Audits

Time
3 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
Welcome to module 3.3
00:03
audits.
00:06
I promise we're not going to be talking about Treasury or Revenue government audits here. We're gonna be talking about audits related to the privacy program, and I promise you that this module will be as exciting as it can be in regard to audits.
00:24
OK. In this module we're going to discuss how auditing can aid a privacy program and explore examples of what to audit to support the privacy program.
00:36
So in general, an audit
00:38
is conducted by either an internal team, an individual, or a third party,
00:43
can occur at a predefined time period, in response to an incident, or at the request of an enforcement authority,
00:49
contains a plan, can be subjective, for example, employee interviews and review of system logs, and the goal is to validate what is working, what is not working,
00:59
or a collection of information at a specific period.
01:03
Audits related to the privacy program include system penetration testing, controlled social engineering,
01:11
audit program to framework or maturity model, data centers and office access, data subject access requests, document destruction, media sanitization and disposal of technology assets,
01:23
device security. And a tip here is personal cloud storage, personal email usage and home equipment should also be
01:30
potentially audited.
01:32
to not have any PII or sensitive information exposed
01:37
to individuals working from home or remotely.
01:42
Now, this is the part of the presentation: if I were live, I would ask someone to come to the screen and read this infographic for me. But not only is that not feasible because this is an online course, but also reading this would be very difficult.
01:57
However, I put this up here so you can Google
02:00
SANS Penetration Testing Blueprint: Building a Better
02:05
Pen Tester
02:07
in your Google search engine or whatever search engine you'd like to use.
02:10
And this will come up. And essentially this infographic gives you an example of how penetration testing is planned,
02:19
how it is conducted and what exactly is tested, for you to get an audit of what is potentially open from a network standpoint to potentially expose PII or sensitive information and allow untrusted or nefarious actors into your system.
02:37
So having an audit done of your system is something that I certainly recommend to prevent any unnecessary access. Uh, certainly at a point in time, but then reviewing that audit to make sure that you close any types of gaps that could exist.
02:53
One of my favorite quotes here from Kevin Mitnick, who is an infamous
02:59
as you can see it sure there "I'm not a hacker." Uh, not anymore, at least. He has written several books in regard to social engineering and intrusion,
03:09
in regard to essentially manipulating an individual from the outside through various means to gain information about whether it's their user and password or access to a system. And this quote essentially can be summed up in
03:27
a few phrases, and that you can spend all the money in the world, but if
03:31
an individual who is trained in social engineering
03:35
can get access to one trusted person and that person gives up information, all that information, all that money spent on technology could potentially be wasted because the individual is able to get past. So there's some social engineering audits that can be done on your organization to
03:54
verify whether employees are not voluntarily giving up sensitive information that could gain someone access to a system
04:03
or PII, which would certainly result in a potential breach. And I encourage you to work with your cyber security team or your managed service provider to see if this is an option that they at least conducted or considering to conduct on your organization. And certainly one, just like with the penetration test and all audits for that matter, should be done with the correct permissions to make sure that nothing is done
04:29
um, in a silo, which could potentially create more problems than it's intended to solve.
04:38
Another question to ask is how are audits being conducted in your organization. You may be working in a large organization right now where you have audits that are being conducted, whether it's by an audit department or an outside vendor. It's important to make sure that you as a privacy manager review what's currently being audited in the organization and see if there are any opportunities
04:58
or any
04:59
potential overlap that could potentially improve your privacy program to help reduce risk.
05:08
Quiz question: a system penetration test can determine if gaps exist in a network that could potentially expose PII or other sensitive information,
05:15
true or false.
05:20
The answer is true.
05:26
What we learned in this module: well, we discussed how an audit can improve a privacy program and reviewed various audit examples.