Audits


Time: 3 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
Welcome to Module 3.3, Audits. I promise we're not going to be talking about treasury or revenue government audits here. We're going to be talking about audits related to the privacy program. I promise you that this module will be as exciting as it can be in regard to audits.

In this module we're going to discuss how audits can aid a privacy program and explore examples of what to audit to support the privacy program.

In general, an audit is conducted by either an internal team, an individual, or a third party, and can occur at a predefined time period, in response to an incident, or at the request of an enforcement authority. It contains a plan and can be subjective, for example, employee interviews and review of system logs. The goal is to validate what is working, what is not working, or a collection of information at a specific period.

Audits related to the privacy program include system penetration testing, controlled social engineering, audit program to framework or maturity model, data centers and office access, data subject access requests, document destruction, media sanitization and disposal of technology assets, and device security. A tip here: personal cloud storage, personal e-mail usage, and home equipment should also potentially be audited so that no PII or sensitive information is exposed to individuals working from home or remotely.

Now, this is the part of the presentation where, if I were live, I would ask someone to come to the screen and read this infographic for me. But not only is that not feasible because this is an online course, but also reading this would be very difficult. However, I put this up here so you can Google "SANS Penetration Testing Blueprint: Building a Better Pen Tester" in your Google search engine, or whatever search engine you'd like to use, and this will come up. Essentially, this infographic gives you an example of how penetration testing is planned, how it is conducted, and what exactly is tested, for you to get an audit of what is potentially open from a network standpoint that could potentially expose PII or sensitive information and allow untrusted or nefarious actors into your system. So, having an audit done of your system is something that I certainly recommend to prevent any unnecessary access, certainly at a point in time, but then reviewing that audit to make sure that you close any types of gaps that could exist.

One of my favorite quotes here is from Kevin Mitnick, who is infamous, as you can see from his shirt: "I'm not a hacker, not anymore at least." He has written several books in regard to social engineering and intrusion, in regard to essentially manipulating an individual from the outside through various means to gain information, whether it's their username and password or access to a system. This quote can essentially be summed up in a few phrases: you can spend all the money in the world, but if an individual who's trained in social engineering can get access to one trusted person and that person gives up information, all that money spent on technology could potentially be wasted because that individual is able to get past.

So, there are some social engineering audits that can be done on your organization to verify that employees are not voluntarily giving up sensitive information that could gain someone access to a system or PII, which would certainly result in a potential breach. I encourage you to work with your cybersecurity team or your managed service provider to see if this is an option that they have at least conducted or are considering conducting on your organization. And certainly, just like with penetration tests and all audits for that matter, it should be done with the correct permissions to make sure that nothing is done in a silo, which could potentially create more problems than it's intended to solve.

Another question to ask is: how are audits being conducted at your organization? You may be working in a large organization right now where you have audits that are being conducted, whether it's by an audit department or an outside vendor. It's important to make sure that you, as a privacy manager, review what's currently being audited at the organization and see if there are any opportunities or any potential overlap that could potentially improve your privacy program to help reduce risks.

Quiz question. A system penetration test can determine if gaps exist in a network that could potentially expose PII or other sensitive information, true or false? The answer is true.

Well, we learned in this module, where we discussed how an audit can improve a privacy program, and reviewed various audit examples.