
Our next speaker is R.J. Sutler. He's a principal IT security engineer and a cyber security practitioner with more than eight years of hands-on experience in penetration testing of network infrastructure, web applications, and social engineering assessments. Recently he was moved from the red to the blue team to help organizations understand cyber risk, navigate regulatory requirements, and proactively identify threats within their infrastructure. So, welcome to the stage R.J. Sudlow, with "CIMA Statement of Guidance and How to Navigate the New Regulations."

[Applause]

Perfect. What a great introduction. That normally sounds good at presentations that don't also include the likes of people from Cisco and biohackers and whatnot, so I appreciate it, thank you. Thank you everybody for coming out. A quick little word: thank you for coming to support B-Sides as well. I know we've got a lot of good presenters here, and it's good to see some faces and see some community here driven around cyber security in Cayman.

A little bit about me. As it said, I was a red teamer for the last eight years, working at a public accounting firm in the U.S. I cut my teeth by doing penetration tests on a weekly basis, pretty much in every vertical and organization size you could think of. As I grew up, I started as a pen tester, moved to team lead and then manager. Obviously, by osmosis I had to work with some of the other cyber compliance teams, so I picked up some of the tools of the trade when it came to helping them identify what the results from our pen tests were for assessing for SOC reports or ISO compliance and so on and so forth, and so I kind of got a unique blend of being in the purple team as well. Professionally, I am a cyber practice lead for an MSP here on island. I came down to try and help elevate cyber security levels for not only our organization but also for the customers that we oversee. And then recently, the one that I'm really proud of, mostly just because there's a lot of other divers on the presentation panel and I wanted to show off and flex a little bit: I'm a recent dive master. Sometimes I can get some decent underwater pictures, like this little turtle that I saw over at Eden Rock. For those of you that aren't divers, sorry, that's just my little shameless plug that I put out there.

So what's on the agenda for today? We'll get into it a little bit, but CIMA's Statement of Guidance for cyber security really just touches on how regulated entities need to work with and deal with cyber risk as an organization. So we'll go over basically what it is, what some of the hard requirements are, what some of the recommendations are that they put in, key takeaways, and probably talk a little bit about what the Statement of Guidance's future may look like.

A word for all of you on what's going to be in it for you. Unfortunately, I am the one thing keeping you from getting more coffee. You're not going to hurt my feelings if you need more coffee to stay awake during this presentation, just because it may be a little dry. That's just because with the Statement of Guidance there were some times I had to use specific excerpts to be able to put it in and tie it to some bullet points. For those of you that are visitors to the islands, you may be able to find some little nuggets to take away, just to see where Cayman is in our cyber security maturity levels. It may help you harken back, if you're coming from a country or location that may be more regulated, to see where we are and probably where it's going to take us in the future. I tried to also break down some of the examples that they put specifically in the Statement of Guidance and what the requirements are, and just put them into common terms. As I was doing this presentation, and as I've spoken with different organizations and customers of mine on island, I kept coming back to: how do I just make this kind of the SparkNotes of the Statement of Guidance, right, for organizations that are worried about cyber risk and haven't really had to deal with it beforehand? What are the quick bullet points you can give them? Again, it also heavily references the Statement of Guidance. As I was coming up with the SparkNotes, I realized that I'm probably going to have to PDF this up and send it to people, so if you want a copy of this, feel free to reach out to me afterwards. I try to put references for whatever I'm saying as kind of the proof in the pudding as it ties to the Statement of Guidance and the associated rule. Hopefully this is going to help you should CIMA come knocking on your door, as you have to start going through those regulations and you get the regulators coming in to do their examinations as a regulated entity.

So without further ado, we're going to talk about what the CIMA Statement of Guidance is. CIMA really is breaking it down into three different entities or three different items, right. The first one I tried to highlight as well: essentially it's just intended to provide guidance to regulated entities on cyber security as a whole, and it sets what CIMA's, the Cayman Islands Monetary Authority's, minimum expectation is in relation to the management of cyber security risks. It applies to all regulated entities. I think the subsection is if you're working for a specific type of mutual fund on island, but I was a business major that kind of flunked all the finance terms, so I'm not sure what the specific variations would be on what makes it regulated and what not based on the funds, but I know there is that little subsection in there.

So the Statement of Guidance as a whole, in case you haven't read it or you just want the TL;DR because it's too long or you didn't read it: it essentially requires all regulated entities to care about cyber threats. It puts the impetus, from whatever vendor product you may be using, on you as the regulated entity to make sure you're doing all the right things to protect your fund and also all of the data that you have. Again, it applies to all of the different regulated entities on island, and it ties in really nicely into the Cayman Data Protection Act. I think that realistically what we're going to see is these two work synonymously, really helping organizations on island have to take care of cyber security risk, and then it's probably going to spill out and start applying to organizations that are not regulated entities.

One thing that's worth noting is in CIMA Rule 5.4, item (a), they do call out that any regulated entity that has an outsourcing agreement or has to use a third-party vendor needs to make sure that the vendor they're choosing also adheres to all these different guidelines. So if you're a service provider or a third-party assessor, even though you're not going to get your door knocked on by CIMA, your customers do basically have the right to say, "Hey, for vendor due diligence we're going to go somewhere else, just because it's our skin in the game. We don't really want to be held liable because you're not doing what you're supposed to."

So what are really the hard requirements? We could probably go over this, leave these bullet points here and then just call it a day, and everybody gets coffee earlier. But what I wanted to do was highlight again the really pertinent parts for the requirements. There's really just three specific ones. Item (a) in 5.1 basically says an organization, a regulated entity, must establish, implement and maintain a documented cyber security framework. We'll get into what that is a little bit later. Here's where it's a little bit more reading, but basically that framework and all of the other risk management strategies need to be well documented. You have to make sure you have IT security policies and procedures, you need to make sure that you're showing managerial responsibilities and controls, and then there also needs to be a process, again clearly documented and effective, for responding to, containing, and recovering from cyber attacks, breaches and incidents. The last one, item (c), essentially says that it needs to go through a regular review to constantly look at new and emerging threats within the cyber security and IT threat landscape. Again, very standard things, but when it's written in the Statement of Guidance and the associated rule, it can kind of get lost in translation a little bit. So I also gave another TL;DR for anybody that didn't read it or didn't want to go through it. Three main things: come up with a cyber security framework, make sure you've got documented procedures and controls, and do a cyclical review of emerging threats.

The nice part is we're going to go through what the requirements breakdowns are for a cyber security framework. For those of you that may not be familiar with it or haven't implemented one before, this can seem kind of like a bit of a mountain to climb, right. Really, all a cyber security framework is, if you take all the scary words and verbiage out of it, is just guidance based on existing standards for managing and reducing cyber security risk. That's really all it is. It's just a collection of different things that dictate how an organization can move forward based on your entity, what type of risk you may have as an organization, how you're going to handle that, and what you're going to do to try and mitigate that moving forward for day-to-day operations. There are a lot of different frameworks that exist, and you want to make sure that you're choosing one that fits your organization. CIMA calls out specific ones like NIST, the CIS, ISO, so on and so forth, but you want to make sure that when you're implementing the cyber security framework you do a little bit of research, go online, and figure out what makes sense for you. If you're a regulated entity that's got three or four people, you don't need to go for ISO certification; that's like trying to bring a nuclear warhead to kill a fly, right. But if you're a larger organization that has multiple locations and Cayman is an office for it, it may make sense that the parent company or the other location has a more stringent framework that's implemented.

The last thing you want to make sure you're doing is that that cyber security framework is going to be deemed successful based on what types of baselines it defines, the procedures of how your organization is going to deal with that cyber risk. It's really meant to come up with, in that baseline, kind of a gap analysis of where your organization is and how far away it may be from that set of standards. You can start working with different types of cyber security maturity models if you want to; CMMC was another one that came out in the U.S. But essentially it's just trying to say, and this ties into what CIMA basically said earlier, here's what the minimum baseline is in order to meet this threshold; you've got to make sure that your cyber security framework is going to do these different subsections and get it sorted for you. The last thing it's really going to do is outline a strategy for security teams: what is something that needs to happen now, what needs to happen at the end of the quarter, what needs to happen in the next year, two, three years. It's really just trying to come up with a game plan to figure out what you need to do, again, to mitigate all that cyber security risk. It's really simple, it's not scary, and it's pretty well close to being hand-held when you implement a cyber security framework.

What I tried to do was basically put in here, again, kind of a little A-plus about specific things you need to do with the Statement of Guidance. What CIMA is calling out for you to have a successful implementation of a cyber security framework is: be clearly and well documented (item 6.2); make sure it's built for your organization, specific to those risk levels, right, what risk tolerance level you have, what it is you're willing to say "we're going to accept this risk," "we've mitigated it," "we're going to try and do risk transference by a third party," so on and so forth; and the last one is to make sure that you're doing cadence reviews and improvement cycles (6.7 and 6.8). The nice part is any cyber security framework is also going to tie into the rest of the requirements and basically the rest of what the Statement of Guidance is saying. When you're implementing a cyber security framework, it's going to go through all of those specific requirements in the Statement of Guidance. You can't have a cyber security framework implemented if you don't have IT policies and procedures. Those IT policies and procedures are going to help drive the organization. Wolfgang just talked about a great one for business continuity and disaster recovery. Dave spoke about some other ones as well, about wider end user awareness training and how you need to be able to get people involved. So again, there are a lot of experts here, not only on island but also presenting, that have touched on it, and if you were paying attention and taking notes it would be pretty easy to pick up on.

So the last thing that the cyber security framework is going to touch base on and make sure you've got implemented are any of the technical controls that are tied to cyber risk: essentially mapping out what our risk is, what our exposure looks like for different types of threats, what technical controls we have in place, not only human controls, policies and procedures, but making sure that you've got something handled in case an event came up.

So with that, we're going to get into some of the technical and procedural controls. As Wolfgang also just spoke about earlier, getting everything in from the top down: IT policies and procedures should drive everything at an organization. I, as a cyber security practitioner, will say that if you're going to actually have to go forward with this as a regulated entity, it makes sense, if you're going to implement policies and procedures, to have them actually do something, have them be effective and meaningful. Don't just put something in there just because you've got a piece of paper that you're only going to pull out whenever an incident happens or if you have something you need to react to as an organization. So don't check those boxes. The other thing that organizations should keep in mind too, especially for regulated ones here on island, just because Cayman is unique in the fact that a regulated entity may just be a three or four person shop, or it may also be a three or four person shop that's got a larger presence somewhere else in a different country: there's no real right way to say what policies you need, right. I can't just give you a tier list of the top four or five policies that everything should be done with. There are best practices, and there are things that should be implemented for every organization, but you want to make sure that it fits you. The other thing to note too is nobody really cares, and no examiner is going to come through and say "your policy is only four pages long, like it needs to be 400 pages long." It needs to fit your organization. If your policies and procedures need to have that much content to get through and basically say how your organization should react and what its data flows are, then sure, have it be 400 pages long. But you want to make sure it fits, it's concise, and it's meant to be something that is actually read and digested by those key stakeholders in your organization.

The technical and procedural controls also identify against cyber risk for your organization. This is included in the cyber security framework. If you're implementing something like the NIST Cybersecurity Framework, for instance, it's going to go through and essentially map all of your different controls to the cyber risk facing the organization. What are you doing for your backups? What do you have in place for EDR or mail-type threats? How are you measuring what identity protections you have cascading throughout your organization? What are you doing as an overarching control to make sure that your remote workforce and workers are locked down when they're trying to access things internally? Again, this is all mapped to a specific cyber security framework that you're going to have implemented.

And the last one that helps with this too, on this slide, is having third-party attestation reports, mostly because what it's going to do is validate that the implementation you have is successful, it's working, and it's also going to help reduce bias. You could say, if you wanted to, that in an afternoon you've implemented an entire cyber security framework and just given it a check mark, talked to the CIO and said "yep, we're good, we're golden." It does not matter; again, that's just you saying that. Until it's actually been implemented and you have someone to check it, you're bringing in either an expert or somebody else who's gone through an implementation to be able to say "we can validate that this has been done effectively, and it's something that we think is going to be successful in helping protect the business."

When you get to some of the other implemented technical controls, any good cyber security framework is going to call out, from a vendor-agnostic standpoint, what type of technical controls need to be in place for a certain type of risk. Looking again at your firewalls, your antivirus and your EDR tools, your event log management, how are you doing protections for your mail, network and identity? These are all different things that are called out in any type of cyber security framework, whether you're choosing NIST or COBIT or CIS, to make sure that you can see from a 50,000 foot view: if this happens, then this control is going to be in place to give us some sort of protection.

The last thing that the Statement of Guidance calls out, and I think this is going to be pretty evident from some of the other presentations that we have later today with biohacking and some of the other ones tomorrow, is that end user awareness training is key and is paramount to all of the cyber security frameworks. You could have a castle that's got walls that are 80,000 feet tall and 15 miles thick, and you've got a moat with sharks that have lasers on their heads waiting to keep everybody out, but if somebody lets them in through the back door, all of that is for naught; they've already got access to everything. So what you want to make sure that you're doing, and the Statement of Guidance calls this out specifically, by calling it out in the framework as well, is periodic tests to make sure that those end user awareness levels are at a specific level. You want to make sure when you're carrying out these tests too, and any cyber security framework is going to call this out as well, that this is not meant to discipline users. It's meant to help figure out where we are and how far we need to go to get to the level of acceptance that we want to have to meet the maturity model within our cyber security framework.

So coming to that second requirement, about the technical and procedural controls, I want to take a little bit of time to cover some of what those policies would be that I would expect to see and what every organization should have, right. Your overarching IT policy, which basically just outlines how an organization and employees interact with data and different resources. Your security policy, obviously defining what the protections and processes are in place for said resources. If you're a smaller organization you can combine some of these; you can make them match and mold them as you need to, but the more important thing is you need to make sure that you've got the specific content and they're actually speaking to these specific items. The IR policy, or incident response, basically defines teams and processes and procedures to deal with various types of incidents, not only from a technical and a security incident standpoint but also any other type of natural disaster that may happen as well, which ties directly into the last one, which is your data breach policy: again, how you're going to deal with what a data breach may look like in your organization. If there are specific regulatory requirements you may have (shout out to the Ombudsman that's here), and we have to report everything that needs to be self-reported within a certain amount of time, you want to make sure that's listed in there, along with the person who's going to take the heat when they have to have communications back and forth.

Three more that we're going to touch on just briefly at a high level. This ties into the end user awareness that we were speaking about before: the acceptable use policy. How are users able to actually work with IT resources that belong to an organization? Are you restricting what they're supposed to be able to access on their phone or on their email? How are they supposed to use their web browser? Are you okay with people being on event pro to figure out when the next one that's going to happen that they can go to is, and when they should be working? So this all ties into, again, these policies that should drive how an organization works. The second to last one is a privacy policy. This is especially evident in the days of GDPR, the Cayman Data Protection Act and everything else, basically to say how an organization receives and works with customer PII, PII being personally identifiable information: making sure that you've got a specific use case for it, you're treating it appropriately, and you're holding on to it for only as long as you need to. The last one is one that I like seeing, because this will help you go from "we've got a basic standard of controls and policies" to the next iteration, or the next evolution, of the policies that could be that much better: a data classification policy. It basically dictates what data you have, what sensitivity it may be, whether it's going to be public, private, confidential, business confidential, and essentially what safeguards you have for that type of data.

So what are we going to do to get an A-plus when CIMA comes through? Again, in item 7.2 (a) through (b), we're going to create cyber security for risk management, we're going to create some IT policies and procedures as listed in 6.2 and 7.2 (b), (d) and (e), and then we're going to utilize some proven technical controls, something that's tried and true, again vendor agnostic. It doesn't matter whether you're using a Cisco or a Palo Alto firewall, or what type of EDR tool you're using; just make sure you have something that is working and configured appropriately.

So the last thing, and this is probably the easiest one to talk about as a requirement, is cyclical reviews. Anybody that's worked in security, or pretty much IT in general, will tell you that what happened five years ago and was the norm is not going to be the same as what happens in the next five years. When I started in cyber security in the tail end of 2012, if you had told me that ransomware was going to be a thing that was going to have dedicated help desks, to make sure that anybody who can't pay a ransom is going to get 30 minutes of support to help them pay hackers to unlock their data, I would not have believed you. So you need to make sure that you're staying on top of what those threats are, and you want to make sure that you're figuring out how your organization needs to respond. The best way to do that is to have a dedicated role, either as a cyber security manager or a CISO, so on and so forth, but you need to have some person that's responsible for dictating how an organization needs to respond to new and emerging threats. The best way to do that is to be trying to have constant betterment. You want to perform kind of a positive feedback loop, right. It doesn't make sense if security always just exists in a silo: "you let us know, we'll see if we have budget to stop that threat, maybe we'll get to it next week, who knows, we'll figure it out." You want to find a way for whoever that person is that's responsible for cyber security, whether it be in a leadership position, a subset of IT or IT teams in general, or a third party, to be able to get the attention that they need to say "hey, this is something, wake up, you know, we've got to figure out how we're going to deal with this new threat that comes in."

The last one is, the best way to identify those new and emerging threats, and this is a shameless plug for B-Sides: there are common interest groups that you could be involved in. There are plenty that are online that you can be a part of; local things like B-Sides are good for this. There are some people speaking from MITRE ATT&CK later that are going to talk about how you can map specific threats from a certain type of state actor to a specific organization in a region or a type of industry: what type of things to look for, what those attack patterns are, how you know what that data looks like, to be able to better protect yourself. The other thing that you can always do too, which is not as much fun as going to a conference like this, is to read vendor alerts for vulnerabilities that come out, right. If you get a blast email from Fortinet saying that there's a new exploit that's available and there are new CVEs that have been discovered, you know you need to patch. Make sure you read them, understand what's happening, or give that to the person that's in the dedicated leadership role for cyber security to read and help them update that cyber security framework for how you react to those threats. I think one of the most recent ones was Log4j. It kind of caught everybody with their pants down, because everybody's like "I don't use Java in my organization." "What about Apache?" "Yeah, you got me right there, okay, we need to go back and revisit that." So having that person that's dedicated in that leadership role, or someone that's responsible for cyber security and constant betterment, is going to help your organization.

So what do we do to get an A-plus when CIMA comes through? Again, regular reviews of the cyber security framework and associated policies and procedures, making sure that those policies and procedures are going through a standard cadence of being reviewed. Most organizations do it annually; that's fine. If you have any big overarching changes to the organization or the way data interacts with your organization, I would say update it right afterwards. Dedicated roles. Creating a feedback loop; a feedback loop is specifically called out in the Statement of Guidance. I would say that they're most likely going to eventually look for some sort of meeting minutes or notes to be able to say "hey, we noticed an alert, we noticed some type of event that either needed to get escalated and dealt with or was a near miss. How are we going to deal with things like that in the future?" I'm sure they're going to want to be able to see things like that. And lastly, we need to see ownership by senior leadership.

So what I will do, as I take a sip of water, is we'll go through what some of the recommendations are. CIMA was so gracious to give us three specific requirements and then kind of just sprinkle in some recommendations throughout the rest of the Statement of Guidance. They're kind of haphazardly placed through the Statement of Guidance. For me, again, I'm a cyber security practitioner, so I'm not going to be the guy that just says "yep, check boxes, you're good, send it over the fence, let the next security guy deal with it." So these are things that you should just do, right. We would also, and I say "we" because I'm saying this on behalf of all the cyber security professionals that have read the Statement of Guidance, these are most likely going to become hard requirements in version 2 when it comes out. Again, I can't really reiterate this enough: you should really just do these, because they kind of will be tied into your cyber security framework anyway, and as you start getting third-party attestation reports you want to be able to say "yep, we've got the gold star, check plus, A-plus-plus, we're good to go."

So, R.J., what are those recommendations? Well, I've got them up here, and I also tied them directly to the CIMA Statement of Guidance. Again, the third-party attestation reports are something that they highly recommend; they have a whole dedicated section on that, and again I think that's going to be something that could become very much a requirement moving forward, saying "okay, great, you've implemented a cyber security framework, that's great for version one; let's drill into it and see what somebody else who has a cyber security framework implemented says about your work. Are they going to be able to verify it and say this is great? You know, there may be some things they need to work on, but this is a good solid foundation for their organization." They also recommend specific penetration testing and vulnerability assessments. You can tie this into a third-party attestation report. This is really just working with a cyber security company, whether it be one on island, a third-party office, whatever, to essentially act as an adversary and figure out where those threats exist in your organization: can they be exploited, what data can you get to? CIMA calls it out as a recommendation, and then also kind of a soft requirement when it comes to your end user awareness training, but they did harp on this in two different sections. So I think this is something that if you're going to make an IT policy, you want to make sure you've got your acceptable use and your end user awareness policy, and you're doing constant reviews, making sure that they just understand, at whatever cadence you want, whether it be annually or you do it every 18 months, however you wish, what threats they face on a day-to-day basis, how they should react to it, and then when they should just say "I'm going to pull the rip cord and get someone else to look at this, because this is above my pay grade; I don't know what this is, but I don't want to cause any detriment to the company."

The last one, and this is where it kind of ties into that section that I mentioned beforehand at the beginning of the presentation, for third parties and managed service providers, is they really, really harp on vendor due diligence. Vendor due diligence, if you're not familiar with it, is essentially just doing a suss-out test of anybody you're working with, to say "yep, we chose this person as our cloud provider," or "we chose this person as somebody that's going to handle our IT outsourcing agreement, and we verified that the standards that they hold themselves to are the same ones that we hold ourselves to." That way you can make sure that you've got a little bit of a CYA; you're making sure that you're doing business with someone else that is verified as actually doing the things they say they're doing. Has anybody heard, or does anybody know, how the Target breach happened a couple of years ago, I think probably like six years now, right? Supply chain, right. And again, you could probably make the argument that there were other things that were happening, right, as far as maybe they should have been on the same network as some of their vendors, so on and so forth, but again it was their vendor due diligence. The way Target got breached was one of their HVAC vendors got hacked. It had nothing to do with Target, but because they were on the same network, they were able to get in through one of their vendors; once they had a foothold, then they moved over to Target. So again, this is kind of an easy example, and you could make the argument that that's vendor due diligence, right, but you would also certainly find that by the third-party attestation reports, doing pen testing, doing vulnerability assessments. It's all very cyclical, but you want to make sure that anybody you're working with, especially in IT, and especially if you're an organization that doesn't have a dedicated internal team and you've got an outsourcing agreement, you've checked them out, they've gone through the suss test, because at the end of the day it's not the third party that's going to be liable, it's you.

So what are some key takeaways that we have for this? Well, the first one is again finding a cyber security framework that's specific to your organization. The implementation is going to tackle the Statement of Guidance requirements anyway; there's no way you can implement a Statement of Guidance or a cyber security framework without actually getting through all the different things that would be required. So finding one and implementing it, working with a third party that's gone through this process and these procedures beforehand, is absolutely going to be able to take you across the finish line. The second one would be creating IT policies that are actually useful, right. We talked about it a little bit before: don't just write it and have one that is a policy that you've created and you touched on it once, maybe a couple of months ago you've updated some things, since then you've changed the way people work remotely, and then you just don't look at it. That's just not useful for anybody, and again, as an organization you need to be better than that. For people that are worried about what policies they should use, or how they go about them, there are a lot of free policy templates that are available online, but again, please keep in mind that they are just that, they're templates. They're meant for you to tweak them and move them and massage them to what works for your organization, and not specifically just say "yeah, whatever PurpleSec says is exactly what I'm going to put in my organization; those are the same data classification policies we're going to have," and match it up. It may work, but again you need to have some way to verify that and look over that information. When you're creating these policies, it's really important to involve all of the key stakeholders. What you don't want to do is create a policy and then write it from a specific IT level, right, that matches up with the IT department, and then just give it to senior leadership, and they look at it, kick it back and say "what is this, this
this doesn't work for our business model right you didn't work with different teams you didn't figure out how these data flows are going to affect someone else on a different department or accounting is going to be able to kick this back because they've got an application that can't meet these recovery type recovery time applications so you want to make sure that you're including all of the key people the third takeaway is going to be fostering a culture of cyber security awareness again this is probably the fourth or fifth time i've talked about awareness specifically end user awareness but having a culture of positivity and understanding what those threats are in the workplace and what they see on a
day-to-day basis is going to make your organization that much better i've heard people refer to the uh every user and every day that they're walking in they're kind of you want to train and be a cyber ninja right you want to train them to be diligent what are they expecting when they have it when they log in and they check their outlook for the day what type of threats are they expecting if they get some data being sent to them and how do they interact with it you can call them that if you want but really you just need to make sure that everyone understands what the threats are and they really know exactly how to act
with that um the last takeaway that i would say is also again and i cannot harp on it enough is doing periodic third-party reviews um this is just this is just the right way of doing it right uh you could sit there and say that i'm a contractor i watched a youtube video one time of like somebody building a house right it was just like a 10 minute video but i get it dig some holes put some posts in there throw some floor joists in together done solid ready to go all of a sudden you get a tropical storm that comes through and cayman that house is not going to make it there's different regulations and
requirements for having third-party people come through because they can help validate that what you're doing is being done effectively and that's what the real real benefit is in having a third-party assessment so as i close i'll stop here and ask a little bit if there's questions if there's not that's fine um i will be able to pdf this up send it over to you again i tried to write this as kind of just a spark note to be able to say uh you know this is just meant to be a quick reference guide but i guess i will hand it over to anyone in the audience if there's any questions specifically about cyber security uh or specific to the cyber
security to uh the statement guidance that's honest yes
i would say that that the correct answer for reporting back needs to be dictated by what you have in your policies and procedures as far as be able to effectively give back to management what it is that we're good what where were successful when we're not successful right so if you need to be able to give some hard evidence back to uh key management you want to be able to say from a very high level here's something that happens right so if we take an example for let's say someone clicked on a phishing email a simple one right and then their account was compromised i if i was senior leadership i would like to be
able to say here's what time that incident happened here's how long it took us to identify it it took us to kind of wrap our hands around the rule and then be able to ultimately remediate that finding that would be the first thing i would want and then the next follow-up will most likely be what was the root failure right what is it that we think we can implement why was it something that was able to get back and then ultimately go back into your lessons learned and then be able to say how do we prove that to not be happen in the future how do we then have that cyclical and that constant feedback
group to be able to say hey yep we had a mistake either something wasn't implemented or configured appropriately how do we keep this from happening in the future so that's just an easy example but it may be that you want more detail based on what your policies and procedures are or it may be based on the severity of the data that's going through base and again on your data classification policy so kind of a loaded unloaded answer like is also a non-committal answer but there's a lot of different ways you could skin that cat perfect anyone else all right well that's that's everything that i've got i appreciate y'all have a good one