This lesson covers the objectives of regulation with an emphasis on operational integrity. It discusses how an IS auditor's job for their clients is to discover assets, threats, and vulnerabilities, assess the resulting risks, and then find the tools to reduce those risks.

Transcript:

Alright, so what are the objectives of regulation? One thing to think about right off the top is that we want to make sure that we have operational integrity, meaning that the organization can be looked at, at any moment in time, and its transactions, its business logic, the way that it handled customer requests, the way that it handles changes, can all be well understood and are properly documented, and that there are no gaping holes in any of the processes which would allow fraud to take place easily or for even accidental problems to occur. We've got a tightly controlled organization with the right security controls in place, and that should become evident once the information is studied. Then we have to think about protecting our valuable assets. What is an asset? That could be a lot of different things. It's basically something that has some type of value to somebody, or to an organization. It could be people. It could be patents, source code, equipment, software licenses; lots of different things will qualify to be classified as an asset. We have a little note here that people are not usually considered assets. When you think about human resources, people are kind of an asset in that perspective, but they're not an asset from the perspective where we can't just say, 'This employee is worth this much money to the organization. This one is worth that much money to the organization.' So assets tend to be non-human, I guess, as a way to separate that out a little bit. When we think about assets, we also have to think about threats to those assets.
Any kind of negative event that could cause a loss or damage might be categorized as a threat, and the variety of threats that an organization, or an asset in particular, can face is basically limitless. No matter how well you think you've documented all the possible threats, there's always something that no one thought of before that still could be a problem. We'll talk a little bit about that and how we go about analyzing threats and what that means a little bit later in the course. Then we have to think about vulnerabilities. A vulnerability is another word for a weakness. So if I've got an asset and there are threats to that asset, if the asset is vulnerable then the threat might succeed. If it's an attack, for instance an adversarial threat, then if the asset's vulnerable the adversary may take advantage of that fact. Examples might include things like default passwords on an information system, or using very low-grade encryption for your financial transactions, or not having proper security controls in place for access to a data center. All of these things might be considered vulnerabilities which would allow adversarial threats, and even non-adversarial threats, things like weather events, for instance, to exploit vulnerabilities just because of their nature. If there's a large storm that hits, now you've lost power. You don't have a backup generator. That's a vulnerability. That's a weakness. Now your organization cannot continue operations until power gets restored. So that's a good example of a non-adversarial threat causing damage or loss. So, a few more simple examples to think about: even though we talked about people not having a dollar value associated with them, if it's a client or a customer then we can kind of categorize that as an asset, because they provide income to the organization and have value in other ways.
Risks that you take with the business might also be considered in the asset category, because you, or your organization, might decide that you need some new equipment, or you need to upgrade your software, and so the expenditure of funds to do these things entails some risk. If you're spending $1 million to buy a bunch of security equipment, that might make your organization more secure, more resilient to hackers, but it also reduces the amount of money that you have available to spend on other things. So there's always some trade-off there. Your actual data itself is definitely an asset. I forgot to point out that with business risks we can also consider those to be vulnerabilities. So let's say you spend money to buy something to enhance the security of your organization, but you discover later that the software or hardware that you purchased has some flaws, has some vulnerabilities of its own. So now you've reduced your available funds for new equipment and you've potentially introduced something new into the organization which could reduce your security posture. What about the decline of sales? Maybe the decline of sales is related to poor decisions. Your organization might decide to market something new, or take something off the market that was doing well. These are decisions that someone thought were a good idea at the time, but that turn out later not to be the case. So we have to think about these things as threats, even though they come from within the organization, from people who had good intentions. Poor governance: definitely a vulnerability there. If you're not able to measure something, then you can't manage it, as I mentioned earlier. So it's not only being able to measure and manage, but being able to clearly state what the consequences are for misbehavior, or for a violation of your security policy, for instance. This could go a lot of different directions. Software licenses, those are definitely assets.
When hackers attack your systems or your networks, those are obviously threats. A lack of training, maybe we could even put an X here in the threat column for that, but it's definitely a vulnerability, especially as it relates to security awareness training, or maybe proper training in how to use a software tool, or some other kind of security control.