Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

This lesson covers the objectives of regulation with an emphasis on operational integrity. It discusses how an IS auditor's job for their clients is to discover assets, threats and vulnerabilities, assess the resulting risks, and then find the tools to reduce those risks.

Transcript

Alright, so what are the objectives of regulation? One thing to think about right off the top is that we want to make sure that we have operational integrity, meaning that the organization can be looked at, at any moment in time, and its transactions, its business logic, the way that it handled customer requests, the way that it handles changes, can all be well understood and are properly documented, and that there are no gaping holes in any of the processes which would allow fraud to take place easily or for even accidental problems to occur. We've got a tightly controlled organization with the right security controls in place, and that should become evident once the information is studied. Then we have to think about protecting our valuable assets. What is an asset? That could be a lot of different things. It's basically something that has some type of value to somebody, or to an organization. It could be people. It could be patents, source code, equipment, software licenses; lots of different things will apply to be classified as an asset. We have a little note here about people not usually being considered as assets. When you think about human resources, people are kind of an asset in that perspective, but they're not an asset from the perspective where we can't just say that, 'This employee is worth this much money to the organization.' 'This one is worth that much money to the organization.' So assets tend to be non-human, I guess, as a way to separate that out a little bit. When we think about assets, we also have to think about threats to those assets.

Any kind of negative event that could cause a loss or damage might be categorized as a threat, and the variety of threats that an organization or an asset in particular can face is basically limitless. No matter how well you think you've documented all the possible threats, there's always something that no one thought of before that still could be a problem. We'll talk a little bit about that and how we go about analyzing threats and what that means a little bit later in the course. Then we have to think about vulnerabilities. Vulnerability is another word for weakness. So if I've got an asset and there are threats to that asset, if the asset is vulnerable then the threat might succeed. If it's an attack, for instance an adversarial threat, then if the asset's vulnerable the adversary may take advantage of that fact. Examples might include things like default passwords on an information system, or using very low-grade encryption for your financial transactions, or not having, you know, proper security controls in place for access to a data center. All of these things might be considered vulnerabilities which would allow adversarial threats and even non-adversarial threats, things like weather events, for instance, to exploit vulnerabilities just because of their nature. If there's a large storm that hits, now you've lost power. You don't have a back-up generator. That's a vulnerability. That's a weakness. Now your organization cannot continue operations until power gets restored. So that's a good example of a non-adversarial threat causing damage or loss. So, a simple example of some more of these here to think about: even though we talked about people not having a dollar value associated with them, if it's a client or a customer then we can kind of categorize that as an asset, because they provide income to the organization and have value in other ways.

Risks that you take with the business might also be considered in the asset category, because you might decide, or your organization might decide, that you need some new equipment, or you need to upgrade your software, and so the expenditure of funds to do these things entails some risk. If you're spending $1 million to buy a bunch of security equipment, that might make your organization more secure, more resilient to hackers, but it also reduces the amount of money that you have available to spend on other things. So there's always some trade-off there. Your actual data itself is definitely an asset. I forgot to point out, with business risks, we also can consider those to be vulnerabilities. So let's say you spend money to buy something to enhance the security of your organization, but you discover later that that software or that hardware that you purchased has some flaws, has some vulnerabilities of its own. So now you've reduced your available funds for new equipment and you've potentially introduced something new into the organization which could reduce your security posture. What about the decline of sales? Maybe the decline of sales is related to poor decisions. Your organization might decide to market something new, or take something off the market that was doing well. These are decisions that someone thought were a good idea at the time, but it turns out later to not be the case. So we have to think about these things as threats, even though they come from within the organization, from people who had good intentions. Poor governance: definitely a vulnerability there. If you're not able to measure something, then you can't manage it, as I mentioned earlier. So not only being able to measure and manage, but being able to clearly state what the consequences are for misbehavior, or of a violation of your security policy, for instance. This could go a lot of different directions. Software licenses, those are definitely assets.

When hackers attack your systems or your networks, those are obviously threats. A lack of training, maybe we could even put an X here in the threat column for that, but it's definitely a vulnerability, especially as it relates to security awareness training, or maybe proper training in how to use a software tool, or some other kind of security control.

Video Transcription

00:04
All right, so what are the objectives of regulation?
00:07
One thing to think about right off the top is that we want to make sure
00:11
that we have operational integrity, meaning that the organization can be looked at, at any moment in time,
00:19
and its transactions, its business logic,
00:22
the way that it handles customer requests, the way that it handles changes, can all be well understood and are properly documented,
00:33
and that there are no gaping holes in any of the processes which would allow
00:38
fraud to take place easily
00:40
or for even accidental
00:43
problems to occur.
00:45
We've got a tightly controlled organization with the right security controls in place.
00:51
That should become
00:53
evident once the information is studied. Then we have to think about
00:58
protecting our valuable assets
01:00
And what is an asset?
01:03
It could be a lot of different things, but it's basically something that has some type of value
01:07
to somebody or to an organization.
01:10
It could be people. It could be patents,
01:12
source code,
01:14
equipment,
01:15
software licenses.
01:18
Lots of different things would apply
01:19
to be classified as an asset. We have a little note here about people
01:23
not usually being considered
01:26
assets. When we think about human resources,
01:30
people are kind of an asset in that perspective,
01:33
but they're not an asset from the perspective where we can't just say that
01:37
this employee is worth this much money to the organization.
01:41
This one is worth that much money to the organization,
01:44
so
01:45
assets tend to be non-human, I guess, as a way to separate that out a little bit.
01:52
When we think about assets, we also have to think about threats to those assets.
01:57
Any kind of negative event
02:00
that could cause a loss or damage
02:02
might be categorized as a threat,
02:05
and the variety of threats
02:08
that an organization or an asset in particular can face is basically limitless.
02:15
You know, no matter how
02:16
well you think you've documented all the possible threats, there's always something that no one thought of before.
02:22
That still could be a problem.
02:23
We'll talk a little bit about that
02:27
and how we go about
02:29
analyzing threats and what that means
02:31
a little later in the course. Then we have to think about vulnerabilities.
02:36
Vulnerability is another word for weakness.
02:39
So
02:40
if I've got an asset
02:43
and there are threats to that asset,
02:45
if the asset's vulnerable then the threat might succeed.
02:49
If it's an attack,
02:51
for instance, an adversarial threat,
02:53
then
02:54
if the asset's vulnerable then the adversary may take advantage of that fact.
02:59
Examples might include things like
03:01
default passwords
03:02
on an information system
03:06
or using very low-grade
03:09
encryption for your
03:10
financial transactions.
03:13
Not having proper security controls in place
03:16
for access to a data center. All these things might be considered vulnerabilities, which would allow threats,
03:23
adversarial threats and even non adversarial threats.
03:28
Things like weather events, for instance, even non-adversarial threats could exploit vulnerabilities just because
03:35
of their nature. If there's a large storm that hits, now you've lost power.
03:40
You don't have a backup generator. That's a vulnerability. That's a weakness. Now your organization cannot continue operations until power gets restored,
03:50
so that's a good example of a non adversarial threat
03:53
causing
03:54
damage or loss. So, a simple example of some more of these here to think about,
04:00
Uh,
04:01
even though we talked about people not having a dollar value associated with them.
04:08
If it's a client or a customer,
04:11
then we can kind of
04:13
categorize that as an asset
04:15
because they provide income to the organization
04:18
and have value in other ways.
04:21
Uh, risks that you take with the business might also be considered in the asset category because you might decide,
04:29
or your organization might decide that you need some new equipment
04:32
or you need to upgrade your software.
04:35
And so the expenditure of funds to do these things entails some risk.
04:41
If you're spending $1,000,000 to buy a bunch of security equipment
04:46
that might make your organization more secure, more resilient to hackers.
04:50
But it also reduces
04:53
the amount of money that you have available to spend on other things.
04:56
So there's always some trade off there,
04:59
your actual data itself
05:00
is definitely an asset.
05:02
Um, I forgot to point out with business risks,
05:05
we also could consider those to be vulnerabilities.
05:09
So let's say you spend money to buy something to enhance the security of your organization. But you
05:15
discover later that that
05:16
software, or that hardware that you purchased
05:19
has some flaws, has some vulnerabilities of its own.
05:23
So now you've reduced your available funds for new equipment, and you've potentially introduced
05:30
something new into the organization, which could reduce your security posture. What about the decline of sales? Maybe the decline in sales is related to poor decisions.
05:41
You might decide
05:43
your organization might decide to
05:45
market something new or take something off the market that was doing well.
05:49
These are decisions that someone thought was a good idea at the time, but
05:54
it turns out later to not be the case.
05:57
So we have to think about these things as threats, even though they come from
06:01
within the organization, from people that had good intentions.
06:06
Poor governance: definitely a vulnerability there. If you're not able to measure something, then you can't manage it, as I mentioned earlier.
06:15
So not only being able to measure and manage,
06:18
but
06:19
being able to clearly state what the consequences are
06:24
for
06:25
misbehavior
06:28
or a violation of your security policy, for instance.
06:30
this could go a lot of different directions.
06:33
Software licenses. Those are definitely assets.
06:38
When hackers attack your systems or your networks, those are obviously threats. Lack of training, maybe we could even put an X here in the threat column for that,
06:47
but it's definitely a vulnerability,
06:50
especially as it relates to security awareness, training
06:55
or maybe proper training in how to use a software tool
06:59
or a, uh,
07:00
some other kind of security control.

Up Next

Certified Information System Auditor (CISA)

In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor