Compliance and Audit Management

Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:00
>> In this module, we're going to start out talking about the basics of compliance and audits. Don't expect to see any questions in the CCSK exam on the basics of compliance and audit. However, you should expect to see questions about compliance and audits in the Cloud, and some of the Cloud-specific challenges to compliance and audits. We're going to cover those. We'll also go over the audit management process, and we'll finish off reviewing some popular standards and compliance certifications that you may see referenced in the exam. For the remainder of this video, we will talk about the basics of compliance and audits, and then we'll talk about some of the unique situations that the Cloud brings when dealing with compliance and audits.

Let's define compliance. It's the validated awareness of and adherence to corporate obligations. Even though we spoke about governance and risk management in earlier modules, let's refresh with a little definition. Governance is the corporate obligations and values that determine how a company operates, and risk management is the implementation and ongoing maintenance of the controls necessary to meet the risk tolerance. As you recall, that risk tolerance is often highly influenced by governance. Then obviously, governance, the policies that come out of governance, and the obligations that get set highly influence compliance and what particular methods of compliance are needed. Compliance, governance and risk management are three concepts that are highly related. In fact, they form a discipline often referred to as GRC. I want us to spend an extra moment reviewing this for you, since you may see references to this acronym in the exam. We just talked about compliance and its relationship to governance, and governance creating corporate obligations that we then need to prove with compliance.

I worked in the medical industry, and compliance is a major part of that culture. First and foremost, it helps to enforce quality of the product. It's very important that what you create is of consistent and high quality. When you're making something that could harm somebody physically, or even literally kill them if it misbehaves, obviously, that is very important. Beyond that, there are a lot of other motivations that come into influencing the corporate governance, and what those eventual corporate obligations and policies are. These include government legislation, such as laws and broad-based regulations. Those would be special laws that span across industries, and they're targeted at corporations and institutions. Then of course, there are industry-specific regulations. These are applicable to specific industries. I gave the example of the medical industry, and many other industries have their own regulations: the insurance industry, the real estate property transfer industry, the defense industry, and certainly even the utility industry, such as electricity and water. Don't forget about private contracts between your company and other companies, individuals, or other entities such as government entities. Those will also have an effect on your obligations, and ultimately your corporate policies.

You can't talk much about compliance without bringing in the concept of an audit. On the screen you'll see the dictionary definition of the word audit. You'll notice that the definition really focuses on accounts, accounting, and financial things. Then the second definition brings some important points to light about an audit. Namely, that it needs to be systematic, and it needs to be repeatable. I really like the definition that the CSA security guidance brings, and that is: audits are a key tool for proving or disproving compliance. An audit isn't only something that you use for financial-related matters. It certainly is used a lot in that context, but audits are used more generally, as a systematic, repeatable, and structured method to determine compliance at a process level, at a structural level, and at a technical level.

With Cloud computing, many of the philosophies and approaches that worked in the on-premises environment no longer apply. This requires adjustments in many areas, and compliance is not exempt. First and foremost, the ultimate responsibility does sit with the Cloud consumer. We've hit on this theme multiple times throughout the training, but it's so important that I wanted to highlight it again, and also let you know that a savvy Cloud customer can take advantage of the Cloud provider's setup to reduce the cost and effort related to their own compliance efforts. You need to know the physical locations of the provider that are at your disposal, and the default locations that are used. You can often take advantage of this when compliance calls for it. Not having to set up a physical data center in a separate country is a huge value add, and it can definitely make your compliance life a lot easier, specifically when we're talking about compliance related to the location of the data itself.

We've talked about how Cloud providers rarely allow their customers to directly conduct audits. Imagine if each tenant of a large Cloud provider was allowed to come on site and audit the data centers. Not only would it be very difficult to coordinate all these different people coming and going, it would also be very risky. Think about it. These individuals would have physical access to shared areas and equipment that is used by multiple different tenants; somebody could do something really bad. This is why there is a need for third parties to conduct the audit. In fact, most Cloud providers will only allow specific third parties to perform the audit. If a Cloud customer wants to see the audit details, Cloud providers will often provide them, but it's not unusual to expect that they'll need to sign a non-disclosure agreement, an NDA. The reason being, those audits include sensitive information about the Cloud provider themselves, and those audit reports are actually proprietary information produced by the auditor itself.

Compliance inheritance is an important concept. It takes advantage of pass-through audits to reduce your cost of building compliant services. The way it works, as a Cloud customer, is that you build on top of the already compliant services that the provider has given you, and you take their compliance through the last mile by ensuring that you have continued that compliance in your own application. This creates a situation where, even if you are building on the same compliant platform that the provider gives you, you may have some applications that need to include additional controls or implementation details that you are responsible for putting in place to retain and carry forward that compliance. Then you may have other applications running on the same platform which didn't implement those controls, and they're not compliant in the same way. This can include not just technical controls, but even process and procedural controls. The simplest example I can think of is training records. It's very common to require that individuals using financial systems have completed a certain amount of training. Oftentimes, the requirement is that they review that training on an annual basis, and you need to have training records. Well, that has little to do with the platform the Cloud provider gave you. You need to make sure you have a system to track and retain those training records, so that when you're undergoing your compliance audit, you can turn those over. As you can imagine, you can have two applications running side by side in the Cloud, but if one has training records and the other doesn't, all of a sudden one application is compliant and the other is not, and they're both running on the same platform.

The last thing to keep in mind is that not all Cloud providers meet the same compliance levels. In fact, compliance levels can vary between one service offered by a Cloud provider and another service offered by the same Cloud provider. To that end, there can even be a variance in compliance between the geographic locations that the Cloud provider has. This means you need to go into that level of detail, and make sure you don't falsely claim compliance inheritance when you're doing your own audits on a system that uses services which the provider themselves hasn't audited for compliance.

That wraps up this particular video. To summarize, we talked about the GRC discipline: governance, risk, and compliance. We talked about the basics of compliance and audits, and then we summarized important elements of compliance and audits in the Cloud.