Time
10 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:05
With many intertwined moving parts within a cyber environment, routine checks or verifications are needed to confirm processes and services are performing effectively.
00:14
The landscape, including technologies, threats and methods, continues to evolve. In turn, policies and controls implemented to secure operations call for regular review and potential updates.
00:25
Whenever changes are made to an environment, whether it be a policy update or the addition of a new security control, actions are required to confirm functionality and effectiveness.
00:34
Verification and quality control processes exist for security professionals to walk through these checks and validate or identify areas of concern.
00:43
Internal assessments like a vulnerability scan using Microsoft's Baseline Security Analyzer, or MBSA, scan devices looking for weaknesses.
00:51
A third party could also conduct an audit, thoroughly examining the environment and the technical controls in place and comparing the results to a standard or a baseline.
01:00
Audits are conducted internally and externally, and on an annual basis minimally; some industries and regulations may require audits more frequently.
01:08
There is formal guidance for auditing methods, such as the Statement on Standards for Attestation Engagements number 16, or SSAE 16.
01:18
The SSAE 16 audit reports are leveraged by organizations to demonstrate the effectiveness of their controls and compliance with requirements like Sarbanes-Oxley financial reporting.
01:27
The SSAE 16 reports include information on control design objectives, implementation and their overall effectiveness.
01:37
There are different types of the reports: SOC 1, SOC 2 and SOC 3.
01:42
SOC stands for Service Organization Controls.
01:46
SOC 1 details controls on financial reporting, such as payroll processors or medical claims processors.
01:53
A SOC 1 Type 1 reports only the design of controls in operation during the time of the audit.
01:59
Type 2 reports the same information but includes control test results over a longer time frame, generally between six months to a year.
02:07
Both SOC 2 and SOC 3 report results for internal controls that relate to compliance or operations, focusing on security, confidentiality, processing integrity, availability and/or privacy.
02:20
The difference is that SOC 2 reports are for management and regulators,
02:23
while SOC 3 reports are publicly available.
02:28
A successful audit is one that establishes a strong security baseline, sets a definitive objective, utilizes security-experienced auditors, involves the necessary business managers, includes judgments based on experience and produces a report detailing everything addressed in the initial objective.
02:45
Evaluations can be conducted internally and externally and are typically done using a checklist.
02:51
Security measures can be evaluated against known baselines to gauge their effectiveness and ensure they're matching their intended purpose.
02:58
Some common security measures that are regularly evaluated are configuration settings, group policies and physical controls.
03:06
To help organizations incorporate a secure development process into their operations, guidelines such as the Capability Maturity Model Integration, CMMI, can be utilized.
03:16
The CMMI guides organizations through the process of assessing vulnerabilities, determining controls, adjusting security policies and procedures and conducting audits.
03:28
The five stages of the maturity model process are initial, managed, defined, quantitatively managed and optimizing.
03:37
Organizations and even federal directives may require security professionals to hold an industry certification.
03:43
It is very common for job postings to dictate that a specific certification is a requirement of a candidate.
03:51
This distinction indicates the individual has fulfilled the requirements for assessment in that focus area and experience level.
03:57
Similarly, organizations may need to obtain certifications for system components.
04:02
Accreditation, as it's known, is achieved when a specific process or operation is approved by an authoritative neutral third party.
04:11
The National Information Assurance Certification and Accreditation Process, or NIACAP, is used to certify and accredit an organization's information security management system by measuring specific activities, general tasks and the management structure.
04:26
This process is broken into four phases: definition, verification, validation and post-accreditation.
04:32
There are three types of accreditation:
04:34
type, system and site.
04:38
A type accreditation evaluates applications or systems distributed in different locations.
04:43
The system accreditation evaluates a specific application or support system, and the site accreditation evaluates an application or system at a specific location.
04:53
DIACAP is the federal version of C&A guidance that applies to departments and agencies within the Department of Defense.
05:00
The ISO/IEC 27001 is another suite of standards to certify information security management systems.
05:08
The certification validates the security process in place used to manage assets like intellectual property or customer data.
05:15
The ISO/IEC 27002 standard includes 14 content areas ranging from asset management to compliance.
05:24
More information about the standards can be found at iso.org.
05:29
Performing verification and quality control on policies and processes across an environment is important,
05:33
regularly scheduled and when changes occur. Audits, evaluations or assessments, and achieving certifications and accreditations where applicable, will demonstrate an organization's compliance and adherence to best practices for establishing, implementing, maintaining and continually improving their information management systems.
