Audit Management and Standards


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription

We're going to continue talking about Domain 4, Compliance and Audit Management. In particular, we will discuss how security relates to compliance and audits, the audit management process, and finish up with an overview of popular standards and compliance certifications that you'll want to be aware of for your CCSK exam.

Earlier in this domain, we examined the relationship between compliance and audits. CCSK is a security-focused certification, so I thought it'd be worth a minute to examine how these aspects tie into security. You see, compliance does not always equal security, and security does not always equal compliance. Still, if an audit occurs and it determines your company's Cloud deployment is not compliant, changes will need to be made. I'll say it another way: being compliant does not imply you are secure. Performing audits does not imply you are compliant or you are secure. Being secure does not imply you are compliant, nor does it imply audits take place to prove your compliance. The goal here is to be in the middle where all three of these concepts intersect, so that you are conducting audits, they're demonstrating your compliance, and you are also secure at the same time.

Audits are planned events, and planning an audit is part of the audit management function. This is an overview of the major steps in the audit process. Keep in mind, an audit is done at a snapshot in time, but compliance is expected to be a continual method of operating in a certain manner. You'll want to have audits occurring on a regular basis to demonstrate continual operating compliance. Automation and technical policies can be a huge factor in achieving this, and it's important that you recognize the continual need for compliance, especially when you're taking the CCSK exam.

Let's take a moment and walk through each of the steps in the audit process. To start out, we want to make sure the audit has a clearly defined purpose. Are there specific laws, standards, and obligations that you're hoping to verify with the audit? It could be this is a follow-up audit to ensure that corrective actions and updates to procedures have taken place based on deficiencies found in a prior audit. Once you have the purpose defined, then you're going to create the scope. What are the things that you are going to be auditing? Is it specific Cloud services? Is it specific geographic regions? Are there particular business products, systems, or functions that are going to be part of the audit? With those in place, you can assess the risk and determine how critical the processes and the data managed by those processes are. This will allow you to figure out how deep you want to go in the audit, and how thorough and diligent it makes sense to be. It's all about spending your time and investing it wisely. You're going to spend the majority of your time on things that are high-risk scenarios, and less time on things that don't present the same level of risk. Once you have those items figured out, then you need to determine who you are going to rely on for the audit. This would include internal individuals, and could include third-party individuals as well as companies. It'll also be very helpful to define the different tools that you're going to use, for example, when you use cloud APIs to assess the technical configuration of particular cloud services.

Moving forward, it's time to set a schedule. You're going to need to perform interviews and collect data. You're going to need to analyze that information and then generate audit reports. When those activities are done, you should have a determination of compliance. This is the audit report itself. It is not atypical for an audit to determine compliance for a particular scope, but also to identify some corrective actions. These are the things that may not be considered critical to achieving that compliance, or major deficiencies, but small notes from the auditor for future areas of improvement. Once you've made your way through all those steps, you can consider the audit complete. Again, continual compliance is very important, and some methods and mechanisms to have continual auditing and ongoing enforcement of that compliance are very important.

Let's change gears a little bit and discuss popular compliance standards. Your audits will often be assessing the level of compliance you have with one or more of these standards. But regardless of the industry and company you are at today, for purposes of the exam, you're going to want to be familiar with each one of these, just at the basic, fundamental level. Of course, if you're interested or you find these standards are applicable to your company and what they do, I definitely encourage you to take a deep dive into the specific standards.

First up, we have NIST 800-53; this is part of the NIST Risk Management Framework. You may recall we discussed the Risk Management Framework when examining enterprise risk management in a prior module. This standard is well adopted in the government, and it's composed of different tiers of classifications: low, moderate, and high. Depending on what you're doing and the risk of this process, the risk of the data, there can certainly be an expectation that certain systems meet the high classification of this standard, while it's very acceptable for other systems to have low.

What happened was they took that NIST standard, looked at it, and then took into consideration all of the different things going on in the Cloud to create the FedRAMP standard. FedRAMP is the NIST 800-53 standard, but evaluated and adjusted to accommodate the unique considerations in situations when you're working in the Cloud. ISO/IEC 27002 is an international standard for information security. For 27017, they took that standard and again examined what the unique elements of working in the Cloud are, and then modified 27002 to apply to managing information security in the Cloud. COBIT is an interesting standard in that it's not just saying here's what you need to do, but it's truly defining a governance model and a risk framework for IT organizations to follow. PCI DSS is very popular if you're dealing with any payment information: credit cards, bank accounts. HIPAA/HITRUST is like PCI's brother, except it focuses on patient health information and health records as opposed to payment information. SOC 1, SOC 2, and SOC 3 are related, but they are different compliance standards and different reports. SOC 1 is focused on controls relative to the audit of financial statements. SOC 2 talks about controls relevant to operations and compliance. It deals with ensuring that controls within an organization are relevant for security, availability, and processing integrity of systems. SOC 3 is a publicly available high-level SOC report that contains a statement from an independent CPA confirming the SOC engagement was performed. It also includes a high-level result of the assessment. For example, it could indicate that the vendor's statement of security controls in place is accurate.

That does it for this video. We covered how security relates to compliance and audits. We talked about the audit management process, really emphasizing that compliance should be considered a continuous and ongoing activity. Then we also spent a moment talking about popular standards and compliance certifications that you should expect to see in the CCSK exam.