Hello and welcome to the session in which we will discuss the cybersecurity framework. Specifically, we're gonna be discussing the four tiers and the profile of the cybersecurity framework. In the prior five sessions we discussed the five core functions, which are identify, detect, protect, respond and recover. So if you have any questions about those concepts, please go back to the prior sessions, because I'm gonna be assuming you understand what a function is, what a category is and what a subcategory is, because we are gonna be using the knowledge that we learned from the five core functions, or the five core tenets, in order to create a profile, and from the profile we're gonna classify ourselves as an organization under which of the four tiers we belong in the ecosystem of the cybersecurity world.

Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's gonna help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim and Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true/false questions as well as exercises. Go ahead, start your free trial today: no obligation, no credit card required.

Looking at the big picture once again, we're gonna start with the core functions, of which we have five, and I'm gonna go over them extremely briefly. The first one is identify, and what are we identifying?
Identifying what we have to protect, what we need to protect: identifying our assets such as hardware, software, network, processes, and including personnel. Then, once we identify those, we are going to protect them. How are we going to protect them? Well, we're gonna need to learn how to defend them, whether we use a firewall or any other cybersecurity techniques. After protecting, then we need to detect. What is detecting? Detecting is an ongoing process, making sure that if there is a breach, we are aware of it; we are detecting the breach. Four is respond, and as the word respond implies, looking at how to respond. Now again, each one of these functions will have categories and subcategories. Then at the end we recover, and what needs to be done at the recovery? To do what? To get back online, in quotes, or working at full capacity.

So under these five core functions we discussed 23 categories, and they are separated among those five. Then we have 108 subcategories for the 23 categories. Now, how do we use this information as an organization? The first thing that the organization will have to do is create what we call a target profile. And what is a target profile? Based on our business, based on our mission, based on our risk management, based on our priorities, what we do is we create a risk assessment to determine what should be our desired cybersecurity outcome. How do we do so? Well, we're gonna be looking at those categories and subcategories based on our business: which categories and subcategories do we need to select? Now, there's a good chance they may not all apply to your company, but the point is you want to know which ones are relevant and applicable to your company and basically list them. These are the categories and subcategories, which are the controls that I need to have for my company. This is my target profile. How did I create this? Well,
I reviewed the functions, their categories and their subcategories. Then what you do is you're gonna be truthful with yourself: you're gonna assess your current cybersecurity practices. And how do you do so? You will map your current cybersecurity practices again to the functions and to the categories. Now you have the target; you have the ideal where you should be. What's the ideal target? It is the target profile. You look at your current profile, and guess what: the difference between them is what we call gap analysis. What does that mean? It means you need to analyze the differences. Where are you lacking in cybersecurity? How do you know? Well, you look: you selected what should be the best for me based on what I do; this is what I have right now, the current profile; the difference is the gap analysis. Then you're gonna have to look at the gap analysis and prioritize actions to close the gap. Simply put, you have to implement based on the organization's priorities: you'll have to develop and execute an action plan to achieve the desired cybersecurity, which is your target profile.
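The target profile, current profile, gap analysis and prioritized action plan described above, as an added worked example that is not part of the lecture or of the NIST framework itself: the subcategory identifiers follow the CSF 1.1 naming scheme, but the profile contents, outcome wording and priorities are constructed for illustration.

```python
from dataclasses import dataclass

# Map the identifier prefix to the core function it belongs to.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Control:
    subcategory: str   # CSF 1.1 style identifier, e.g. "PR.DS-1"
    outcome: str       # the desired cybersecurity outcome (constructed wording)
    priority: int      # 1 = highest business priority, set by the organization


# Constructed target profile: the outcomes this hypothetical firm decided it needs.
TARGET_PROFILE = [
    Control("ID.AM-1", "Hardware assets are inventoried", 2),
    Control("PR.DS-1", "Data at rest is encrypted", 1),
    Control("PR.IP-4", "Backups are taken and tested", 1),
    Control("DE.CM-4", "Malicious code is detected", 2),
    Control("RS.RP-1", "Response plan is executed during an incident", 3),
]

# Constructed current profile: the subcategories the self-assessment found in place.
CURRENT_PROFILE = {"ID.AM-1", "DE.CM-4"}


def gap_analysis(target, current):
    """Target controls the organization does not yet have, highest priority first."""
    gaps = [c for c in target if c.subcategory not in current]
    return sorted(gaps, key=lambda c: (c.priority, c.subcategory))


def gaps_by_function(gaps):
    """Count open gaps per core function to show where you are lacking."""
    counts = {}
    for c in gaps:
        name = FUNCTIONS[c.subcategory.split(".")[0]]
        counts[name] = counts.get(name, 0) + 1
    return counts


def coverage(target, current):
    """Share of the target profile already met, from 0.0 to 1.0."""
    met = sum(1 for c in target if c.subcategory in current)
    return round(met / len(target), 2)


def action_plan(gaps):
    """Ordered list of actions to close the gap, one per missing control."""
    return [f"{i}. Implement {c.subcategory}: {c.outcome}"
            for i, c in enumerate(gaps, start=1)]
```

Running `action_plan(gap_analysis(TARGET_PROFILE, CURRENT_PROFILE))` lists the encryption and backup controls first because the organization gave them priority 1, which is the prioritization step the lecture describes.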
This is important for a business, because businesses will take this very seriously, and the reason is you are trying to protect yourself. Remember, if you got a cybersecurity attack, it might put some businesses out of business. So it's very important that businesses take their cybersecurity seriously, and that's why this topic is relevant for CPAs, CMAs, accounting people, because they are treated as business advisors. So that's why you need to know this for your CPA exam; that's why you need to learn about this for your CMA exam. So basically you have to understand, under your current profile, you have to have basic security like data security, data backup, data encryption. If you don't have them, well, you should have them; if you don't have them, then there's a gap analysis. You have to basically get those basic protections.

Now, after you have the profile, then you have to classify yourself basically under four tiers. Okay, where do you stand? Are you partial? Are you risk informed? Are you repeatable, or are you adaptive? So simply put, you have to basically determine what level you are at in cybersecurity, so at least you're aware of where you are. So that's very important. What we need to do now is go through each one of these tiers separately to explain them. Now bear in mind: this is the least mature, basically here you are a novice, you are an amateur, and this is the most mature. And we're gonna see what each level implies.

Tier one is called the partial tier. At this level, the organization's cybersecurity practices are reactive; they're ad hoc. What does that mean?
It means they have no plan. They're waiting for something to happen, and they're hoping that nothing will happen; then they will react based on that. They're not aware of the cybersecurity risk, or they have limited awareness of the cybersecurity risk, and risk management is performed on an irregular basis, or they don't even have risk management for cybersecurity. There is no formalized process for identifying and responding to incidents, and there may not be a clear understanding of the organization's risk tolerance. Simply put, here what you're doing is you are driving blind. You're hoping for the best. You have limited awareness of what's going on. And who would have something like this? Typically a small business without a dedicated IT department or cybersecurity personnel, relying on basic antivirus software and not having comprehensive risk management in place. So when you are under those circumstances, you might be under this tier, which is tier one, partial.

Now tier two, which is risk informed. Again, each tier is more mature than the prior one. Under this tier, organizations have developed some (rather than limited) risk management processes and have a basic understanding of the risk profile. So you understand what's out there; that's basically what this tier is. It's not that much better, but it's better than tier one, which is partial. However, these processes may not be consistently applied across the organization. So the problem with risk informed is that some of the risk management may not apply for every section of the company. And there's some collaboration between different departments to address cybersecurity, and management is aware of the need for risk management. So here you are a little bit more aware, but you're not doing much. You have more knowledge; that's basically it. Usually a mid-sized company with an IT department
that's aware of cybersecurity but lacks a comprehensive and organization-wide risk management approach, and has a limited incident response capability. So they don't know what to do in case something happens.

If you belong to tier three, which is called repeatable, organizations at this level have established and documented cybersecurity risk management processes. Now they have it on paper what needs to be done, and they are consistently applied across the organization, versus the prior tier where, even if you have some of that, it's not consistently applied. Here you don't have the proper tools to deal with the attacks in real time. So you're aware of it, you have it on paper, but you don't have the tools. That's the problem: you don't have the tools to deal with it. You have a clear understanding of the risk tolerance and its potential impact. You are aware, but you don't have the weapon to fight back. That's what tier three is. So the organization's management is actively involved in the risk management process and fosters a culture of cybersecurity awareness. Here you might have a large enterprise with a dedicated cybersecurity team that has implemented a risk management program, conducts regular risk assessments, has an incident response, and provides regular cybersecurity training for employees. But you can do better. Where can you do better?

Tier four, which is adaptive. In tier four, the organization has a mature and proactive approach to cybersecurity risk management. Here you're not waiting for the monster to come to your place; you're out there trying to kill the monster before it comes to your place. Here you are continuously reviewing and adapting cybersecurity practices based on lessons learned and predictive indicators. You're just kind of proactive. You just want to predict where the next attack is gonna come from.
Basically patching your vulnerabilities using advanced technology and threat intelligence. Notice here you also have the tools: you're aware, you have everything documented, but you also have the tools. Here you are actively collaborating with external partners and sharing information to enhance the cybersecurity posture of both your organization and the larger community. Here you are practically involved. Who can afford something like this? A multinational corporation. Now, when I say small versus large versus medium, it doesn't mean a small corporation couldn't have an adaptive tier; I'm just giving you an example to kind of get you close to it. But usually an adaptive one is a multinational with a lot of resources; that's why I'm saying this. But you could also have a multinational or a large corporation at tier three or tier two, hopefully not tier one. But the point is just to give you something more realistic so you'll understand this: a multinational corporation with a robust cybersecurity program that uses advanced threat detection systems, actively participates in an industry-specific cybersecurity group, and continuously adapts its cybersecurity strategies based on real-time threat intelligence and risk management. And every company, you want to be in tier four. Why? Because you are well protected, you are active, you are not waiting for the attack to occur. You are trying to identify vulnerabilities, trying to identify those attacks before they occur, predict them; they are looking for predictive indicators based on intelligence.

What should you do now? Go to Farhat Lectures and look at the MCQs. That's gonna help you understand this topic. As a CPA, a CMA, an accounting student, you want to understand this topic inside out for your exam as well as for the real world, because you could be in charge, or you could be involved in committees that deal with cybersecurity. Good luck, study hard, and of course stay safe.