2.1 Cybersecurity Audit Controls

00:01

Greetings, everyone. Welcome to sever Security Audit Will review Episode four

00:08

Now In this video, you will learn the definition of a control, the purpose of a control

00:13

as well as examples of controls.

00:18

Now there is no single standardized definition of the term varies across organizations and industries.

00:24

However, they all have one thing in common,

00:26

and that means controlling behaviors.

00:30

No far purposes

00:32

controls and approved unimplemented measure designed to mitigate a specific risk

00:37

measures air actions

00:39

used to control behavior activity.

00:42

And the measures could be hardware, software policies,

00:45

anything that's implemented. Order control, behaviors

00:49

and risk

00:51

are possible. Negative occurrences,

00:56

not. It controls air designed and implemented to help protect basically anything of value to the organization.

01:03

Knotted controls protect the company as well as the customers.

01:07

If you think about personal, identifiable information,

01:11

that's something of value to a hacker.

01:14

So we want to make sure that that p I

01:18

is protected,

01:19

that where the hackers can't get at it

01:23

and we're protecting ourselves from a lawsuit as well as protecting the customers from possible identity theft

01:30

and audits. Verify controls or define, implemented and followed

01:38

doesn't control examples.

01:42

These came from the stunner for Internet security wonderful organization,

01:48

and they have 20 controls that they have listed.

01:51

We're gonna take a look at the top three.

01:53

Number one inventory in control of hardware assets.

01:57

Well, you can't protect it if you don't know that you have it

02:00

simple enough, right?

02:02

Control number two. Inventory in control Software assets.

02:07

You can update her patch if you don't know that you have it.

02:12

Control Number three Procedures and tools.

02:15

Their recommendations to use vulnerability. Scanning tools?

02:19

No. Why is that?

02:23

Well, vulnerability? Skinning tools are often more effective and efficient and identifying vulnerabilities and having a person go through it on the Rome

02:32

and all the controls have sub controls associated with, um,

02:38

for example,

02:40

1.1

02:43

utilize active discovery tool

02:46

purpose that is to help build and maintain a hardware asset inventory.

02:51

Sub control 1.2

02:53

Utilize passive discovery tool once again making sure that we have a accurate hardware asset Inventory.

03:00

1.3. Use D eight C p

03:05

once again updating the hardware acid inventory

03:07

along with 1.4. Maintain a detailed asset inventory.

03:15

All right, time for another knowledge bomb.

03:19

Now, if you have an accurate inventory of all your hardware assets. That's great. It's wonderful.

03:27

If you don't, then it becomes a problem that's really gonna have to use thes voluntarily scanning tools

03:32

to go out there and give an idea of what you're never looks like.

03:38

You know, another way that you can do this is every time you purchase equipment

03:43

right down the serial numbers,

03:45

Mac addresses any other information that you find pertinent or helpful to maintaining an accurate inventory.

03:55

Nods are you're not gonna take the new piece of a club and just put it out into production.

04:00

You know, if it's a computer, for example, you're probably gonna take it out of the box

04:04

update to software

04:06

configured properly for your organization. Maybe add some software to it,

04:11

and that's the perfect time to actually take down that information

04:15

and start creating a database for yourself.

04:18

And another tip is when you're gonna go out there and actually put their computer on someone's desk,

04:26

haven't signed custody card.

04:29

It's after that. They're going to be accountable for that computer, but at least they're just verifying that

04:34

Computer 101

04:36

is now in the administration office desk. For

04:43

that, we that information

04:45

you guys can use that

04:46

to help build a topography of your network, where your assets are, what's on there, etcetera. It's very, very valuable.

04:59

All right, let's finish up sub controls.

05:02

No sub controls are also explosively going to address an acid type along with the corresponding security function.

05:10

We've identified something of value to what,

05:14

and we're also going to define how we're going to protect it

05:18

and for more information. Please take a look at the Center for Internet Security.

05:26

All right, a quiz,

05:29

you know. Please pick the right answer it controls implemented to

05:33

mitigate a specific risk,

05:36

maintain managerial dominance over employees

05:41

or increase audio failure Probability. That's my favorite, by the way.

05:49

Okay, The right answer is eight it controls implemented to mitigate a specific risk

05:56

as far as maintaining managerial dominance over employees. Well, that's not the purpose of a control. It's there to mitigate the risk.

06:04

As far as increasing audit failure probability.

06:09

Well, the controls have to be approved

06:12

and implemented, which means that there should be some sort of communication.

06:16

So if that is all taking place, then there's really no reason for there to be another failure.

06:26

All right,

06:27

in today's video, discuss the definition of a control, the purpose of a control and provided you with examples of controls.