2.2 Cybersecurity Audit Frameworks


Time
51 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:00
Greetings, everyone, and welcome to Cyber Security Audit Overview, Episode Five:
00:05
Cyber Security Audit Frameworks
00:09
Now, in Episode Four, we talked about controls and why they're so important to an organization.
00:14
You're probably wondering to yourself, that's great, but where do I find these controls?
00:20
Well, that's the purpose of this episode.
00:22
We're gonna start talking about audit frameworks.
00:26
In this video, you will learn the definition of a framework, the purpose of a framework,
00:31
as well as examples of frameworks.
00:37
Now there is no single standardized definition, and I'm sure you're starting to get used to that.
00:42
But the baseline across all of them
00:45
involves providing standards, controls and best practices to mitigate risks.
00:52
Now, what are best practices?
00:55
Well, from a project management background, you can think of best practices as lessons learned.
01:02
If you don't,
01:03
just think of best practices as learning from the errors of others.
01:10
Basically, someone else encountered a problem and figured out a way to solve it,
01:15
and thankfully, they decided to share with the rest of us.
01:19
So, for our purposes, a framework is an organized and distributed collection
01:25
of standards, controls and best practices to mitigate risks for a corresponding industry or activity.
01:33
The framework being organized means there's a logical flow to it.
01:38
And as far as distributed, well, let's just say it's made available to those who are interested in that type of framework.
01:47
It's also important to remember frameworks can be different, so you have to find the right one.
01:55
Now, frameworks address risks and threats for a specific industry or activity,
02:00
provide best practice information based on experience,
02:04
and they provide a base for audit control selection. Now this is important because you'll go through different frameworks,
02:12
take a look at them, analyze them for applicability to your organization
02:17
and then select the appropriate audit controls.
02:23
Frameworks may also provide expected compliance standards
02:29
within an industry.
02:32
Now, one of the most recognizable framework examples is PCI DSS.
02:38
And the great thing about this framework is it was actually developed by the payment card industry,
02:46
meaning that everyone got together,
02:49
talked about past performance, you know, shared best practices,
02:53
and it came up with a framework
02:55
for everyone, and they all agreed to abide by it.
03:00
Now, the focus of the framework
03:02
regards mitigating risks with credit cards and personal data,
03:07
and it applies to everyone that wants to process credit cards.
03:13
Now this is free.
03:15
It's available at pcisecuritystandards.org, so I suggest just downloading it and taking a look at your leisure.
03:23
There's also a PCI DSS course available through Cybrary, if you're interested.
03:32
Okay, Center for Internet Security. We talked about them in the last episode.
03:38
Their 20 controls are developed by the entire organization, which is made up of experts from around the world and in different areas.
03:46
And their focus is on mitigating risks according to impact and probability.
03:53
So, the greater the impact, the worse the loss, or the higher the chances of that loss occurring.
04:00
That's how they go through everything, and then they rank all of the controls one through 20 based on importance.
04:06
Now, there is an accompanying spreadsheet available, which is very good and valuable,
04:13
and you can get all this information for free, but it does require registration through the organization.
04:20
COBIT.
04:23
It's developed by the IT Governance Institute, and it focuses on IT management and control, which is different from the previous ones that we've talked about.
04:32
Whereas PCI DSS was focused on the credit card industry
04:38
and the CIS controls were available for everyone,
04:42
but their focus was on a risk versus reward type of format.
04:46
COBIT focuses on IT management and control, and it tries to help users match IT functions to processes and to company goals,
04:55
which is a little different from the other two.
04:59
Now, COBIT is free,
05:00
but it does require registration through ISACA.
05:05
Let's talk about NIST.
05:08
This is a government organization that is part of the Department of Commerce,
05:13
and it is a wonderful repository for different kinds of information, including frameworks.
05:18
As a matter of fact, you could probably call it a framework library if you wanted to.
05:24
Now, the great thing about NIST is that all the information is free.
05:30
The bad thing is that you're going to have to actually go through a lot of the different documents to figure out which ones apply to you and which ones don't.
05:41
Now, here I've provided a couple of examples.
05:44
There's a framework for improving critical infrastructure cybersecurity,
05:47
and it does have a corresponding spreadsheet available
05:51
Critical infrastructure: we're talking about
05:55
power plants, dams,
05:58
water purification plants,
06:00
you know, critical infrastructure to the country.
06:03
There's also a risk management framework for information systems and organizations,
06:09
and that's fairly applicable to all organizations.
06:13
And another great thing about this is they actually have a free program that you can use online or download
06:18
and it's Baseline Tailor,
06:21
and you can use that to create a framework for yourself.
06:27
All right,
06:29
a quiz.
06:31
Pick the right answer. A framework provides best practice information,
06:36
can help management select controls,
06:40
or is normally tied to a specific industry or function.
06:44
Well, the correct answer is all of the above, because a framework does provide best practice information,
06:49
can help management in defining and selecting controls,
06:54
and is normally tied to a specific industry or function.
06:58
All right. In this video we discussed the definition of a framework, the purpose of a framework,
07:02
and examples of frameworks.
07:05
I urge you to take a look at the different websites that we've identified in this video.
07:11
download the different frameworks
07:14
and do a comparison side by side.
07:16
It'll really help you understand frameworks as well as controls.
Cybersecurity Audit Overview

This cybersecurity audit training is a beginner level course for anyone interested in cybersecurity audits or a career as an auditor. Upon completion of the course, the student will be familiar with the concept and purpose of auditing along with control frameworks focused on cybersecurity.
