5.5 Flashcards
internal security audit
operates by attesting that all organizational information systems adhere to a set of internal or external criteria governing data security, network security, and infrastructure security
Internal criteria include:
the company’s IT
policies, procedures, and security controls
Internal audit should objectively assess what?
the organization’s overall strategy for handling emerging threats from a governance,
architectural, operational, and technology standpoint
audit committee
is responsible for assisting independent auditors in examining the organization's security reporting system
how does the audit committee examine?
- Offering critical oversight of the corporation's reporting processes, internal controls, and independent auditing
- Providing checks and balances
- Allowing a forum for discussing security concerns candidly and objectively
self-assessment with independent validation (SAIV)
approach is a more cost-effective alternative to a full external assessment of the internal audit activity: the internal audit function assesses itself and an independent party validates the result
self-assessment with independent validation (SAIV) goal?
to deliver an independent validation of the internal audit activity's self-assessment
assessment
An assessment could be seen as an "audit plus"
* Assessments measure against standards, but also draw on industry practices and on the assessor's own knowledge and experience
external audit
an organization compares itself to an established standard
* ISO 27001 is an example of a compliance audit that results in a certification
assessment example
Payment Card Industry Data Security Standard (PCI DSS) validation is an audit, but organizations are also required to undergo penetration testing (PCI DSS Requirement 11), which is an assessment
* Therefore, PCI DSS can also be called an assessment
Security examinations
used to certify security professionals at various experience levels to participate in auditing and assessments
Common examples of security examinations are:
- CompTIA Security+
- CompTIA Advanced Security Practitioner (CASP+)
- Certified Information Systems Security Professional (CISSP) from ISC2
- Certified Information Security Manager (CISM) from ISACA
Independent third-party audit
The audit of information security is a comprehensive assessment that evaluates, often with a gap analysis, the current state of security controls in the organization
When applied to DevSecOps, a third-party security audit is:
an exhaustive assessment of all code, documentation, and processes related to a software system, performed by an independent security firm
The goal of an audit is:
to uncover potential security risks, which the software's developer can then remediate
Penetration testing
a process used to collect information and actively expose vulnerabilities in a system or application by conducting actual exploits and red team attacks
Penetration testing is conducted as a:
known environment, partially known environment, or unknown environment test (formerly called white-box, gray-box, and black-box), where the tester assumes the attacker role to discover vulnerabilities and weaknesses
Penetration testing can also be useful for determining:
- How well the system tolerates real-world-style attack patterns
- The likely level of sophistication an attacker needs to successfully compromise the system
- Additional countermeasures that could mitigate threats against the system
- The defenders' ability to detect attacks and respond appropriately
ISSAF
Information Systems Security Assessment Framework, provided by the Open Information Systems Security Group (OISSG), a not-for-profit organization based in London
OSSTMM
Open Source Security Testing Methodology Manual, created by the Institute for Security and Open Methodologies (ISECOM)
OWASP
Open Worldwide Application Security Project (formerly Open Web Application Security Project), a non-profit organization focused on advancing software security; its Web Security Testing Guide (WSTG) is a popular methodology used widely by security professionals
PTES
Penetration Testing Execution Standard, a methodology developed to cover the key parts of a penetration test
NIST
National Institute of Standards and Technology; its SP 800-115, Technical Guide to Information Security Testing and Assessment, is a manual best suited to improving the overall cybersecurity of an organization
phishing campaign
a simulated phishing email that replicates a real attack against employees, sent as part of security awareness training
The phishing campaign goal is not to:
entrap and punish employees, but rather to raise awareness and instruct
Security training monitoring and reporting must be scoped to the specific audience, since different audiences receive different types of security training:
- Basic security awareness training
- Technical security training
- Security management training
- Compliance training
The Net Promoter Score (NPS)
widely regarded as the gold-standard customer experience metric
NPS measures participant loyalty by looking at the probability that they would recommend a given security training experience: respondents answer on a 0-10 scale, scores of 9-10 count as promoters and 0-6 as detractors, and NPS is the percentage of promoters minus the percentage of detractors
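Added example, not part of the original flashcards: a small Python routine that turns 0-10 "would you recommend this training?" survey answers into a Net Promoter Score using the standard promoter/passive/detractor bucketing. The sample responses are constructed, and the function treats an empty survey as "no score" rather than 0 so that a missing survey is not misread as a neutral result.

```python
# Added example (not from the original flashcards): computing a Net Promoter
# Score for a security training session from constructed 0-10 survey responses.
from collections import Counter

PROMOTER_MIN = 9   # 9 or 10 -> promoter
DETRACTOR_MAX = 6  # 0 to 6 -> detractor; 7 and 8 -> passive


def classify(score: int) -> str:
    """Map a single 0-10 'likelihood to recommend' answer to an NPS bucket."""
    if not isinstance(score, int) or not 0 <= score <= 10:
        raise ValueError(f"NPS responses must be integers 0-10, got {score!r}")
    if score >= PROMOTER_MIN:
        return "promoter"
    if score <= DETRACTOR_MAX:
        return "detractor"
    return "passive"


def net_promoter_score(responses):
    """Return (nps, counts): nps = %promoters - %detractors, rounded to an int.

    An empty survey has no defined score, so None is returned instead of 0,
    which would falsely read as a neutral result.
    """
    counts = Counter(classify(s) for s in responses)
    total = sum(counts.values())
    if total == 0:
        return None, counts
    promoters_pct = 100 * counts["promoter"] / total
    detractors_pct = 100 * counts["detractor"] / total
    return round(promoters_pct - detractors_pct), counts


# Constructed sample (hypothetical data): 20 answers to "How likely are you to
# recommend this secure-coding workshop to a colleague?"
SAMPLE_RESPONSES = [10, 9, 9, 8, 7, 10, 6, 5, 9, 8, 10, 4, 9, 7, 10, 9, 2, 8, 9, 10]

if __name__ == "__main__":
    nps, counts = net_promoter_score(SAMPLE_RESPONSES)
    print(f"promoters={counts['promoter']} passives={counts['passive']} "
          f"detractors={counts['detractor']} NPS={nps}")
```

With the constructed sample (11 promoters, 5 passives, 4 detractors out of 20) the score is 55% minus 20%, i.e. an NPS of 35; the same function can be run per training type (awareness, technical, management, compliance) to report each audience separately.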