Audits and Assessments Flashcards
Audit Types
1: Internal Audits and Assessments
Review processes, controls, and compliance
Importance
Ensure operational effectiveness and adherence to internal policies
2: External Audits and Assessments
Independent evaluations by external parties
Verification Areas
Financial statements
Compliance
Operational practices
Purpose of audits
Validate security measures
Identify vulnerabilities
Maintain compliance with regulatory standards
3 risk assessment categories
Risk Assessments
Vulnerability Assessments
Threat Assessments
Types of pen testing
Passive
Active
Internal audits focus on
Data protection
Network security
Access controls
Incident response procedures
Audit committee responsibilities
Reviewing financial reporting
Internal controls
Internal and external audits
Legal and regulatory compliance
Addressing issues raised by auditors
MCIT Cybersecurity Self-Assessment
MCIT’s Cybersecurity Self-Assessment checklist is designed to help organizations minimize data and cybersecurity-related exposures
It assists in identifying areas where data security may need strengthening
The checklist comprises yes-or-no questions with sections for comments and action items
Action items are assigned to specific individuals or groups responsible for implementing corrective actions
External audits focus areas
Data protection
Network security
Access controls
Incident response procedures
External assessments can take various forms
Risk assessments
Vulnerability assessments
Threat assessments
Regulatory Compliance
The goal is to ensure organizations comply with relevant laws, policies, and regulations
Organizations adopt consolidated and harmonized sets of compliance controls to achieve regulatory compliance, e.g., NIST Cybersecurity Framework
Compliance includes adherence to industry-specific rules (e.g., HIPAA, PCI DSS) and more generalized regulations like GDPR
Access controls
May include testing of the following
Key personnel
Certifications
Standardized assessments
Crucial for maintaining a strong security posture and regulatory compliance.
External assessments may vary depending on:
Organization’s governance
Risk
Compliance practices
Preparing for a HIPAA External Assessment
Examiners provide a checklist of questions that organizations must answer
Questions are answered as either “yes” or “no”
Evidence files, such as documents or links, must be provided to demonstrate compliance
Sample Checklist
Questions cover various aspects like general information, policies, procedures, and employee training
Organizations must provide evidence files as proof of compliance
External assessments aim to provide a quick overview of the organization’s current risk posture
4 Types of pen testing
Physical
Offensive
Defensive
Integrated
Physical pen testing and benefits
Evaluates an organization’s physical security measures
Examples
Testing locks
Access card
Security cameras
Identifies vulnerabilities and recommends improvements for enhanced physical security
Benefits
Improved security awareness
Preventing unauthorized access
Offensive pen testing and benefits
Known as “red teaming”
Actively seeks vulnerabilities and attempts to exploit them, like a real cyber attack
Helps uncover and report vulnerabilities to improve security
Benefits
Can simulate real-world attacks and gain support for cybersecurity investments
Defensive pen testing and benefits
Known as “blue teaming”
A reactive approach focused on strengthening systems, detecting and responding to attacks
Monitors for unusual activity and improves incident response times
Benefits
Enhances detection capabilities and helps improve incident response
Integrated pen testing
Known as “purple teaming”
Combines elements of offensive and defensive testing
Red vs Blue teams
Red team conducts offensive attacks, while the blue team detects and responds
Encourages collaboration and learning between the red and blue teams
Benefits
Comprehensive security assessment
Promotes collaboration within cybersecurity teams
Conducts simulated attacks and responses to improve skills
Importance of reconnaissance
Crucial step in penetration testing
Identifies potential vulnerabilities in the target system
Helps plan the attack to reduce the risk of detection and failure
Types of reconnaissance
Active Reconnaissance
Engaging with the target system directly, such as scanning for open ports using tools like Nmap
Passive Reconnaissance
Gathering information without direct engagement, like using open-source intelligence or WHOIS to collect data
Reconnaissance and Environment Types
Known Environment
Penetration testers have detailed information about the target infrastructure
Attestation of findings
Involves formal validation or confirmation provided by an entity to assert the accuracy and authenticity of specific information
Crucial in internal and external audits to ensure the reliability and integrity of the following
Attestation of Findings in Penetration Testing
Used to prove that a penetration test occurred and validate the findings
May be required for compliance or regulatory purposes (e.g., GLBA, HIPAA, Sarbanes-Oxley, PCI DSS)
Includes a summary of findings and evidence of the security assessment
Evidence helps to prove that identified vulnerabilities and exploits are valid
The difference between attestation and the report
Attestation includes evidence
Report focuses on findings and recommended remediation
3 Types of attestation
1: Software Attestation
Involves validating the integrity of software to ensure it hasn’t been tampered with
2: Hardware Attestation
Validates the integrity of hardware components to confirm they haven’t been tampered with
3: System Attestation
Validates the security posture of a system, often related to compliance with security standards
Attestation in Audits
In internal audits, attestation evaluates organizational compliance, effectiveness of internal controls, and adherence to policies and procedures
In external audits, third-party entities provide attestation on financial statements, regulatory compliance, and operational efficiency
Attestation builds trust, enhances transparency, ensures accountability, and is essential for stakeholders in making informed decisions