Greetings, everyone. Welcome to Cybersecurity Audit Overview, Episode Four.
Now, in this video, you will learn the definition of a control, the purpose of a control,
as well as examples of controls.
Now, there is no single standardized definition. The term varies across organizations and industries.
However, they all have one thing in common,
and that means controlling behaviors.
A control is an approved and implemented measure designed to mitigate a specific risk.
Measures are actions
used to control behavior or activity.
And the measures could be hardware, software, policies,
anything that's implemented in order to control behaviors
or possible negative occurrences.
Now, IT controls are designed and implemented to help protect basically anything of value to the organization.
Now, IT controls protect the company as well as the customers.
If you think about personally identifiable information,
that's something of value to a hacker.
So we want to make sure that that PII
is where the hackers can't get at it,
and we're protecting ourselves from a lawsuit as well as protecting the customers from possible identity theft.
And audits verify controls are defined, implemented and followed.
Now, control examples.
These came from the Center for Internet Security, a wonderful organization,
and they have 20 controls that they have listed.
We're gonna take a look at the top three.
Number one: Inventory and Control of Hardware Assets.
Well, you can't protect it if you don't know that you have it.
Simple enough, right?
Control number two: Inventory and Control of Software Assets.
You can't update or patch if you don't know that you have it.
Control number three: procedures and tools.
Their recommendation is to use vulnerability scanning tools.
Well, vulnerability scanning tools are often more effective and efficient at identifying vulnerabilities than having a person go through it on their own.
And all the controls have sub-controls associated with them.
Utilize an active discovery tool.
The purpose of that is to help build and maintain a hardware asset inventory.
Utilize a passive discovery tool, once again making sure that we have an accurate hardware asset inventory.
1.3: Use DHCP,
once again updating the hardware asset inventory,
along with 1.4: Maintain a detailed asset inventory.
All right, time for another knowledge bomb.
Now, if you have an accurate inventory of all your hardware assets, that's great. It's wonderful.
If you don't, then it becomes a problem, and you're really gonna have to use these vulnerability scanning tools
to go out there and give an idea of what your network looks like.
You know, another way that you can do this is every time you purchase equipment,
write down the serial numbers,
MAC addresses, any other information that you find pertinent or helpful to maintaining an accurate inventory.
Odds are you're not gonna take the new piece of equipment and just put it out into production.
You know, if it's a computer, for example, you're probably gonna take it out of the box,
configure it properly for your organization, maybe add some software to it,
and that's the perfect time to actually take down that information
and start creating a database for yourself.
And another tip is when you're gonna go out there and actually put that computer on someone's desk,
have them sign a custody card.
After that, they're going to be accountable for that computer, but at least they're just verifying that
it is now in the administration office, desk four.
With that information,
you guys can use that
to help build a topography of your network, where your assets are, what's on there, et cetera. It's very, very valuable.
All right, let's finish up sub-controls.
Now, sub-controls are also explicitly going to address an asset type along with the corresponding security function.
We've identified something of value to us,
and we're also going to define how we're going to protect it.
And for more information, please take a look at the Center for Internet Security.
Now, please pick the right answer. IT controls are implemented to:
mitigate a specific risk,
maintain managerial dominance over employees,
or increase audit failure probability. That's my favorite, by the way.
Okay, the right answer is A: IT controls are implemented to mitigate a specific risk.
As far as maintaining managerial dominance over employees, well, that's not the purpose of a control. It's there to mitigate the risk.
As far as increasing audit failure probability,
well, the controls have to be approved
and implemented, which means that there should be some sort of communication.
So if that is all taking place, then there's really no reason for there to be an audit failure.
In today's video, we discussed the definition of a control, the purpose of a control, and provided you with examples of controls.
Let's move on to the next episode.