everyone walking to another app sewed of the s S C P exam print. I'm your host, Peter Simple in For those who've been following since the beginning, this is going to be third lesson in the third domain.
So far in the third domain, we've looked at the risk management process, how to prepare for the assessment of risk management, how to take it
and how to communicate the findings of the assessment. We've looked at risk treatment, specifically four ways of handling gris, which are mitigation, avoidance, acceptance and transference.
And finally, in this lesson will be taking a look at ordinating, which is simply an evaluation off, a security framework for an organization and the determination of how appropriate that framework is for that organization.
An audit is really simply just an evaluation off. How, AH security framework is so It takes a look at the objectives of security framework and verifies as I like an outside party to ensure that the security framework is fitting
for any particular organization.
Audits really serve two purposes. One, they point out where security is lax, offers any problems
or any type of weakness or anything like that and what it will definitely bring that the light.
The second point of an audit is to emphasize security things that are being done right. So if there's something that is really, really good and the organizations that we really great job with it, an audit will definitely bring that to light as well.
This is like a general note. If you're up the deed on all of your security or controls all of your policies and your procedures,
nothing will surprise you in it on it.
If you are up to date and for doing everything you're supposed to be doing,
nothing will be. Nothing will surprise you. There will be no hidden things or emergencies that we no problems that you're missing nothing like that.
There's really two types of auditors. There are internal auditors, which are people who belong to the organization who do an audit of our particular department.
And there's also external auditors, which is really just a company of people that comes in. They look at all your documentation and then they make a decision from there.
Why do what it's happened while all that's happened for a variety of reasons, But the most
the most consistent ones are, um, it's dictated by policy. So usually an audit is performed once a year by policy, just to make sure that everything is consistent on an ongoing basis.
There's also event trigger on it. So if an incident happens, or if there's a data breach, usually an audit will happen just so you can analyze the event or the data breach and figure out what went wrong, Aunt to figure out how to fix it.
There's also a merger and acquisition on its, which is usually done when the company that's buying the other company requests an audit on the company being purchased simply so they can get an idea of the security framework of that company that being born
every once in a while, there are regulation compliance on it. You know, these are orders that are dictated by different law, such as Sarbanes Oxley for financial reporting and hip for the medical fields.
Every once in a while, it's also an order on it usually buy in court. But this is this is very rare and doesn't happen off.
So how do audience had a had a woman's work, right? Well, the audits want to test to make sure your security framework is up to date
and does what it's supposed to do. But the test against, well, they have to test against some sore on bench more.
Now there's a couple different benchmarks that auditors contest what they can even test against their own bench more. But one of the main ones is called Kobe, which is control objectives for information and related technologies. It's really just kind of like a best practices
bench, more four ordering. So
it kind of lists out all of the objectives that on I t framework should have. And then you can match that against the framework of that particular organization.
So what? The Warners collecting? What do they do? Well,
they collect all kinds of information about your security processes and orders. Auditors Responsibilities are two things. Do things like provide independent assurance about security systems so you can say your security system is good all you want, But until 1/3 party comes in
and backs up your claim, then your claim is kind of meaningless. It's good to have that
third party assurance that you're doing the right thing.
He doesn't want to organize on analyzed security objectives. You wanna make sure your objectives are not skewed or lacking in any type of way. When you look at it and try to follow objectives consistently all the time, it's very easy
to overlook certain certain things or to gloss over them.
It's also good to check out your policies, standards, baselines, procedures, all that good stuff simply because if you look at it and at and modify it on a daily basis, you see it all the time. Things can fall through the cracks. There might be some things that you overlook or they're really just might be another point of view.
Um, with the policy of standard that you might not even be aware of,
It's always good to have another set of eyes on your security processes.
It's also good for orders to analyze the effectiveness of controls for the exact same reason you might think you're controls are lacking when, really, from an unbiased opinion, there might be a little bit more to that. Auditors also really gonna stating and explaining the scope of the system.
So what is an audit coin to cover? Well, oughta cover all kinds of things, but they're usually broken down into eight different domains. So we have, you know, the user domain, which is, you know, authentication methods, right? How do users log into a system in the morning? Right, there's
or stations. So what's kind of security do people have on their computers? Then there's application security. So what kind of security do you have in place to prevent unauthorized access to email? Database is wet applications. Then you have land, which is really just
the equipment required to create internal local area networks. For your computers to attach,
you have your land to win with Lando in which is really a local area network to a wide area network, which so basically the border between your local network and a wide area networks such as the Internet. This is where you work Diem. Steve resides.
You want to make sure you're D M Z,
and any firewalls are doing their job. That's why when is also considered one of the eight domains that an audit does cover,
there's also removed remote access to your network. How remote users get in through one type of authentication protocols. Any type of you know VPN things like that. And there's also cloud an outsource right. How do you protect your data that's not actually
in your area or neck?
so orders. Love. Looking at your system documentation. If you've ever been a part of an organization that's had an audit done, you will know exactly what I'm talking about. They always want to review every single piece of system documentation that you have.
Piece of system documentation, disaster and business recovery plans, Right? Um, whose configuration documentation they want to see. How are your host configured on the network? They want to see what kind of endpoint security might have.
They want to see what kind of baseline security configuration you might have and what steps are being done, specifically rated to security.
They also want to see what kind of acceptable use policies you might have. So that applies to things such as, you know, Internet browsing. When you're supposed to be working, that applies to any type of cell phone usage or even uses of certain protocols, you know, such as ftp for transferring files.
They want to see what your changed management process looks like. They want to make sure that all changes have been documented officially, so you can keep an eye on how your organization and I t needs move and grow. They want to see how you classify your data.
All right. It's not all Date is the same, obviously, some it is just general, while others
is, Maur very is more private. It's more confidential, and the more confidence in the data is obviously, that should be protected and, obviously business flow documentation, not white related to i t security per se. But it's very important to know how
information full flows throughout your organization.
All right, once and on it is done. There is always going to be an exit interview when an exit interview happens. They always talk about glaring issues, right? What is just over the top Wrong with your system Security,
Right? Once this is done, there's usually a presentation off findings. So
once all the glaring issues have been addressed immediately, the orders will go
Look at all of the information and everything they've gathered and put together a result sheet and that result she is presented to the management so
and this result she talked about things that are that are kind of lacking. You know what you're doing good at what needs to be improved and how you can improve things that need to be improved.
Once that is done up, the management has an opportunity to look over the results. She and then have a written response to the auditors.
Into these lectures we discussed on drink, which is really simply an evaluation of an organization's security framework.
the type of audit that is used to confirm compliance with the I T security related portions of legislative regulations. Such a Sarbanes Oxley and HIPPA is a event triggered on it.
See regulation compliance Audit, Andy Merger, acquisition on it.
If you said see, then you are correct. Remember, Sarbanes Oxley and Hip are pieces of legislation that comply organizations to do a certain Matt certain amount of work in protecting financial data and medical data.
Thank you guys for watching our Roy Hope you learned a lot in this lesson and I'll see you next time