
GRC & The Min & Max of Multi-Framework Optimization by Elsa Arcilla

BSides Tampa | 57:14 | 62 views | Published 2024-06 | Watch on YouTube ↗
Style: Talk

About this talk

Discover the keys to effective multi-framework optimization in GRC, navigating complexities to minimize risk and maximize efficiency. Explore methodical strategies and practical insights to harmonize diverse frameworks, empowering organizations to build resilience in the face of evolving cyber threats. At the end of this session participants will be able to describe GRC, frameworks, and components thereof. At the end of this session participants will be able to demonstrate cause and effect relationships between framework selection and GRC implications. At the end of this session participants will be able to conduct a sample optimization between two example frameworks and note the effects on overall GRC.

Transcript [en]

[Music] Once again, thank you so much for joining me here today. It is my honor, pleasure, and privilege to be able to talk to such a vast variety of people with so many talents. Let's discuss a little bit of GRC and the min and max of multi-framework optimization. Who's with me? Woo, yeah, let's get started. All right, so welcome. Thank you NIST, who do amazing work, ISC2, ISACA, and BSides Tampa, without whom we wouldn't be here today. A little bit about me: I am Akash Kishor S, you can choose to call me Sky. I have a few things that I've done in my career, and moving on, this is GRC and the min and max of multi-framework optimization. Let's break down how I plan to address that. We'll discuss our objectives, go over a bit of GRC, drill down into each one of its components, we'll take a peek at an example, and basically that's how it goes. Sounds good? All right, let's get started.

So my role here, first and foremost, would be to attempt to share a little bit of what I know. First and foremost, whenever you receive any information, it is paramount to consider the role and objectives of the source of that information. Here I am delivering this presentation from the point of view of a cybersecurity senior management team member, internal or external, doesn't really matter, and I'm going to talk to you about GRC. Now, who here is familiar with GRC? Awesome. All right, anyone want to take a stab at a quick definition? All right, good enough, lots of important information there.

So the way I like to define GRC is that GRC is a set of professionals who evaluate, select, and implement frameworks, standards, and policies, which they then assess, review, and revise. Any objections? Does that sound good? Okay. Now let's break down each layer here and identify a good reference for each one. So for governance we have NIST CSF 2.0, for risk SP 800-37, and for compliance let's take FISMA as an example, where we have SP 800-53 Rev 5. Sounds good? All right, anyone know what NIST is? Yes sir, yes. And the bigger question is, who is NIST? Well, NIST is a team, just like GRC professionals, made up of some of the best scientists who are a lot like you and me. I wish I could put all of them up here, but for now, from top left to bottom right, we have the Director of NIST, Dr. Laurie Locascio; Associate Director for Innovation and Industry Services Mojdeh Bahar; Kevin Stine of the Information Technology Laboratory, a lot of what we are about to discuss comes from divisions under his leadership; we have Del Brockett, Associate Director for Management Resources; Dr. Charles Romine, Associate Director for Laboratory Programs; and last but not least, Dr. Jason Boehm, Chief of Staff. [inaudible] And within ITL we have the Applied Cybersecurity Division, where we have acting chief director Rodney Petersen, we have him to thank for the NICE framework; Naomi Lefkovitz, Senior Privacy Policy Advisor, she's actually leading the charge on protecting individuals' privacy in information technologies; and last but not least, Cherilyn Pascoe, Director of the National Cybersecurity Center of Excellence. She's the queen bee responsible for the frameworks we are about to discuss. She's also done a ton of work on the Hill, like the AV START Act and the Innovation and Competition Act. And at the bottom we have Natalia Martin, Deputy Director and a collaborative talent magnet, without whom a lot of the collaboration that happens within this wouldn't happen.

So what exactly is NIST? Some of you might be aware it was founded in 1901, currently under the US DOC. Its mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. This is from their website. They specialize in measurement science, rigorous traceability, as far as anybody who's read their standards is concerned, and the development and use of standards. Their values are perseverance, integrity, inclusivity, and excellence. Moving forward, does anyone want to take a stab at defining what a framework is? All right. NIST Special Publication 800-152, which deals with federal cryptographic key management systems, defines a framework as a layered structure indicating what kind of programs can or should be built and how they would interrelate. Some computer system frameworks also include actual programs, software programs, indicating that not all frameworks are just software, nor are they just logical; they can be interrelated, and they can specify programming interfaces or offer programming tools, such as, as you were discussing, sir, with automation of GRC, that can be a part of a framework. A framework may be a set of functions within a system and how they interrelate, the layers of an operating system, the layers of an application subsystem, how communication should be standardized at some level of a network, so on and so forth. A framework is generally more comprehensive than a protocol and more prescriptive than simply a structure. We're going to get abstract up in here, all right.

Let's talk about NIST CSF 2.0. If you go onto the NIST website and look up what exactly NIST CSF 2.0 is, you'll get this extract of text where it defines the CSF core, organizational profiles, and CSF tiers. Those who are already into GRC might have already read this; for those who are not, this can be a little intimidating. So with your permission I'm going to take a little bit of an interpretative step here and perform a basic abstraction and simplification, which is a fancier way of saying let's break it down with eight or fewer wh-questions. So what is NIST? It's a blueprint for a logical cybersecurity infrastructure by some of the best scientists known to man, to help everyone, now, anywhere. And how do we do that? Let's get started. Some GRC professionals may be familiar with the terms GRC management and internal controls; NIST CSF uses the terminology of core, profiles, and tiers, and here we have layers. Layers are going to come into the picture quite a bit here, and one interpretation of this can be, from a mathematical standpoint, functions, posture, and ability.

So let's discuss the core. If NIST CSF 2.0, as a logical structure in the information space where ones and zeros exist, is a cube, then the core is looking at it from the top-down point of view; it's the top surface of the cube. This is the core. Many of you may have already seen it. It's nice and circular, isn't it, kind of like Iron Man's core, you know. So it contains Govern, Identify, Protect, Detect, Respond, and my favorite, Recover. Going further down into the core we can analyze it a little bit further: it goes into functions, which are then split into categories, which are then split into subcategories. Let's take a look at what those look like in a little bit more detail. Some of you may be familiar with this table already. So we have, for example, Govern, which goes into Organizational Context and Risk Management Strategy, and then it keeps getting further broken down. Are we good so far? All right.

So that was the core, looking from the top down of the cube. Let's discuss what I understand them to mean by profiles. If the core was looking at it from the top down, profiles are like slicing the cube into smaller sections. So what they mean by this is, like, we currently have the current profile and there is a target profile that we're trying to get to. We'll get into a little bit more detail about what those are, but each and every slice is like a subsystem. So we have end users, we have an end user slice, we have an HRIS, human resources information system, slice, then we have a manufacturing floor slice, and when you put all these slices together you have your entire supra-system that we are attempting to address from this CSF 2.0. Okay. And then this is how we handle the profile. This is essentially the profile life cycle, which goes through scoping, gathering needed info, creating the organizational profile itself, analyzing the gaps, and then implementing an action plan to update the profile. With me so far? Sounds good.

Now let's try to understand what I understand them to mean by tiers. So if we had the top as the core, and then we had slices as profiles, tiers are basically how full each of the pixels within that cube gets. It's how densely we understand the information system infrastructure, from a logical perspective, in that framework. And they give us four types of tiers, which are Partial, Risk Informed, Repeatable, and Adaptive. Think of these like maturity within the framework.

Now let's get into a little bit of NIST SP 800-37, the Risk Management Framework. So we attempted to understand what exactly we are dealing with from an information logical structure point of view, which is our information systems infrastructure, and now basically what we're trying to do is take the same cube and look at it from a different point of view. For consistency's sake, if we were to call the top view the core, let's call it core here as well. It's not actually called core in the standard; this is just me taking a little bit of creative liberty. So you might be familiar with this little graphic, which is taken, thanks, from the actual publication. It goes into understanding our information systems infrastructure, the supra-system, from the point of view of risk management, with Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Now NIST RMF also has tiers, which in this case are vertical and horizontal, and the standard in itself gives us three layers, which are organizational, mission and business process, and information system, and we have report lines that go through the organizational, mission, and information system layers to inform risk information. Going further in depth, we can take an example of Prepare at the organization level and see it goes through risk management roles, strategy, assessment, control baselines, common control identities, impact levels, and continuous monitoring strategy. So if you haven't seen the publication yet, this is layer one, and this is how it further breaks down into the next layer, which is system level. You can see the manner in which the information needs to be sliced at different layers requires different tools.

Further, we have NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems. From a compliance standpoint, this is what you could use to audit against; you can do it yourself or have somebody else do it. And these are the control sets that are defined within it, so we have everything from access controls to supply chain risk management. This is what a control looks like within the standard. So, again for those of us who are new to the field, this is what a control looks like, where we have a control reference identifier right here. Any data set needs good references, and that's a very good way to reference. Then we have what the control is trying to assess, so that's basically like the title; the actual verbiage of the control, that's the base control; then discussion, which is more explanation about it; a lot of related controls; and then we have additional information regarding the control that supplements what the control is trying to achieve, or control objective, given additional strength.

Now let's talk about framework alignment. Why would we want to align different frameworks? In this case, for example, we can align them for the reasons of compliance. So let's say we want to be compliant for FISMA purposes and we are using NIST SP 800-53 Rev 5 for that purpose. So how would we align it? From a governance standpoint, we would go into CSF 2.0, and this is an example: if you were to go on the NIST website and follow this link, you would end up with a spreadsheet that contains information regarding the CSF 2.0 framework itself, and this is what that framework looks like. How many of you have already seen this before? Awesome, I'm actually sharing something that might be new to you. Okay, great. So it may look intimidating to those who are not seasoned professionals in reading such tables, but what we have here is the same information getting broken down further and further and further, with references on the right-hand side. So this is basically the primary objective, which is Govern. When we speak of governance, risk, and compliance, the first part of that is governance, and within that GRC we are using this CSF 2.0 as a reference point to govern with. In CSF 2.0 the first point that we have is Govern: the organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. This is step one for being able to start governing our cybersecurity logical infrastructure within an organization. Did I go too fast through the previous slides, if this is new to you? Okay, all right.

So when it comes to any information, slicing and dicing it from a different perspective allows us to have different insights into it. From the governance standpoint, what we are looking at here is the primary objective: how do we get started with governing anything? Let's try to have some kind of strategy, some expectations, and establish a policy; make sure it's communicated and monitored. So how do we do that exactly? So, Risk Management Strategy for governance, then it breaks down further. There are many more lines here, and this is basically the code of GRC; this is what GRC folks do most of the time. So we have a table, we have one objective, we have subparts of that objective, and then specific tasks related to that, and that's how this table goes. So within Risk Management Strategy: the organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions. Did that make sense? Awesome, love to hear it. So how do we do that exactly? This is further guidance that breaks down into tasks: risk management objectives are established and agreed to by organizational stakeholders. So this is the next step, and then, you know, what do we do after that? Risk appetite and risk tolerance statements are established, communicated, and maintained. So basically when you speak of GRC, you take the standard, you try to understand what it's trying to say, then you go into your organization, talk to the right people, stakeholders, people who get affected by those decisions, people who get to make those decisions, and then you start implementing it step by step by step. Yes,

sir. Yes, yes. So one of the reasons why I wanted to go about it from a cube standpoint, if I may, is that, when it comes to science, a lot of fields have not-so-clear lines. Take for example the line between physics and mathematics: where does mathematics end and physics begin? There is, you know, kind of a delineation. So when you get down to this level within information systems, like security, what we're talking about here is cybersecurity risk management strategy, that's our objective, but now we have advanced so far into the field that this is digging deep into information sciences, like how much do we split apart things before they become a very basic abstract of that thing. So, yes ma'am.

[Audience] Okay, if you miss one of those steps, say you miss GV1, don't know how you get Z without Z, but anyways, if you miss one of those, then that is not completely aligned, is that correct?

Yes, you're right. And that doesn't... so here's how cybersecurity, as I see it, works now. We are digging very deep into information sciences. It's like, how do we understand data completion, how do we understand data integrity, completeness, accuracy, availability, integrity, like all of these things we are digging very deep down into them now, because that's where a lot of the attacks are happening. Like, when you say data integrity violations, what do we mean by that exactly? So in order for us to properly address data integrity violations, from a defense standpoint we have to attack it from a very abstract layer. The more withdrawn the attackers get from actual hardware, the more withdrawn we have to get from actual hardware as well. That's why we are at a level which is very basic, fundamental information sciences. Yes sir, can I... yes please.

[Audience, partly inaudible] ...all the frameworks that... yes, yes... yes... sub... is a... sub high... highly, then... that's... framework controls are... you have to know your inventory first, what information is going to be on your system, you know, right?

Yes, yep, exactly. And so to know what we have, what is it to know something, you know, that's where we start getting this abstract. It's like you said, and a few layers above that is like, you know, we have data parity checks, like, you know, I don't want to get too into electronics and like buffer overflows, but, so you know, as our attackers get more and more advanced we have to get more and more advanced in defending, and the way we get more and more advanced in defending is this, more abstract. So we get into what exactly is information, like what information do we have. So when we say information about information, like, you know, that's why the cube is an example, wherein we have an information supra-system regarding everything that's downstream from it, so that includes people, processes, and technology. So when we get into people and processes, technology: very easy to understand, ones and zeros, hardware, you know; people and processes, then we get into a lot of stuff that you need to know. But like, you know, so as far as something that can be as broadly applied from things that have defense implications to the general public, this is an excellent framework where it tries to cover all of that. That's why the more simple something is, the harder it was to create, and this is as far as this goes, like it's pretty simple to follow, where somebody new to the field can still understand it.

So breaking down something like governance to this degree is starting at organizational cybersecurity risk management strategy. So what does that mean exactly? Let's see, do we know what our priorities are, do we know what our constraints are, like how much is the budget, where are our system boundaries exactly, you know, how many people do we have, etc. etc. Then risk management objectives are established, agreed upon by the organizational stakeholders, and then risk appetite and risk tolerance statements are established. So again, these are, like, when it comes to governance and compliance, you can never be 100%, because every time you approach something that you think is complete, you discover something more that's beyond that boundary, just like learning. We are all students, and you know, I'm happy to learn something from you today. So that's our governance.

Then let's get into risk management. So that was looking at the same cube from a governance standpoint; how would senior management look at it? And this is from a risk management standpoint, wherein what do we mean by risk management? So how do we align these different objectives and viewpoints? The governance viewpoint was that table; the risk management or risk professional might look at it from this angle, whereas we have essentially the same component from a completely different point of view, looking at it from an information science standpoint, which is risk management strategy. So 800-37 R2 defines it as all of this, where we have a task, which is: establish a risk management strategy for the organization that includes a determination of risk tolerance. Then what are the potential inputs to do that? We have the organizational mission statement, we have organizational policies, which the governance side also looks at, then we have organizational risk assumptions, constraints, priorities, trade-offs, etc. Then what are the expected outputs of this process, if we were to take the same object, essentially, and look at it from a risk management standpoint? Which is a risk management strategy and statement of risk tolerance, which then fits into our governance, if you recall, inclusive of information security and privacy risk. So I'm trying to keep it very close to cybersecurity risk, but if you're trying to follow me, looking at it from an abstract information point of view, this is, you know, what we're trying to do: define the risk management strategy, and that isn't necessarily constrained to just cybersecurity. So who is primarily responsible for this? It would be the head of the agency. So when we speak GRC, this is pretty senior management stuff. Who are the supporting roles for this? We have senior accountable officials for risk management, or a risk executive, that's a function, the chief information officer, senior CISOs, and things of that nature; they get involved in this discussion. And like any good documentation, I love this documentation because it is referenced; like anything, you can find different traces of information and you can learn so much just by following this reference rabbit hole. And this is available at this link if you wish to study it further.

Now let's take a look at the same information from a compliance lens. What does that look like? If we look at essentially the same thing but from a compliance standpoint, then a good reference point would be SP 800-53 R5. What does that look like? From a compliance lens it looks like RA-1, Policies and Procedures. That gives us the control; if you remember, we had a slide regarding what the different components of a control are, as given to us through NIST. So we have: develop, document, and disseminate an organizational-level, mission/business process-level, or system-level risk assessment policy. Now we are getting a little more concrete here, whereas the first couple of steps are a lot more abstract and a lot more strategic; this is a lot more functional, where this is the first place where we are going to have a product defined, which is a policy for a risk assessment. Now we are getting to the point where we've come all the way from abstract to, all right, let's define a policy to have a risk assessment. Now we're coming somewhere a little bit more concrete, which does what? Addresses purpose, scope, roles, and responsibilities. So now this is giving us the components of the risk assessment policy, where, what does that mean? It needs to have a purpose, like, for example, it could be as simple as, let's perform a risk assessment; then it needs to have a scope, regarding what, let's say cybersecurity risk; then who needs to be involved. And we don't have to have all of these answers; we can take references from other standards. So for example, who needs to be involved? The head of the agency needs to be involved, from another reference standpoint. So within the control we have, you know, let's define roles and responsibilities, management's commitment, and other things, and make sure it's compliant with laws, regulations, executive orders, etc. etc. Then let's have some procedures in place to facilitate the implementation of the risk assessment policy, let's designate some people to actually carry it out, let's review and update the risk assessment on a periodic basis, etc. etc.

So we came at this information object of our cybersecurity risk from three different lenses, which are governance, risk, and compliance, and using all these three lenses we were able to form a more complete picture of what exactly we are talking about, like what does it mean to know something, you know. So we are trying to understand all the different aspects of this information object, of this logical structure. So how exactly do we optimize for compliance? There are some very simple, basic steps. Understand why exactly we are optimizing, the way we're looking at all this information together; one most common objective would be compliance. Find the most common controls from all these different standards and frameworks, to then study the same object using different lenses, and then narrow the focus of those lenses to such a degree that we are able to utilize it, we are able to actually execute it, using real-world practical constraints like time, money, manpower, etc. And then find the most common testing and evidence requirements. So what are we trying to get compliant against? For example, an organization might have many different compliance requirements, like GDPR, CCPA, HIPAA, PII, PCI, ePHI, etc. etc. So understanding what different compliance requirements exist, and then narrowing our focus in such a way that we are able to find the least common denominator for compliance objects, and then try to optimize it in such a way that we can utilize very limited resources to study it and give the regulators and auditors what they need. So, the most optimal path to compliance. This is an example of something like that: when you follow this entire process of trying to break down everything, and then going through the process of trying to study what it takes to get compliant, you end up with something like this, where you have all these different ways of trying to get compliant with something, which is NIST CSF, ISO 27001, COBIT 2019, PCI DSS, GDPR, HIPAA, etc. And if we go back and try to remember, we started to understand cybersecurity risk, and these are the different identifiers where all of that information can come together, and we can feed it into these using basically the same kind of evidence, same kind of testing, similar enough where it can get through compliance. So yes, compliance is the objective, and so many layers behind that is, like, trying to understand what it means to know what our cybersecurity risks are. And so the more simple it looks, the harder it was to create, and that's why multi-framework optimization can be a bit of a mathematical art. Full disclosure, I have done quite a few of these with a lot more frameworks in my day jobs, and I made this last night using AI, because, well, obviously I can't take those things with me as I leave that job.

And here's where I touch upon AI. Let's get into some memes, shall we? So what today people think about AI is nothing but statistics that is reframed as machine learning that is reframed as artificial intelligence, and that's where a lot of confusion arises. The AIs that we have today are very, very, shall I say, acting as if they're smart. They're really good at referencing and cross-referencing information without actually understanding anything. That's why my question to you was, like, how do we know that we know, what does it mean to know something, and that's where we are in cybersecurity today, on a very high level. This is an entry point, but it's very important to understand what we know so far so that we can understand what we don't know. This is where AI is at currently, and a lot of people don't know that, and this is why it's important, because AI can spit out tables like this; you can tell it exactly what it needs to know and understand to spit out a table like this. Because I'm such a massive nerd in information sciences, and, you know, trying to break down information objects, like I study things from a mathematical lens, I know what to tell AI to get this out, and I also know when it goes wrong, and I also know what it doesn't know, and the reason why I know that it doesn't know something is because I know it. A lot of fear, uncertainty, and doubt has entered into a lot of people's minds regarding AI, because people are trying to implement it to solve problems on an industrial scale in such a way that it's starting to seem like it's eliminating jobs. In reality, all those who are pivoting too hard into AI, I want to give them a cautionary lesson that this is what AI understands about reality. If you tell AI to give you a picture of salmon in the river, this is what it understands about salmon in the river, and unless you actually understand how AI works, or can program it or create your own, you won't understand that it's actually pretty stupid. So you cannot replace human intelligence with artificial intelligence. Human intelligence, I don't know what your beliefs are, but in my belief we were created by a much higher Creator, and as lower creators, when we try to create our own version of lower creation of intelligence, we are not that good yet. So, you know, for what it's worth, from an expert in information sciences: don't worry about AI, if I can leave you with anything at all today. Yes,

Sir, this one? ChatGPT-4. So yeah, if I can leave you with anything, one of the things is this: if AI can do this, then what's the point in learning this complicated way of going about learning about information and knowledge and science? Because that way you know enough to understand that AI is stupid. Even if you can create a table like this, I can create a table like this because I understand the subject so well that I can make AI do this, and I also know what AI can't do. So even if you can get tables like this, and a lot of people might be fooled into thinking that, oh yeah, we can replace jobs with this, you can't, especially not jobs in intelligence, cyber security, risk management, a lot of things that require actual abstract thinking. Like they say, you won't understand what somebody has gone through unless you walk a mile in their shoes. And so pardon my language here, but in the previous presentation I saw somebody reference that you shouldn't reinvent the wheel. Well, there is a major advantage in reinventing the wheel: you get to learn every single lesson that they had to solve to invent the wheel in the first place. And if you have one good wheel you can make a reference of it and then keep creating, but if you don't know how to create the first wheel and your reference frame gets broken, then you end up with things like this. So yes, there is a very important reason why you should learn how to optimize for multiple frameworks, even if somebody might tell you, hey, we can just get the AI to create this. It's because the people who are telling you that don't understand how AI works. So if I can leave you with anything, it's that: try to reinvent more wheels and don't worry about AI. Have faith. Any questions? Yes sir.

Without G, how long it for someone like me? Four hours. Hours, yes. I have no idea, yeah.

Like, so let's get a reference point. I like to make data-based decisions; I like to stay in objectivity as much as possible. So when I say someone like me, regardless of my own subjective opinion of myself, let's go off of objective metrics of what I have. So when I say for someone like me, four hours, this is what it takes to actually understand the data science and the information science behind it, right? And the thing is that the table is simply a point-in-time product. The table is there as a control mechanism, to show an auditor: do I know what I'm doing? I know what I'm doing, right? The table isn't going to... the table doesn't do any work. I do the work, you do the work, our CTOs, CIOs, CISOs do the work, our analysts do the work. What they document that they have done is not what they have done; that's only the documentation, right? Think about it this way: when you take your car to a mechanic and the mechanic writes you a bill, like, hey, this is what I did, the bill in itself didn't fix the car. Just because he wrote the bill doesn't mean the car is fixed; he still has to fix the car. So all that table, all that documentation, all of that analysis and documentation, it's just like writing the bill. Sometimes people get confused, like evidence is the work. No, evidence is not the work. When we submit that, that's why it gets so abstract now in governance, risk and compliance.

Your GPT, even if you have complete synchronization, where you have information object manipulation done by artificial intelligence, okay, let's get really abstract here. You have a data set on a server somewhere, you have an application server with ChatGPT or your own version of AI running on it, okay. You can use it to manipulate data. Okay, just because you can use it to manipulate data, and it does manipulate the data, doesn't mean it did it right.

Yes, right. And there is... so, I'm not against automation, let's be clear about that. I'm not advising against automation, but the fact of the matter is, when you get into something as abstract as, you know, what is reality, what is knowledge, our worlds are colliding together now with VR and AR and machines running so many things; so many IoT devices have already come in. And whether it's a blessing or a curse that I've seen things that are going to come in the future for like 20 years or something like that, the line where our physical reality and digital space changes is very thin even today, because think about it this way. Let's talk about it from a pure information science standpoint. A lot of what humans perceive as reality is based on psychology, right? There is no such thing as color. Yes, there are wavelengths and things like that, but what we see as color is actually our own imagination. Do we have consensus about that, or any differences? So yes, yeah. So there is objective... I love objectivity, I stick to objectivity like anything, but the fact of the matter is our brain as an information processing system is primarily subjective in nature. There is objective reality, it definitely exists; however, what you perceive is not objective reality. And so take for example social media, take for example faith and religion, take for example dreams. When you step out of the house, what you experience as reality, in the senses that you are able to detect and describe, and the reality that actually exists are vastly different, and this has been proven through many experiments. I don't have references for that because I wasn't planning on getting this abstract in a GRC discussion, but you, my friend, have actually touched on a very key discussion that we all as people need to be having, which is, let's say, take for example information manipulation, gaslighting. When something like that happens, it's so messed up for people on the receiving end of it that they don't even know it's happening. They know something is wrong, but it really messes with people, and to a smaller degree, I don't want to go too off key here, but the fact of the matter is, when you take in information about anything, let's say you've taken in enough information through social media from a biased source... yes sir, I ask a question about... uh, when you take in information from a biased source, it changes your neural pathways, literally. It changes the way you perceive reality; it literally rewires your brain, just like learning a new language, but worse. Yes sir? What was the hours? No, no, no.

Work optimization: if I were to do this table, follow this entire process... oh, the whole entire process, yeah, for all the frameworks that are listed, it would take me 4 hours to get to this. That's for me, yes, for me. Me too. Yes sir. For people who actually know this... people that make...


Exactly, and that's where we start getting a little... You can use it as a tool, but you have to validate it yourself. For... exactly. And so how do you validate something? You validate something by using the knowledge that you already have. Now, if I can start influencing the knowledge that you already have, now we're starting to get into stuff that, you know, I can't unsee.

I get it, of course.

This, 100%. I thought this, yeah. Yes ma'am. For the comp... you up the policies and the CIS, one of those subies have a policy or procedure or both? Okay, so let's talk about compliance. Compliance is... so what compliance attempts to do, from a... this is where compliance has evolved to currently: we have different sets of experts trying to come to, you know, the same information object, essentially. Currently, where compliance books are coming from is, let's go from the point of view of evidence of work, the bill for repairing the truck. So currently compliance books are looking at the bill for repairing the truck, and so that's where this table comes in, where we have, let's say, whether risk management objects are established or not. How do you verify that? You verify that from the point of view of whether you have evidence for it, what can be objectively verified. So let's say you have this part and this part but you don't have the third part; then you don't meet this objective completely, depending on the compliance standard that you're approaching. So if you have a policy and procedure... uh, could you please repeat your question, madam? Okay, so like when I go through CSF, the controls in there, and we drill down a little further, I think it was CIS that we used to go see a lot of, yes, procedures and procedures, a lot of pushback saying no, we don't need a policy. But I'm like, if it's calling for it, or even if it's another framework or what have you that we like to line up those controls with, or crosswalk: if they all say you should have one and you don't, then you don't satisfy it. You are absolutely right, yes.

Yes, may that risk Cy, right, that way it's not part of their baseline; now they have to justify they... but that's a thator leers of that thatal Havey back, yeah, Andy employees.

Compar... yes, the organ...

C AC, but say no, you better write that policy, write that procedure, and you...

Local government in Florida, uh, yeah, they need to have that, we have to do it. Yes, we don't have the option to say no, we're not going to do it. Fed, FISMA... I don't know what else would be applicable for the C... I see, so that's downstream from... um, uh, I haven't...

Yeah, organization for ating cloud bis is a federal government policy process; state and local government also follow...

Going...

Bas... additional responsibility of the organization for a mission or system owner to another assessment, make theyig...

Customer, State of Florida, right. So there's two assessments to have, because the provider's security of the cloud and me as a customer, security in the cloud: they're going to give me tools, but I have to know how to use the tools to be able to encp...

Mya... so you want to be careful, because it's out of the scope of GRC. Well, technically we're still talking about compliance, and, yeah, I mean, governance does imply people, process, technology, and when we have people, everything else comes into scope that we discussed: our human brain as an information processing system, how we perceive things, that does become important. I believe our first speaker of the day also addressed the fact that, for cyber security professionals, our psychology can be a vulnerability. So we're getting pretty abstract nowadays. I do believe we are...

I am more than happy to have any discussions with anybody that would want to for the next hour or so, but I do want to be mindful of... Yes sir. [Applause]
