'embed', 'start': 6279.54, 'weight': 2, 'content': [{'end': 6286.205, 'text': 'and then there are a lot of theoretical models that are integrated in this module, which talk about lattice based approach,', 'start': 6279.54, 'duration': 6.665}, {'end': 6294.492, 'text': 'which will talk about other theoretical models which will help you align how identity and access management is implemented in an organization.', 'start': 6286.205, 'duration': 8.287}, {'end': 6301.817, 'text': 'so at this point in time, we will also be looking at a life cycle of how identities are managed, for example, onboarding of people,', 'start': 6294.492, 'duration': 7.325}, {'end': 6308.522, 'text': 'deboarding of people, termination of employees, employees as they move within the 
organization by getting promotions,', 'start': 6301.817, 'duration': 6.705}], 'summary': 'The module integrates theoretical models for identity and access management, including managing identities throughout the employee lifecycle.', 'duration': 28.982, 'max_score': 6279.54, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6279540.jpg'}, {'end': 6449.366, 'src': 'embed', 'start': 6422.288, 'weight': 0, 'content': [{'end': 6428.833, 'text': 'Now the question here is which of the following is the most important factor while selecting a biometric system for secure and critical assets?', 'start': 6422.288, 'duration': 6.545}, {'end': 6434.137, 'text': 'Now would I want to focus on false rejection rate or false acceptance rate?', 'start': 6429.133, 'duration': 5.004}, {'end': 6437.699, 'text': 'Then we also have equal error rate and maximum allowable downtime.', 'start': 6434.237, 'duration': 3.462}, {'end': 6443.824, 'text': 'Maximum allowable downtime is if the biometric measure fails and if nobody is getting access to any of the resources,', 'start': 6437.98, 'duration': 5.844}, {'end': 6449.366, 'text': 'to what level or to what extent would my business be able to tolerate such an outage here?', 'start': 6444.244, 'duration': 5.122}], 'summary': 'Selecting a biometric system involves considering factors like false rejection rate, false acceptance rate, equal error rate, and maximum allowable downtime.', 'duration': 27.078, 'max_score': 6422.288, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6422288.jpg'}], 'start': 6139.261, 'title': 'Identity access management and biometric system selection', 'summary': 'Covers identity and access management, including physical and logical access control, authentication mechanisms, access control lists, and theoretical models. 
it also discusses the importance of selecting a biometric system for securing critical assets, emphasizing the significance of false acceptance rate, false rejection rate, and maximum allowable downtime, steganography, and security assessment and testing.', 'chapters': [{'end': 6338.356, 'start': 6139.261, 'title': 'Identity and access management', 'summary': 'Discusses the udp protocol for real-time processing, and then delves into domain five, which covers identity and access management, including physical and logical access control, authentication mechanisms, access control lists, and theoretical models. it emphasizes the importance of managing the identity life cycle.', 'duration': 199.095, 'highlights': ['The chapter emphasizes the use of UDP protocol for real-time processing, which prioritizes speed over reliability.', 'It explains domain five, focusing on physical and logical access control, authentication mechanisms, access control lists, and theoretical models.', 'It discusses the life cycle of identity management, including onboarding, deboarding, and managing identity relationships.', 'It details various authentication mechanisms such as single authentication, multi-factor authentication, single sign-ons, federated identity management modules, and cloud access service brokers.', 'It highlights the implementation of access control lists, including role-based access controls, mandatory access controls, discretionary access controls, attribute-based access controls, and rule-based access controls.']}, {'end': 6850.352, 'start': 6338.356, 'title': 'Biometric system selection', 'summary': 'Discusses the importance of selecting a biometric system for securing critical assets, emphasizing the significance of false acceptance rate, false rejection rate, and maximum allowable downtime, and also touches on steganography and security assessment and testing.', 'duration': 511.996, 'highlights': ['The false acceptance rate is the most important factor while selecting 
a biometric system for securing critical assets, as it poses a greater risk than the false rejection rate. The false acceptance rate poses a higher risk, as it allows unauthorized access to sensitive data, making it the most critical factor in biometric system selection.', 'The false acceptance rate and false rejection rate are the two major factors to measure biometric performance, with the former being less tolerable than the latter. Both the false acceptance rate and false rejection rate are crucial factors in evaluating biometric performance, with the false acceptance rate being less tolerable than the false rejection rate.', 'Steganography can be used to identify the authenticity of a document through techniques like adding invisible watermarks, highlighting its application beyond data hiding. Steganography can be applied to identify the authenticity of a document, such as adding invisible watermarks, expanding its use beyond data concealment.', 'The involvement of an information security analyst is required during program testing, as it is the phase where their contribution is most probable. An information security analyst is most likely involved in program testing, making it the phase where their contribution is most probable, despite the other phases also requiring security considerations.', 'Countermeasures testing is generally not used for monitoring purposes, as it assesses the effectiveness of implemented countermeasures rather than monitoring ongoing activities. 
Countermeasures testing is not typically used for monitoring purposes, as it focuses on evaluating the effectiveness of implemented countermeasures rather than monitoring ongoing activities.']}], 'duration': 711.091, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6139261.jpg', 'highlights': ['The false acceptance rate is the most important factor while selecting a biometric system for securing critical assets, as it poses a greater risk than the false rejection rate.', 'The chapter emphasizes the use of UDP protocol for real-time processing, which prioritizes speed over reliability.', 'It discusses the life cycle of identity management, including onboarding, deboarding, and managing identity relationships.', 'It details various authentication mechanisms such as single authentication, multi-factor authentication, single sign-ons, federated identity management modules, and cloud access service brokers.', 'It explains domain five, focusing on physical and logical access control, authentication mechanisms, access control lists, and theoretical models.']}, {'end': 8085.987, 'segs': [{'end': 6889.251, 'src': 'embed', 'start': 6863.984, 'weight': 0, 'content': [{'end': 6873.432, 'text': 'understanding and highlighting the keywords in the question itself and then analyzing the scenario that you are placed in and then identifying the most appropriate answer for that particular question,', 'start': 6863.984, 'duration': 9.448}, {'end': 6881.521, 'text': "that is how you want to approach a CISSP exam, Looking at the next domain, domain number seven, and that's security operations.", 'start': 6873.432, 'duration': 8.089}, {'end': 6884.345, 'text': "Let's look at what security operations has for us.", 'start': 6881.942, 'duration': 2.403}, {'end': 6889.251, 'text': "Now in security operations, you're looking at a SOC, a security operations center.", 'start': 6884.846, 'duration': 4.405}], 'summary': 'Approach cissp exam 
by understanding keywords and analyzing scenarios. domain 7 focuses on security operations and soc.', 'duration': 25.267, 'max_score': 6863.984, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6863984.jpg'}, {'end': 6930.922, 'src': 'embed', 'start': 6905.679, 'weight': 1, 'content': [{'end': 6915.51, 'text': 'What are event sources? When I have an SIEM implemented, I am not going to expect the SIEM to automatically start collecting data all by itself.', 'start': 6905.679, 'duration': 9.831}, {'end': 6921.014, 'text': "And then again, I don't expect the SIEM tool to understand what kind of data it needs to collect.", 'start': 6916.111, 'duration': 4.903}, {'end': 6930.922, 'text': "So for me in a security operation center, after I've installed an SIEM tool, I first need to configure it to identify which devices I want to monitor,", 'start': 6921.114, 'duration': 9.808}], 'summary': 'Event sources need to be configured in siem for data collection in security operation center.', 'duration': 25.243, 'max_score': 6905.679, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6905679.jpg'}, {'end': 7036.699, 'src': 'embed', 'start': 7013.81, 'weight': 2, 'content': [{'end': 7020.952, 'text': "So when you're looking at these requirements for investigation, all of these would have prescribed how you're going to handle that investigation.", 'start': 7013.81, 'duration': 7.142}, {'end': 7026.014, 'text': "If it is a criminal investigation, an organization by itself doesn't have the right to investigate.", 'start': 7021.332, 'duration': 4.682}, {'end': 7029.135, 'text': 'They have to go to a law enforcement agency and there is a procedure to follow.', 'start': 7026.034, 'duration': 3.101}, {'end': 7030.776, 'text': 'In case of a civil lawsuit.', 'start': 7029.455, 'duration': 1.321}, {'end': 7036.699, 'text': 'there are lawyers who would deal with this kind of 
activity, send out notices to the other party,', 'start': 7030.776, 'duration': 5.923}], 'summary': 'Organizations must follow procedures for investigations, involving law enforcement for criminal cases and lawyers for civil lawsuits.', 'duration': 22.889, 'max_score': 7013.81, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7013810.jpg'}, {'end': 7189.809, 'src': 'embed', 'start': 7166.829, 'weight': 5, 'content': [{'end': 7175.778, 'text': 'So people normally focus on a keyword called multi-level security policy and start getting confused in that while we do disregard what a subject and an object is.', 'start': 7166.829, 'duration': 8.949}, {'end': 7183.044, 'text': 'So a subject and an object is a relationship that is created between identity and access management, subject being the user,', 'start': 7176.698, 'duration': 6.346}, {'end': 7186.626, 'text': 'object being the resource that needs to be accessed by that particular user.', 'start': 7183.044, 'duration': 3.582}, {'end': 7189.809, 'text': 'After which comes a multi-level security policy,', 'start': 7187.247, 'duration': 2.562}], 'summary': 'Understanding the relationship between subject and object in multi-level security policies is crucial for identity and access management.', 'duration': 22.98, 'max_score': 7166.829, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7166829.jpg'}, {'end': 7253.428, 'src': 'embed', 'start': 7231.652, 'weight': 4, 'content': [{'end': 7240.119, 'text': 'And then the identity and access management tool would become the verification factor where it identifies the labels for the subject and the object.', 'start': 7231.652, 'duration': 8.467}, {'end': 7246.964, 'text': 'And based on those labels, they allow or disallow connectivity or allow connections to happen.', 'start': 7240.219, 'duration': 6.745}, {'end': 7253.428, 'text': "Now here the correct answer is that 
the subject sensitivity label must dominate the object's sensitivity label.", 'start': 7247.204, 'duration': 6.224}], 'summary': "Identity and access management tool verifies subject and object labels, with subject sensitivity label dominating object's sensitivity label.", 'duration': 21.776, 'max_score': 7231.652, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7231652.jpg'}, {'end': 7364.708, 'src': 'embed', 'start': 7338.22, 'weight': 6, 'content': [{'end': 7343.181, 'text': 'the only reason for anything to become a deterrent to business is the legality of it.', 'start': 7338.22, 'duration': 4.961}, {'end': 7347.042, 'text': 'if a business is illegal, it will not happen or it should not happen.', 'start': 7343.181, 'duration': 3.861}, {'end': 7352.644, 'text': 'however, if the business activity is legal, then security should not stop that activity from happening.', 'start': 7347.042, 'duration': 5.602}, {'end': 7361.206, 'text': 'security should be implemented in such a way that it is the business activity is strengthened, there is security embedded within it,', 'start': 7352.644, 'duration': 8.562}, {'end': 7364.708, 'text': 'secure by design then the business activity goes on.', 'start': 7361.206, 'duration': 3.502}], 'summary': 'Legal business should not be deterred by security; it should be strengthened by secure design.', 'duration': 26.488, 'max_score': 7338.22, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7338220.jpg'}, {'end': 7508.633, 'src': 'embed', 'start': 7483.285, 'weight': 7, 'content': [{'end': 7490.908, 'text': 'we are basically installing a software or an application on a particular system which allows a hacker a backdoor access to the system.', 'start': 7483.285, 'duration': 7.623}, {'end': 7495.669, 'text': 'So this would violate the integrity of the system itself.', 'start': 7491.168, 'duration': 4.501}, {'end': 7501.831, 
'text': 'The data would be compromised, but the data would be compromised because the system got compromised.', 'start': 7496.029, 'duration': 5.802}, {'end': 7508.633, 'text': "A user doesn't matter because a backdoor is a backdoor entry where you can get access without even logging in as a user.", 'start': 7502.311, 'duration': 6.322}], 'summary': 'Installing backdoor software compromises system integrity and allows unauthorized access to data.', 'duration': 25.348, 'max_score': 7483.285, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7483285.jpg'}, {'end': 7706.673, 'src': 'embed', 'start': 7667.326, 'weight': 8, 'content': [{'end': 7670.229, 'text': "So credit cards you're going to be going to be involved.", 'start': 7667.326, 'duration': 2.903}, {'end': 7672.491, 'text': "There's a database or SQL injection attacks.", 'start': 7670.249, 'duration': 2.242}, {'end': 7675.153, 'text': "So these are the threats that we're looking at.", 'start': 7672.811, 'duration': 2.342}, {'end': 7679.697, 'text': 'And now a threat modeling exercise would be followed by a risk assessment.', 'start': 7675.413, 'duration': 4.284}, {'end': 7686.3, 'text': 'then would be looked at upon a by an impact analysis and then, based on that, you will prioritize those risks.', 'start': 7680.097, 'duration': 6.203}, {'end': 7689.782, 'text': 'you will then educate your developers to use secure coding practices.', 'start': 7686.3, 'duration': 3.482}, {'end': 7695.205, 'text': 'at the same time, security testing would be done to see how the application is being evolved and then,', 'start': 7689.782, 'duration': 5.423}, {'end': 7698.607, 'text': 'by the time that the software development lifecycle comes to an end,', 'start': 7695.205, 'duration': 3.402}, {'end': 7706.673, 'text': 'you would have a secure software which had security by design integrated since the inception rather than having bolted on.', 'start': 7698.607, 'duration': 
8.066}], 'summary': 'Threat modeling, risk assessment, and secure coding to build secure software.', 'duration': 39.347, 'max_score': 7667.326, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7667326.jpg'}, {'end': 7777.481, 'src': 'embed', 'start': 7748.353, 'weight': 13, 'content': [{'end': 7754.96, 'text': 'you look at the costs, you look at the timelines, deadlines and then you take an informed decision of how much you want to invest in what.', 'start': 7748.353, 'duration': 6.607}, {'end': 7761.187, 'text': 'In the ideal world for the CISSP exam, there are no limitations.', 'start': 7755.401, 'duration': 5.786}, {'end': 7770.836, 'text': "You are looking at the most correct way of doing those things and thus you identify those requirements and that's how you answer the exam.", 'start': 7761.827, 'duration': 9.009}, {'end': 7777.481, 'text': "So you're looking at the security software environments that you require configuration management, auditing and logging of changes.", 'start': 7771.136, 'duration': 6.345}], 'summary': 'Cissp exam preparation involves identifying security software requirements such as configuration management, auditing, and logging of changes.', 'duration': 29.128, 'max_score': 7748.353, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7748353.jpg'}, {'end': 7811.04, 'src': 'embed', 'start': 7786.667, 'weight': 14, 'content': [{'end': 7795.892, 'text': 'now this software, when integrated, how is it going to impact my current security controls, impact my current identity access management,', 'start': 7786.667, 'duration': 9.225}, {'end': 7799.894, 'text': 'my networking, my other applications, my communications?', 'start': 7795.892, 'duration': 4.002}, {'end': 7803.016, 'text': "so that's something that you want to assess as well, right?", 'start': 7799.894, 'duration': 3.122}, {'end': 7806.097, 'text': "so let's go for the 
questions, Question 1..", 'start': 7803.016, 'duration': 3.081}, {'end': 7811.04, 'text': 'In which of the following RAID level the drive array continues to operate even if any disk fails?', 'start': 7806.097, 'duration': 4.943}], 'summary': 'Integration impact on security controls, identity access management, networking, applications, and communications must be assessed. question 1: raid levels.', 'duration': 24.373, 'max_score': 7786.667, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7786667.jpg'}, {'end': 7849.976, 'src': 'embed', 'start': 7824.386, 'weight': 15, 'content': [{'end': 7830.408, 'text': 'the different levels of RAID because you might want to use that as a solution in a particular thing.', 'start': 7824.386, 'duration': 6.022}, {'end': 7834.43, 'text': "How do you want to implement RAID and all of those? That's not the knowledge that we want.", 'start': 7830.469, 'duration': 3.961}, {'end': 7838.192, 'text': 'But in this scenario, RAID level 7 is the ideal answer.', 'start': 7834.59, 'duration': 3.602}, {'end': 7847.415, 'text': 'Question 2, which of the following steps can be utilized or can be used to protect an organization against the failure of a critical software firm?', 'start': 7838.632, 'duration': 8.783}, {'end': 7849.976, 'text': 'Now, basically, what does this talk about?', 'start': 7847.815, 'duration': 2.161}], 'summary': 'Raid level 7 is the ideal solution for data protection against software firm failure.', 'duration': 25.59, 'max_score': 7824.386, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7824386.jpg'}, {'end': 7893.672, 'src': 'embed', 'start': 7867.123, 'weight': 16, 'content': [{'end': 7871.505, 'text': 'If the business continuity plan fails, then the disaster recovery plan kicks in.', 'start': 7867.123, 'duration': 4.382}, {'end': 7881.549, 'text': 'So if you look into it, as we go in, we might even come 
against terminologies like RTOs, RPOs, return time objective and recovery point objective.', 'start': 7871.885, 'duration': 9.664}, {'end': 7888.951, 'text': 'And at that point in time, you want to look at how do we want to recover from a data loss? And thus, you will come across solutions.', 'start': 7881.929, 'duration': 7.022}, {'end': 7893.672, 'text': 'Now of the four options full backups, differential backups and incremental backups.', 'start': 7889.071, 'duration': 4.601}], 'summary': 'In case of business continuity plan failure, disaster recovery plan takes over. recovery strategies involve rtos, rpos, and backup options.', 'duration': 26.549, 'max_score': 7867.123, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7867123.jpg'}, {'end': 7994.617, 'src': 'embed', 'start': 7972.447, 'weight': 17, 'content': [{'end': 7980.971, 'text': 'because I may have invested millions of dollars, or reinvesting into a different product and migrating to a different product would be expensive,', 'start': 7972.447, 'duration': 8.524}, {'end': 7983.212, 'text': 'very costly and may be very time consuming.', 'start': 7980.971, 'duration': 2.241}, {'end': 7987.334, 'text': 'So what do I do with that point in time? 
So there is an option for a software escrow agreement.', 'start': 7983.232, 'duration': 4.102}, {'end': 7988.234, 'text': 'What does that mean?', 'start': 7987.434, 'duration': 0.8}, {'end': 7994.617, 'text': "That the source code of that software is placed in an escrow, which means, let's say,", 'start': 7988.534, 'duration': 6.083}], 'summary': 'Having invested millions in a product, the organization can use a software escrow agreement so the source code stays available if the vendor fails.', 'duration': 22.17, 'max_score': 7972.447, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw7972447.jpg'}], 'start': 6851.053, 'title': 'CISSP exam and security operations', 'summary': 'Covers the CISSP exam approach, security operations center tasks, creating a SOC, information security policy development, and software development security in CISSP, along with the ideal-world assumption behind CISSP exam questions.', 'chapters': [{'end': 7047.025, 'start': 6851.053, 'title': 'CISSP exam approach & security operations', 'summary': 'Discusses the approach to the CISSP exam and highlights the key tasks of a security operations center, such as managing incidents, configuring the SIEM tool, and handling investigation requirements.', 'duration': 195.972, 'highlights': ['In security operations, tasks include managing incidents, configuring the SIEM tool, and handling investigation requirements.', 'SIEM tool configuration involves identifying event sources, data collection, and storage.', 'Investigation requirements encompass criminal laws, civil laws, regulatory laws, and industry standards.', 'Handling investigation requirements involves following procedures for criminal investigation, civil lawsuit, and GDPR.', 'Understanding and highlighting keywords in CISSP exam questions is crucial for an effective approach.']}, {'end': 7274.483, 'start': 7047.325, 'title': 'Creating a security operations center', 'summary': 'Discusses the key aspects of creating a security operations center, including logging and monitoring 
activities, asset identification, and access management, emphasizing the importance of understanding theoretical access management models and sensitivity labels for effective policy creation.', 'duration': 227.158, 'highlights': ['Understanding theoretical access management models and sensitivity labels is crucial for effective policy creation: the theoretical models for access management, including the lattice-based approach, the Clark-Wilson model, and the Bell-LaPadula model, are essential for creating effective security policies.', 'Importance of the subject and object relationship in identity and access management: the relationship between subjects (users) and objects (resources), along with the access control matrix, is crucial for implementing a multi-level security policy.', "The subject's sensitivity label must dominate the object's sensitivity label: this is the access control principle (the Bell-LaPadula simple security property for read access), ensuring that users hold a sensitivity label at or above that of the objects they access."]}, {'end': 7520.741, 'start': 7275.273, 'title': 'Ideal department for information security policy', 'summary': 'Emphasizes that the business operations department, not the IT department, is ideal for developing information security policies, as security needs to enhance business functionality, ensuring secure business activities without hindering them.', 'duration': 245.468, 'highlights': ['The business operations department, not the IT department, is ideal for developing information security policies, as security needs to enhance business functionality: the CISSP training emphasizes that security must enable secure business activities without hindering them.', 'Security should be implemented to strengthen business activities, with security embedded within them, ensuring secure business operations. 
Security should be implemented in such a way that it strengthens business activities, ensuring security is embedded within them without hindering business operations.', 'Installing malicious software on a system to allow future backdoor access violates the integrity of the system itself (an unauthorized modification of the system), compromising the security of the system.']}, {'end': 7706.673, 'start': 7520.741, 'title': 'CISSP: software development security', 'summary': 'Covers software development security in CISSP, emphasizing the importance of integrating a secure software development lifecycle (SSDLC) from inception, including threat modeling, risk assessment, secure coding practices, and security testing.', 'duration': 185.932, 'highlights': ['Integrating security at every phase of the software development lifecycle (SDLC) is essential, emphasizing security by design rather than bolted on, to ensure a secure software product.', 'A threat modeling exercise is conducted during the inception phase to identify and prioritize the security risks, such as payment information handling, credit card involvement, and database or SQL injection attacks.', 'Risk assessment, impact analysis, and prioritization of risks are carried out based on the identified threats and vulnerabilities during the software development process.', 'Developers are educated and encouraged to use secure coding practices to ensure the development of a secure software product, reducing the likelihood of vulnerabilities and security flaws.', "Continuous security testing is performed throughout the software development lifecycle to monitor the evolution of the application's security and ensure the integration of security by design."]}, {'end': 8085.987, 'start': 7706.953, 'title': 'Ideal-world assumption in CISSP exam questions', 'summary': 'Emphasizes that CISSP exam questions assume an ideal world with no cost or time limits, so the most correct answer is expected; covers security software environments, RAID levels, disaster recovery, and software escrow agreements.', 'duration': 379.034, 'highlights': ['The ideal-world assumption in CISSP exam questions: the chapter emphasizes that the exam assumes adequate time, resources, and knowledge, so the candidate should choose the most correct decision rather than a cost-constrained compromise.', 'Security software environments and impact assessment: the transcript discusses the need to assess the impact of integrating third-party software on security controls, identity and access management, networking, applications, and communications.', 'RAID levels and their relevance to the CISSP exam: the chapter provides insights into RAID levels, emphasizing the significance of understanding RAID as a potential solution in specific scenarios, such as the CISSP exam.', 'Disaster recovery and business continuity concepts: the transcript covers the importance of business continuity plans and disaster recovery, along with terminology like RTO (recovery time objective) and RPO (recovery point objective), in mitigating business interruptions and data loss.', 'Software escrow agreements and their role in risk mitigation: the chapter explains software escrow as a risk mitigation strategy, ensuring access to source code in cases of software provider bankruptcy or cessation of support.']}], 'duration': 1234.934, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/i6vKjSa20iw/pics/i6vKjSa20iw6851053.jpg', 'highlights': ['Understanding and highlighting keywords in CISSP exam questions is crucial for an effective approach.', 'SIEM tool configuration involves identifying event sources, data collection, 
and storage.', 'Investigation requirements encompass criminal laws, civil laws, regulatory laws, and industry standards.', 'Handling investigation requirements involves following procedures for criminal investigation, civil lawsuit, and GDPR.', "The correct access control principle is that the subject's sensitivity label must dominate the object's sensitivity label, ensuring that users have the appropriate sensitivity label to access corresponding objects.", 'The relationship between subjects (users) and objects (resources) in identity and access management, along with the access control matrix, is crucial for implementing a multi-level security policy.', 'Security should be implemented in such a way that it strengthens business activities, ensuring security is embedded within them without hindering business operations.', 'Installing malicious software on a system to allow future backdoor access violates the integrity of the system itself, compromising the security of the system.', 'Integrating security at every phase of the software development lifecycle (SDLC) is essential, emphasizing security by design rather than bolted on, to ensure a secure software product.', 'Threat modeling exercise is conducted during the inception phase to identify and prioritize the security risks, such as payment information handling, credit card involvement, and database or SQL injection attacks.', 'Risk assessment, impact analysis, and prioritization of identified risks', 'Developers are educated and encouraged to use secure coding practices to ensure the development of a secure software product, reducing the likelihood of vulnerabilities and security flaws.', "Continuous security testing is performed throughout the software development lifecycle to monitor the evolution of the application's security and ensure the integration of security by design.", 'The chapter emphasizes the significance of an ideal scenario for CISSP exam training, ensuring adequate time, resources, and 
knowledge for making correct decisions.', 'The transcript discusses the need to assess the impact of integrating third-party software on security controls, identity and access management, networking, applications, and communications.', 'The chapter provides insights into RAID levels, emphasizing the significance of understanding RAID as a potential solution in specific scenarios, such as the CISSP exam.', 'The transcript covers the importance of business continuity plans and disaster recovery, along with terminology like RTO (recovery time objective) and RPO (recovery point objective), in mitigating business interruptions and data loss.', 'The chapter explains the concept of software escrow agreements as a risk mitigation strategy, ensuring access to source code in cases of software provider bankruptcy or cessation of support.']}], 'highlights': ['CISSP certification is in high demand with nearly 50,000 job postings.', 'The certification comprises 8 domains covering various aspects of information security.', 'The training covers the importance of having a CISSP certification and the exam requirements.', 'Malware encompasses viruses, ransomware, worms, and Trojans.', 'Information security seeks to safeguard data and information systems from vulnerabilities.', 'Importance of aligning security mechanisms with business plans and visions for long-term effectiveness.', 'Risk management includes identifying and mitigating security risks, implementing security controls, and ensuring appropriate direction of information security investments.', 'Newer organizations may opt for qualitative risk analysis due to limited historical data.', 'CISSP is a gold standard management certification in information security, requiring at least five years of experience in two or more domains for certification.', 'The CISSP exam is known for its toughness, with a passing rate of less than 50%.', 'The decision to accept risk over implementing a firewall due to cost is discussed.', 'Understanding asset retention periods, including physical 
assets, and the need to discard assets after their life span.', 'The false acceptance rate is the most important factor while selecting a biometric system for securing critical assets.', 'Understanding and highlighting keywords in CISSP exam questions is crucial for an effective approach.', 'Security should be implemented in such a way that it strengthens business activities, ensuring security is embedded within them without hindering business operations.', 'Integrating security at every phase of the software development lifecycle (SDLC) is essential, emphasizing security by design rather than bolted on.', 'Developers are educated and encouraged to use secure coding practices to ensure the development of a secure software product.', "Continuous security testing is performed throughout the software development lifecycle to monitor the evolution of the application's security and ensure the integration of security by design.", 'The chapter emphasizes the significance of an ideal scenario for CISSP exam training, ensuring adequate time, resources, and knowledge for making correct decisions.', 'The transcript discusses the need to assess the impact of integrating third-party software on security controls, identity access management, networking, applications, and communications.', 'The chapter provides insights into RAID levels, emphasizing the significance of understanding RAID as a potential solution in specific scenarios, such as the CISSP exam.', 'The transcript covers the importance of business continuity plans and disaster recovery, along with terminologies like RTOs and RPOs, in mitigating business interruptions and data loss.', 'The chapter explains the concept of software escrow agreements as a risk mitigation strategy, ensuring access to source code in cases of software provider bankruptcy or cessation of support.']}