Certified: The CISSP Audio Course

Episode 1: What Is the CISSP and Why It Matters

Dr. Jason Edwards — Sun, 22 Jun 2025 18:11:10 -0500

In this foundational episode, we introduce the Certified Information Systems Security Professional—better known as the CISSP. You’ll learn what the certification represents, who it’s designed for, and why it continues to be considered the gold standard for cybersecurity professionals around the world. We explore how the CISSP stands apart from other security credentials, what it proves about your skills, and how it fits into the broader cybersecurity career ecosystem. Whether you’re pursuing technical leadership, governance, or executive-level roles, understanding the CISSP’s value is the first step toward strategic career development.

Episode 2: CISSP vs. Other Certifications: Which One’s Right for You?

Dr. Jason Edwards — Sun, 22 Jun 2025 18:11:59 -0500

Choosing the right cybersecurity certification can shape your career for years to come. In this episode, we compare the CISSP to other well-known certifications including CompTIA Security+, CISM, CRISC, and CEH. We examine how these credentials differ in focus, experience level, and strategic alignment—helping you understand which path fits your background and goals. Whether you're looking for a technical launchpad or a management-level credential, this discussion highlights where the CISSP stands in the broader certification landscape and how it fits into a layered learning and professional development plan.

Episode 3: Career Impact of the CISSP: Roles, Salaries, Growth

Dr. Jason Edwards — Sun, 22 Jun 2025 18:12:50 -0500

The CISSP isn’t just a certification—it’s a powerful career accelerator. This episode breaks down how earning your CISSP can open doors to high-level roles, raise your earning potential, and give you access to new leadership opportunities in the cybersecurity field. We cover the types of positions typically held by CISSP-certified professionals, explore industry data on salary trends, and discuss how employers view this credential during the hiring process. If you're wondering whether the CISSP is worth the investment, this episode lays out the tangible career benefits that come with certification.

Episode 4: How to Study and Pass the CISSP Exam: Resources and Mindset

Dr. Jason Edwards — Sun, 22 Jun 2025 18:13:42 -0500

Success on the CISSP exam requires more than memorizing facts—it takes a strategy, the right materials, and a focused mindset. In this episode, we walk through the most effective ways to prepare for the test, from selecting the right books and practice exams to choosing between self-paced and instructor-led training. We also talk about managing study timelines, pacing your progress, and mentally preparing for the adaptive test environment. If you're committed to passing the CISSP on your first attempt, this episode will give you the tools and confidence to build a structured and effective study plan.

Episode 5: The CIA Triad: Confidentiality, Integrity, Availability

Dr. Jason Edwards — Sun, 22 Jun 2025 18:14:45 -0500

Every cybersecurity professional must understand the CIA triad—confidentiality, integrity, and availability. These three pillars form the core of nearly every security strategy, policy, and control. In this episode, we break down what each term means, how they apply to real-world environments, and why balancing them is critical to risk management. You’ll learn how breaches in confidentiality, corruption of data integrity, or denial of availability can disrupt business operations and violate trust. This foundational concept is essential for mastering other topics across the CISSP domains.

Episode 6: Security Governance Principles: Frameworks and Strategy

Dr. Jason Edwards — Sun, 22 Jun 2025 18:15:40 -0500

Governance gives structure and direction to an organization’s cybersecurity efforts. In this episode, we explore what it means to build a security strategy aligned with business goals, risk appetite, and compliance obligations. You’ll learn about common governance frameworks such as NIST, ISO, and COBIT, and how they guide policy creation, control selection, and program management. We also discuss the importance of leadership involvement, accountability, and communication when establishing effective governance. Mastering these principles is key for any cybersecurity leader working at the strategic level.

Episode 7: Compliance Requirements: Legal, Regulatory, Contractual

Dr. Jason Edwards — Sun, 22 Jun 2025 18:16:54 -0500

Cybersecurity professionals must navigate a complex landscape of compliance obligations. This episode explains the differences between legal, regulatory, and contractual requirements, and how they impact your organization’s security posture. From privacy laws like GDPR and CCPA to industry frameworks such as HIPAA, PCI-DSS, and SOX, we explore what it takes to build and maintain compliance. We also address contractual security obligations that arise in third-party agreements. If you’re preparing for CISSP exam questions related to governance, law, and regulation, this episode provides critical clarity.

Episode 8: Organizational Roles and Responsibilities

Dr. Jason Edwards — Sun, 22 Jun 2025 18:17:52 -0500

Security is not the job of a single person or department—it’s a shared responsibility across the organization. In this episode, we examine the roles of executives, managers, security teams, end users, and third-party stakeholders in protecting assets and managing risk. You’ll learn about role-based access, segregation of duties, the function of a CISO, and the interplay between business units and IT. Understanding how responsibilities are distributed is essential for implementing effective governance, managing incidents, and ensuring organizational accountability.

Episode 9: Professional Ethics and (ISC)² Code of Ethics

Dr. Jason Edwards — Sun, 22 Jun 2025 18:18:43 -0500

Ethics are the backbone of trust in the cybersecurity profession. This episode explores the professional responsibilities outlined in the ISC² Code of Ethics, including the duty to protect society, act honorably, provide competent service, and advance the profession. We explain how these ethical canons apply to real-world decision-making and the consequences of ethical violations. As a CISSP candidate, demonstrating ethical judgment isn’t just part of the exam—it’s a lifelong obligation. This episode lays the ethical foundation for your professional conduct in and beyond the certification.

Episode 10: Risk Management Concepts: Threats, Vulnerabilities, Risk

Dr. Jason Edwards — Sun, 22 Jun 2025 18:19:28 -0500

Risk management is a cornerstone of cybersecurity, and this episode introduces the essential vocabulary and concepts you need to know. We define threats, vulnerabilities, likelihood, impact, and risk—and show how these elements interact in both assessments and real-world decision-making. You’ll also hear how organizations use risk tolerance and acceptance to prioritize controls and allocate resources. By mastering these fundamentals, you’ll be equipped to approach risk-based questions on the CISSP exam and to contribute to sound security decisions in your career.

Episode 11: Risk Response and Risk Appetite

Dr. Jason Edwards — Sun, 22 Jun 2025 18:20:17 -0500

Once a risk is identified and assessed, the next critical step is determining how to respond. In this episode, we examine the four primary risk response strategies: risk avoidance, risk mitigation, risk transference, and risk acceptance. We also clarify the concepts of risk appetite and risk tolerance, and how organizations use these to shape their security policies and control decisions. You'll learn how business objectives, regulatory pressure, and operational needs influence how much risk an organization is willing to take. Understanding these principles enables security professionals to align cybersecurity decisions with broader business goals.

Episode 12: Business Continuity Planning (BCP) Fundamentals

Dr. Jason Edwards — Sun, 22 Jun 2025 18:21:00 -0500

Business Continuity Planning, or BCP, is essential for maintaining operations during unexpected disruptions. This episode explores the key elements of a successful BCP strategy, including risk identification, business impact analysis, and recovery planning. We discuss how organizations determine critical functions, establish recovery priorities, and ensure that people, systems, and processes can recover efficiently. You’ll also learn the difference between BCP and disaster recovery, and why both are necessary for resilience. Mastering BCP concepts not only prepares you for the CISSP exam but helps you contribute to real-world continuity efforts.

Episode 13: Disaster Recovery Planning (DRP) and Continuity of Operations

Dr. Jason Edwards — Sun, 22 Jun 2025 18:21:46 -0500

Disaster Recovery Planning is a focused component of business continuity that addresses the rapid restoration of IT infrastructure and systems. In this episode, we explore how DRP helps organizations bounce back after major incidents such as natural disasters, cyberattacks, or system failures. You'll learn about recovery time objectives (RTOs), recovery point objectives (RPOs), and different recovery site strategies like hot, warm, and cold sites. We also explain how DRP integrates with continuity of operations to ensure both technology and essential services remain functional. This episode equips you with tools for designing robust recovery capabilities.

Episode 14: Security Policies, Standards, Procedures, and Guidelines

Dr. Jason Edwards — Sun, 22 Jun 2025 18:22:30 -0500

A strong cybersecurity program is built on clear and well-documented policies. In this episode, we break down the four foundational types of documentation: policies, standards, procedures, and guidelines. You'll learn how each plays a role in setting expectations, enforcing controls, and guiding behavior. We also explain who creates these documents, how they’re maintained, and why they matter for regulatory compliance and security culture. Understanding this documentation hierarchy is crucial for exam success and for implementing effective, enforceable cybersecurity programs in any organization.

Episode 15: Personnel Security: Background Checks, Policies, Termination

Dr. Jason Edwards — Sun, 22 Jun 2025 18:23:13 -0500

People are often the weakest link in cybersecurity, and managing personnel risk is a critical responsibility. In this episode, we discuss best practices for pre-employment screening, including background checks and reference validation. We also explore how organizations use security policies to govern employee behavior and set expectations for acceptable use, confidentiality, and compliance. Finally, we walk through secure termination processes that include revoking access, conducting exit interviews, and managing offboarding. Understanding the human side of cybersecurity is essential for risk reduction, especially in enterprise environments.

Episode 16: Security Awareness and Training Programs

Dr. Jason Edwards — Sun, 22 Jun 2025 18:23:51 -0500

Even the best technical defenses can fail if employees don’t understand their security responsibilities. This episode focuses on the development and delivery of effective security awareness and training programs. We explore how to tailor content for different roles, choose the right delivery formats, and measure effectiveness through assessments and behavioral monitoring. You’ll also learn how awareness programs support compliance and reduce risks such as phishing, social engineering, and insider threats. CISSP professionals must not only understand awareness programs but often play a key role in designing and leading them.

Episode 17: Third-Party Risk Management

Dr. Jason Edwards — Sun, 22 Jun 2025 18:24:37 -0500

Today’s organizations rely heavily on vendors, contractors, and service providers—but each relationship introduces potential risks. In this episode, we cover the principles of third-party risk management, including due diligence, contractual controls, and ongoing monitoring. You’ll learn how to assess a vendor’s security posture, enforce security requirements through service-level agreements (SLAs), and respond when third-party weaknesses are discovered. This topic is increasingly important as supply chain attacks and vendor-based breaches become more common. Managing third-party risk is a core responsibility for any CISSP-certified leader.

Episode 18: Supply Chain Risk and Due Diligence

Dr. Jason Edwards — Sun, 22 Jun 2025 18:25:26 -0500

Supply chains extend far beyond traditional logistics—they now include digital components, cloud providers, software dependencies, and more. This episode explores how cyber threats enter through the supply chain and what due diligence processes are needed to prevent compromise. We discuss methods for evaluating supply chain partners, setting clear security expectations, and responding to incidents that originate outside your direct control. By understanding the dynamics of modern supply chain risk, CISSP candidates will be better prepared to assess and secure the full ecosystem surrounding their organization’s operations.

Episode 19: Privacy Principles and Data Protection (GDPR, CCPA)

Dr. Jason Edwards — Sun, 22 Jun 2025 18:26:10 -0500

Protecting personal data is not just a compliance requirement—it’s a trust imperative. In this episode, we dive into key privacy principles such as data minimization, purpose limitation, and transparency. You’ll learn how regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) define privacy obligations and empower individuals with rights over their data. We also cover how organizations can embed privacy by design into their systems and policies. A solid grasp of privacy principles is vital for anyone working in security governance, policy, or legal alignment roles.

Episode 20: Intellectual Property and Licensing Laws

Dr. Jason Edwards — Sun, 22 Jun 2025 18:26:52 -0500

Cybersecurity professionals must understand how to protect not only data but also intellectual property. This episode unpacks the key types of intellectual property—copyrights, trademarks, patents, and trade secrets—and how they apply in the digital world. We also examine licensing models for software and content, including open-source and proprietary agreements. Understanding the legal landscape helps prevent accidental infringement and supports secure software procurement, asset management, and contract design. CISSPs are often called upon to advise on or enforce policies around intellectual property and licensing compliance.

Episode 21: Legal Systems and Cybercrime Laws Globally

Dr. Jason Edwards — Sun, 22 Jun 2025 18:27:46 -0500

Cybersecurity professionals operate in a legal landscape that spans continents, jurisdictions, and regulatory systems. In this episode, we examine the major types of legal systems—common law, civil law, religious law, and customary law—and how each influences how cybersecurity is enforced. We also explore global cybercrime laws and treaties, including the Budapest Convention, and review how international cooperation is achieved in cyber investigations. Understanding the legal frameworks that govern data, privacy, and technology helps CISSPs ensure compliance, support law enforcement, and avoid conflicts across borders.

Episode 22: Security Documentation and Governance Metrics

Dr. Jason Edwards — Sun, 22 Jun 2025 18:29:05 -0500

Effective security governance depends on clear documentation and measurable performance. This episode explains the structure and function of security documentation—including policies, standards, guidelines, and procedures—as well as how to manage these documents over time. We also explore key performance indicators (KPIs) and metrics used to assess the effectiveness of security controls and governance practices. You'll learn how to track compliance, measure risk reduction, and communicate results to stakeholders. These practices are essential for demonstrating due diligence and maintaining alignment with organizational objectives.

Episode 23: Information Lifecycle and Data Classification

Dr. Jason Edwards — Sun, 22 Jun 2025 18:29:56 -0500

Understanding how data flows through its lifecycle is essential for protecting it appropriately. This episode walks through the phases of the information lifecycle: creation, storage, usage, transmission, archival, and disposal. We then examine data classification schemes—such as public, internal, confidential, and restricted—and how classification drives the application of controls. You'll learn how to create classification policies, apply labels, and ensure data is treated consistently according to its value and sensitivity. This foundation is critical for managing risk and enforcing security policies across diverse data environments.

Episode 24: Data Sensitivity and Labeling Requirements

Dr. Jason Edwards — Sun, 22 Jun 2025 18:32:26 -0500

Labeling data according to its sensitivity is one of the most overlooked but powerful techniques in cybersecurity. In this episode, we explore what it means for data to be considered sensitive, how that sensitivity is determined, and how labels communicate handling requirements to users and systems. We also cover how to implement labeling technologies and ensure compliance with both organizational policies and regulatory requirements. Properly labeling data not only supports access control and encryption but also reinforces accountability and transparency throughout the information lifecycle.

Episode 25: Ownership and Stewardship Responsibilities

Dr. Jason Edwards — Sun, 22 Jun 2025 18:33:12 -0500

Every piece of information in an organization should have an assigned owner and one or more stewards. In this episode, we define what it means to be a data owner—someone accountable for the data’s use, classification, and protection. We also explore the role of stewards—those responsible for managing data quality and integrity on a day-to-day basis. Clarifying these roles strengthens governance, supports compliance, and streamlines incident response. Understanding how to define, document, and enforce ownership is essential for ensuring security accountability across the enterprise.

Episode 26: Data Retention and Archival Strategies

Dr. Jason Edwards — Sun, 22 Jun 2025 18:34:11 -0500

Keeping data longer than necessary can increase your risk exposure, but disposing of it too early can create legal and operational gaps. This episode addresses how to build effective data retention and archival strategies that meet legal, regulatory, and business needs. You’ll learn how to define retention periods, implement secure storage solutions for inactive data, and manage transitions into archives. We also discuss how to ensure accessibility for audit and legal discovery without compromising security. These practices are essential for managing digital clutter while protecting valuable records.

Episode 27: Privacy Protection and PII Handling

Dr. Jason Edwards — Sun, 22 Jun 2025 18:35:02 -0500

Personally Identifiable Information (PII) is one of the most regulated and targeted types of data in cybersecurity. This episode focuses on how organizations identify, handle, and protect PII throughout its lifecycle. We explain what qualifies as PII, the risks associated with its misuse, and the controls needed to ensure confidentiality, integrity, and lawful processing. From consent management and access restrictions to anonymization techniques and breach response plans, you’ll gain a comprehensive view of how to build strong privacy protections into your security program.

Episode 28: Data Remanence and Secure Disposal Techniques

Dr. Jason Edwards — Sun, 22 Jun 2025 18:38:32 -0500

Even when you delete a file, remnants can linger—posing serious security risks. This episode delves into the concept of data remanence and the techniques used to ensure secure data disposal. You'll learn about data wiping, degaussing, shredding, cryptographic erasure, and the standards that guide their use, such as NIST SP 800-88. We also cover the importance of disposal audits, chain of custody for media, and the role of policy in enforcing proper end-of-life procedures. Secure disposal is a small step with massive implications for data confidentiality.

Episode 29: Secure Data Handling in Transit and at Rest

Dr. Jason Edwards — Sun, 22 Jun 2025 18:39:28 -0500

Data is constantly on the move—or waiting to be accessed—and must be protected in both states. In this episode, we examine the best practices for securing data at rest (stored on disk or cloud) and data in transit (moving across networks). You'll learn about encryption methods, key management practices, access controls, and monitoring techniques. We also address compliance requirements that demand specific protections for data in these states. Protecting data wherever it resides or flows is a foundational concept every CISSP candidate must master.

Episode 30: Media Storage and Sanitization Methods

Dr. Jason Edwards — Sun, 22 Jun 2025 18:40:22 -0500

Digital media—whether it’s a hard drive, USB stick, or backup tape—requires special handling to ensure data remains protected throughout its lifecycle. This episode explores how to securely store, track, and sanitize various types of storage media. We discuss media classification, physical protections, encryption, and environmental controls for storage, as well as different sanitization techniques including clearing, purging, and destruction. You’ll also learn how to enforce policy compliance using checklists, audits, and disposal logs. This topic reinforces your understanding of data confidentiality and end-of-life security.

Episode 31: Asset Inventory Management

Dr. Jason Edwards — Sun, 22 Jun 2025 18:41:09 -0500

You can’t protect what you don’t know you have. In this episode, we focus on the importance of maintaining a comprehensive and accurate inventory of all information assets—hardware, software, data, and even personnel. Asset inventory management supports effective risk assessments, helps identify gaps in coverage, and is a foundational requirement for many compliance standards. We explore asset classification, ownership, tracking methods, and how asset data feeds into broader security operations. Without a solid inventory process, security controls can’t be properly scoped, prioritized, or audited—making this topic essential for every CISSP candidate.

Episode 32: Data Sovereignty and Jurisdictional Control

Dr. Jason Edwards — Sun, 22 Jun 2025 18:42:49 -0500

In a global digital economy, where your data resides can determine which laws apply to it. This episode explains data sovereignty—the principle that data is subject to the laws of the country in which it’s stored—and how jurisdictional control affects compliance, privacy, and access. We examine common challenges organizations face when storing or processing data across borders, such as conflicting legal obligations or data transfer restrictions. We also explore strategies to manage these complexities, including data localization, cloud region selection, and contractual controls. CISSPs must understand how legal geography impacts cybersecurity.

Episode 33: Secure Use of Cloud Storage and Shared Resources

Dr. Jason Edwards — Sun, 22 Jun 2025 18:57:06 -0500

Cloud services offer scalability and convenience, but they also introduce unique security risks—especially when sharing infrastructure with other tenants. In this episode, we cover best practices for securely using cloud storage, virtualized environments, and shared computing platforms. Topics include encryption, access control, tenant isolation, identity federation, and logging. We also discuss the shared responsibility model, where both provider and customer have distinct obligations. If you’re working with SaaS, IaaS, or hybrid cloud models, you need to know how to safeguard data, workloads, and services in dynamic cloud environments.

Episode 34: Backup Controls and Data Recovery

Dr. Jason Edwards — Sun, 22 Jun 2025 18:57:49 -0500

Backup and recovery plans are your insurance against data loss. In this episode, we explore the critical controls necessary to ensure backups are available, secure, and usable when needed. We discuss types of backups (full, incremental, differential), retention policies, storage locations (on-site vs. off-site), and encryption strategies. You’ll also learn about recovery objectives like RTO (Recovery Time Objective) and RPO (Recovery Point Objective), and how to test your backup system effectively. An untested backup is a false sense of security—this episode equips you to build reliable data recovery capabilities.

Episode 35: Handling of Sensitive Systems and High-Value Assets

Dr. Jason Edwards — Sun, 22 Jun 2025 18:58:47 -0500

Some systems and data are too critical to treat like everything else. This episode focuses on how organizations identify, secure, and manage sensitive systems and high-value assets (HVAs), such as financial databases, intellectual property repositories, and industrial control systems. We discuss segmentation, access control, system hardening, monitoring, and tailored incident response plans for these resources. You’ll also learn how to align asset protection with business impact, risk appetite, and regulatory requirements. CISSP candidates must understand how to prioritize protections for the assets that matter most.

Episode 36: Logging, Monitoring, and Metadata Retention for Assets

Dr. Jason Edwards — Sun, 22 Jun 2025 18:59:35 -0500

Without visibility, security is just guesswork. In this episode, we explore how logging and monitoring give security teams the information they need to detect, investigate, and respond to incidents. We discuss log types (system, application, network), retention policies, log integrity, and secure storage. Metadata, such as timestamps, source IPs, and user actions, adds context to every alert and event. You'll also learn about regulatory and legal considerations for log retention, especially in forensic investigations. Monitoring is the heartbeat of any security program—this episode shows you how to keep it strong.

Episode 37: Secure Design Principles: Defense in Depth, Least Privilege

Dr. Jason Edwards — Sun, 22 Jun 2025 19:00:24 -0500

Designing secure systems isn’t just about applying tools—it’s about embedding principles. This episode introduces two foundational security design concepts: defense in depth and least privilege. Defense in depth layers multiple controls to prevent, detect, and contain threats, while least privilege ensures users and systems operate with the minimum access necessary. We explain how these principles apply to networks, applications, and user environments, and how they reduce risk from both internal and external threats. Understanding and applying these design principles is critical for both the CISSP exam and real-world implementation.

Episode 38: Security Models: Bell-LaPadula, Biba, Clark-Wilson

Dr. Jason Edwards — Sun, 22 Jun 2025 19:01:19 -0500

Security models are theoretical frameworks that help define how systems enforce access control, integrity, and confidentiality. In this episode, we review the three classic models: Bell-LaPadula (focused on confidentiality), Biba (focused on integrity), and Clark-Wilson (focused on well-formed transactions and separation of duties). We explain the core rules behind each model—like “no read up” and “no write down”—and discuss where each is applied in government, commercial, and financial systems. Understanding these models gives you a structured way to think about how systems enforce security.

Episode 39: Architecture Layers: OSI, System, Application

Dr. Jason Edwards — Sun, 22 Jun 2025 19:02:01 -0500

Security must be applied across all layers of a system, from the physical infrastructure to the application interface. In this episode, we explore the layered nature of system architecture—starting with the OSI model’s seven layers, then expanding into how security is applied at the hardware, system, and application levels. You’ll learn how to align controls with each layer’s function, recognize common threats at each level, and understand how layered defenses provide coverage across the stack. This foundational knowledge helps you design and evaluate more secure system architectures.

Episode 40: Secure Hardware Architecture and TPM

Dr. Jason Edwards — Sun, 22 Jun 2025 19:02:48 -0500

Security isn’t only about software—hardware matters too. This episode introduces key elements of secure hardware architecture, including trusted computing bases, secure boot processes, and hardware root of trust. We also dive into the Trusted Platform Module (TPM), a hardware chip that provides cryptographic key storage, platform integrity checks, and secure identity verification. You’ll learn how TPMs support secure encryption, authentication, and remote attestation. CISSP candidates must understand how hardware-based protections contribute to a system’s overall security posture—especially in high-assurance or regulated environments.

Episode 41: Virtualization and Cloud Infrastructure Considerations

Dr. Jason Edwards — Sun, 22 Jun 2025 19:06:10 -0500

Virtualization and cloud computing are cornerstones of modern IT, but they also introduce unique security challenges. In this episode, we examine the architecture and risks associated with virtual machines, hypervisors, containers, and cloud platforms. You’ll learn how virtual environments increase complexity and expand the attack surface, and what controls are necessary to mitigate these risks. We also explore the shared responsibility model, virtualization sprawl, tenant isolation, and the importance of secure provisioning. Understanding these technologies is critical for designing secure, scalable, and compliant IT environments.

Episode 42: Secure Baseline and Configuration Management

Dr. Jason Edwards — Sun, 22 Jun 2025 19:07:16 -0500

Systems don’t stay secure by accident—they stay secure through consistent configuration and control. In this episode, we cover the concepts of secure baselining and configuration management. You’ll learn how to establish security baselines, enforce configuration standards, and use automation tools to detect and remediate drift. We also discuss patching, change control, and the role of configuration management databases (CMDBs). These practices ensure your systems remain hardened, predictable, and auditable—critical for minimizing attack surfaces, meeting compliance obligations, and maintaining operational stability.

Episode 43: Common Security Flaws in Architecture

Dr. Jason Edwards — Sun, 22 Jun 2025 19:08:06 -0500

Flawed architecture is one of the most serious vulnerabilities in any system. In this episode, we explore common architectural security weaknesses, including insecure defaults, lack of isolation, poor trust boundaries, and insufficient input validation. We explain how these flaws emerge during design and how they can be exploited by attackers. You’ll also learn how to apply secure design principles to avoid introducing systemic weaknesses in new systems. Whether you're evaluating an existing architecture or designing one from scratch, recognizing and addressing architectural flaws is a must-have skill for CISSPs.

Episode 44: Cryptographic Concepts: Symmetric and Asymmetric

Dr. Jason Edwards — Sun, 22 Jun 2025 19:08:58 -0500

Cryptography is the backbone of digital security, and understanding its core principles is essential. In this episode, we explain the difference between symmetric and asymmetric encryption, along with their real-world applications. You’ll learn how symmetric encryption uses a single key for both encryption and decryption, while asymmetric encryption relies on key pairs for secure key exchange, digital signatures, and more. We also discuss algorithm examples like AES, RSA, and ECC. Grasping these concepts enables you to evaluate the strength, use cases, and implementation considerations of cryptographic solutions.

Episode 45: Cryptographic Lifecycle: Algorithms, Strength, Obsolescence

Dr. Jason Edwards — Sun, 22 Jun 2025 19:09:49 -0500

Cryptographic tools aren’t set-and-forget solutions—they require lifecycle management. This episode explores how organizations select, deploy, and eventually retire cryptographic algorithms. We examine how algorithm strength is determined, the impact of key length, and the risks posed by deprecated or broken ciphers like MD5 and SHA-1. You’ll learn how to stay ahead of threats by monitoring crypto standards and planning for migration to newer algorithms. From algorithm selection to end-of-life planning, this topic helps CISSPs build cryptographic systems that remain secure over time.

Episode 46: Hashing and Message Integrity

Dr. Jason Edwards — Sun, 22 Jun 2025 19:10:44 -0500

Hashing ensures that data remains unchanged during storage or transmission—a core requirement for integrity. In this episode, we explore how cryptographic hash functions like SHA-256 and SHA-3 are used to detect tampering, generate digital signatures, and verify file authenticity. We discuss key properties such as collision resistance, pre-image resistance, and determinism. You'll also learn the difference between hashing and encryption, and how tools like checksums, MACs, and digital signatures work together to protect data. This is foundational knowledge for building secure applications and validating system outputs.

Episode 47: Key Management and Key Escrow

Dr. Jason Edwards — Sun, 22 Jun 2025 19:11:26 -0500

Cryptographic systems are only as secure as the keys they use—and how those keys are managed. In this episode, we delve into key management principles, including generation, storage, distribution, rotation, and destruction. We also explore key escrow, where a third party securely stores encryption keys for legal or recovery purposes. You’ll learn about hardware security modules (HSMs), key management systems (KMS), and the challenges of managing keys in cloud environments. Whether protecting secrets or ensuring regulatory compliance, strong key management is non-negotiable for any CISSP.

Episode 48: PKI, Digital Certificates, and Trust Models

Dr. Jason Edwards — Sun, 22 Jun 2025 19:12:17 -0500

Public Key Infrastructure (PKI) is essential for enabling secure communication and verifying digital identities. This episode breaks down how PKI works, including the roles of certificate authorities (CAs), registration authorities (RAs), and digital certificates. You’ll learn about certificate chaining, revocation, validation protocols like OCSP and CRL, and how trust is established in both hierarchical and web-of-trust models. From SSL/TLS to code signing and user authentication, PKI is everywhere—and CISSPs need to know how to deploy and troubleshoot it securely.

Episode 49: Cryptanalysis and Attacks Against Crypto

Dr. Jason Edwards — Sun, 22 Jun 2025 19:13:06 -0500

No cryptographic system is immune to attack, and CISSPs must understand the methods used to break or weaken them. In this episode, we explore cryptanalysis techniques including brute-force, dictionary attacks, chosen plaintext attacks, and side-channel analysis. We explain how poor implementation, weak keys, and outdated algorithms create vulnerabilities, and how to mitigate those risks through proper design and monitoring. Understanding these threats enables security professionals to assess crypto deployments with a critical eye and defend against evolving attack strategies.

Episode 50: Security Evaluations: Common Criteria, RMF, ISO/IEC

Dr. Jason Edwards — Sun, 22 Jun 2025 19:13:53 -0500

Security evaluations provide assurance that systems meet defined security requirements. In this episode, we examine key evaluation frameworks including Common Criteria (CC), the NIST Risk Management Framework (RMF), and the ISO/IEC 27000 series. You'll learn how these models define evaluation assurance levels, categorize controls, and guide secure system development. We also discuss how evaluation results support procurement, risk analysis, and compliance audits. For CISSP candidates and practitioners, understanding security evaluation frameworks is essential for aligning technical design with governance expectations.

Episode 51: Security Boundaries and Isolation Techniques

Dr. Jason Edwards — Sun, 22 Jun 2025 19:14:41 -0500

Security boundaries are essential for creating logical separations between systems, users, and data flows. In this episode, we explore how boundaries are defined and enforced, using both physical and logical mechanisms. You’ll learn about concepts like trust zones, network segmentation, VLANs, virtualization, and sandboxing. We also discuss isolation techniques that prevent lateral movement, contain breaches, and ensure critical assets remain protected. Proper use of boundaries and isolation helps reduce attack surfaces, enforce policy, and support compliance. These principles are vital for scalable and secure infrastructure design.

Episode 52: Emerging Technologies and Security Architecture (e.g., IoT, AI)

Dr. Jason Edwards — Sun, 22 Jun 2025 19:15:24 -0500

Technological innovation continues to transform the security landscape. In this episode, we examine how emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), and machine learning are impacting security architecture. We discuss the benefits and vulnerabilities of these systems, including expanded attack surfaces, device sprawl, privacy concerns, and autonomous decision-making risks. You’ll also learn strategies for integrating these technologies securely using layered defenses, segmentation, and monitoring. CISSPs must understand both the opportunity and risk that innovation brings to cybersecurity.

Episode 53: SCADA and Embedded System Security

Dr. Jason Edwards — Sun, 22 Jun 2025 19:16:11 -0500

Supervisory Control and Data Acquisition (SCADA) systems and embedded devices operate some of the most critical infrastructure in the world—from energy grids to transportation systems. This episode explores the unique challenges of securing these environments, including limited resources, outdated firmware, lack of patching, and real-time operational requirements. We cover best practices for access control, network isolation, vendor management, and secure configuration. As cyber threats increasingly target industrial systems, it’s crucial for CISSPs to understand how to protect these specialized and high-impact platforms.

Episode 54: Fault Tolerance, Redundancy, and High Availability

Dr. Jason Edwards — Sun, 22 Jun 2025 19:17:10 -0500

Downtime is not an option for mission-critical systems. In this episode, we dive into fault tolerance, redundancy, and high availability—design strategies that ensure continuity despite component failures or unexpected disruptions. You’ll learn the differences between active-active and active-passive configurations, the role of clustering, load balancing, failover mechanisms, and geographically distributed resources. We also cover the importance of regular testing and monitoring to validate these systems. Building resilient infrastructure is a core CISSP competency and a vital part of risk mitigation planning.

Episode 55: Network Architecture: LAN, WAN, Internet

Dr. Jason Edwards — Sun, 22 Jun 2025 19:18:08 -0500

Understanding how networks are built and connected is foundational for any security professional. In this episode, we review core network architecture concepts, including the structure and purpose of Local Area Networks (LANs), Wide Area Networks (WANs), and the global Internet. We examine how data moves across these networks and where vulnerabilities may appear, from physical access points to routing protocols. You’ll also learn about segmentation, perimeter controls, and traffic flow management. A solid grasp of network architecture is necessary for applying controls and preventing unauthorized access.

Episode 56: OSI and TCP/IP Models Refresher

Dr. Jason Edwards — Sun, 22 Jun 2025 19:19:00 -0500

The OSI and TCP/IP models provide a layered approach to understanding how data is transmitted, received, and managed across networks. In this episode, we refresh your understanding of these models and their significance in network security. We explore the function of each layer—from physical cabling to application-level protocols—and explain how attacks and defenses map to specific layers. You’ll also learn how these models aid in troubleshooting, forensic analysis, and control implementation. Mastery of these foundational models helps CISSPs design and secure resilient networked systems.

Episode 57: Secure Protocols: HTTPS, SSH, SFTP, SNMPv3

Dr. Jason Edwards — Sun, 22 Jun 2025 19:19:54 -0500

Secure communication protocols form the backbone of protected digital environments. In this episode, we explore widely used secure protocols like HTTPS, SSH, SFTP, and SNMPv3. You’ll learn how each one provides confidentiality, integrity, and authentication for various types of data exchanges—from web traffic and file transfers to remote administration and device management. We cover protocol strengths, configuration tips, and common pitfalls. CISSPs must understand which protocols are appropriate for specific use cases and how to deploy them effectively in enterprise environments.

Episode 58: Network Segmentation and Microsegmentation

Dr. Jason Edwards — Sun, 22 Jun 2025 19:20:40 -0500

Segmentation limits the spread of attacks and improves control over traffic flows within a network. In this episode, we examine both traditional network segmentation and microsegmentation techniques. You’ll learn how VLANs, firewalls, and subnetting create macro boundaries, while software-defined networking enables granular control over traffic between workloads and devices. We discuss how segmentation supports least privilege access, improves detection, and reduces risk. CISSPs must know how to design segmented architectures that balance performance, visibility, and security.

Episode 59: Defense in Depth with Firewalls and DMZs

Dr. Jason Edwards — Sun, 22 Jun 2025 19:21:29 -0500

Layered security—known as defense in depth—is a core concept in cybersecurity architecture. This episode focuses on how firewalls and demilitarized zones (DMZs) serve as essential layers in protecting internal networks. We explore different types of firewalls (packet filtering, stateful, next-gen), the design of DMZs for public-facing services, and how to enforce traffic controls between zones. You'll also learn how to implement rule sets, audit firewall logs, and support intrusion detection systems. This is critical knowledge for securing enterprise perimeters and enforcing trust boundaries.

Episode 60: Intrusion Detection and Prevention Systems

Dr. Jason Edwards — Sun, 22 Jun 2025 19:22:20 -0500

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are crucial for identifying and stopping threats in real time. This episode explores how these tools work, their deployment strategies, and how they integrate with broader security operations. You’ll learn about signature-based and anomaly-based detection, false positives, evasion techniques, and tuning practices. We also cover network-based and host-based implementations, and how alerts are correlated in a Security Information and Event Management (SIEM) platform. IDS and IPS are key components of active defense and threat response.

Episode 61: Secure Routing and Switching

Dr. Jason Edwards — Sun, 22 Jun 2025 19:22:57 -0500

Secure routing and switching are foundational elements of network security. In this episode, we explore how routers and switches operate, and how attackers exploit their misconfigurations or weaknesses to gain access or disrupt communication. Topics include route hijacking, ARP poisoning, MAC flooding, and VLAN hopping. You’ll learn best practices for hardening these devices, including access control lists (ACLs), management plane protection, port security, and proper firmware management. Ensuring routing and switching infrastructure is properly secured is a critical skill for any CISSP responsible for protecting the integrity of network environments.

Episode 62: VPNs, Remote Access, and Tunneling Protocols

Dr. Jason Edwards — Sun, 22 Jun 2025 19:23:42 -0500

Episode 63: Wireless Network Security (WEP, WPA2/3, 802.1X)

Dr. Jason Edwards — Sun, 22 Jun 2025 19:24:27 -0500

Wireless networks present a unique set of vulnerabilities due to their reliance on open air transmission. In this episode, we examine wireless security protocols and controls, including WEP, WPA2, WPA3, and 802.1X. We explain how authentication frameworks, encryption standards, and access controls protect against threats like rogue access points, packet sniffing, and brute-force attacks. You’ll also learn about secure SSID broadcasting, segmentation, and signal isolation. Securing wireless environments is a critical task for CISSPs, especially as more enterprise traffic shifts to mobile and remote connections.

Episode 64: VOIP and Secure Communication Channels

Dr. Jason Edwards — Sun, 22 Jun 2025 19:25:12 -0500

Voice over IP (VOIP) technologies have replaced traditional telephony in many organizations, but they come with their own set of security concerns. This episode explores the architecture of VOIP systems and the threats they face, including call interception, eavesdropping, spoofing, and denial-of-service attacks. We also cover secure communication protocols such as SRTP, SIPS, and encrypted signaling mechanisms. You’ll learn how to harden VOIP infrastructure, apply access controls, and monitor for anomalies. CISSPs must be prepared to evaluate communication channels not just for functionality, but also for confidentiality and integrity.

Episode 65: Network Address Translation and Proxy Usage

Dr. Jason Edwards — Sun, 22 Jun 2025 19:25:55 -0500

NAT and proxy servers play important roles in hiding internal IP addresses, enforcing access policies, and controlling traffic flow. In this episode, we explore how Network Address Translation (NAT) works to conserve IP space and obscure internal architectures. We also explain how proxies—forward, reverse, and transparent—support web filtering, anonymization, caching, and load balancing. You’ll learn how to implement these technologies securely, monitor their usage, and avoid common pitfalls. CISSPs must understand how to integrate NAT and proxy mechanisms into broader network defense strategies.

Episode 66: Network Monitoring and Traffic Analysis

Dr. Jason Edwards — Sun, 22 Jun 2025 19:26:41 -0500

Continuous monitoring and traffic analysis are essential for detecting threats, performance issues, and policy violations. In this episode, we explore tools and techniques used to observe network behavior in real time. Topics include flow monitoring, deep packet inspection, NetFlow, and behavioral analytics. You’ll also learn about the role of Security Information and Event Management (SIEM) in aggregating data and generating actionable alerts. By understanding normal traffic patterns, CISSPs can more effectively detect anomalies, trace intrusions, and support forensic investigations. Monitoring is not optional—it's the pulse of your security operations.

Episode 67: Zero Trust and Software-Defined Networking (SDN)

Dr. Jason Edwards — Sun, 22 Jun 2025 19:27:21 -0500

Zero Trust has emerged as a powerful model for modern cybersecurity, shifting the focus from perimeter defenses to granular, identity-centric control. In this episode, we explain the principles of Zero Trust—never trust, always verify—and how it’s implemented using continuous authentication, microsegmentation, and least privilege access. We also explore Software-Defined Networking (SDN), a framework for dynamically managing and securing network resources through centralized controllers. Together, Zero Trust and SDN provide the flexibility and control needed for cloud-first, hybrid, and highly distributed environments.

Episode 68: Content Delivery Networks and Edge Security

Dr. Jason Edwards — Sun, 22 Jun 2025 19:27:58 -0500

Content Delivery Networks (CDNs) accelerate access to web content by distributing it across global edge nodes, but they also introduce new attack surfaces. In this episode, we discuss how CDNs work, their role in performance optimization, and the security challenges they present, such as cache poisoning, misconfigured access controls, and DDoS targeting. We also explore edge computing security—protecting data and services closer to the end user. CISSPs must understand how to secure the entire content delivery path, from cloud origin to user browser, while balancing speed, scalability, and control.

Episode 69: Cloud Network Security (CASB, SASE, Virtual Firewalls)

Dr. Jason Edwards — Sun, 22 Jun 2025 19:28:46 -0500

As more organizations move to the cloud, network security must evolve. This episode focuses on cloud-native controls including Cloud Access Security Brokers (CASB), Secure Access Service Edge (SASE), and virtual firewalls. You’ll learn how these tools provide visibility, policy enforcement, data loss prevention, and threat protection across hybrid and multi-cloud environments. We also cover identity-based access control, cloud segmentation, and encryption in transit. With cloud services extending beyond traditional boundaries, CISSPs must adopt new strategies to maintain consistent and scalable network protections.

Episode 70: DDoS Protection and High Availability Networks

Dr. Jason Edwards — Sun, 22 Jun 2025 19:29:55 -0500

Distributed Denial of Service (DDoS) attacks are designed to overwhelm systems and take down critical services. In this episode, we explain how these attacks work—volumetric, protocol, and application-layer—and the techniques used to defend against them. You’ll learn about scrubbing centers, rate limiting, traffic shaping, and the role of content delivery networks in mitigation. We also explore how to design high-availability network architectures with redundancy, failover, and load balancing to ensure service continuity even under stress. CISSPs must be equipped to anticipate, prevent, and recover from large-scale disruption events.

Episode 71: Authentication Factors and Methods

Dr. Jason Edwards — Sun, 22 Jun 2025 19:30:40 -0500

Authentication is the process of verifying identity, and it forms the first line of defense in access control. In this episode, we explore the different authentication factors: something you know (passwords, PINs), something you have (tokens, smart cards), something you are (biometrics), somewhere you are (location), and something you do (behavioral patterns). We also examine common authentication methods, including single-factor, multi-factor, and risk-based authentication. Understanding how these factors work—individually and in combination—is essential for designing secure systems and passing CISSP exam questions that deal with identity assurance.

Episode 72: Identity Proofing and Registration Processes

Dr. Jason Edwards — Sun, 22 Jun 2025 19:32:27 -0500

Before you can authenticate someone, you must first establish their identity through a process called identity proofing. In this episode, we cover how identity proofing works—from in-person validation and biometric capture to document verification and knowledge-based authentication. We explain how organizations perform registration, bind credentials, and manage onboarding securely. These processes form the foundation of digital identity and trust. Whether you're issuing smart cards for physical access or provisioning accounts for a cloud service, CISSPs must understand the lifecycle of identity creation and assurance.

Episode 73: Authorization Techniques: RBAC, ABAC, MAC, DAC

Dr. Jason Edwards — Sun, 22 Jun 2025 19:33:08 -0500

Once a user’s identity is authenticated, the system must decide what they are allowed to do. This episode focuses on common authorization models: Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC). We explore the rules and policies that govern each model, along with their strengths, weaknesses, and appropriate use cases. You'll learn how to align authorization mechanisms with security policies and compliance requirements. For the CISSP exam and real-world implementation, these models form the core of secure resource management.

Episode 74: IAM Lifecycle and Governance

Dr. Jason Edwards — Sun, 22 Jun 2025 19:33:48 -0500

Identity and Access Management (IAM) is not just about technology—it’s a continuous lifecycle that requires strong governance. This episode walks through each stage of the IAM lifecycle: provisioning, access management, auditing, revalidation, and deprovisioning. We also examine governance frameworks that ensure IAM aligns with policy, risk appetite, and regulatory standards. From role design and separation of duties to periodic access reviews and exception handling, we explain how to maintain control and accountability over digital identities. A strong IAM governance model is essential for CISSPs managing access at scale.

Episode 75: Password Policy Design and Management

Dr. Jason Edwards — Sun, 22 Jun 2025 19:34:27 -0500

Passwords remain one of the most widely used—but frequently abused—authentication methods. In this episode, we explore how to design and manage effective password policies that balance usability with security. We cover best practices like minimum complexity, reuse prevention, expiration cycles, and password vaulting. You’ll also learn about modern recommendations from NIST that challenge older practices like frequent forced changes. CISSPs must understand how password policies impact behavior, system integration, and the broader security landscape, especially in hybrid and cloud environments.

Episode 76: Biometric Authentication Strengths and Weaknesses

Dr. Jason Edwards — Sun, 22 Jun 2025 19:35:13 -0500

Biometric authentication uses unique physical or behavioral traits—like fingerprints, facial features, or voice—to verify identity. In this episode, we explore how biometrics work, including the concepts of enrollment, matching algorithms, false acceptance rates (FAR), false rejection rates (FRR), and spoofing resistance. We also examine the strengths and weaknesses of different biometric systems, their privacy implications, and where they’re most effectively deployed. As biometric technologies continue to evolve and gain adoption, CISSPs must understand how to assess, implement, and monitor them securely and ethically.

Episode 77: Federation and SSO: SAML, OAuth, OpenID

Dr. Jason Edwards — Sun, 22 Jun 2025 19:36:09 -0500

Federated identity systems allow users to authenticate across multiple platforms using a single identity, often enabling Single Sign-On (SSO). In this episode, we explain how standards like SAML, OAuth 2.0, and OpenID Connect enable cross-domain authentication. You’ll learn the difference between authentication and authorization, how token exchanges work, and what security concerns arise with federated systems. These technologies reduce friction, improve user experience, and centralize control—but only when implemented correctly. CISSPs must understand how to secure identity federation for enterprise and cloud environments.

Episode 78: Privileged Access Management (PAM)

Dr. Jason Edwards — Sun, 22 Jun 2025 19:36:54 -0500

Privileged accounts have elevated access and are among the most targeted assets in any organization. In this episode, we examine Privileged Access Management (PAM) solutions, including vaulting, session recording, just-in-time provisioning, and approval workflows. We explain how PAM helps enforce least privilege, reduce insider threats, and meet compliance obligations. You'll also learn how to monitor, audit, and respond to anomalous privileged activity. Managing administrative access is critical to defending your environment, and CISSPs must know how to control the power that comes with privileged credentials.

Episode 79: Directory Services: LDAP, Active Directory

Dr. Jason Edwards — Sun, 22 Jun 2025 19:37:36 -0500

Directory services are centralized databases that store and manage user credentials, permissions, and group memberships. In this episode, we explore how Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory (AD) function as the backbone of identity infrastructure. Topics include directory hierarchies, schema design, authentication flows, and integration with Kerberos. We also discuss common attacks on directories—like privilege escalation and replication abuse—and how to defend against them. For CISSPs, understanding directory services is essential for building scalable, secure access management systems.

Episode 80: Multi-Factor Authentication and Implementation

Dr. Jason Edwards — Sun, 22 Jun 2025 19:39:16 -0500

Multi-Factor Authentication (MFA) significantly strengthens identity verification by requiring more than one authentication factor. In this episode, we break down the different types of factors—something you know, have, are, do, or where you are—and how they’re combined for robust protection. We explore methods such as SMS codes, authenticator apps, smart cards, biometrics, and physical tokens. You’ll also learn how to implement MFA in various environments, manage usability challenges, and respond to bypass attempts. For CISSPs, mastering MFA is critical to securing both cloud and on-premise access paths.

Episode 81: Identity-as-a-Service (IDaaS) and Cloud IAM

Dr. Jason Edwards — Sun, 22 Jun 2025 19:39:57 -0500

Identity-as-a-Service (IDaaS) provides centralized identity and access management capabilities from the cloud. In this episode, we explore the architecture and benefits of IDaaS solutions, including scalability, simplified administration, and integration with cloud-native applications. You’ll learn how IDaaS supports federated identity, multi-factor authentication, and compliance through managed platforms. We also cover risks such as vendor lock-in, data privacy concerns, and API exposure. CISSPs must be prepared to evaluate IDaaS providers, configure identity governance, and ensure secure, policy-driven access in hybrid environments.

Episode 82: Credential Management and Recovery

Dr. Jason Edwards — Sun, 22 Jun 2025 19:40:39 -0500

Managing credentials securely is critical to preventing unauthorized access and ensuring business continuity. This episode explores techniques for secure credential issuance, storage, expiration, and revocation. We discuss the lifecycle of credentials across devices, users, and systems, including integration with password managers, key vaults, and enterprise authentication platforms. You'll also learn about secure recovery mechanisms such as self-service portals, identity proofing, and multi-step revalidation. CISSPs must understand how to enforce strong credential management policies while balancing usability, privacy, and administrative efficiency.

Episode 83: Access Control Lists and Capability Tables

Dr. Jason Edwards — Sun, 22 Jun 2025 19:41:22 -0500

Access control mechanisms determine who can access what—and how. In this episode, we compare two classic models: Access Control Lists (ACLs) and capability tables. ACLs associate permissions with objects, while capability tables associate them with subjects. We examine their strengths, limitations, and real-world implementations in file systems, network devices, and operating systems. You’ll also learn about how these mechanisms enforce discretionary and mandatory access controls, and how they can be extended using role or attribute-based models. Understanding these concepts is essential for effective system authorization design.

Episode 84: Access Recertification and Review

Dr. Jason Edwards — Sun, 22 Jun 2025 19:42:06 -0500

Access permissions tend to accumulate over time, creating a significant security risk if not reviewed regularly. This episode focuses on access recertification—the process of periodically validating that users still need the permissions they’ve been granted. We explain how to plan, automate, and document access reviews, and how to manage exceptions and approvals. You’ll also learn how access governance tools integrate with identity platforms to support audits and compliance. CISSPs play a vital role in ensuring that the principle of least privilege is continuously enforced across dynamic environments.

Episode 85: Session Management and Timeout Policies

Dr. Jason Edwards — Sun, 22 Jun 2025 19:42:52 -0500

Controlling user sessions is a critical part of maintaining secure access. In this episode, we examine how session tokens are issued, maintained, and terminated—along with techniques to prevent hijacking and session fixation attacks. We explore timeout policies, inactivity limits, reauthentication triggers, and secure logout practices. You’ll learn how session management differs across web applications, VPNs, and enterprise software. By enforcing proper session controls, CISSPs can prevent unauthorized reuse, detect anomalies, and strengthen overall authentication posture.

Episode 86: Threats to IAM: Replay, Pass-the-Hash, Credential Stuffing

Dr. Jason Edwards — Sun, 22 Jun 2025 19:43:48 -0500

Identity systems are high-value targets, and attackers use increasingly sophisticated techniques to exploit them. This episode examines key IAM-related attack vectors, including replay attacks, pass-the-hash, credential stuffing, brute-force, and phishing-based compromise. We explain how these attacks work, the conditions that enable them, and the defenses needed to detect and prevent them. Controls discussed include session binding, MFA, rate limiting, password hygiene, and advanced behavioral analytics. CISSPs must understand not just how to build IAM systems, but how to defend them against persistent and evolving threats.

Episode 87: Assessment Types: Vulnerability Scans, Pen Testing, Audits

Dr. Jason Edwards — Sun, 22 Jun 2025 19:44:30 -0500

Security assessments come in many forms—each with a specific purpose. In this episode, we compare and contrast vulnerability scanning, penetration testing, and formal security audits. We cover the methodologies, tools, scope definitions, and reporting standards associated with each type. You’ll learn how to select the right assessment based on business goals, risk tolerance, and compliance requirements. We also examine legal considerations and rules of engagement for ethical hacking. For CISSPs, choosing and interpreting assessment results is key to effective security governance.

Episode 88: Planning a Security Assessment

Dr. Jason Edwards — Sun, 22 Jun 2025 19:45:27 -0500

Security assessments must be planned thoroughly to be effective, safe, and actionable. This episode walks through the planning phase of an assessment project, including goal setting, scope definition, timeline management, and stakeholder communication. We explain how to assess organizational readiness, gain necessary approvals, and avoid disrupting operations. You’ll also learn about risk categorization, asset selection, test environment configuration, and the importance of documentation. CISSPs often serve as project leads or advisors for assessments, making this planning knowledge essential for both technical and governance roles.

Episode 89: Security Control Testing: Manual vs. Automated

Dr. Jason Edwards — Sun, 22 Jun 2025 19:46:39 -0500

Security controls are only effective if they’re working as designed. In this episode, we explore how to test those controls using both manual and automated methods. We compare control validation techniques such as checklists, code reviews, synthetic transactions, vulnerability scanners, and red team exercises. You’ll learn when human judgment is needed, when automation scales better, and how to combine the two for comprehensive testing. As a CISSP, knowing how to assess the effectiveness of physical, technical, and administrative controls is key to maintaining a secure and compliant environment.

Episode 90: Code Review and Static/Dynamic Testing

Dr. Jason Edwards — Sun, 22 Jun 2025 19:47:43 -0500

Code is a frequent source of vulnerabilities, and reviewing it is essential for secure software development. In this episode, we discuss secure code review techniques—both manual and tool-assisted. We explain how static application security testing (SAST) scans source code before runtime, while dynamic application security testing (DAST) analyzes behavior during execution. You’ll also learn about interactive testing, false positives, secure development lifecycles, and DevSecOps integration. CISSPs don’t have to write code, but they do need to understand how to validate its security and guide development practices.

Episode 91: Security Test Data and Environment Management

Dr. Jason Edwards — Sun, 22 Jun 2025 19:48:42 -0500

Security testing requires careful control over both the test environment and the data used within it. In this episode, we explore how to create and manage dedicated testing environments that accurately simulate production systems without risking real assets. We cover the importance of data masking, synthetic data generation, and environment segmentation. You'll also learn how to prevent test environments from becoming security liabilities. CISSPs must understand how to manage test data in compliance with privacy regulations while ensuring integrity and realism in the testing process.

Episode 92: Test Coverage and Measurement

Dr. Jason Edwards — Sun, 22 Jun 2025 19:49:57 -0500

How do you know your security testing is thorough? In this episode, we examine test coverage metrics and how they help evaluate the effectiveness and completeness of assessments. We explain different forms of coverage—such as code path coverage, requirement coverage, and risk-based coverage—and how to map test cases to threat models and control objectives. You'll also learn how to interpret results and identify coverage gaps. Effective measurement allows CISSPs to ensure that testing efforts align with business risks and produce actionable insights for continuous improvement.

Episode 93: Risk Assessment and Gap Analysis

Dr. Jason Edwards — Sun, 22 Jun 2025 19:50:43 -0500

Risk assessments help prioritize security controls by identifying vulnerabilities, evaluating threats, and estimating potential impacts. In this episode, we break down how to conduct both qualitative and quantitative assessments, including risk matrix construction, asset valuation, and likelihood estimation. We also explain gap analysis—comparing current security posture against frameworks, regulations, or internal standards to find missing controls. CISSPs must be able to interpret these assessments, communicate their implications to stakeholders, and use them to justify security investments and policy changes.

Episode 94: Compliance Auditing and Evidence Collection

Dr. Jason Edwards — Sun, 22 Jun 2025 19:51:30 -0500

Audits provide assurance that an organization is following its security policies and regulatory obligations. In this episode, we explore how compliance audits are structured, conducted, and evaluated. You’ll learn how to collect evidence, prepare audit trails, manage interviews, and handle audit scope creep. We also cover the role of internal vs. external auditors and discuss popular frameworks like ISO 27001, SOC 2, and PCI DSS. For CISSPs, knowing how to support audits with accurate records and professional communication is essential to demonstrating due diligence and regulatory alignment.

Episode 95: Log Analysis for Forensics and Compliance

Dr. Jason Edwards — Sun, 22 Jun 2025 19:53:10 -0500

Logs are a goldmine of insight—but only if you know how to analyze them effectively. This episode dives into log collection, normalization, and correlation to support both forensic investigations and compliance reporting. We cover log sources such as firewalls, IDS/IPS, servers, applications, and cloud services, as well as how to identify anomalies, detect patterns, and preserve evidence. We also discuss the use of SIEM tools and log retention policies. CISSPs must understand how to leverage log data to validate events, investigate incidents, and meet audit requirements.

Episode 96: Threat Hunting and Red Team Exercises

Dr. Jason Edwards — Sun, 22 Jun 2025 19:54:03 -0500

Proactive threat hunting involves searching for signs of compromise that automated tools may miss. In this episode, we explain how threat hunters use hypothesis-driven analysis, threat intelligence, and behavioral indicators to uncover hidden risks. We also explore red team exercises—simulated attacks designed to test detection and response capabilities. You'll learn about attack frameworks like MITRE ATT&CK and how to coordinate purple teaming to maximize value. These offensive techniques, when used ethically, provide deep insight into real-world readiness and resilience—essential knowledge for CISSP professionals.

Episode 97: Reporting Assessment Results Effectively

Dr. Jason Edwards — Sun, 22 Jun 2025 19:54:55 -0500

The value of a security assessment is only realized when the results are communicated clearly. In this episode, we discuss how to structure, write, and deliver effective reports for vulnerability scans, penetration tests, audits, and more. You'll learn how to prioritize findings by risk, provide context for business stakeholders, and recommend actionable remediation. We also explore visualizations, executive summaries, and post-report follow-ups. Strong reporting bridges the gap between technical detail and strategic decision-making—a vital skill for CISSPs responsible for communicating risk.

Episode 98: Metrics and KPIs for Security Performance

Dr. Jason Edwards — Sun, 22 Jun 2025 19:55:52 -0500

What gets measured gets managed—and security is no exception. This episode focuses on security metrics and key performance indicators (KPIs) that help organizations evaluate the effectiveness of their controls and programs. We cover types of metrics (operational, compliance, risk-based), how to design meaningful KPIs, and how to avoid common pitfalls like vanity metrics. You'll also learn how to tie metrics to business objectives and use them in dashboards and reports. CISSPs must understand how to measure what matters and use those insights to drive continuous improvement.

Episode 99: Continuous Monitoring and Feedback Loops

Dr. Jason Edwards — Sun, 22 Jun 2025 19:56:43 -0500

Security is not a one-time event—it’s a continuous process. In this episode, we explore how continuous monitoring helps organizations detect changes, uncover risks, and maintain compliance in dynamic environments. We discuss how to implement automated data collection, baseline comparison, and event correlation across networks, endpoints, cloud services, and applications. You'll also learn how feedback loops from incidents, audits, and testing drive program maturity. CISSPs must understand how to design, scale, and sustain continuous monitoring efforts that support real-time decision-making and operational resilience.

Episode 100: Assessing Third-Party and Vendor Risk

Dr. Jason Edwards — Sun, 22 Jun 2025 19:57:30 -0500

Vendors and service providers often have privileged access to your data and systems—making them a potential weak link. This episode focuses on third-party risk management, including how to evaluate a vendor's security posture before and after engagement. We cover due diligence checklists, contract clauses, security questionnaires, and ongoing monitoring practices. You'll also learn about shared responsibility models and how to manage risks across cloud, SaaS, and supply chain relationships. CISSPs must ensure that third-party access is governed with the same rigor as internal controls.

Episode 101: Daily Operations: Procedures, Monitoring, Checklists

Dr. Jason Edwards — Sun, 22 Jun 2025 19:58:27 -0500

Security operations are built on consistency, structure, and clear documentation. In this episode, we explore the daily tasks that keep cybersecurity programs running—such as log reviews, system checks, user access reviews, and patch verification. We explain how operational procedures and checklists reduce errors, promote accountability, and streamline incident response. You’ll also learn how to align these routines with compliance requirements and best practices. CISSPs are expected to understand how standard operating procedures (SOPs) and continuous monitoring form the backbone of an effective and auditable security operations center (SOC).

Episode 102: Logging, Event Correlation, and SIEM

Dr. Jason Edwards — Sun, 22 Jun 2025 19:59:11 -0500

Capturing events is only the beginning—making sense of them is where the real value lies. This episode covers how organizations collect, normalize, and correlate logs from various systems and devices using Security Information and Event Management (SIEM) platforms. We discuss the components of a SIEM, alert tuning, and the use of correlation rules to detect complex threat patterns. You'll learn how SIEMs enhance visibility, speed up investigations, and support compliance with standards like HIPAA and PCI DSS. CISSPs must understand how to use logging and SIEM tools to build proactive and resilient detection capabilities.

Episode 103: Incident Management: Preparation and Response

Dr. Jason Edwards — Sun, 22 Jun 2025 19:59:57 -0500

Incidents are inevitable, and how you respond can determine the scale of impact. In this episode, we walk through the phases of incident management—preparation, identification, containment, eradication, recovery, and lessons learned. We explain how to build an incident response plan, assemble a response team, and establish escalation protocols. You’ll also learn how to coordinate with legal, PR, and law enforcement when necessary. Incident management is a high-priority domain for CISSPs because it brings together technical expertise, process discipline, and communication under pressure.

Episode 104: Digital Forensics and Chain of Custody

Dr. Jason Edwards — Sun, 22 Jun 2025 20:00:52 -0500

Preserving and analyzing digital evidence requires precision, consistency, and legal awareness. This episode explores the fundamentals of digital forensics—from identifying and collecting evidence to maintaining a documented chain of custody. We discuss volatile data acquisition, imaging tools, hashing for integrity verification, and timeline reconstruction. You’ll also learn about legal standards that govern admissibility and the responsibilities of forensic investigators. CISSPs don’t have to be deep forensic experts, but they must understand how to support investigations and preserve evidence in a defensible manner.

Episode 105: Evidence Acquisition and Preservation

Dr. Jason Edwards — Sun, 22 Jun 2025 20:01:41 -0500

The reliability of evidence hinges on how it’s handled. In this episode, we dive deeper into the principles and techniques for acquiring and preserving digital evidence. Topics include imaging storage media, capturing memory dumps, recording live sessions, and documenting every step in the collection process. We also address how to avoid contamination, preserve timestamps, and ensure repeatability for court presentation. CISSPs must ensure that any evidence collected during investigations—whether by internal teams or third-party experts—is done with integrity and according to accepted forensic procedures.

Episode 106: Disaster Recovery Planning: RTO, RPO

Dr. Jason Edwards — Sun, 22 Jun 2025 20:02:24 -0500

When disaster strikes, organizations must restore operations quickly—and with minimal data loss. This episode focuses on Disaster Recovery Planning (DRP), particularly the metrics used to guide recovery strategies: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). We explain how to define recovery priorities, select appropriate backup and failover solutions, and develop DR plans that meet business expectations. You’ll also learn about recovery site options, communication planning, and regular testing. CISSPs must understand DRP as part of a broader resilience strategy tied to business continuity.

Episode 107: Business Continuity Testing and Tabletop Exercises

Dr. Jason Edwards — Sun, 22 Jun 2025 20:03:13 -0500

Plans are only useful if they’re tested. In this episode, we explore the various methods for testing business continuity and disaster recovery plans—including walkthroughs, simulations, functional tests, and tabletop exercises. We discuss how to design tests, involve key stakeholders, and evaluate performance without disrupting operations. You’ll learn how testing helps uncover weaknesses in coordination, communication, and recovery capabilities. For CISSPs, facilitating and analyzing these exercises is crucial to strengthening organizational resilience and ensuring plans work under real-world conditions.

Episode 108: Patch Management and Configuration Control

Dr. Jason Edwards — Sun, 22 Jun 2025 20:04:10 -0500

Unpatched systems are one of the leading causes of successful cyberattacks. In this episode, we explore the role of patch management and configuration control in maintaining secure and reliable systems. We explain how to evaluate patches, schedule deployments, and monitor success. You'll also learn how to track configuration baselines, control changes, and enforce consistent settings across environments. CISSPs must ensure that vulnerabilities are addressed promptly and that unauthorized changes are detected and corrected before they become security issues.

Episode 109: Change Control and Approval Processes

Dr. Jason Edwards — Sun, 22 Jun 2025 20:05:01 -0500

Security isn’t just about stopping bad changes—it’s about managing all changes effectively. In this episode, we examine the formal process of change control: how to submit change requests, perform impact assessments, obtain approvals, test in controlled environments, and document results. We also cover the importance of change advisory boards (CABs), rollback planning, and post-implementation review. For CISSPs, understanding change control is key to maintaining operational stability, preventing unauthorized modifications, and aligning IT operations with regulatory and security frameworks.

Episode 110: Secure Disposal and Media Sanitization

Dr. Jason Edwards — Sun, 22 Jun 2025 20:05:53 -0500

Data doesn’t disappear just because you delete it. In this episode, we focus on how to securely dispose of media and sanitize storage devices to prevent data recovery. We cover techniques such as overwriting, degaussing, cryptographic erasure, and physical destruction, as well as when and how to apply each. You’ll also learn about documentation requirements, chain of custody for retired media, and applicable standards like NIST SP 800-88. CISSPs must ensure that end-of-life processes are consistent, auditable, and aligned with regulatory and organizational data protection obligations.

Episode 111: Endpoint Detection and Response (EDR)

Dr. Jason Edwards — Sun, 22 Jun 2025 20:06:49 -0500

Endpoints remain a primary target for cyberattacks, and protecting them requires more than traditional antivirus solutions. This episode explores Endpoint Detection and Response (EDR), a modern approach to securing laptops, desktops, servers, and mobile devices. We explain how EDR tools provide real-time monitoring, behavioral analysis, threat hunting, and automated response capabilities. You'll learn how EDR integrates with SIEM platforms, supports forensic investigations, and helps contain lateral movement during incidents. CISSPs must understand how to evaluate, deploy, and tune EDR solutions to protect the front lines of enterprise environments.

Episode 112: Insider Threat Identification and Mitigation

Dr. Jason Edwards — Sun, 22 Jun 2025 20:07:38 -0500

Not all threats come from the outside. Insider threats—whether malicious or accidental—pose a significant risk to organizational security. In this episode, we examine how to identify, monitor, and respond to threats from employees, contractors, or partners with legitimate access. We discuss behavioral indicators, user activity monitoring, data loss prevention (DLP), and privacy considerations. You'll also learn how to balance detection efforts with employee trust and legal requirements. CISSPs must be able to design and enforce insider threat programs that protect assets without undermining culture or morale.

Episode 113: Malware Analysis and Containment

Dr. Jason Edwards — Sun, 22 Jun 2025 20:08:27 -0500

Understanding malware is essential for effective defense. This episode explores how security teams analyze and contain malicious software, including viruses, worms, ransomware, and trojans. We break down static and dynamic analysis techniques, sandboxing environments, signature development, and reverse engineering basics. You'll also learn how to contain outbreaks, remove malware safely, and update detection tools. CISSPs may not perform deep malware analysis themselves, but they must understand how malware spreads, how it's investigated, and how to manage risk during outbreaks.

Episode 114: Physical Security Operations: Locks, Guards, Cameras

Dr. Jason Edwards — Sun, 22 Jun 2025 20:09:11 -0500

Cybersecurity extends into the physical world, where threats like unauthorized access, theft, and sabotage can bypass digital defenses. In this episode, we explore physical security operations, including the use of barriers, locks, access control systems, security guards, surveillance cameras, and visitor management. We also cover how physical security integrates with IT through badges, biometrics, and monitoring. CISSPs must understand how to assess facility risks, implement layered physical defenses, and coordinate between IT and facilities teams to protect critical assets from physical compromise.

Episode 115: Personnel Security Controls and Separation of Duties

Dr. Jason Edwards — Sun, 22 Jun 2025 20:09:59 -0500

People are at the heart of every security program—and also one of its greatest vulnerabilities. In this episode, we examine personnel security controls that mitigate human-based risks. Topics include background checks, onboarding protocols, security training, acceptable use policies, and ongoing behavior monitoring. We also explore separation of duties, job rotation, and least privilege principles that reduce fraud and error. CISSPs must be able to design and enforce personnel policies that protect the organization while supporting a strong security culture and clear accountability.

Episode 116: Security Operations Center (SOC) Best Practices

Dr. Jason Edwards — Sun, 22 Jun 2025 20:10:48 -0500

The Security Operations Center (SOC) is the nerve center of cybersecurity monitoring and incident response. In this episode, we explore SOC roles, responsibilities, staffing models, tools, and key performance indicators. We discuss shift scheduling, escalation paths, use cases, and integration with threat intelligence feeds. You'll also learn about SOC maturity models and how to evolve from reactive operations to proactive threat hunting. CISSPs must understand how to structure, support, and evaluate SOCs to ensure they deliver measurable protection and business value.

Episode 117: Software Development Lifecycle (SDLC) Models

Dr. Jason Edwards — Sun, 22 Jun 2025 20:11:32 -0500

Secure software doesn’t happen by accident—it’s the result of disciplined development practices. This episode explores common Software Development Lifecycle (SDLC) models, including waterfall, spiral, and V-model, and how they structure phases such as requirements, design, coding, testing, deployment, and maintenance. We also discuss where and how security should be integrated into each phase. CISSPs must understand SDLC frameworks to support secure software planning, ensure oversight of third-party development, and implement governance for both agile and traditional projects.

Episode 118: Waterfall vs. Agile vs. DevOps Approaches

Dr. Jason Edwards — Sun, 22 Jun 2025 20:12:28 -0500

Development methodologies have a direct impact on how security is integrated into software projects. This episode compares three major approaches—Waterfall, Agile, and DevOps—and how each handles risk, testing, and control. You'll learn the strengths and challenges of each model, including change management, documentation, and time-to-delivery. We also explore how DevSecOps brings security into the CI/CD pipeline. CISSPs must be familiar with these approaches to advise development teams, align controls with process realities, and adapt governance to fast-moving development environments.

Episode 119: Secure Design and Secure Coding Guidelines

Dr. Jason Edwards — Sun, 22 Jun 2025 20:13:17 -0500

Secure applications start with secure design. In this episode, we explore how to incorporate security into architecture and code from the very beginning. Topics include threat modeling, input validation, secure defaults, and fail-safe mechanisms. We also cover secure coding practices that prevent common vulnerabilities such as injection, buffer overflows, and improper error handling. CISSPs must understand the principles of secure design so they can set expectations, evaluate vendor software, and collaborate effectively with developers to reduce risks before code is ever deployed.

Episode 120: Input Validation and Output Encoding

Dr. Jason Edwards — Sun, 22 Jun 2025 20:14:36 -0500

User input is one of the most common vectors for exploitation in modern applications. In this episode, we focus on two critical programming techniques: input validation and output encoding. We explain how to validate input to ensure it meets expected formats and prevents attacks like SQL injection and cross-site scripting (XSS). We also explore how to encode output for different contexts—such as HTML, JavaScript, or SQL—to avoid executing untrusted data. CISSPs may not write code, but they must understand these defenses to reduce software vulnerabilities and enforce security requirements in development projects.

Episode 121: OWASP Top 10 Threats and Controls

Dr. Jason Edwards — Sun, 22 Jun 2025 20:15:24 -0500

The OWASP Top 10 is a widely recognized list of the most critical security risks to web applications. In this episode, we walk through each entry—from injection and broken authentication to cross-site scripting, insecure deserialization, and insufficient logging. You'll learn how these vulnerabilities occur, the business impact they can have, and the recommended controls to prevent or mitigate them. We also discuss how developers and security professionals can use the OWASP Top 10 as a baseline for secure coding practices. CISSPs must understand these threats to assess application risk and implement effective defense strategies.

Episode 122: Buffer Overflows, SQL Injection, and Common Flaws

Dr. Jason Edwards — Sun, 22 Jun 2025 20:16:09 -0500

Many devastating cyberattacks originate from well-known coding flaws. This episode examines classic vulnerabilities including buffer overflows, SQL injection, and other input-related attacks. We explain how these issues arise, what they allow attackers to do, and how to defend against them using secure coding, bounds checking, input validation, and runtime protections like DEP and ASLR. You'll also learn about real-world incidents that exploited these flaws. For CISSPs, understanding common software weaknesses is critical for conducting risk assessments, reviewing software, and advising development teams.

Episode 123: Security Testing: SAST, DAST, IAST

Dr. Jason Edwards — Sun, 22 Jun 2025 20:17:00 -0500

Security testing helps ensure software behaves as intended under hostile conditions. In this episode, we explore different application security testing methodologies, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST). We explain how each method works, their strengths and limitations, and when to use them during the software development lifecycle. You’ll also learn how these tools integrate with DevOps workflows and how to interpret test results. CISSPs must be able to recommend and evaluate testing strategies to support secure software delivery.

Episode 124: Code Repositories and Access Controls

Dr. Jason Edwards — Sun, 22 Jun 2025 20:17:46 -0500

Source code repositories are central to modern software development—and to software security. This episode covers the security considerations for using platforms like GitHub, GitLab, Bitbucket, and internal repositories. We examine access control policies, branching strategies, commit tracking, and how to detect malicious code changes. You’ll learn about secrets scanning, signed commits, and repository hardening. CISSPs must understand how to secure the development pipeline and enforce controls that protect intellectual property and prevent code tampering at its source.

Episode 125: Configuration Management and CI/CD Pipelines

Dr. Jason Edwards — Sun, 22 Jun 2025 20:18:28 -0500

Secure development doesn't stop at writing code—it includes how that code is built, tested, and deployed. In this episode, we explore configuration management and continuous integration/continuous delivery (CI/CD) pipelines. We discuss how insecure configurations, exposed secrets, and unmonitored automation can lead to compromise. Topics include infrastructure as code (IaC), environment hardening, automated security gates, and rollback procedures. CISSPs must know how to assess CI/CD pipeline security and ensure that automation enhances, rather than undermines, control over software deployment.

Episode 126: Version Control and Code Integrity

Dr. Jason Edwards — Sun, 22 Jun 2025 20:19:13 -0500

Version control systems track changes to code—but they also need to be protected themselves. This episode explores how tools like Git help enforce code integrity, collaboration, and traceability across development teams. We cover commit histories, branching strategies, and how to detect unauthorized or malicious changes. You’ll learn about tagging, rollbacks, signed commits, and hash verification to ensure that what gets deployed is what was intended. For CISSPs, maintaining code integrity across distributed teams and tools is key to supporting trustworthy software development practices.

Episode 127: Application Whitelisting and Sandboxing

Dr. Jason Edwards — Sun, 22 Jun 2025 20:20:00 -0500

Not all applications should be allowed to run in your environment. This episode explores application control mechanisms like whitelisting and sandboxing. You'll learn how whitelisting enforces control by allowing only approved executables, and how sandboxing isolates applications to prevent them from affecting system integrity. We also discuss implementation strategies, policy management, and how to handle exceptions. These controls are especially valuable in high-security or highly regulated environments. CISSPs must understand how to limit application behavior to reduce attack surfaces and contain potential damage.

Episode 128: Mobile Application Security and Reverse Engineering

Dr. Jason Edwards — Sun, 22 Jun 2025 20:20:58 -0500

Mobile apps introduce unique risks due to their widespread use, diverse platforms, and limited control over user devices. In this episode, we explore mobile app security concerns, including insecure storage, weak authentication, exposed APIs, and code tampering. We also introduce reverse engineering concepts—how attackers decompile apps to uncover secrets or modify behavior. You’ll learn mitigation strategies such as code obfuscation, secure storage APIs, and runtime protections. CISSPs must understand how to assess mobile application threats and ensure that mobile deployments align with organizational security standards.

Episode 129: Secure APIs and Service Integration

Dr. Jason Edwards — Sun, 22 Jun 2025 20:21:42 -0500

APIs enable system integration but can expose your infrastructure to serious vulnerabilities if not secured properly. This episode focuses on how to design and manage secure APIs. We cover authentication methods (API keys, OAuth), input validation, rate limiting, logging, and error handling. You’ll also learn about common API security issues like broken object-level authorization and excessive data exposure. Secure API development is essential for any modern digital service, and CISSPs must ensure that APIs are managed with the same rigor as traditional application interfaces.

Episode 130: DevSecOps Culture and Continuous Assurance

Dr. Jason Edwards — Sun, 22 Jun 2025 20:22:24 -0500

DevSecOps is not just a toolset—it’s a culture that integrates security into every phase of the software development lifecycle. In this episode, we explore how DevSecOps breaks down silos between development, operations, and security teams. Topics include automated security testing, continuous compliance checks, secure coding training, and real-time feedback loops. You’ll learn how to embed security into CI/CD pipelines and enforce policy-as-code principles. For CISSPs, fostering a DevSecOps culture means shifting security left, enabling rapid innovation while maintaining rigorous standards for protection and assurance.

Episode 131: Top 10 Hardest CISSP Concepts Demystified

Dr. Jason Edwards — Sun, 22 Jun 2025 20:23:54 -0500

Some CISSP topics consistently challenge even experienced professionals. In this episode, we break down ten of the most difficult concepts on the exam—ranging from cryptographic key lifecycle and security models to risk calculations and legal frameworks. We clarify the nuances, provide examples, and share memory aids to help you master these areas. Whether you’re struggling with asset valuation formulas, access control methodologies, or cloud governance, this review will sharpen your understanding. CISSPs must be confident in these complex subjects to handle exam scenarios and real-world leadership challenges.

Episode 135: Memory Tricks and Mnemonics for the CISSP

Dr. Jason Edwards — Sun, 22 Jun 2025 20:24:58 -0500

With so much material to retain, memory tools are a CISSP candidate’s secret weapon. In this episode, we provide proven mnemonics, visual associations, and acronym expansions to help you remember everything from the OSI model and CIA triad to the phases of incident response and risk treatment options. You’ll also learn strategies for reducing cognitive overload and improving recall under exam pressure. These techniques are designed to make memorization more efficient and retention more reliable—especially when you're balancing study time with professional responsibilities.

Episode 136: How to Deconstruct CISSP Questions

Dr. Jason Edwards — Sun, 22 Jun 2025 20:26:03 -0500

CISSP exam questions are known for being complex, layered, and sometimes intentionally confusing. In this episode, we teach you how to break questions apart to find the real point being tested. You'll learn how to identify the scenario, isolate the question stem, and evaluate answer choices using elimination strategies. We also discuss common distractors, keywords like “best,” “first,” and “most likely,” and how to avoid overthinking. CISSPs must be able to think critically, quickly, and clearly—this episode helps you build the habits to do just that.

Episode 137: Understanding "Best", "First", and "Most Likely" Wording

Dr. Jason Edwards — Sun, 22 Jun 2025 20:27:13 -0500

CISSP exam questions often hinge on a single word that changes everything. In this episode, we examine how to interpret qualifiers like “best,” “first,” “most appropriate,” and “least likely.” We explain what each prompt is asking you to consider—whether it’s prioritization, sequencing, or judgment—and how to choose the answer that aligns with ISC2's expected mindset. You'll hear examples and practice strategies that train you to read between the lines. CISSPs must be precise thinkers, and this episode ensures you don't miss points over semantics.

Episode 138: Adaptive Testing Tips and Time Management

Dr. Jason Edwards — Sun, 22 Jun 2025 20:28:06 -0500

The CISSP exam uses Computerized Adaptive Testing (CAT), which means question difficulty and test length vary based on your performance. In this episode, we demystify the CAT format, explain how scoring works, and share strategies to manage your time across the exam. You’ll learn when to move quickly, when to slow down, and how to pace yourself under pressure. We also provide techniques for staying focused during long test sessions and avoiding mental fatigue. CISSP candidates who understand CAT mechanics have a clear advantage in approaching the exam with confidence and control.

Episode 139: What Comes After the CISSP: Career and Certification Roadmap

Dr. Jason Edwards — Sun, 22 Jun 2025 20:28:56 -0500

Earning your CISSP opens new doors—but where you go next depends on your goals. In this episode, we explore the post-CISSP landscape, including leadership roles like CISO, and technical specializations like cloud security and digital forensics. We also review advanced certifications such as CCSP, CISM, CRISC, and the CISSP concentrations in architecture, engineering, and management. You’ll learn how to use your CISSP as a launchpad for continuous professional development. CISSPs are expected to lead—this episode shows you how to build a career path that’s secure, strategic, and sustainable.

Episode 140: What to Do If You Fail the CISSP

Dr. Jason Edwards — Sun, 22 Jun 2025 20:29:37 -0500

Not everyone passes on the first try—but failure doesn’t define your journey. In this episode, we guide you through a structured plan for recovery if you don’t pass the CISSP exam. We cover how to interpret your exam feedback, identify weak domains, revise your study strategy, and rebuild confidence. You’ll also learn how to maintain momentum and avoid burnout during your next round of preparation. CISSPs are persistent by nature, and this episode helps you turn setbacks into setups for future success—because your path forward is still wide open.

Welcome to the ISC2 CISSP Audio Course

Dr. Jason Edwards — Mon, 13 Oct 2025 22:33:34 -0500

Dive into a fast, no-fluff overview of what this podcast delivers, who it’s for, and how each episode helps you level up with practical, real-world takeaways. In this trailer, you’ll hear the show’s promise, the format you can expect, and a sneak peek at the kinds of stories, tips, and expert insights coming your way. Hit follow to get new episodes as they drop and start listening smarter from day one.

Episode 132: Memory Tricks and Mnemonics for the CISSP

Dr. Jason Edwards — Sat, 17 Jan 2026 13:31:14 -0600

Episode 133: How to Deconstruct CISSP Questions

Dr. Jason Edwards — Sat, 17 Jan 2026 13:31:37 -0600

Episode 134: Understanding "Best", "First", and "Most Likely" Wording

Dr. Jason Edwards — Sat, 17 Jan 2026 13:32:01 -0600