Greetings, everyone, and welcome to Cybrary's Security Audit Overview, Episode Five: Cybersecurity Audit Frameworks.
Now, in Episode Four, we talked about controls and why they're so important to an organization. You're probably wondering to yourself, that's great, but where do I find these controls? Well, that's the purpose of this episode. We're gonna start talking about audit frameworks. In this video, you will learn the definition of a framework, the purpose of a framework, as well as examples of frameworks.
Now, there is no single standardized definition, and I'm sure you're starting to get used to that. But the baseline across all of them involves providing standards, controls and best practices to mitigate risks.
You know what are best practices? Well, from a project management background, you can think of best practices as lessons learned. Just think of best practices as learning from the errors of others. Basically, someone else encountered a problem and figured out a way to solve it, and thankfully, they decided to share it with the rest of us.
So for our purposes, a framework is an organized and distributed collection of standards, controls and best practices to mitigate risks for a corresponding industry or activity. The framework is organized, meaning there's a logical flow to it. And as far as distributed, well, let's just say it's made available to those who are interested in that type of framework.
It's also important to remember frameworks can be different, so you have to find the right one. Now, frameworks address risks and threats for a specific industry or activity, provide best practice information based on experience, and they provide a basis for audit control selection. Now, this is important, because you'll go through different frameworks, take a look at them, analyze them for applicability to your organization and then select the appropriate audit controls. Frameworks may also provide expected compliance standards.
Now, one of the most recognizable framework examples is PCI DSS. And the great thing about this framework is it was actually developed by the payment card industry, meaning that everyone got together, talked about past performance, you know, shared best practices, and came up with a framework for everyone, and they all agreed to abide by it. Now, the focus of the framework is on mitigating risks with credit cards and personal data, and it applies to everyone that wants to process credit cards. It's available at pcisecuritystandards.org, so I suggest just downloading it and taking a look at your leisure. There's also a PCI DSS course available through Cybrary, if you're interested.
Okay, Center for Internet Security. We talked about them in the last episode. Now, the 20 Controls are developed by the CIS organization, which is made up of experts from around the world and in different areas. And their focus is on mitigating risks according to impact and probability. So the greater the impact, the worse the loss, and then the chances of that loss occurring. That's how they go through everything, and then they rank all of the controls one through 20 based on importance. Now there is an accompanying spreadsheet available, which is very good, it's valuable, and you can get all this information for free. But it does require registration through the organization.
COBIT is developed by the IT Governance Institute, and its focus is on IT management and control, which is different from the previous ones that we've talked about. Whereas PCI DSS was focused on the credit card industry, and the CIS Controls were available for everyone, but their focus was on a risk versus reward type of format, COBIT focuses on IT management and control, and it tries to help users match IT functions to processes and to company goals, which is a little different from the other two, but it does require registration through ISACA.
Let's talk about NIST. This is a government organization that is part of the Department of Commerce, and it is a wonderful repository for different kinds of information, including frameworks. As a matter of fact, you could probably call it a framework library if you wanted to. Now, the great thing about NIST is that all the information is free. The bad thing is that you're going to have to actually go through a lot of the different documents to figure out which ones apply to you and which ones don't.
Now, here I've provided a couple of examples. There's the Framework for Improving Critical Infrastructure Cybersecurity, and it does have a corresponding spreadsheet available. Critical infrastructure, we're talking about water purification plants, any critical infrastructure to the country. There's also the Risk Management Framework for Information Systems and Organizations, and that's fairly applicable to all organizations. And another great thing about this is they actually have a free program that you can use online or download, and it's Baseline Tailor, and you can use that to create a framework for yourself.
Pick the right answer. A framework provides best practice information, can help management select controls, or is normally tied to a specific industry or function. Well, the correct answer is all of the above, because a framework provides best practice information, can help management in defining and selecting controls, and is normally tied to a specific industry or function.
All right. In this video we discussed the definition of a framework, the purpose of a framework, and examples of frameworks. I urge you to take a look at the different websites that we've identified in this video, download the different frameworks, and do a comparison side by side. It'll really help you understand frameworks as well as controls.