Hello and welcome to this session, in which we will look at the cybersecurity framework; specifically, we are going to be discussing the Protect function within the five core functions. In the prior session we looked at the overall objective of the US cybersecurity framework, gave a historical overview, and discussed the Identify function. Simply put, this is the big picture: in the prior session we completed the Identify function, which is one out of five functions, and within this function we had six categories: one, two, three, four, five, six. In this session we will look at the Protect function, and under the Protect function we have one, two, three, four, five, also six. So we already completed six, and we're gonna complete six today. In this session I'm gonna give you a little bit of the subcategories, just to kind of make sense of things, and remember we have many references for these categories and subcategories.

Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's gonna help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles; my accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple choice questions, true-false questions as well as exercises. Go ahead, start your free trial today: no obligation, no credit card required.

Simply put, I'm gonna be using this template; this is what I used in the prior session, for consistency. Simply put, this section here is gone. So I'm gonna be filling this section: I'm gonna be filling identity management and access control. Now, identity management and access control used to be called access control; then they added identity management to it. Why identity management?
Because they believe they should give some weight, some importance, to the people involved in the management of the access. Access to what? Access to the system. So the category here is access control: basically protecting the system, giving access; and that access could be logical, could be physical, could be remote. It's access. So here what we have to be aware of is: identities and credentials are managed for authorized devices and users, including outsiders. This is why we added the identity management: we want to know exactly who has access to what, who's authorized to do what, including outsiders. As part of your cybersecurity you want to be aware of this. If you want to protect your system, you want to hold people accountable; if you want to hold people accountable, you need to let them know who can access the system and who cannot, who's authorized, who has the credentials.

You want to protect the system from a physical perspective: physical access to the assets is managed and protected, because once they can go inside the building they may be able to find more information; if they look in the garbage, they could find more information about the company. So physical access is as important as remote or logical access. Also remote access: you want to protect yourself through firewalls, through other techniques we'll talk about later, but the point is you want to limit the remote access.
Now, access permissions and authorizations are managed, incorporating the principle of least privilege. What is the principle of least privilege? It means give the individual only enough access to what they're supposed to be responsible for or supposed to accomplish. Don't give them more, because if you give more power, you don't want that; that's not a good thing. So when you give access, you give access to exactly what this individual needs to complete their work. And obviously I don't want to mention separation of duties; we look at separation of duties much more in principles of IT security. Also, your network has to be protected: network integrity is protected, incorporating network segregation where appropriate. So once again, to look at the big picture: the function is Protect, the category is identity management and access control, and here are some subcategories, what needs to be done. Are these all the subcategories? Maybe not, maybe there are others, but the big idea is to control the access by knowing who's authorized and who's not, and protecting your system.

Awareness and training. Again, this is a category under the Protect function. Well, guess what: if you have the best system but people don't know how to use it, or they're not aware of it, it's not good. So what do you need to do? All users must be informed and trained on cybersecurity risks and responsibilities. You have to let them know, you have to get them involved; in case someone is sending emails phishing for information, well, they are aware of this. Privileged users understand their roles and responsibilities. Privileged means the people that have access to sensitive information; they understand that they have the access to important information, and they have to be very careful. They should lock their phone, they should not keep their laptop open, you know, they should not keep their car open maybe; they have to be more careful because they are
responsible for sensitive information. Also third-party stakeholders: your suppliers, your customers, your partners. Remember in the prior session, when we looked at Identify, we said your supply chain is as responsible for your cybersecurity as you are. So third-party stakeholders need to understand their roles and responsibilities, because they might have access to your account. Senior executives and other decision makers receive cybersecurity briefings; this is part of the communication, so everyone is on the same page about any updates, what's going on, so on and so forth.

Data security. Data security is under the function of Protect. This category, we talked a lot about data; I'm gonna tell you to go back and see the data module at some point. But what is data security? Okay, data security is: the data that's at rest is protected, so if it's in the warehouse, in the cloud, on site, on the computer, on a hard drive, it's protected. When we transit this data from one location to the other, whether it's inside or outside the company, the transmission is also protected. Assets are formally managed throughout removal, transfers and disposition, so we have to be very careful with the data from A to Z, from the way we put it in, to transferring it, to getting rid of it. When we get rid of it, we want to make sure it's not recoverable. We want to make sure we have enough capacity to ensure data security, because sometimes if we don't have enough capacity, it's not available; we might lose it, and that's not good. So part of cybersecurity is having enough capacity, enough power. Also, obviously we have to protect the data against leaks. Leaks means somebody accessing the data, either in error or on purpose. And we always have to check the mechanism that's used to verify the integrity of the information: integrity checking mechanisms are used to verify software, firmware and information integrity. It means the data that we have, we have to make sure it's
correct. As well, the development and testing environments are separate from the production environment, so when you produce data and when you store it, keep them separate.

The fourth function is information protection processes and procedures, and once we say processes and procedures, it's endless. So this is another function under Protect. This is basically setting up your policies and procedures, and you could have many of them, endless. For one thing, you have to have a baseline configuration of IT and industrial control systems that's created and maintained. And what's a baseline configuration of IT? What do we mean by that? A baseline configuration is a standardized, documented and approved set of specifications for an organization's hardware, software and network settings. What is the purpose of this? It creates a reference point, a baseline for secure and consistent configuration across the IT environment, ensuring better security, simplified management and improved compliance. Simply put, what we're saying is all your systems, hardware, software, network, should all work together, and that should be documented, and this is basically what we call a baseline configuration: you're starting from a good position.

Also, a system development life cycle should be implemented. If you don't know what the system development life cycle is, that's a whole session; we had a couple of sessions about this. So when you develop new software or purchase new software, there's a system; same thing with cybersecurity, it applies to cybersecurity. Configuration change control processes are in place. Same thing: we have a couple, maybe three or four sessions about change control. What's change control? Change control also applies to cybersecurity. When you have change control for software development, you also have change control for cybersecurity: you have to go through formal steps when you are changing any of your cybersecurity policies. Backups of information are conducted, maintained and tested regularly;
again, this is part of your policies and procedures, and we have a lot to talk about with backups. Policies and regulations regarding the physical operating environment for organizational assets are met. Well, guess what: you have policies for how to maintain your physical assets, your building, your warehouses, and those are being followed. The policies and procedures are met, they're being followed. What do you do? You check for that. Data protection processes are maintained and tested: you have data, you are protecting this data, and you want to make sure that policy is maintained and tested on a regular basis, as part of your policies and procedures. Because on the CPA exam, or on your exam, what's gonna happen is you're gonna have to know, for example, for data protection processes, what is the function and what's the category. So you need to know where it falls.

And protection processes are continuously improved, and that's always the case in any environment, especially in cybersecurity, because cybersecurity is an evolving field: right now someone, someplace around the world, in Eastern Europe or whatever country they are in, is creating a new sort of virus or a harmless small malware that you need to protect yourself from. So you need to have continuous improvement. Effectiveness of protection technologies is shared with appropriate parties, so if you have any new information, any new technology, you want to make sure you share it with everyone; that should be part of your policies and procedures.

Maintenance. Maintenance is also part of the protection function: maintenance of the system. Maintenance and repair of industrial control and information system components are performed according to policies and procedures, not haphazardly, where if you want to do maintenance and repairs you just pick up the phone, go to the phone book or go on Google and randomly ask someone for help;
you have to have policies and procedures, and especially if that maintenance is remote, you want to vet them; you want to make sure that that's who they are. Maintenance of organizational assets is approved: you approve them ahead of time, you don't just call them haphazardly; you log who did it, you're able to maintain this; and it's performed in a manner that prevents unauthorized access, whether they came in logically, which is over the internet, or physically. You want to make sure they don't have access to places that they're not supposed to have access to, whether it's physical or logical, remote or in person.

And protective technology. It's part of the Protect function; basically you want to protect your technology. How would you do it? Audit or log records are determined, documented, implemented and reviewed according to policies. What does that mean? That means you know exactly who logged in at one point, if you need to be able to follow up. So the important technologies are protected. Here you have security policies; user authentication and authorization are applied within the protective technology solution. So you know what's the important technology in your business that's going to help you achieve your business function, and those technologies are protected. Again, here you would use the principle of least functionality by configuring systems to minimize potential vulnerabilities. Remember what we talked about with vulnerabilities: you don't know where they're coming from. But what you do is use the principle of least functionality; it means the people who are working on the system have access to only enough information that they are responsible for. And obviously you always want communication and control networks to be protected: your communication, you know, through emails, through phone calls, through chat, is protected, and networks are protected. That's critical, because if those are vulnerable, then they can access your system. So what is the next step?
So we finished the Identify function; we completed this in the first session. Now we've finished the Protect function. The next function we're going to be working with is Detect, and under this we have three categories, basically half of the prior one; we should be able to go through it fairly quickly. What should you know? What should you do now? Go to Farhat Lectures. Whether you are a CPA candidate or an accounting student, or studying for the CMA or your certification, invest in yourself, invest in your career, stay motivated and stay safe.