2.1 Cybersecurity Audit Controls


Time: 1 hour 21 minutes
Difficulty: Intermediate
CEU/CPE: 1
Video Transcription
00:01
Greetings, everyone. Welcome to Cybersecurity Audit Overview, Episode 4.
00:08
Now, in this video, you will learn the definition of a control, the purpose of a control,
00:13
as well as examples of controls.
00:18
Now, there is no single standardized definition; the term varies across organizations and industries.
00:24
However, they all have one thing in common,
00:26
and that is controlling behaviors.
00:30
Now, for our purposes,
00:32
controls are approved and implemented measures designed to mitigate a specific risk.
00:37
Measures are actions
00:39
used to control behavior or activity.
00:42
And the measures could be hardware, software, policies,
00:45
anything that's implemented in order to control behaviors,
00:49
and risks
00:51
are possible negative occurrences.
00:56
Now, IT controls are designed and implemented to help protect basically anything of value to the organization.
01:03
Now, IT controls protect the company as well as the customers.
01:07
If you think about personally identifiable information,
01:11
that's something of value to a hacker.
01:14
So we want to make sure that that PII
01:18
is protected,
01:19
so that the hackers can't get at it,
01:23
and we're protecting ourselves from a lawsuit as well as protecting the customers from possible identity theft.
01:30
And audits verify controls are defined, implemented and followed.
01:38
Now, some control examples.
01:42
These came from the Center for Internet Security, a wonderful organization,
01:48
and they have 20 controls that they have listed.
01:51
We're gonna take a look at the top three.
01:53
Number one: Inventory and Control of Hardware Assets.
01:57
Well, you can't protect it if you don't know that you have it.
02:00
Simple enough, right?
02:02
Control number two: Inventory and Control of Software Assets.
02:07
You can't update or patch it if you don't know that you have it.
02:12
Control number three: procedures and tools.
02:15
Their recommendation is to use vulnerability scanning tools.
02:19
Now, why is that?
02:23
Well, vulnerability scanning tools are often more effective and efficient at identifying vulnerabilities than having a person go through it on their own.
02:32
And all the controls have sub-controls associated with them,
02:38
for example,
02:40
1.1:
02:43
Utilize an active discovery tool.
02:46
The purpose of that is to help build and maintain a hardware asset inventory.
02:51
Sub-control 1.2:
02:53
Utilize a passive discovery tool, once again making sure that we have an accurate hardware asset inventory.
03:00
1.3: Use DHCP,
03:05
once again updating the hardware asset inventory,
03:07
along with 1.4: Maintain a detailed asset inventory.
03:15
All right, time for another knowledge bomb.
03:19
Now, if you have an accurate inventory of all your hardware assets, that's great. It's wonderful.
03:27
If you don't, then it becomes a problem; you're really gonna have to use these vulnerability scanning tools
03:32
to go out there and get an idea of what your network looks like.
03:38
You know, another way that you can do this is every time you purchase equipment,
03:43
write down the serial numbers,
03:45
MAC addresses, any other information that you find pertinent or helpful to maintaining an accurate inventory.
03:55
Now, you're not gonna take a new piece of equipment and just put it out into production.
04:00
You know, if it's a computer, for example, you're probably gonna take it out of the box,
04:04
update the software,
04:06
configure it properly for your organization, maybe add some software to it,
04:11
and that's the perfect time to actually take down that information
04:15
and start creating a database for yourself.
04:18
And another tip is, when you're gonna go out there and actually put that computer on someone's desk,
04:26
have them sign a custody card.
04:29
After that, they're going to be accountable for that computer, but at least they're just verifying that
04:34
Computer 101
04:36
is now at the administration office desk.
04:43
From there, with that information,
04:45
you guys can use that
04:46
to help build a topography of your network: where your assets are, what's on there, etc. It's very, very valuable.
04:59
All right, let's finish up sub-controls.
05:02
Now, sub-controls are also explicitly going to address an asset type along with the corresponding security function.
05:10
We've identified something of value,
05:14
and we're also going to define how we're going to protect it.
05:18
And for more information, please take a look at the Center for Internet Security.
05:26
All right, a quiz.
05:29
Please pick the right answer: IT controls are implemented to
05:33
A) mitigate a specific risk,
05:36
B) maintain managerial dominance over employees,
05:41
or C) increase audit failure probability. That's my favorite, by the way.
05:49
Okay, the right answer is A: IT controls are implemented to mitigate a specific risk.
05:56
As far as maintaining managerial dominance over employees, well, that's not the purpose of a control. It's there to mitigate the risk.
06:04
As far as increasing audit failure probability,
06:09
well, the controls have to be approved
06:12
and implemented, which means that there should be some sort of communication.
06:16
So if that is all taking place, then there's really no reason for there to be an audit failure.
06:26
All right,
06:27
in today's video, we discussed the definition of a control, the purpose of a control, and provided you with examples of controls.
06:34
Let's move on to the next episode.
Cybersecurity Audit Overview

This cybersecurity audit training is a beginner level course for anyone interested in cybersecurity audits or a career as an auditor. Upon completion of the course, the student will be familiar with the concept and purpose of auditing along with control frameworks focused on cybersecurity.