2.2 Cybersecurity Audit Frameworks

00:00

Greetings, everyone and welcome to sever Security Audit Overview Episode five

00:05

Cyber Security Audit Frameworks

00:09

Now in Episode four, we talked about controls on why they're so important to an organization.

00:14

You're probably wondering to yourself, that's great. But where do I find these controls?

00:20

Well, that's the purpose of this episode.

00:22

We're gonna start talking about audit frameworks.

00:26

In this video, you will learn the definition of a framework, the purpose of framework.

00:31

This was examples of framework.

00:37

Now there is no single standardized definition, and I'm sure you're starting to get used to that.

00:42

But the Baseline Cross all

00:45

involves providing standards, controls and best practices to mitigate risks.

00:52

You know what our best practices

00:55

Well, the project management background You can think of best practices as lust was learned.

01:02

If you don't

01:03

and just think of best practices as learning from the errors of others,

01:10

basically, someone else encountered a problem and figure out a way to solve it,

01:15

and thankfully, they decided to share with the rest of us.

01:19

So far, our purposes of framework is an organized and distributed collection

01:25

of standards, controls and best practices to mitigate risks for a corresponding industry or activity

01:33

the framework has organized mean there's a logical flow to it.

01:38

And as Faras distributed, well, let's just say it's just made available to those who are interested in that type of a framework.

01:47

It's also important to remember frameworks can be different, so you have to find the right one.

01:55

No frameworks address forests and threats for specific industry or activity

02:00

provide best practice information based on experience,

02:04

and they provide a base for audit control selection. Now this is important because you'll go through different frameworks,

02:12

take a look at them, analyze them for applicability to your organization

02:17

and then select the appropriate audit controls.

02:23

Frameworks may also provide expected compliance standards

02:29

within an industry.

02:32

No, one of the most recognizable framework examples is PC, Idea says.

02:38

And the great thing about this framework is it was actually developed by the payment card in the screen.

02:46

Mean that everyone got together,

02:49

talked about past performance, you know, shared best practices,

02:53

and it came up with a framework

02:55

for everyone, and they all agreed to buy buy it.

03:00

Now, the focus of the framework

03:02

regards with many getting risks with credit cards and personal data,

03:07

and it applies to everyone that wants to process credit cards.

03:13

Now this is free.

03:15

Gets available at P. C. I security standards that work. So I said, just downloading and taking Look at your leisure.

03:23

There's also a PC Ideas US course available through savory, if you're interested.

03:32

Okay, Center for Internet Security. We talked about them in the last episode.

03:38

Another 20 controls are developed by the entire organization, which is made up of experts from around the world and in different areas.

03:46

And their focus is on mitigating risks according to impact and probability.

03:53

So the greater the impact, the worst loss dire, the chances of that loss occurring.

04:00

That's how they go through everything and in the rank. All of the controls one through 20 based on importance.

04:06

Now there is an accompanying spreadsheet available, which is very good. It's valuable,

04:13

and you can get all this information for free. But it does require registration through the organization

04:20

Coben.

04:23

It's developed by the I T Governance Institute and its focuses on a team management and control, which is different from the previous ones that we've talked about.

04:32

Where's P. C. I. D. SS was focused on the credit card in this for you

04:38

and the C. I s controls were available for everyone,

04:42

but their focus was on a risk versus reward type of format.

04:46

Kobe focuses on I t management and control, and it tries to help users match I t functions to processes into company goals,

04:55

which is a little different from the other two.

04:59

Now Kobe is free,

05:00

but it does require registration through I. Sacha,

05:05

Let's talk about the list.

05:08

This is a government organization is part of the Department of Commerce,

05:13

and it is wonderful repositories for different kinds of information, including frameworks.

05:18

It's a matter of fact. You probably call it a framework, a library if you wanted to.

05:24

Now the great thing about nest is that all the information is free.

05:30

The bad thing is that you're going to have to actually go through a lot of the different documents to figure out which ones apply to you and which ones don't.

05:41

Now, here I've provided a couple of examples.

05:44

There's a framework for improving critical infrastructure cybersecurity,

05:47

and it does have a corresponding spreadsheet available

05:51

critical infrastructure. We're talking about

05:55

power plants, dams,

05:58

water purification plants,

06:00

no critical infrastructure to the country

06:03

There's also a risk management framework for information systems and organizations,

06:09

and that's fairly applicable to all organizations.

06:13

And another great thing about this is they actually have a free program that you can use online or download

06:18

and its baseline Taylor,

06:21

and you can use that to create a framework for yourself.

06:27

All right,

06:29

a quiz. ***.

06:31

You picked the right answer. A framework provides best practice information,

06:36

cannot management slug controls

06:40

or is normally tied to a specific industry or function

06:44

well. The correct answer is only above a framework because provide best practice information.

06:49

Can I help management in defining in selecting controls?

06:54

And it's normally tied to a specific industry or function?

06:58

All right, In this video we discussed the definition of a framework, the purpose of a framework

07:02

examples of framework.

07:05

I urge you to take a look at the different websites that we've identified in this video.

07:11

Donald the different frameworks

07:14

and do a comparison side by side.