3 hours 39 minutes
Welcome to module 3.3.
I promise, we're not going to be talking about Treasury or Revenue government audits here. We're gonna be talking about audits related to the privacy program, and I promise you that this module will be as exciting as it can be in regard to audits.
OK. In this module we're going to discuss how auditing can aid a privacy program and explore examples of what to audit to support the privacy program.
So in general, an audit
is conducted by either an internal team, an individual or a third party,
can occur at a predefined time period, in response to an incident or at the request of an enforcement authority,
contains a plan, can be subjective, for example, employee interviews, and review of system logs, and the goal is to validate what is working, what is not working,
or a collection of information at a specific period.
Audits related to the privacy program include system penetration testing, controlled social engineering,
audit of the program to a framework or maturity model, data centers and office access, data subject access requests, document destruction, media sanitization and disposal of technology assets,
device security. And a tip here is personal cloud storage, personal email usage and home equipment should also be
do not have any PII or sensitive information exposed
to individuals working from home or remotely.
Now this is the part of the presentation where, if I were live, I would ask someone to come to the screen and read this infographic for me. But not only is that not feasible because this is an online course, but also reading this would be very difficult.
However, I put this up here so you can Google "SANS penetration testing blueprint building a better" in your Google search engine or whatever search engine you'd like to use.
And this will come up. And essentially this infographic gives you an example of how penetration testing is planned, how it is conducted and what exactly is tested, for you to get an audit of what is potentially open from a network standpoint to potentially expose PII or sensitive information and allow untrusted or nefarious actors into your system.
So having an audit done of your system is something that I certainly recommend to prevent any unnecessary access, certainly at a point in time, but then reviewing that audit to make sure that you close any types of gaps that could exist.
One of my favorite quotes here is from Kevin Mitnick, who is an infamous, as you can see there, "I'm not a hacker", not anymore at least. He has written several books in regard to social engineering and intrusion, in regard to essentially manipulating an individual from the outside through various means to gain information, whether it's their user and password or access to a system. And this quote essentially can be summed up in a few phrases, in that you can spend all the money in the world, but if an individual who is trained in social engineering can get access to one trusted person and that person gives up information, all that information, all that money spent on technology could potentially be wasted because the individual is able to get past.
So there are some social engineering audits that can be done on your organization to verify whether employees are not voluntarily giving up sensitive information that could gain someone access to a system or PII, which would certainly result in a potential breach. And I encourage you to work with your cyber security team or your managed service provider to see if this is an option that they have at least conducted or are considering conducting on your organization. And certainly, just like with the penetration test, and all audits for that matter, it should be done with the correct permissions to make sure that nothing is done in a silo, which could potentially create more problems than it's intended to solve.
Another question to ask is how audits are being conducted in your organization. You may be working in a large organization right now where you have audits that are being conducted, whether it's by an audit department or an outside vendor. It's important to make sure that you as a privacy manager review what's currently being audited in the organization and see if there are any opportunities or potential overlap that could potentially improve your privacy program to help reduce risk.
Quiz question: a system penetration test can determine if gaps exist in a network that could potentially expose PII or other sensitive information.
True or false?
The answer is true.
What have we learned in this module? Well, we discussed how an audit can improve a privacy program and reviewed various audit examples.