1
00:00:00,000 --> 00:00:06,000
What's the first present you ever remember receiving for the holiday season?

2
00:00:10,000 --> 00:00:18,000
I know I obviously got toys before this, but I just remember the big Barbie year.

3
00:00:18,000 --> 00:00:24,000
I feel like it's common. Everybody's got that Barbie year where every toy is Barbie.

4
00:00:24,000 --> 00:00:34,000
I think I got a lot of animals, like animals for my Barbie, horses and an orca.

5
00:00:34,000 --> 00:00:38,000
Like SeaWorld Barbie.

6
00:00:38,000 --> 00:00:44,000
I'm still out of the loop on this. Did Barbie have an orca friend? Is that?

7
00:00:44,000 --> 00:00:45,000
I did.

8
00:00:45,000 --> 00:00:49,000
That's so cool.

9
00:00:49,000 --> 00:00:57,000
That wasn't my first, but I know that I had, and I think it may still be resident at my parents' house,

10
00:00:57,000 --> 00:01:08,000
the Barbie RV that was very 60s or 70s Winnebago-looking, so very boxy.

11
00:01:08,000 --> 00:01:10,000
Nice.

12
00:01:10,000 --> 00:01:12,000
Matthew, what about you?

13
00:01:12,000 --> 00:01:21,000
I remember getting my first Game Boy, which was the original.

14
00:01:21,000 --> 00:01:28,000
My brother got a very loud noise making toy because he's a couple of years younger than me.

15
00:01:28,000 --> 00:01:39,000
Most of the reason I remember it is because the drive home was me trying to play my Game Boy when my brother pressed every button on this toy and made as much noise as possible.

16
00:01:39,000 --> 00:01:46,000
I do think it was intended to annoy my parents because my parents didn't get it for him.

17
00:01:46,000 --> 00:01:55,000
The one I have the most evidence of is a Power Ranger outfit.

18
00:01:55,000 --> 00:02:04,000
There was like the full outfit and there's so many photos of me wearing it because I wore it nonstop.

19
00:02:04,000 --> 00:02:10,000
In public, to kindergarten, daily.

20
00:02:10,000 --> 00:02:13,000
Everyone has that phase where they just wear the same outfit constantly, right?

21
00:02:13,000 --> 00:02:15,000
Yeah, for sure.

22
00:02:15,000 --> 00:02:17,000
Yeah, that was mine.

23
00:02:17,000 --> 00:02:20,000
Like, my same outfit.

24
00:02:20,000 --> 00:02:21,000
It's the same.

25
00:02:21,000 --> 00:02:22,000
Exactly.

26
00:02:22,000 --> 00:02:24,000
Now it's just business professional.

27
00:02:24,000 --> 00:02:27,000
It's sort of Power Ranger outfits.

28
00:02:27,000 --> 00:02:30,000
What about you, Ann?

29
00:02:30,000 --> 00:02:41,000
I don't know that it was the first, but I remember getting a pinball-esque type machine that my brother and I could play together.

30
00:02:41,000 --> 00:03:00,000
And as a now parent, I think my parents saw or felt the error of that quite quickly because the balls were not soft.

31
00:03:00,000 --> 00:03:06,000
In fact, they were just slightly less hard than an actual pool ball.

32
00:03:06,000 --> 00:03:14,000
Of course, after gameplay, they then became projectiles.

33
00:03:14,000 --> 00:03:17,000
At each other, in general.

34
00:03:17,000 --> 00:03:25,000
And they were hard enough that they bounced and bounced off the fireplace.

35
00:03:25,000 --> 00:03:28,000
Oh my goodness.

36
00:03:28,000 --> 00:03:38,000
I don't know how. I think of other people to your point. Other people can get my children these kinds of gifts.

37
00:03:38,000 --> 00:03:40,000
I will get one for mine.

38
00:03:40,000 --> 00:03:41,000
Yeah.

39
00:03:41,000 --> 00:03:43,000
Oh man, I love it.

40
00:03:43,000 --> 00:04:02,000
Well, today on our Tech for Business podcast, you might recognize the voices. We've got Ann, our quality assurance analyst and GRC specialist, and Matthew, our GRC analyst, and V.C. So, and we're kind of continuing our customer question series.

41
00:04:02,000 --> 00:04:16,000
And so we've got some common compliance questions. And I think I'm just going to pose all of these at the same time because I know they're going to feed in together and kind of build off of each other.

42
00:04:16,000 --> 00:04:23,000
So kind of the top four that we got were:

43
00:04:23,000 --> 00:04:28,000
Why do I have to follow? I think the why is huge. Why do I have to follow a framework?

44
00:04:28,000 --> 00:04:37,000
Why aren't they all the same? Or why are they all different? Which one is the best? And where do I start?

45
00:04:37,000 --> 00:04:43,000
I'll kind of throw it to Matthew first. That's a lot. That's a lot of questions.

46
00:04:43,000 --> 00:04:45,000
Yeah.

47
00:04:45,000 --> 00:04:50,000
Okay, I'm going to try and keep them in line. I apologize, if not.

48
00:04:50,000 --> 00:04:55,000
Let's just actually instead, let's just start with the first one. Why do I have to follow a framework?

49
00:04:55,000 --> 00:04:59,000
You don't.

50
00:04:59,000 --> 00:05:10,000
In some cases, it's okay. In some cases, that's not true, right? In some cases, you do. You have regulatory requirements, you're a bank, you're a, you know, a healthcare institute, you do have to.

51
00:05:10,000 --> 00:05:15,000
Why do you have to? Well, not everyone has the same training, not everyone has the same knowledge.

52
00:05:15,000 --> 00:05:19,000
Not everyone cares about the same stuff.

53
00:05:19,000 --> 00:05:26,000
Not everyone reads the same things. So the overarching answer of why is because

54
00:05:26,000 --> 00:05:30,000
do I go to the inflammatory answer or the kind answer?

55
00:05:30,000 --> 00:05:31,000
We...

56
00:05:31,000 --> 00:05:36,000
Yeah, consistency. Not everyone can be trusted to do all the things they're meant to do.

57
00:05:36,000 --> 00:05:42,000
At the same time, it could be that it's just impossible to know all this stuff.

58
00:05:42,000 --> 00:05:49,000
It just allows you to do something repeatable, something consistent, to make sure everyone's following the same things.

59
00:05:49,000 --> 00:05:59,000
The why comes down to why wouldn't you? Why wouldn't you follow a pattern when you don't have to, when you can?

60
00:05:59,000 --> 00:06:01,000
It's...

61
00:06:01,000 --> 00:06:06,000
I think I keep coming back to the scientific method. It's reproducible, it's consistent, and it's understood.

62
00:06:06,000 --> 00:06:12,000
Does that mean it's perfect? No, but it means that we know and expect the outcomes to be the same.

63
00:06:12,000 --> 00:06:14,000
And...

64
00:06:16,000 --> 00:06:23,000
I'll actually, I'll give an example that's not from the tech world. I used to teach guitar.

65
00:06:23,000 --> 00:06:33,000
And almost every single time I had someone who wanted to get better at learning solos from songs,

66
00:06:33,000 --> 00:06:36,000
there was a very consistent reason they couldn't learn it.

67
00:06:36,000 --> 00:06:41,000
And I'd have them play it for me, and I'd just say, just play it. Let's see where you're at.

68
00:06:41,000 --> 00:06:47,000
And then they'd play it, they'd mess up where they messed up, and then I'd say, okay, now, let's show me how you're practicing.

69
00:06:47,000 --> 00:06:51,000
And every single time, there'd be a part they really, really liked.

70
00:06:51,000 --> 00:06:55,000
And it was the part right before it or right after it that they'd mess up.

71
00:06:55,000 --> 00:07:03,000
And so what they would do is, they basically were just playing the part they really liked over and over again.

72
00:07:03,000 --> 00:07:10,000
They were messing up slightly and then playing the fun bit or playing the fun bit and messing up and stopping and going back to the fun bit again.

73
00:07:10,000 --> 00:07:16,000
That I feel is how I've seen many, not all, obviously, but many IT techs.

74
00:07:16,000 --> 00:07:22,000
They absolutely love one part of what network management is, so they'll focus on that. They'll ignore the rest of it.

75
00:07:22,000 --> 00:07:27,000
Because it's not as important to them. It's not as cool to them. It's not as fun.

76
00:07:27,000 --> 00:07:34,000
Frameworks make sure you're doing the whole solo and not just caring about the cool part in the middle.

77
00:07:34,000 --> 00:07:40,000
Yeah. I think that answered it, Ann.

78
00:07:40,000 --> 00:07:53,000
I think the music analogy is actually a really good one, but it's ensuring that we know all the parts that make up and consistently know the parts.

79
00:07:53,000 --> 00:07:58,000
It doesn't necessarily ever say you must meet it in this way.

80
00:07:58,000 --> 00:08:04,000
It leaves freedom to meet the requirements, whatever framework you're using.

81
00:08:04,000 --> 00:08:14,000
However, those requirements are still the same for everybody. If you're following one framework, that requirement is the same for everybody.

82
00:08:14,000 --> 00:08:33,000
And it takes guesswork out. I don't have to do more research or understand or guess at what level of compliance we want to find.

83
00:08:33,000 --> 00:08:42,000
It's spelled out. As Matthew alluded to, it isn't always worded

84
00:08:42,000 --> 00:08:56,000
terrifically; it isn't always crystal clear, even in the questions that are reviewed and published over and over.

85
00:08:56,000 --> 00:09:07,000
They're still sometimes clear as mud, but at least they give a definition of some achievable mechanism to strive for.

86
00:09:07,000 --> 00:09:13,000
Yeah. 100% agree.

87
00:09:13,000 --> 00:09:18,000
What was the next question? Why aren't they all the same?

88
00:09:18,000 --> 00:09:34,000
Yeah, the first is kind of why are we here? Why are we talking about this? So now that we're here, why aren't they all the same? If we're talking about these frameworks, why are there so many different ones?

89
00:09:34,000 --> 00:09:39,000
Again, such a loaded question.

90
00:09:39,000 --> 00:09:50,000
The answer is kind of the same as the first one, in that not everyone cares about the same things, not everyone needs to care about the same things.

91
00:09:50,000 --> 00:09:58,000
And I think that's the answer. They aren't all the same because they aren't all trying to do the same thing.

92
00:09:58,000 --> 00:10:13,000
Some people or some frameworks are trying to protect information in a very specific way. The NIST frameworks, I'll talk about NIST 800-171, which is designed to protect confidential unclassified information.

93
00:10:13,000 --> 00:10:23,000
This relates to things like contracts with government entities, a bunch of status information.

94
00:10:23,000 --> 00:10:35,000
A lot of information that is not considered classified information, therefore, is not required to be kept in a certain way, but is more important in that it could be used to cause trouble.

95
00:10:35,000 --> 00:10:55,000
NIST 800-171 includes a whole bunch of things about making sure you can confirm someone is who they say they are when they walk into a physical location, or when they check specifically for things that are kept in safes, lockboxes, things like that.

96
00:10:55,000 --> 00:11:03,000
Do you have cameras? Do you have physical entry guarantees? Do you have fobs? All the things that you'd expect in those types of locations.

97
00:11:03,000 --> 00:11:09,000
That's not the same requirement that someone has if they're fully digital.

98
00:11:09,000 --> 00:11:21,000
If they're not doing anything but data like that, that would be overkill for some, say, a fish and chip shop. You wouldn't need that. That would be crazy to try and follow that.

99
00:11:21,000 --> 00:11:30,000
They instead are worried mostly about their credit card data, which is generally in, you know, it's on the credit card machines that are at the counter.

100
00:11:30,000 --> 00:11:40,000
So they have a different requirement for what that looks like. And that's why they're different. That's why they aren't all the same, but are all kind of similar in a way.

101
00:11:40,000 --> 00:11:59,000
It's about where the focus is. Generally, it comes down to the data. So where your data is stored, how critical your data is, and then how complex your environment is for how that data flows.

102
00:11:59,000 --> 00:12:02,000
Yeah.

103
00:12:02,000 --> 00:12:07,000
So I'm going to sidestep.

104
00:12:07,000 --> 00:12:21,000
Is there, this is probably a silly question, but depending on what you're doing as a business, is there a time in which you're using more than one framework? And are there some that fit better together?

105
00:12:21,000 --> 00:12:23,000
Most definitely.

106
00:12:23,000 --> 00:12:33,000
So I think your question ties in with the next two questions, which were, which one is best and where do I start?

107
00:12:33,000 --> 00:12:36,000
So the answer is yes.

108
00:12:36,000 --> 00:12:38,000
Multiple people.

109
00:12:38,000 --> 00:12:40,000
D, all of the above.

110
00:12:40,000 --> 00:12:43,000
Exactly.

111
00:12:43,000 --> 00:12:48,000
Many of the organizations we work with have multiple compliance requirements.

112
00:12:48,000 --> 00:12:52,000
It is incredibly common to want to do that. In fact,

113
00:12:52,000 --> 00:13:01,000
there are things called meta frameworks that are designed to help with organizing that and covering more than one at a time. So you're not completing two questionnaires every day.

114
00:13:01,000 --> 00:13:04,000
They're often called crosswalks.

115
00:13:04,000 --> 00:13:08,000
Incredibly useful for looking into, especially if you are one of these people.

116
00:13:08,000 --> 00:13:16,000
Healthcare industry, healthcare companies that also take credit cards have to worry about HIPAA and PCI.

117
00:13:16,000 --> 00:13:22,000
Right out the gate. That's, you should be looking at both of those if you take credit cards in-house in any way, shape or form.

118
00:13:22,000 --> 00:13:25,000
So there's definitely ways that you'll be looking at more than one.

119
00:13:25,000 --> 00:13:34,000
And it's not uncommon for certain organizations to have three or four that they track whether they're required to be compliant with them or not.

120
00:13:34,000 --> 00:13:42,000
In-house we track multiple just because we want to know where we stand against them.

121
00:13:42,000 --> 00:13:44,000
Ann.

122
00:13:44,000 --> 00:13:49,000
I completely agree. I would have used that exact example.

123
00:13:49,000 --> 00:14:06,000
The idea that you can know, even your HSA card is a debit or credit card that needs to be controlled, and the entity has to control that to some framework.

124
00:14:06,000 --> 00:14:15,000
And it's always better to have that framework to not guess. I don't want to guess about how I have to protect someone's credit card data.

125
00:14:15,000 --> 00:14:23,000
I can go to a guide and say, hey, this is where we're at. This is how we perform this.

126
00:14:23,000 --> 00:14:34,000
Look, I can go through a checklist, however exhaustive, and find out where I need to be with reasonable certainty.

127
00:14:34,000 --> 00:14:40,000
It leaves out a great deal of the guesswork. Sometimes we don't like the answer.

128
00:14:40,000 --> 00:14:48,000
Sometimes you don't want to know that you really can't just leave these credit card machines out wide open.

129
00:14:48,000 --> 00:14:58,000
Sometimes knowing what framework really means that you're going to have to do a full-scale change internally in process procedure.

130
00:14:58,000 --> 00:15:08,000
Maybe implement new, take away old, that might be unknowingly harmful to how you protect your data.

131
00:15:08,000 --> 00:15:16,000
But all in all, it's still a framework to go back to and say, this is how we do it.

132
00:15:16,000 --> 00:15:22,000
Exactly. And so I think that the best one is the one that suits your needs.

133
00:15:22,000 --> 00:15:36,000
With all of that, it's the one that's not doing too much. Just going into NIST 800 again, there is no need to follow the NIST 800 if you aren't storing CUI data.

134
00:15:36,000 --> 00:15:43,000
It is a great baseline if you want a very thorough review, but it's very thorough.

135
00:15:43,000 --> 00:15:54,000
If you were a small retail shop, following that would be cost prohibitive to the point of potentially shutting you down, because you can't keep up with doing that and actually selling goods.

136
00:15:54,000 --> 00:15:58,000
It requires a full person generally to do that.

137
00:15:58,000 --> 00:16:12,000
So it's about finding one that suits your needs, suits your level of risk, and makes you feel comfortable that it's still doing enough while not making you do too much at the same time.

138
00:16:12,000 --> 00:16:18,000
And so with that, the last one was, I think, where do I start?

139
00:16:18,000 --> 00:16:27,000
And we could go through the list of different compliance requirements and describe which ones we think are the best for what purpose.

140
00:16:27,000 --> 00:16:39,000
But if you don't have any physical requirements, if you don't have FDIC or the FTC saying be compliant with us, if you don't have HIPAA data, if you don't have any of that stuff,

141
00:16:39,000 --> 00:16:46,000
the NIST CSF or the NIST Cybersecurity Framework is a great starting point.

142
00:16:46,000 --> 00:16:53,000
Yeah, it was designed, if I'm remembering my history correctly, to be exactly this.

143
00:16:53,000 --> 00:17:02,000
We'll take as much of the NIST 800 framework as we can, condense it into the cybersecurity items that allow us to do a general baseline.

144
00:17:02,000 --> 00:17:12,000
It is the closest thing I think there is to an actual baseline that isn't something like ISO, which can also be cost prohibitive for people.

145
00:17:12,000 --> 00:17:15,000
Yes.

146
00:17:15,000 --> 00:17:19,000
Those reviews are always fun.

147
00:17:19,000 --> 00:17:24,000
The NIST CSF is talking about it and where to start.

148
00:17:24,000 --> 00:17:36,000
The number one thing for me is language, because oftentimes when you're doing this, the terminology used has a very specific meaning that may be completely different to what you intend or how you use it in-house.

149
00:17:36,000 --> 00:17:51,000
And oftentimes when I see people who've started and gotten lost or started and then potentially failed in audit, it's because the person doing it, when they started, made a bunch of assumptions about how things work.

150
00:17:51,000 --> 00:18:13,000
As a quick example, within the NIST 800 guidelines, an incident is any cybersecurity occurrence that causes or could have potentially caused a significant loss to the organization.

151
00:18:13,000 --> 00:18:21,000
This doesn't mean anytime anyone nearly clicked a link, it's a problem, it means anytime you've looked into it and gone, this could have been a problem.

152
00:18:21,000 --> 00:18:25,000
So you're defining what counts as an incident for your organization.

153
00:18:25,000 --> 00:18:41,000
Within the HIPAA guidelines, it's a little vaguer, and personally I read the HIPAA guidelines as anytime you do get a phishing email, whether it's aimed at a person or it's just a generic phishing email, technically that's a HIPAA incident.

154
00:18:41,000 --> 00:18:49,000
So because of that, that alone is a huge distinction when you're defining how you handle incidents. Do you keep that same language? Do you change it?

155
00:18:49,000 --> 00:18:58,000
So when I'm starting any of these, I will pull up their definitions list because they always have one and it's generally huge.

156
00:18:58,000 --> 00:19:01,000
And that gets printed out and put next to me.

157
00:19:01,000 --> 00:19:08,000
And then I start reading through the questionnaire and I just make sure the words mean what I think they mean.

158
00:19:08,000 --> 00:19:16,000
Think about PCI: they use the word CDE, or the credit data environment, but then they also use the framing "network."

159
00:19:16,000 --> 00:19:20,000
They also use environment just in general.

160
00:19:20,000 --> 00:19:34,000
Keeping in mind the CDE is purely the environment that has credit card data in it and your network may include the CDE or not, and your environment includes everything.

161
00:19:34,000 --> 00:19:50,000
So that distinction alone is worth wrapping your head around before you start or else half of these questions are going to sound identical because they are if you don't have the definitions for what each section means.

162
00:19:50,000 --> 00:19:52,000
Ann.

163
00:19:52,000 --> 00:19:54,000
No, spot on.

164
00:19:54,000 --> 00:20:01,000
No, it really is. I don't think I could have said it better.

165
00:20:01,000 --> 00:20:14,000
The thing I caution is that very often you don't actually get to pick your framework.

166
00:20:14,000 --> 00:20:33,000
But there should be an oversight entity, agency, something like that, that is actually required to provide what framework, what level of framework, that you're required to abide by to start.

167
00:20:33,000 --> 00:20:40,000
And that often comes in contract requirements, agreement requirements, that kind of thing.

168
00:20:40,000 --> 00:20:44,000
However,

169
00:20:44,000 --> 00:20:53,000
leaving that to guess is never a good methodology either.

170
00:20:53,000 --> 00:20:58,000
I guess I'm tiptoeing around that very gingerly.

171
00:20:58,000 --> 00:21:06,000
It doesn't do any good to kind of scatter plot the framework you think might work.

172
00:21:06,000 --> 00:21:12,000
And just use like saying ISO 27001.

173
00:21:12,000 --> 00:21:26,000
But do you know what that means? You might go down a whole different path, in a costly mistake of trying to achieve a level of compliance that isn't necessary.

174
00:21:26,000 --> 00:21:38,000
Where the CMMC is, and even the financial industry. Some are more complex and some less, but where you find those,

175
00:21:38,000 --> 00:21:47,000
I guess overlaps, is where you're going to find your efficiencies too, once you're finding the framework that is required for you.

176
00:21:47,000 --> 00:22:00,000
You're seeing where you're meeting all of this, and it starts to become routine to your business and your general operations, where it's not really an audit, it's just kind of a temperature check on where you are at a given time.

177
00:22:00,000 --> 00:22:01,000
Thank you.

178
00:22:01,000 --> 00:22:14,000
CIT has a SOC audit, a SOC 2 Type 2; we can go and look at that framework whenever we need to, and we do self-audits against that.

179
00:22:14,000 --> 00:22:25,000
And that's where we can internally say, hey guys, how we do it. I know we were looking at these access lists; this is the requirement. Hey, we can communicate where that is.

180
00:22:25,000 --> 00:22:40,000
And that makes it easier to educate. Not to totally go on a tangent, but I do like having the, whatever framework it is, it serves to also get the buy-in through education.

181
00:22:40,000 --> 00:22:50,000
I don't think there's any one framework that... no one really loves to go and say, let's audit against our compliance of anything.

182
00:22:50,000 --> 00:22:56,000
But if you can really understand where that framework comes from, what's its intent,

183
00:22:56,000 --> 00:23:04,000
and then going through and say, this requirement meets this spirit and intent for access control.

184
00:23:04,000 --> 00:23:19,000
I'm just throwing out different ideas. It becomes real. It's not just a checkbox on a list. It's a, no, we definitely want to update our access, make sure our access lists are current.

185
00:23:19,000 --> 00:23:34,000
And as you go through whatever framework, you're able to see that those levels of true-up, to ensure that the consistency is applied, really are meaningful.

186
00:23:34,000 --> 00:23:42,000
It really is, I want my vendor to review their access lists every week, or every year. Sorry.

187
00:23:42,000 --> 00:23:58,000
That is in your given industry. So not only do I want to do that because I want to make sure my information is accurate, but that's that level set for your vendors, for your customers even there.

188
00:23:58,000 --> 00:24:09,000
There's so much more clarity in being able to say, here's where the rules are, here's where they lie, even if they come in, you know, 250 questions.

189
00:24:09,000 --> 00:24:17,000
Exactly. You know, which is super fun to Matthew and I, but probably not to a normal...

190
00:24:17,000 --> 00:24:30,000
I mean, I got done with a meeting earlier today that was a security review like this, and it was two hours of us just answering questions, and at the end I said, you know, time flies when you're having fun.

191
00:24:30,000 --> 00:24:42,000
And I actually got, we got an agreement from the people we were working with, which, you know, anytime someone can see as much joy in it as we do, I'm happy.

192
00:24:42,000 --> 00:24:54,000
The one last thing I'll mention: when I moved into cybersecurity, it was basically out of necessity at a previous organization.

193
00:24:54,000 --> 00:25:12,000
I was doing a lot of internal testing as well as a lot of work as a network admin for customers as well as for the organization itself, and as soon as I started doing that I realized from a technical standpoint, without a framework there is nothing

194
00:25:12,000 --> 00:25:21,000
that says here's what's most important, because if you have that mindset, which is where I was in that place,

195
00:25:21,000 --> 00:25:39,000
I was just running around finding what's coolest, not dissimilar to fun. It's a lot of fun. It's playing that same part of the guitar solo over and over; it feels cool, but it doesn't actually help you perform it as a whole. If someone were to watch you, they don't want to

196
00:25:39,000 --> 00:25:55,000
play the first three seconds of Stairway to Heaven over and over. So because of that I started looking into the frameworks specifically, basically exactly what Ann said: finding one that made the most sense for the organization, finding one that we could hit consistently

197
00:25:55,000 --> 00:26:10,000
without overworking the team, and then seeing where we stood up to that and working from there. At the same time, my first run through it I did mess up. I did exactly what Ann was talking about. I

198
00:26:10,000 --> 00:26:25,000
didn't really gauge it properly. I also didn't follow my own current advice, which is read through the definitions, because I thought I knew it already, because I've been doing this for so long and I believed that network administration is network administration.

199
00:26:25,000 --> 00:26:44,000
That's not true when you start looking at the compliance items. So really it is important to keep in mind that if you're doing this, have a purpose for it. For me it was about guiding myself, finding a way for me to direct my energy more efficiently, because when you are a solo

200
00:26:44,000 --> 00:26:52,000
technician, as a network admin or something, for an organization, it can feel overwhelming because you are doing more than one thing at a time.

201
00:26:52,000 --> 00:27:02,000
So really look for what works for you. If you do have contract requirements, those are first; that's where you should start. If you don't,

202
00:27:02,000 --> 00:27:09,000
the NIST CSF is a really good baseline. If it feels too basic for you, find something else that builds from it.

203
00:27:09,000 --> 00:27:23,000
But there's so many out there that really are designed to help this way, and to make you sleep better at night, which is what I always say compliance is actually about.

204
00:27:23,000 --> 00:27:28,000
Don't try and do the bare minimum. Do the baseline and then try and beat it.

205
00:27:28,000 --> 00:27:35,000
That's the goal, but make sure you do the baseline first.

206
00:27:35,000 --> 00:27:43,000
Play the whole guitar solo. Yeah, that guitar, it was such a good analogy.

207
00:27:43,000 --> 00:28:02,000
I just, the reason I keep coming back to it, and I think about this at least once a month, there's one person I taught in particular, because the reason they came to me is because they said that they were an older student and they said their partner was sick of hearing the first minute of their favorite song forever.

208
00:28:02,000 --> 00:28:06,000
They wanted to be able to learn the rest of the song.

209
00:28:06,000 --> 00:28:08,000
And that's really like that.

210
00:28:08,000 --> 00:28:17,000
So many things I think about, thinking about this individual, and just being like, yeah, I can see why that would have got annoying for their partner.

211
00:28:17,000 --> 00:28:20,000
We want to do the whole song and then once we can do it all.

212
00:28:20,000 --> 00:28:24,000
Maybe we play it a little less often.

213
00:28:24,000 --> 00:28:36,000
Well, that kind of leads me to my last question, and then I'll kind of open up if there's anything else. So let's say you've got a framework, you've put it all into place and things are going well.

214
00:28:36,000 --> 00:28:43,000
How often are you reviewing, other than if things in your framework change?

215
00:28:43,000 --> 00:28:47,000
Is this yearly? Is it monthly? What does that look like?

216
00:28:47,000 --> 00:28:56,000
Most of the frameworks will typically guide where they want you to be. I always recommend more than that because no one wants a surprise.

217
00:28:56,000 --> 00:29:02,000
As you're assessing yourself or have an external auditor.

218
00:29:02,000 --> 00:29:14,000
But we had this today: you should always write your policies of audit tier to the requirement, and if you exceed that, fantastic.

219
00:29:14,000 --> 00:29:21,000
But actually, we'll keep it at the requirement and shine if it's better.

220
00:29:21,000 --> 00:29:25,000
Keep it where it's at, as an EP.

221
00:29:25,000 --> 00:29:33,000
Yeah, exactly. Stick with their baseline of what their requirement is, and then put your own spin on top of that. Use their language.

222
00:29:33,000 --> 00:29:35,000
If they say this is what it needs to do.

223
00:29:35,000 --> 00:29:43,000
Say this is what we do, if that's what you do. Like, follow their language; it's really in there for a reason.

224
00:29:43,000 --> 00:29:50,000
And then again, just build from that. It will evolve, it will change.

225
00:29:50,000 --> 00:29:59,000
You mentioned changes to frameworks, and they do happen. There's a lot of really big ones going through right now, especially to NIST; they're adding a new pillar,

226
00:29:59,000 --> 00:30:04,000
which is, I think, the first time they've done that since they invented the pillar system.

227
00:30:04,000 --> 00:30:07,000
So it's a huge change for them.

228
00:30:07,000 --> 00:30:17,000
And that's fantastic, but it does mean a lot of people have to answer their questions again. So do the baseline.

229
00:30:17,000 --> 00:30:19,000
Try and make it better. Do it as much as you can.

230
00:30:19,000 --> 00:30:25,000
If something says do it annually, try and do it every six months. If something says do it quarterly, try and do it every month.

231
00:30:25,000 --> 00:30:33,000
But at least do it quarterly, at least do it annually, whatever that minimum is.

232
00:30:33,000 --> 00:30:38,000
Well, thank you so much, Ann and Matthew, for joining us today.

233
00:30:38,000 --> 00:30:44,000
If you enjoyed this podcast, please like and subscribe; it's how we know that you're interested in these topics.

234
00:30:44,000 --> 00:30:56,000
If you have a question or topic you'd like us to discuss, reach out to us at info at cit-net.com or head out to our website, cit-net.com slash podcast.

235
00:30:56,000 --> 00:31:06,000
And we'll be back next week with an all new episode.

