Data Audit Policy

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00

>> We've talked about the importance of the retention policy, but now we're going to talk about the importance of the data audit policy. The learning objectives for this lesson are the components of an effective data audit policy, and then also what you should consider when implementing an audit policy. Then lastly, we'll talk about the challenges that come with enforcing a data audit policy in cloud environments.

What is an audit policy? Well, as we've talked about in past lessons, auditing isn't about being able to enforce traceability and non-repudiation when it comes to actions taken within environments. Auditing in general is really about applying a set of standards, a particular framework, or a set of regulatory requirements to a set of systems.

The first and foremost component of the audit policy is the audit period. Different types of third-party audits really have different periods. The period is the amount of time that the audit is going to cover: whether this audit is really a point in time where it looks at our specific controls in place, or whether it is over a period, meaning a number of months. It can be three months or a whole year, to establish whether controls are maintained and enforced throughout that period of time.

Now, the audit scope is important because this really includes what is being audited, and it usually entails all the hardware, data, people, and processes that are associated with whatever the overall scope is, whether it's an organization or an individual product. It's also very important, if you're not an auditor, to think about this: if I'm moving a system or adding new applications to it, I'm expanding the scope of the audit, and I should let the audit function know that new systems are being included. Or if you make business decisions to expand to different geographic regions, as we talked about, there could be different requirements related to regulations, and that also changes the nature of the audits that need to be done over those environments.

Let's also talk about the audit responsibilities. Well, the internal auditors may be focused on ensuring that you're meeting your concurrent obligations that are regulatory in nature. External auditors are looking at whether or not the organization and its objectives are meeting their control criteria related to what you say you put in place. The same is true for regulatory auditors: are your controls meeting the spirit of the regulatory controls?

One of the biggest and most important pieces of having effective auditing is independence, especially in some organizations where you have internal audit functions. You don't want them to get too close to the people doing the work, because then they form personal relationships or maybe are less objective about their evaluation of control effectiveness and the quality of evidence. Independence is easier to maintain with external auditors as well as regulators.

One of the other very important pieces of effective auditing is ensuring that the chain of custody is maintained. One of the things that comes up in audits is potential violations. When auditing, you want to ensure that if a violation is found, it is properly documented and the evidence is maintained, so that if there is evidence of a potential crime in the case of a regulatory violation, in some cases, not all cases, that evidence can be maintained through any legal proceedings that may arise as a result of its discovery.

Another very important piece of maintaining an effective audit policy is to have effective processes and procedures for collecting audit evidence. Now, this is where the cloud context gets a little difficult, because you don't have the same level of visibility into the data, the systems, and the architecture that you might have for an on-premises situation. Getting the necessary timestamps for audit evidence, or evidence of the quality that regulatory requirements demand, can be difficult in cloud-based environments. One of the ways you can address this risk is by having favorable contracts with your service provider, really establishing the needs related to audit quality, what data is available, and your right to audit different aspects of the cloud environment.

Then ultimately, your audit policies should set the cadence for how the controls and requirements set out in your audit policy are maintained and enforced. Ultimately, you should really think of the audit policy as setting the rules of the road and the rules of engagement for how you are going to use auditing as a tool to ensure that your controls are done effectively and that you are meeting all your obligations to your customers, whether these requirements are based on regulations or your own internal standards.

Quiz question. A SaaS company has started to use a new cloud service provider for storage. What is the primary aspect of the audit that this would affect: the audit period, the audit responsibilities, or the audit scope?

If you said scope, you're correct. The audit period will probably remain the same; it shouldn't necessarily be affected or changed as a result of bringing on a new cloud service provider. Audit responsibilities: the responsibilities of the auditor, as well as of those people maintaining the controls, don't really change. They may adapt slightly if the environment is different or if different controls need to be adapted to this new provider, but ultimately, the scope is what changed. Perhaps the old provider is no longer in scope if all the data is transported over, or it is no longer relevant, but this new provider is included in the scope of the new audit. The scope has expanded to include this new provider.

In summary, we've talked about what an audit policy is, how audit policies support security, and some of those challenges that come with auditing cloud environments. I'll see you in the next lesson.