Compliance and Audit Management

Video Transcription
In this module, we're going to start out talking about the basics of compliance and audits. Don't expect to see any questions in the CCSK exam on the basics of compliance and audit. However, you should expect to see questions about compliance and audits in the cloud and some of the cloud-specific challenges to compliance and audits, so we're going to cover those. We'll also go over the audit management process, and we'll finish off reviewing some popular standards and compliance certifications that you may see referenced in the exam.

For the remainder of this video, we will talk about the basics of compliance and audits, and then we'll talk about some of the unique situations that cloud brings when dealing with compliance and audits.
Let's define compliance. It's the validated awareness of and adherence to corporate obligations. And even though we spoke about governance and risk management in earlier modules, let's refresh with a little definition. Governance is the corporate obligations and values that determine how a company operates, and risk management is the implementation and ongoing maintenance of the controls necessary to meet the risk tolerance. As you recall, that risk tolerance is often highly influenced by governance, and then, obviously, the governance, the policies that come out of governance and the obligations that get set highly influence compliance and what particular methods of compliance are needed. Compliance, governance and risk management are three concepts that are highly related. In fact, they form a discipline often referred to as GRC. I wanted to spend an extra moment reviewing this because you may see references to this acronym in the exam.

So we just talked about compliance and its relationship to governance, and governance creating corporate obligations that we then need to prove with compliance.
I worked in the medical industry, and compliance is a major part of that culture. First and foremost, it helps to enforce quality of the product. It's very important that what you create is done with consistent and high quality when you're making something that could harm somebody physically or even literally kill them if it misbehaves. Obviously, that is very important.

Beyond that, there are a lot of other motivations that come into influencing the corporate governance and what those eventual corporate obligations and policies are. These include government legislation, such as the laws; broad-based regulations, which would be a special kind of laws that span across industries and are targeted at corporations and institutions; and then, of course, industry-specific regulations, which are applicable to specific industries. I gave the example of the medical industry, and many other industries have their own regulations: the insurance industries, the real estate and property transfer industry, the defence industry, certainly even the utility industries such as electricity and water. And don't forget about private contracts between your company and other companies, with individuals, or with other entities such as government entities. Those will also have an effect on your obligations and ultimately your corporate policies.
You can't talk much about compliance without bringing in the concept of an audit. On the screen, you'll see the dictionary definition of the word audit. You'll notice that the definition really focuses on accounts, accounting and financial things. Then the second definition brings some important points to light about an audit, namely that it needs to be systematic and it needs to be repeatable. I really like the definition that the CSA Security Guidance brings, and that is: audits are a key tool for proving or disproving compliance. See, an audit isn't only something that you use for financial-related matters. It certainly is used a lot in that context, but audits are more generally used, and it's a systematic, repeatable and structured method to determine compliance at a process level, at a structure level and at a technical level.
With cloud computing, many of the philosophies and approaches that worked in the on-premise environment no longer apply. This requires adjustments in many areas, and compliance is not exempt. First and foremost, the ultimate responsibility does sit with the cloud consumer. We've hit on this theme multiple times throughout the training, but it's so important I wanted to highlight it again, and also let you know that a savvy cloud customer can take advantage of the cloud provider's setup to reduce the cost and effort related to their own compliance efforts.

You need to know the physical locations of the provider that are at your disposal and the default locations that are used. You can often take advantage of this when compliance calls for it: not having to set up a physical data center in a separate country is a huge value-add, and it can definitely make your compliance life a lot easier, specifically when we're talking about compliance related to the location of the data itself.
We've talked about how cloud providers rarely allow their customers to directly conduct audits. Imagine if each tenant of a large cloud provider was allowed to come on site and audit the data centers. Not only would it be very difficult to coordinate all these different people coming and going, it would also be very risky. Think about it: these individuals would have physical access to shared areas and equipment that is used by multiple different tenants. Somebody could do something really bad. This is why there is a need for third parties to conduct the audit. In fact, most cloud providers will only allow specific third parties to perform the audit. If a cloud customer wants to see the audit details, cloud providers will often provide them, but it's not unusual to expect they need to sign a non-disclosure agreement, an NDA. The reason being, those audits include sensitive information about the cloud provider themselves, and those audit reports are actually proprietary information produced by the auditor itself.

Compliance inheritance is an important concept. It takes advantage of pass-through audits to reduce your cost of building compliant services.
The way it works as a cloud customer is you build on top of already compliant services that the provider has given to you, and you take their compliance through the last mile by ensuring that you have continued that compliance in your own application. So this creates a situation where, even if you are building on the same compliant platform that the provider gives you, you may have some applications that need to include additional controls or implementation details that you are responsible for putting in place to retain and carry forward that compliance. Then you may have other applications running on that same platform which didn't implement those controls, and they're not compliant in the same way. This can include not just technical controls, but even process and procedural controls. The simplest example I can think of is training records. It's very common to require that individuals using financial systems have completed a certain amount of training. Oftentimes the requirement is that they review that training on an annual basis, and you need to have training records. Well, that has minimal to do with the platform that the cloud provider gave you. You need to make sure you have a system to track and retain those training records so that when you're undergoing your compliance audit, you can turn those over. And, as you can imagine, you could have two applications running side by side on the cloud, but if one has training records and the other doesn't, all of a sudden one application is compliant and the other is not, and they're both running on the same platform.

The last thing to keep in mind is that not all cloud providers meet the same compliance levels. In fact, compliance levels can change between one service offered by a cloud provider and another service offered by the same cloud provider. To that end, there can even be variance in compliance between the geographic locations that the cloud provider has. This means you need to go into that level of detail and make sure you don't falsely claim compliance inheritance when you're doing your own audits on a system that uses services which the provider themselves hasn't audited for compliance.

And that wraps up this particular video. To summarize, we talked about the GRC discipline: governance, risk and compliance. We talked about compliance and audit basics, and then we summarized important elements of compliance and audits in the cloud.