WK2 Security Audits Flashcards

2
Q

We’ve covered different frameworks, controls, security principles, and compliance regulations. The question is: how do they all work together?

Two types of security audits

A
  1. Internal Audits
  2. External Audits
3
Q

Which team members conduct an internal security audit?

A

An internal security audit is typically conducted by a team of people that might include an organization’s compliance officer, security manager, and other security team members.

4
Q

Why are internal audits useful?

A

Internal security audits are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues.

5
Q

Common elements of an internal security audit

A

Establishing the scope and goals of the audit
Conducting a risk assessment of the organization’s assets
Completing a controls assessment
Assessing compliance
Communicating results to stakeholders

6
Q

Internal Security Audit

Establishing the scope and goals of the audit

A

Scope refers to the specific criteria of an internal security audit. Scope requires organizations to identify the people, assets, policies, procedures, and technologies that might impact the organization’s security posture.

Goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture.

Although more senior-level security team members and other stakeholders usually establish the scope and goals of the audit, entry-level analysts might be asked to review and understand the scope and goals in order to complete other elements of the audit.

As an example, the scope of this audit involves assessing user permissions; identifying existing controls, policies, and procedures; and accounting for the technology currently in use by the organization. The goals outlined include implementing core functions of frameworks, like the NIST CSF; establishing policies and procedures to ensure compliance; and strengthening system controls.

7
Q

Internal Security Audit

Conducting a risk assessment

A

The next element is conducting a risk assessment, which is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets. Similar to establishing the scope and goals, a risk assessment is often completed by managers or other stakeholders. However, you might be asked to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place to help improve the organization’s security posture.

For example, this risk assessment highlights that there are inadequate controls, processes, and procedures in place to protect the organization’s assets. Specifically, there is a lack of proper management of physical and digital assets, including employee equipment. The equipment used to store data is not properly secured, and access to private information stored in the organization’s internal network likely needs more robust controls in place.

8
Q

Internal Security Audit

Completing a controls assessment

A

A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective.

To do this, entry-level analysts might be tasked with classifying controls into the following categories:

Administrative controls: related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies.

Technical controls: hardware and software solutions used to protect assets, such as intrusion detection systems (IDSs) and encryption.

Physical controls: measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.

9
Q

Internal Security Audit

Assessing compliance

A

Assessing compliance means determining whether or not the organization is adhering to the necessary compliance regulations. As a reminder, compliance regulations are laws that organizations must follow to ensure private data remains secure.

In this example, the organization conducts business in the European Union and accepts credit card payments, so it needs to adhere to the GDPR and the Payment Card Industry Data Security Standard (PCI DSS).

10
Q

Internal Security Audit

Communicating results to stakeholders

A

Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders.

In general, this type of communication summarizes the scope and goals of the audit. Then, it lists existing risks and notes how quickly those risks need to be addressed. Additionally, it identifies compliance regulations the organization needs to adhere to and provides recommendations for improving the organization’s security posture.

11
Q

Audit checklist

A

It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus:

Identify the scope of the audit

Complete a risk assessment

Conduct the audit

Create a mitigation plan

Communicate results to stakeholders

12
Q

Audit checklist

Identify the scope of the audit

A

The audit should:

List the assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked)

Note how the audit will help the organization achieve its desired goals

Indicate how often an audit should be performed

Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees

13
Q

Audit checklist

Complete a risk assessment

A

A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).

14
Q

Audit checklist

Conduct the audit

A

When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.

15
Q

Audit checklist

Create a mitigation plan

A

A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

16
Q

Audit checklist

Communicate results to stakeholders

A

The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization’s level of risk, and compliance regulations and standards the organization needs to adhere to.