Greetings, everyone, and welcome to Security Audit. We'll review Episode Six, The Audit.
There's a lot of information to cover in this episode, so let's get started.
In this video, you will learn audit preparation and performance,
and the proper way of documenting findings.
Audit preparation.
Well, preparations can vary according to the company size or location.
For example, are you a small mom-and-pop shop
or a multinational company
with offices around the world?
Preparations can also take into account the type of audit: annual audit,
quarterly audit or special audit.
Each one of them may have their own separate preparations required,
and also whether it's an internal or external team.
Now, for our purposes, we're going to go through this episode as if we're talking about an internal audit.
The first step is to make sure that you actually have an audit charter.
Now, what is an audit charter? It's a document that provides authority and independence to the audit team.
It's issued at the highest level, CEO, president, et cetera, and should be current.
Normally, you would want an audit charter issued once a year. Now, it gives independence to the audit team because it's signed off
by the president, let's say.
And that way the audit team doesn't have to worry about being pressured by the auditees.
Next, you want to define the audit scope. Why are you doing the audit?
Is it a quarterly audit, or maybe a special audit because of a recent security or data breach?
Then the location where we're going to be performing the audit:
which building, what floor, what room numbers, et cetera, and also the time frame.
For example, you could state that the upcoming audit will begin on October 1st with an estimated completion date of October 8th.
Now, you also want to select your audit team.
You're going to select personnel based on their knowledge and their expertise in certain areas, as well as their availability.
If you remember when we talked about setting up an audit schedule and using that schedule for planning purposes,
this is one of the reasons for that.
Now, once that information has been compiled, you want to send out an audit letter notifying the auditee of all the information, the scope, as well as the team that's going to be out there performing the audit.
Why do we want to identify the team members to the auditee?
Is it because we want to make sure that those team members can get stopped by security and have their access prevented? No, it's actually the opposite.
We want to make sure that the team members are granted access to certain areas,
so this may require issuing badges or providing escorts. This way the auditee can properly prepare for the audit, as well as make sure that we have access to all the required areas.
You also want the audit team tasked to perform a review of the controls. You want to look for any updates or changes to the controls, as well as verifying applicability. For example, if the company decided to go with an outside vendor to perform certain security functions, you want to make sure that those controls
have been identified and noted
as not being applicable.
Now, the selected implemented controls become the audit checklist, if you don't already have one.
One thing I personally recommend is performing a review of the previous audit.
This improves familiarity with the different controls, the areas that are going to be looked at, et cetera, and it gives you the opportunity to identify previous problem areas. That's important, because continuous failures in the same area
are something that requires additional attention and could possibly require quarterly audits.
Okay, the audit will begin with a kickoff or opening meeting, and its purposes are introductions of the audit team and the corresponding auditee team members, a review of the scope, as well as pairings of auditors and auditees.
Basically, the two individuals get a chance to meet each other. Mrs. Jones, for example, is going to be looking at the server farm. Mr. Ford manages the server farm, so the two of them should get together, meet, and understand what's going on.
Now, after the meeting,
the control testing and verification phase begins. This is where the auditor and auditee pairs disperse to go to their respective areas, and they begin the review of the controls and activities. And this is where the audit actually begins.
Okay, during the audit, you have to have tested validation methods. Employee interviews are a must.
That is to say, you talk to the employees and ask them some questions:
"Hey, are you doing this? Okay, prove it."
At that point, you're going to review documentation provided by the auditee: log records, policies, standards, et cetera, anything that validates that the auditee is truthful in their answers saying that they are doing it. Now, you can also do it through direct observation, where the auditors saw compliance.
One example could be a control that says that an armed guard
must be stationed outside of the server farm. Well, simple enough. You walked by the server farm, you saw the armed guard, you spoke to him. That way you can verify through direct observation
that the control is being followed. Now, you have to have two out of the three, interviews and documentation or interviews and observation, to validate compliance.
Sometimes during audits, disagreements occur,
and a lot of times these disagreements are based on vague wording or
personal interpretations of controls. Now, during a disagreement, always be respectful.
This is because sometimes, believe it or not, auditors can get things wrong, or the control was not properly written
or communicated, and the best thing to do is to notify the audit team leader for resolution.
A lot of times your team leader will get in touch with his counterpart on the auditee team, they will review it and come to an agreement. It's better to let them do it at their level rather than you trying to fix it
as an auditor.
Okay, documenting audit results. Always follow the auditing protocol. Normally, there's a company template and guidelines designed to help you fill out the results, and you want to make sure that you're matching the control reviewed
to the corresponding results.
And always be honest. Hiding things or exaggerating doesn't help anyone. If someone were to ask you, "Hey, can you just let me slide this time? I'll have it fixed within 30 days," well, if you trust him, then you're going to have to wait 365 days, in the case of an annual audit,
to verify that they actually fixed things.
You should also state how good or how bad a particular program is doing.
If the program is doing well, then state that; it's good information to know. If it's bad, please identify how bad it is: single problem, multiple problems, all screwed up,
no chance of ever coming into line. Just be honest.
Now, sometimes the company template will have a remarks section,
and this is used for the auditor's recommendations. If you have one of these sections and you're going to fill it out, always be professional, no vengeance, and always be factual. Remember, we're measuring performance versus the control. There's absolutely no reason to try and attack someone who may have been a jerk during the audit,
because that's going to come out in your remarks,
and in turn, you're going to lose credibility for it.
So, just the facts, please.
All right, a quiz. Select the right answer or answers. Valid audit control testing includes: interviews and nothing else; personal observations; or validation of documentation from the auditee.
Well, the right answers are B and C.
Valid audit control testing includes interviews and personal observations, and validation of documentation from the auditee.
Interviews and nothing else is wrong because you need two out of the three, interviews and documentation
or interviews and observation, to validate compliance.
In today's video, we discussed audit preparation and performance,
as well as the proper way of documenting audit results. If you're ready, let's move on to the last episode.