
CyBOK. Chapter 3. Laws and regulations. Part 3
02.10.2025

Ruslan Rakhmetov, Security Vision


We continue the series of publications on the Cybersecurity Body of Knowledge (CyBOK). Chapter 3 of CyBOK describes the main regulatory norms and principles of international law that are relevant to cybersecurity and can be applied when assessing cyber risks, managing information security and investigating cyber incidents. This is the third part of our review of Chapter 3; it covers the principles of privacy protection and the international standards for securing personal data.


3.3. General principles of legislation on privacy protection and interception of electronic communications


The concept of privacy (the confidentiality or inviolability of private and personal life) is widely used but hard to define precisely. The authors of CyBOK use the term in a sense that dates back to the late 19th century: in 1890, in the Harvard Law Review, two American lawyers, Samuel Warren and Louis Brandeis, described privacy as an individual's "right to be let alone", that is, freedom from the attention of outsiders. In the work of a cybersecurity specialist, privacy issues usually arise in the context of digital surveillance and of actions taken while investigating cyber incidents.


3.3.1. International standards for the protection of individual rights


Privacy is recognized as one of the inalienable rights of the individual, although it may be subject to various restrictions and exceptions. The law protects against accidental, malicious or unjustified intrusion into private life, while intrusion is permitted in the cases established by law. Originally, privacy rules applied only to citizens' premises and places of residence, but over the last few decades they have also been applied to intangible objects such as the electronic communications of individuals. The right to privacy is interpreted and implemented differently in different countries: in some it applies to almost all situations by default, in others it only slightly limits the state's ability to interfere in the private lives of citizens. The conditions under which an employer may lawfully intrude on an employee's privacy also vary widely.


The spread of cloud computing increases users' concerns about the confidentiality of the huge volumes of their personal data that are transferred across borders and processed in various jurisdictions. In the cases prescribed by law, a limited intrusion into a person's private life is allowed, and the accompanying documents (for example, a court order or search warrant) may confine the intrusion to specific places or persons, specific equipment or premises.


Another pressing challenge is the privacy of metadata. Traditionally, it was thought that only the confidentiality of the user data itself had to be protected, while metadata ("data about data": properties of documents and photographs, information about network connections, transaction history, etc.) could be processed without restriction. Given the growing volume of metadata and the modern technologies for processing it, this approach is gradually changing.


3.3.2. Interception of electronic communications by government agencies


Authorized interception of electronic communications by government agencies for legally defined purposes (lawful interception) is recognized as permissible in international law, but each country regulates such access in its own way. In some countries, for example, every interception request is scrutinized by an independent authority before it is granted. There are as yet no uniform international legal rules on lawful interception, but there are a number of technical standards that guide the manufacturers of interception tools. Telecom service providers deploy such tools according to the requirements of local legislation, which typically include maintaining the appropriate equipment and premises, supporting lawful interception requests from government officials, and keeping those requests confidential, including the identity of the persons under investigation. In some countries, the law requires that the frequency and targets of interception requests, as well as the characteristics and location of the interception equipment, be kept secret, which constrains what telecom providers may publish in their transparency reports.


The widespread use of cryptography to encrypt traffic has made it harder to access the content of electronic communications. States use various legal mechanisms to obtain messages in clear text, including search and seizure warrants for devices, decryption requests to device manufacturers and third-party companies, and compelling the subjects of an investigation to hand over encryption keys and passwords. A further difficulty is the proliferation of transnational "virtual" (over-the-top) communication providers, which are expected to comply with the lawful interception requirements of each country in which they operate. If such a provider refuses to cooperate, users' access to its service may be restricted legally (by refusing to license it as a communication service) or technically (by having local telecom operators block its traffic).


3.3.3. Interception of electronic communications by persons outside government agencies


Unauthorized interception of electronic communications by employees of a telecom provider is usually prohibited by law, and the same applies to other public networks; in some cases such interception is treated as a cybercrime. If, however, traffic is intercepted by a private person on their own network and equipment (for example, on a router or mail server in a local network), this may not constitute a cybercrime, but privacy or personal data protection legislation may still apply.


3.3.4. Compliance with legislation on the protection of privacy - penalties for violations


Enforcing privacy rights involves a number of challenges: for example, a victim of a privacy violation may never notice it, and there may be no evidence of it. However, there may be a requirement to notify data subjects when unauthorized access to their data is detected (data breach notification), and in court proceedings a person may be shown the evidence obtained against them. A civil action against the infringing company with a claim for financial compensation is one remedy for people whose privacy has been violated. In addition, in some countries evidence collected in violation of the accused's privacy rights may be rejected by the court, and some privacy violations, such as interception of electronic communications without a warrant or unauthorized access to stored data, may be treated as crimes.


3.4. Data protection


Data protection legislation grew out of privacy law but covers more modern information-processing technologies. Information security specialists regularly have to deal with regulatory data protection requirements, especially those concerning practical cybersecurity, and in doing so must focus on protecting the legitimate rights of the person whose data is being processed. Traditionally, most attention has been paid to data protection legislation in the EU, where the General Data Protection Regulation (GDPR) is currently in force. It applies, among other things, to the processing of personal data of persons in the EU by organizations located in any country, including countries outside the EU.


3.4.1. Subject matter and regulatory focus


The purpose of EU data protection legislation is to ensure that the legitimate interests of data subjects are respected by controllers and processors when personal data is processed.


3.4.1.1. Data subject, personal data


Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Technical data from which, with enrichment and analytics, information about an individual can be derived, such as server logs containing IP addresses or cookies, is therefore also personal data. Outside the EU the terminology differs: in the USA, for example, the term "personally identifiable information" (PII) is used, and technical data such as a device's MAC address or IP address may not fall under that definition.


3.4.1.2. Processing


Article 4(2) of the GDPR defines processing as any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In other words, practically any action performed on personal data is processing.


3.4.1.3. Controller and processor


Article 4(7) of the GDPR defines a controller (often rendered as "operator" in Russian-language material) as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or Member State law, the controller, or the specific criteria for nominating it, may be provided for by that law. Article 4(8) of the GDPR defines a processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


Thus, the controller makes the decisions about processing, and the processor carries them out. Controllers usually have more direct contact with data subjects and therefore bear greater responsibility, while in many cases the processor merely acts on the controller's instructions. The development of SaaS, however, has led to a more even division of responsibility between cloud service customers and the providers that process data for them. SaaS providers often offer customers no choice of personal data protection options, on the assumption that a customer who disagrees with the provider's personal data processing policy will simply not use the service.


3.4.2. Basic regulatory principles of GDPR


The principles of personal data processing are set out in Article 5 of the GDPR:

 -  lawfulness, fairness and transparency: personal data is processed in accordance with the law, and the organization develops and follows a publicly available policy on working with personal data (the so-called privacy policy);
 -  purpose limitation: personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes;
 -  data minimization: only the personal data actually required to achieve the purposes of processing is processed;
 -  accuracy: the personal data processed is accurate and kept up to date; otherwise the data subject may ask for inaccurate data to be erased or rectified;
 -  storage limitation: personal data is kept in a form that allows identification of the data subject for no longer than is necessary for the purposes of processing, and is deleted once those purposes have been achieved;
 -  integrity and confidentiality: personal data is processed securely and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures;
 -  accountability (Article 5(2)): the controller is responsible for compliance with the principles above and must be able to demonstrate it.


Particular attention must be paid to the special categories of personal data listed in Article 9 of the GDPR: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life or sexual orientation. Processing of such data is prohibited by default and allowed only under the exceptions listed in Article 9(2); stronger security measures must be applied to it, and regulators monitor compliance closely, since misuse of this kind of information creates high risks to the legitimate interests of the data subject.


Obtaining the data subject's consent to the processing of their data is also a complex issue: on the one hand, the GDPR defines cases in which consent is not required (the processing may rest on another legal basis, such as a contract or a legal obligation); on the other hand, where consent is needed, it must be freely given, specific, informed and unambiguous, and the data subject may give it either by a statement or by a clear affirmative action (Article 4(11)).


3.4.3. Data protection in the investigation and prevention of crimes


Processing of personal data by competent public authorities for the purpose of preventing, investigating, detecting or prosecuting crimes falls outside the scope of the GDPR (Article 2(2)(d)) and is governed by a separate EU directive, so officials conducting such investigations are subject to a different regime. Where crimes are investigated by persons who do not belong to government agencies, the processing remains within the GDPR, but Article 23 allows individual Member States to restrict certain data protection obligations and data subject rights by law where this is necessary for the prevention, investigation, detection or prosecution of crimes.


3.4.4. Appropriate security measures


Under Article 32(1) of the GDPR, controllers and processors must implement technical and organizational measures that ensure a level of security appropriate to the risk. The quality of the security measures, and the cost of implementing them, should therefore be proportionate to the risks of the processing they mitigate. Technical measures named in the article include pseudonymization and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability of and access to personal data in a timely manner after an incident, and regular testing and evaluation of the effectiveness of the measures. Contractual obligations imposed on suppliers and contractors (for example, the processor contracts required by Article 28) can be regarded as organizational measures. Companies may also use approved certification mechanisms and codes of conduct to demonstrate that their choice of protective measures is appropriate (Article 32(3)), but such certification does not by itself prove that all GDPR requirements have been met.
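As an added illustration of the first technical measure named above (this is example code written for this review, not part of CyBOK and not code from any product described on this site), the following Python script pseudonymizes the client IP addresses in web server access logs, which, as noted in 3.4.1.1, are personal data. It uses a keyed HMAC rather than a plain hash: the IPv4 address space has only 2^32 values, so an unkeyed SHA-256 of an address can be reversed by enumeration, whereas the HMAC output cannot be reversed without the key. The pseudonym is deterministic, so the same client can still be correlated across lines during incident analysis. The log lines and the key are constructed for the example; in production the key is generated randomly, stored in a KMS or HSM separately from the logs, and rotated. Note that, as the GDPR definition of pseudonymization (Article 4(5)) implies, the output remains personal data as long as the key exists: the measure reduces the impact of a breach, it does not take the logs out of scope.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (hypothetical traffic,
# documentation-range addresses; not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Oct/2025:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Oct/2025:12:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:01:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '2001:0db8::1 - - [10/Oct/2025:12:02:00 +0000] "GET /api/v1/items HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
]

# Hypothetical pseudonymization key (assumption for the example). In production it is
# generated randomly, kept in a KMS/HSM, rotated, and stored separately from the logs.
EXAMPLE_KEY = b"example-only-key-do-not-use-in-production"

# First whitespace-delimited field of a combined-format line is the client address.
_LEADING_HOST = re.compile(r"^(\S+)(\s.*)$")


def pseudonymize_ip(ip: str, key: bytes, out_len: int = 16) -> str:
    """Return a keyed, deterministic pseudonym for an IP address.

    HMAC-SHA256 over the canonical packed address, truncated to out_len hex chars.
    Keyed (rather than a plain hash) so the 2^32 IPv4 space cannot simply be
    enumerated to reverse it; deterministic so one client still correlates.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:out_len]
    return f"ip-{tag}"


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace the client address in one log line; leave non-IP first fields alone."""
    m = _LEADING_HOST.match(line)
    if not m:
        return line
    host, rest = m.groups()
    try:
        return pseudonymize_ip(host, key) + rest
    except ValueError:
        # Hostname or already-pseudonymized value: nothing to replace.
        return line


def pseudonymize_log(lines, key: bytes):
    return [pseudonymize_line(ln, key) for ln in lines]


def contains_raw_ip(text: str) -> bool:
    """Check before exporting logs to a third party: is any literal IP address left?"""
    for token in re.findall(r"[0-9A-Fa-f:.]+", text):
        try:
            ipaddress.ip_address(token)
            return True
        except ValueError:
            continue
    return False


def requests_per_client(lines) -> Counter:
    """Per-client request counts still work on pseudonymized lines (incident analysis)."""
    return Counter(ln.split(" ", 1)[0] for ln in lines)


if __name__ == "__main__":
    out = pseudonymize_log(SAMPLE_LOG, EXAMPLE_KEY)
    for ln in out:
        print(ln)
    print(requests_per_client(out))
```

Two design points are worth noting. The address is canonicalized with ipaddress before hashing, so "2001:0db8::1" and "2001:db8::1" get the same pseudonym, and the pseudonym length is fixed (16 hex characters) so that it cannot be mistaken for an address by downstream parsers. The contains_raw_ip check is the kind of control a data exporter would run before handing logs to a processor or moving them out of the EEA.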


3.4.5. Assessment and design of personal data processing systems


To avoid violating personal data protection legislation, it is usually more effective to design the information system correctly from the outset. The GDPR therefore requires the controller to implement data protection by design and by default (Article 25) through technical and organizational measures, both when determining the means of processing and during the processing itself; in other words, the requirement must already be met at the planning stage, before any personal data is processed.


Where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects, particularly when developing or migrating to information systems that process large amounts of data or use new technologies, the controller must additionally carry out a data protection impact assessment (DPIA, Article 35). If the assessment shows that a high risk remains despite the planned measures, the controller must consult the supervisory authority before starting the processing (Article 36).


3.4.6. Cross-border data transfer


Under Article 44 of the GDPR, personal data subject to the Regulation may be transferred to a state outside the European Economic Area, or to an international organization, only if the conditions of Chapter V are met. Such cross-border transfers are therefore allowed only where one of the mechanisms described below applies.


3.4.6.1. The concept of adequate protection and the Privacy Shield Agreement


One basis for a cross-border transfer is an adequacy decision (Article 45): a finding that a non-EU state or an international organization ensures an adequate level of protection. The European Commission evaluates adequacy by examining the legal regime of the country wishing to receive personal data, including its data protection laws, the rule of law, the rights of data subjects and the existence of an independent supervisory authority; this process can take a long time. Adequacy may be recognized for a country as a whole or for a specific territory or sector within it.


The EU-U.S. Privacy Shield, an arrangement that took effect in July 2016, defined how personal data of persons in the EU could be processed by companies in the United States. A US business wishing to receive such data had to meet the Privacy Shield requirements: compliance was confirmed by voluntary self-certification with the US Department of Commerce, and the certified company had to meet a set of requirements intended to ensure an adequate level of protection. Note that CyBOK describes the situation at the time of its writing: in July 2020 the Court of Justice of the EU invalidated the Privacy Shield adequacy decision (the Schrems II judgment, case C-311/18), and in July 2023 the Commission adopted a new adequacy decision for its successor, the EU-U.S. Data Privacy Framework, which again relies on self-certification with the Department of Commerce.


3.4.6.2. Cross-border data transfer subject to appropriate safeguards


Under Article 46 of the GDPR, a cross-border transfer is also permitted where the controller or processor provides appropriate safeguards. Typical safeguards are binding corporate rules and data protection clauses in contracts between the data exporter and the data importer. Binding corporate rules (BCRs, Article 47) are internal policies and procedures used by multinational groups to demonstrate to the supervisory authorities that intra-group transfers comply with data protection principles; many American cloud providers serving EU customers rely on such mechanisms, which significantly shape their security architecture and management procedures. For transfers between a data exporter and a data importer, the contract contains clauses protecting the rights of data subjects: either the standard contractual clauses adopted by the European Commission, or ad hoc clauses (which may include, for example, details of the personal data concerned and the purposes of processing) that must be authorised by the competent supervisory authority.


3.4.6.3. Cross-border data transfer within the framework of international mutual legal assistance agreements


A cross-border transfer that the GDPR would otherwise prohibit becomes possible when a law enforcement agency of another country requests it under an international mutual legal assistance treaty: Article 48 of the GDPR recognizes judgments and decisions of third-country authorities requiring a transfer only where they are based on such an international agreement.


3.4.6.4. Exceptions allowing cross-border data transfer


In the absence of any other legal mechanism, Article 49 of the GDPR allows personal data to be exported from the European Economic Area in certain limited circumstances (derogations), including the following:

 -  the data subject has explicitly consented to the transfer after being informed of the risks it involves;
 -  the transfer is necessary for the performance of a contract with the data subject, or of a contract concluded in the data subject's interest with a third party;
 -  the transfer is necessary for important reasons of public interest;
 -  the transfer is necessary for the establishment, exercise or defence of legal claims;
 -  the transfer is necessary to protect the vital interests of the data subject (or of other persons) where the data subject is physically or legally incapable of giving consent.


3.4.7. Personal data breach notification


Laws requiring data subjects to be notified of data breaches began to appear in the USA and the EU at the beginning of the 21st century. Under Article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Unauthorized modification of personal data, theft of personal data and the encryption of personal data by ransomware (a loss of availability) are therefore all personal data breaches, not only leaks of data to outsiders.


Under Article 33 of the GDPR, a processor that becomes aware of such a breach must notify the controller without undue delay, and the controller in turn must notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. There is an exception: notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals. Regardless of whether the supervisory authority was notified, the controller must document every personal data breach, including its facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.


If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the breach to the affected data subjects without undue delay (Article 34). Data subjects need not be notified if the controller had applied measures that render the data unintelligible to anyone not authorized to access it: encrypted personal data remains personal data from a legal point of view, but encryption reduces the potential harm to data subjects in the event of a breach. This exception is a useful feature of the GDPR compared with some US breach-notification laws, which require affected persons to be notified regardless of an assessment of the potential harm. However, the supervisory authority retains the right to require the controller to notify data subjects if it disagrees with the controller's assessment of the risk.


3.4.8. Monitoring of compliance and punishment for non-compliance


Gross violations of personal data protection law may be treated as crimes under the domestic legislation of EU Member States, including as computer crimes, and data subjects may bring lawsuits for violation of their rights. Supervisory authorities also have the power to order a company to bring its processing into compliance with legal requirements, and even to prohibit the infringing company from processing personal data altogether.


Administrative fines imposed by European regulators for non-compliance with the GDPR (Article 83) are, for less serious violations, up to 10 million euros or 2% of the company's total worldwide annual turnover, whichever is higher, and for more serious violations, up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. At the time of writing (May 2025), the total amount of fines imposed under the GDPR is almost 6.2 billion euros. Penalties on this scale have drawn the attention of company executives to personal data protection and raised the priority of cybersecurity in general.
