Audits and Assessments Flashcards

1
Q

Audit Types

A

1: Internal Audits and Assessments
- Review processes, controls, and compliance
Importance
- Ensure operational effectiveness and adherence to internal policies

2: External Audits and Assessments
- Independent evaluations by external parties
Verification Areas
- Financial statements
- Compliance
- Operational practices

2
Q

Purpose of audits

A

- Validate security measures
- Identify vulnerabilities
- Maintain compliance with regulatory standards

3
Q

3 risk assessment categories

A

- Risk Assessments
- Vulnerability Assessments
- Threat Assessments

4
Q

Types of pen testing

A

Passive
Active

5
Q

Internal audits focus on

A

- Data protection
- Network security
- Access controls
- Incident response procedures

6
Q

Audit committee responsibilities

A

- Reviewing financial reporting
- Internal controls
- Internal and external audits
- Legal and regulatory compliance
- Addressing issues raised by auditors

7
Q

MCIT Cybersecurity Self-Assessment

A

- MCIT’s Cybersecurity Self-Assessment checklist is designed to help organizations minimize data and cybersecurity-related exposures
- It assists in identifying areas where data security may need strengthening
- The checklist comprises yes-or-no questions with sections for comments and action items
- Action items are assigned to specific individuals or groups responsible for implementing corrective actions

8
Q

External audits focus areas

A

- Data protection
- Network security
- Access controls
- Incident response procedures

9
Q

External assessments can take various forms

A

- Risk assessments
- Vulnerability assessments
- Threat assessments

10
Q

Regulatory Compliance

A

- The goal is to ensure organizations comply with relevant laws, policies, and regulations
- Organizations adopt consolidated and harmonized sets of compliance controls to achieve regulatory compliance, e.g., NIST Cybersecurity Framework
- Compliance includes adherence to industry-specific rules (e.g., HIPAA, PCI DSS) and more generalized regulations like GDPR

11
Q

Access controls

A

May include testing of the following
- Key personnel
- Certifications
- Standardized assessments
- Crucial for maintaining a strong security posture and regulatory compliance

12
Q

External assessments may vary depending on:

A

- Organization’s governance
- Risk
- Compliance practices

13
Q

Preparing for a HIPAA External Assessment

A

- Examiners provide a checklist of questions that organizations must answer
  - Questions are answered as either “yes” or “no”
  - Evidence files, such as documents or links, must be provided to demonstrate compliance
- Sample Checklist
  - Questions cover various aspects like general information, policies, procedures, and employee training
  - Organizations must provide evidence files as proof of compliance
  - External assessments aim to provide a quick overview of the organization’s current risk posture

14
Q

4 Types of pen testing

A

- Physical
- Offensive
- Defensive
- Integrated

15
Q

Physical pen testing and benefits

A

Evaluates an organization’s physical security measures
Examples
- Testing locks
- Access cards
- Security cameras

Identifies vulnerabilities and recommends improvements for enhanced physical security

Benefits
- Improved security awareness
- Preventing unauthorized access

16
Q

Offensive pen testing and benefits

A

Known as “red teaming”

Actively seeks vulnerabilities and attempts to exploit them, like a real cyber attack

Helps uncover and report vulnerabilities to improve security

Benefits
Can simulate real-world attacks and gain support for cybersecurity investments

17
Q

Defensive pen testing and benefits

A

Known as “blue teaming”
- A reactive approach focused on strengthening systems, detecting and responding to attacks
- Monitors for unusual activity and improves incident response times

Benefits
- Enhances detection capabilities and helps improve incident response

18
Q

Integrated pen testing

A

- Known as “purple teaming”
- Combines elements of offensive and defensive testing

19
Q

Red vs Blue teams

A

- Red team conducts offensive attacks, while the blue team detects and responds
- Encourages collaboration and learning between the red and blue teams

Benefits
- Comprehensive security assessment
- Promotes collaboration within cybersecurity teams
- Conducts simulated attacks and responses to improve skills

20
Q

Importance of reconnaissance

A

- Crucial step in penetration testing
- Identifies potential vulnerabilities in the target system
- Helps plan the attack to reduce the risk of detection and failure

21
Q

Types of reconnaissance

A

Active Reconnaissance
- Engaging with the target system directly, such as scanning for open ports using tools like Nmap

Passive Reconnaissance
- Gathering information without direct engagement, like using open-source intelligence or WHOIS to collect data

Reconnaissance and Environment Types
- Known Environment
  - Penetration testers have detailed information about the target infrastructure

22
Q

Attestation of findings

A

- Involves formal validation or confirmation provided by an entity to assert the accuracy and authenticity of specific information
- Crucial in internal and external audits to ensure the reliability and integrity of the following

23
Q

Attestation of Findings in Penetration Testing

A

- Used to prove that a penetration test occurred and validate the findings
- May be required for compliance or regulatory purposes (e.g., GLBA, HIPAA, Sarbanes-Oxley, PCI DSS)
- Includes a summary of findings and evidence of the security assessment
- Evidence helps to prove that identified vulnerabilities and exploits are valid

24
Q

The difference between attestation and the report

A

- Attestation includes evidence
- Report focuses on findings and recommended remediation

25
Q

3 Types of attestation

A

1: Software Attestation
- Involves validating the integrity of software to ensure it hasn’t been tampered with

2: Hardware Attestation
- Validates the integrity of hardware components to confirm they haven’t been tampered with

3: System Attestation
- Validates the security posture of a system, often related to compliance with security standards

26
Q

Attestation in Audits

A

- In internal audits, attestation evaluates organizational compliance, effectiveness of internal controls, and adherence to policies and procedures
- In external audits, third-party entities provide attestation on financial statements, regulatory compliance, and operational efficiency
- Attestation builds trust, enhances transparency, ensures accountability, and is essential for stakeholders in making informed decisions
