We're gonna continue talking about Domain 4, Compliance and Audit Management. In particular, we will discuss how security relates to compliance and audits, the audit management process, and finish up with an overview of popular standards and compliance certifications that you want to be aware of for your CCSK exam.
Earlier in this domain, we examined the relationship between compliance and audits.
CCSK is a security-focused certification, so I thought it would be worth a minute to examine how these aspects tie into security.
You see, compliance does not always equal security, and security does not always equal compliance. Still, if an audit occurs and it determines your company's cloud deployment is not compliant, changes will need to be made.
Or, said another way: being compliant does not imply you are secure. Performing audits does not imply you are compliant, or that you are secure.
Being secure does not imply you are compliant, nor does it imply that audits take place to prove your compliance.
So the goal here is to be in the middle, where all three of these concepts intersect, so that you're conducting audits, they're demonstrating your compliance, and you are also secure at the same time.
Audits are planned events, and planning an audit is part of the audit management function. This is an overview of the major steps in the audit process.
Keep in mind that an audit is done at a snapshot in time, but compliance is expected to be a continual method of operating in a certain manner.
You want to have audits occurring on a regular basis to demonstrate continual operating compliance.
Automation and technical policies can be a huge factor in achieving this, and it's important that you recognize the continual need for compliance, especially when you're taking the CCSK exam.
Let's take a moment and walk through each of the steps in the audit process.
To start out, we want to make sure the audit has a clearly defined purpose. Are there specific laws, standards and obligations that you're hoping to verify with the audit?
It could be that this is a follow-up audit to ensure that corrective actions and updates to procedures have taken place based on deficiencies found in a prior audit.
Once you have the purpose defined, then you're gonna create the scope. What are the things that you are going to be auditing? Is it specific cloud services? Is it specific geographic regions? Are there particular business products, systems or functions that are going to be part of the audit?
With those in place, you can assess the risk and determine how critical the processes, and the data managed by those processes, are. This will allow you to figure out how deep you want to go in the audit and how thorough and diligent it makes sense to be. It's all about spending your time and investing it wisely.
You're gonna spend the majority of your time on high-risk scenarios, and less time on things that don't present the same level of risk.
Once you have those items figured out, then you need to determine who you are going to rely on for the audit. This would include internal individuals and could include third-party individuals as well as companies. It is also very helpful to define the different tools that you're willing to use. For example, you might use cloud APIs to assess the technical configuration of particular cloud services.
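To make the two technical points above concrete, the automation that supports continual compliance and the use of cloud APIs to assess technical configuration, here is an added example that is not part of the lecture. It runs a small set of control checks over an inventory snapshot and produces a timestamped compliance report; run on a schedule, each run is one "snapshot in time" and the series of runs is the continual record. The inventory is constructed sample data standing in for what a provider's API would return, the check names and functions are hypothetical, and the mapping of each check to a NIST 800-53 control identifier is an assumption made for illustration, not an authoritative crosswalk.

```python
"""Automated control checks over a cloud inventory snapshot (added example).

The inventory below is constructed sample data standing in for what a cloud
provider's API would return; the control-ID mapping is an assumed illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inventory (what an API-based asset collector might return).
SAMPLE_INVENTORY = {
    "storage_buckets": [
        {"name": "finance-reports", "encryption_at_rest": True, "public_access": False},
        {"name": "marketing-assets", "encryption_at_rest": False, "public_access": True},
    ],
    "iam_users": [
        {"name": "alice", "admin": True, "mfa_enabled": True},
        {"name": "bob", "admin": True, "mfa_enabled": False},
        {"name": "svc-backup", "admin": False, "mfa_enabled": False},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str   # control identifier the check gives evidence for (assumed mapping)
    resource: str
    passed: bool
    detail: str


# Each check is a pure function: inventory in, list of findings out.
def check_encryption_at_rest(inv):
    return [Finding("SC-28", b["name"], b["encryption_at_rest"],
                    "encryption at rest enabled" if b["encryption_at_rest"]
                    else "bucket stored unencrypted")
            for b in inv["storage_buckets"]]


def check_no_public_buckets(inv):
    return [Finding("AC-3", b["name"], not b["public_access"],
                    "bucket is private" if not b["public_access"]
                    else "bucket allows public access")
            for b in inv["storage_buckets"]]


def check_admin_mfa(inv):
    # Only privileged accounts are in scope for this check; scoping is an audit-planning decision.
    return [Finding("IA-2", u["name"], u["mfa_enabled"],
                    "MFA enforced" if u["mfa_enabled"] else "privileged account without MFA")
            for u in inv["iam_users"] if u["admin"]]


CHECKS = [check_encryption_at_rest, check_no_public_buckets, check_admin_mfa]


def evaluate(inventory):
    """Run every check and return all findings for this snapshot."""
    findings = []
    for check in CHECKS:
        findings.extend(check(inventory))
    return findings


def compliance_summary(findings):
    """Per-control pass/fail counts; a control is only clean when it has zero failures."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.control, {"passed": 0, "failed": 0})
        entry["passed" if f.passed else "failed"] += 1
    return summary


def snapshot_report(inventory):
    """Timestamped compliance snapshot; scheduling this gives the continual audit trail."""
    findings = evaluate(inventory)
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "summary": compliance_summary(findings),
        "failed": [f for f in findings if not f.passed],
    }


if __name__ == "__main__":
    report = snapshot_report(SAMPLE_INVENTORY)
    print("snapshot:", report["collected_at"])
    for control, counts in sorted(report["summary"].items()):
        print(f"{control}: {counts['passed']} pass, {counts['failed']} fail")
    for f in report["failed"]:
        print(f"  FAIL {f.control} {f.resource}: {f.detail}")
```

The failed findings are exactly the corrective-action list the auditor would expect to see in the report, and keeping each check as a separate function makes it easy to add or drop checks when the audit scope changes.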
Moving forward, it's time to set a schedule. You're gonna need to perform interviews and collect data. You're going to need to analyze that information and then generate audit reports.
And when those activities are done, you should have a determination of compliance. This is the audit report itself.
It is not atypical for an audit to determine compliance for a particular scope, but also to identify some corrective actions. These are the kinds of things that may not be considered critical to achieving that compliance, or major deficiencies, but small notes from the auditor on future areas of improvement.
And once you've made your way through all those steps, you can consider the audit complete. Again, continual compliance is very important, and having methods and mechanisms for continual auditing and ongoing enforcement of that compliance is very important.
Let's change gears a little bit and discuss popular compliance standards. Your audits will often be assessing the level of compliance you have with one or more of these standards. But regardless of the industry and company you're at today, for purposes of the exam, you're gonna want to be familiar with each one of these, at least at a basic, fundamental level.
Of course, if you're interested or you find these standards are applicable to your company and what they do, I definitely encourage you to take a deep dive into the specific standards.
First up, we have NIST 800-53. This is part of the NIST Risk Management Framework. You may recall we discussed the Risk Management Framework when examining enterprise risk management in a prior module.
This standard is well adopted in the government, and it's composed of different tiers of classification, low, moderate and high, depending on what you're doing in the process and the risk of the data. There could certainly be an expectation that certain systems meet the high classification of this standard, while it's very acceptable for other systems to be at low.
And what happened was they took that NIST standard, looked at it, and then took into consideration all the different things going on in the cloud to create the FedRAMP standard. So FedRAMP is the NIST 800-53 standard, but evaluated and adjusted to accommodate the unique considerations and situations when you're working in the cloud.
ISO/IEC 27002 is an international standard for information security. For 27017, they took that standard and again examined what the unique elements of working in the cloud are, and then modified 27002 to apply to managing information security in the cloud.
COBIT is an interesting compliance standard in that it's not just saying, here's what you need to do, but it's truly defining a governance model and a risk framework for IT organizations to follow.
PCI DSS is very popular if you're dealing with any sort of payment information: credit cards, bank accounts. HIPAA/HITRUST is like PCI's brother, except it focuses on patient health information and health records, as opposed to payment information.
SOC 1, SOC 2 and SOC 3 are related, but they're different compliance standards and different reports.
SOC 1 is focused on controls relevant to the audit of financial statements. SOC 2 talks about controls relevant to operations and compliance; it deals with ensuring that controls within an organization are relevant for the security, availability and processing integrity of systems. SOC 3 is a publicly available, high-level SOC report that contains a statement from an independent CPA confirming that a SOC engagement was performed. It also includes a high-level result of the assessment; for example, it could indicate that the vendor's statement of security controls in place is accurate.
And that does it for this video. We covered how security relates to compliance and audits. We talked about the audit management process, really emphasizing that compliance should be considered a continuous and ongoing activity.
Then we also spent a moment talking about popular standards and compliance certifications that you should expect to see in the CCSK exam.