WEBVTT

00:00:00.688 --> 00:00:03.260
One thing I should say is we're going to talk about

00:00:03.260 --> 00:00:06.688
data breaches in a different course,

00:00:06.688 --> 00:00:10.888
but when a forensic investigator comes and looks at

00:00:10.888 --> 00:00:14.688
you, one of the questions I answer to the card brands is,

00:00:14.688 --> 00:00:19.688
did not having this requirement in place,

00:00:19.688 --> 00:00:22.688
did that contribute to the breach, right?

00:00:22.688 --> 00:00:27.355
So no one ever cares when you're breached that your 288 controls are all

00:00:27.355 --> 00:00:30.688
running and everything and compliant and working fine.

00:00:30.688 --> 00:00:36.688
But did any of the controls fail in a way that made the breach happen, right?

00:00:36.688 --> 00:00:40.688
And one I always used to see was the fact that the policies were not right.

00:00:40.688 --> 00:00:43.688
So the forensic investigator says show me your policies.

00:00:43.688 --> 00:00:44.688
We don't have one.

00:00:44.688 --> 00:00:45.234
That's a fail.

00:00:45.234 --> 00:00:46.688
You didn't have a policy for a firewall.

00:00:46.688 --> 00:00:48.688
They broke in through a firewall.

00:00:48.688 --> 00:00:49.688
Everything else about your firewalls was fine,

00:00:49.688 --> 00:00:51.688
but your policy failed,

00:00:51.688 --> 00:00:54.688
and now you're maybe assessed as liable for that breach

00:00:54.688 --> 00:00:55.688
for not having a policy in place.

00:00:55.688 --> 00:00:56.688
Right.

00:00:56.688 --> 00:00:58.688
So although it might not be the cause of a compromise,

00:00:58.688 --> 00:01:00.938
it might be the cause of some really serious

00:01:00.938 --> 00:01:02.688
questions if you do suffer a breach.

00:01:02.688 --> 00:01:03.688
Right.

00:01:03.688 --> 00:01:03.974
Great.

00:01:03.974 --> 00:01:05.688
Anything else we should talk about?

00:01:05.688 --> 00:01:08.688
Firewall, personal firewalls, and policies?

00:01:08.688 --> 00:01:15.022
I'd say the one thing that I do see more and more of now where in my current

00:01:15.022 --> 00:01:18.688
employment we do a variety of different kinds of audits,

00:01:18.688 --> 00:01:24.688
so we do PCI, and we do SSAE 18, SOC, and we do ISO 27001,

00:01:24.688 --> 00:01:27.688
very often I have organizations come to me and say here are the policies,

00:01:27.688 --> 00:01:30.022
and they were adequate for ISO 27001.

00:01:30.022 --> 00:01:32.688
They should be fine for you.

00:01:32.688 --> 00:01:33.688
And that, I think,

00:01:33.688 --> 00:01:37.688
really gets into the sort of differentiation between policies and procedures,

00:01:37.688 --> 00:01:40.688
which maybe PCI DSS doesn't care so much about,

00:01:40.688 --> 00:01:43.688
but those policies that are sort of ISO adequate are very,

00:01:43.688 --> 00:01:45.688
very high level, right,

00:01:45.688 --> 00:01:51.688
and do not have a lot of the sort of necessary detail that we require.

00:01:51.688 --> 00:01:55.188
And maybe that should go in your procedure documents if you also have

00:01:55.188 --> 00:01:58.831
ISO requirements for policies that are very top level.

00:01:58.831 --> 00:02:00.813
That's fine, but then, fine,

00:02:00.813 --> 00:02:03.938
show me the attendant procedures that also have the detail,

00:02:03.938 --> 00:02:06.355
who does what, how do you accomplish this,

00:02:06.355 --> 00:02:07.688
what are the steps.

00:02:07.688 --> 00:02:11.938
And if you don't have that, then maybe your ISO auditor will say,

00:02:11.938 --> 00:02:13.779
eh, you're fine, but I'm going to say, hmm,

00:02:13.779 --> 00:02:14.688
we need more substance here.

00:02:14.688 --> 00:02:15.688
Okay.
