CCT 170: Assessment, Compliance, and Improvement Strategies for the CISSP Exam (Domain 6.5)

Aug 26, 2024

Ever wondered how to ensure your organization's cybersecurity measures meet international standards? Join us for an action-packed episode as we unpack Domain 6.5 of the CISSP exam, exploring crucial assessments, tests, and audit strategies every cybersecurity professional should master. Learn the importance of choosing a consistent framework like ISO 27001 or the NIST Cybersecurity Framework to steer your audit processes. We'll dive into internal and external audits and the pivotal role they play in aligning security measures with legal and regulatory compliance.

Discover the essentials of security control testing within your organization. We discuss various mechanisms such as vulnerability assessments, penetration testing, and log review analysis, focusing on their significance in pinpointing and mitigating potential security threats. Highlighting tools like Nessus and Qualys, we examine their effectiveness in regular vulnerability scanning, along with the importance of log reviews to detect malicious activities. From black box testing on web applications to understanding how hackers manipulate logs, we cover all the bases to fortify your defenses.

In our cloud security management segment, we tackle the risks associated with orphaned accounts and offer best practices for managing cloud-based accounts. Regular management audits, multi-factor authentication, and semi-annual reviews are just a few of the key strategies we discuss to ensure robust cloud security. We also emphasize the importance of cybersecurity audit planning and reporting, sharing practical examples and tips for creating actionable reports for different stakeholders. Finally, we underline the value of mentorship and the importance of certifications like CISSP for advancing your career in cybersecurity, highlighting the critical role certified professionals play in safeguarding our global economy from cyber threats.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go. Okay, so, let's get started, and we're going to be talking today. It's domain 6.5. And this is going to be associated around various assessments, tests and audit strategies that are associated with the CISSP and that you can find within any cybersecurity organization. So, when we're looking at determining your assessments and determining which way you should go as it relates to audits, you're going to need to come up with some various key factors, and some of those, as we start off, is that you're going to need to develop a strategy on how you're going to test. You're also going to have to develop some validating strategies and then you're going to have to determine which level of legal and regulatory compliance these all are tied to. So, as we break this down a little bit, let's get into the security strategies.

Speaker 1:  

You need to kind of understand, and we talk about this a lot in CISSP Cyber Training, which framework are you going to follow? You need to pick a framework. It's really important that you follow one, and the reason I say that is because in a previous life I had a situation where we'd have frameworks that are part of 27001. We had some that are part of the NIST cybersecurity framework and it was fine, because all the framework does is give you guidance and direction which way to go. However, when I didn't just pick one and follow that one, then it made it very convoluted and a bit challenging when we're trying to talk with other third parties, when they ask the question, which framework do you follow? And if I don't follow one, well, I follow a combination of 27001 and a combination of the cybersecurity framework and so on and so forth. That gets very convoluted, very, very challenging. So, therefore, you need to pick a standard that you are going to go by and then you need to look at what are the appropriate assessment types that you're going to use towards that standard.

Speaker 1:  

Are you going to use internal audits? Are you going to bring in external audits? And when we talk about internal and external, the internal could be someone within your organization, it could be somebody outside of your organization. So if you have two companies and company A's IT department is doing this assessment audit and you would like an assessment done, well then you may pull in company B's IT team to do that audit or that assessment. So that's bringing in an outside audit. An external audit would be your big three. You know, your Deloitte and Touche, your... I'm just drawing a blank, but there's basically three main companies that you'll work with that can do these external audits.

Speaker 1:  

Now I say that from a very large company that works with various audit firms. If you're a smaller company that you're going to work for when you first start off, you may not. You can still bring in smaller audit firms just to determine what the legal requirements are around that. And so when you determine those things and what is your overall plan around an assessment, is it going to be a technical vulnerability assessment versus just a paper audit? You'll have to figure that part out as well. The strategy should be robust enough to identify your potential vulnerabilities and bring it back to the standards that are associated with the 27001. So, again, you use the 27001 as your North Star, as something you're going to guide to. If you do that, then when you do your assessments and your audits, they can then come back to this 27001 series.

Speaker 1:  

Now, something to kind of consider is that, as I'm going through this podcast, I'm recording the contents as well, and that'll be on CISSP Cyber Training, so you can go to the website, you can watch the video while you're listening to the podcast as well, because I've seen it. It works well when I actually listen to something and I am watching it as well. That does help out quite a bit. But I put in there some use cases: how does this work?

Speaker 1:  

Well, let's just say, for example, you're a multinational corporation and you have to do the testing on your global security strategy. You may have regular pen testing. Okay, you may have that for individuals. You may have employee phishing awareness assessments that you may do. So basically, you're going out and testing people and then you make sure that these meet all of the international standards across all of your various companies. So you're going to do those things on a regular or routine basis. If you have some sort of regulatory requirement that forces you to do that every year, you would do that every year, but at a minimum you need to have some of that defined for your company. Now, when you're looking to validate these various testing strategies, again, you may have to tie them back to: are there any external regulations that are forcing you to do that? So you must remain aligned to that.

Speaker 1:  

I'll give you an example. So when we do testing within the European Union, there are various entities out there that require us, as we go through the tests, to send them a report of how the test went. And that's very indicative and very consistent with what happens here in the United States, especially when you're dealing with small... I'll use credit unions as an example. If you're listening to this someplace outside of the United States, a credit union is a smaller bank, and it's a bank that actually is defined by the shareholders, by individuals. As I deposit $10,000 into a bank account, then I become part of this overall bank ecosystem and so therefore, it's member-owned. All the members own this small bank. Well, I've done work with credit unions in the past, and the credit union has to have this assessment done for its shareholders.

Speaker 1:  

For people like me to say, hey, we've done this, we're watching what's going on, but they've also had to do it for regulators within the United States and give them an output of what this report is. So you need to have that defined and decided upon within your organization. Who's going to get the report? Who's going to provide the report? Another key thing to think about as you're looking, and again, these things I'm telling you are covered in the CISSP. They're going to ask you questions. I'm giving you the mindset of a CISO so that when they ask you these specific questions, you can understand where they're coming from, as it relates to the test question itself. But one of the other aspects is, as you provide this information, you have to then work with your senior leaders to determine who's going to provide this information to the bank, as an example. I, as a security person, would not provide it. Our legal team would provide that information to the bank, or I should say even our senior leaders, senior legal team or potentially our president himself.

Speaker 1:  

Legal and regulatory compliance, again, you want to stay in alliance with all of these regulatory compliance requirements. That includes GDPR, HIPAA, any other privacy requirements that you're seeing out there. You'll want to make sure you focus with it. Any other government requirement for critical infrastructure, you'll want to basically follow that as well. When I say critical infrastructure, let me give you just a spin on that one. So if you are a manufacturing facility and you deal with something, let's say you're a refinery and they consider you critical infrastructure because you manage pipelines or something like that, then what may happen is you may have to go and do assessments and audits and give that information to that leadership to ensure that you are actually doing what you say you're supposed to be doing. So you're going to need to. There's a lot of people that are involved in this overall process, and therefore it's important that you understand what assessments need to be accomplished so that you meet these regulatory requirements that are out there.

Speaker 1:  

So now you're going to be conducting security control testing. What are these? So, as you're looking to do vulnerability testing, one of the aspects you've got is vulnerability assessments, penetration tests and then log review analysis, and then obviously you may end up doing some level of code testing on all of this. So this is the part that falls under the security control testing that you're going to accomplish. Now, you may want to try to regularly scan your systems to find vulnerabilities. Now you may use a tool such as Nessus or Qualys or something along those lines to do a vulnerability assessment within your organization. Now, these security control testing mechanisms are designed to highlight where you may have a problem and therefore, by having this issue, you can then go out and address the problem specifically. As an example, you run Qualys within your organization. Qualys is a scanner. It's looking for vulnerabilities within systems that are inside your company and therefore you then get that information and you work with your infrastructure team, or maybe you are the infrastructure team, and you go and you mitigate those issues directly.

Speaker 1:  

Now there also may be a time where you sit down and you go, you know what, I'm going to accept the risk of these vulnerabilities because, let's say, for example, you have systems that are very old and maybe a little bit antiquated, but they're critical to run your business and you have a plan to remove and replace them, but it's going to be at period X. So once that happens, you may decide, you know what, we're just going to accept some of that risk for the next 4, 6, 12 months. But in the process of accepting that risk, you are also going to put in some mitigating controls to limit what actually happened.

Speaker 1:  

Now, when you're doing this, again, this process can be very time consuming. Also, when you do vulnerability scans, depending upon the type of equipment, I've done these in the past where it can be very disruptive to an organization, especially if this is doing what we call a deep scan of your network. Now this again, it's pretty dated. It's been a few years since I've done a vulnerability scan. So the tools out there today may be much better and don't cause those kinds of issues. But I will say, if you do vulnerability assessments against very sensitive systems such as your process control environments, you may run into problems because they don't do well with scans, just bottom line. But you'll use this vulnerability assessment tool to scan your platform and, as an example, if you're a bank, you may do that for your online banking system. You may do external scans specifically for it because you don't want someone to take advantage of it. So therefore, you will do this, looking for any potential out-of-date software, misconfigurations, anything else that could be exploited by attackers.

Speaker 1:  

The next thing we're going to talk about is penetration testing. Now, the penetration testing, I did those as well, and that's where we basically are trying to find one vulnerability to go into an environment. They call it, and you'll see it on the CISSP, maybe potentially called a black box test, and you may be doing a black box test against maybe potentially new web applications or something that is out there on the internet and is externally facing. This is where you're looking, as an attacker. You're looking for one way into your organization. You're not looking for the plethora of them.

Speaker 1:  

The other thing you're going to notice that a pen tester or a hacker will do is they may use scan data that's on the internet, but they typically will not try to go and bang on a specific web server sitting on the internet. And when I say bang on it, what I mean is that they will not go and throw everything they have at that one web server to try to break in. They're usually, I say usually, much more sophisticated and methodical and slower in what they're trying to accomplish. Because if you go and bang on this box, if you bang on this web server, you now are highlighting the fact that you are targeting this web server. If I'm a bad guy or gal, I don't want people to know that I'm actually targeting it, so therefore, I really don't want to let them know that I'm actually looking at it. So you may see that those are going to be very finessed types of attacks against your company's assets that are online.

Speaker 1:  

But you may have this software. So let's use an example of a use case. There's a software company. It releases a new application, so you have this new app that's sitting out there and it wants to have a third party do a black box or a pen test against their new application that's sitting out there. The goal is that it will uncover flaws or maybe potential improper session management. They may have bad username and password requirements, they may not have multi-factor enabled, but you want them to look at this before you bring it to the public, because once it comes to the public, then everybody is going to be after it and looking at it. Now, granted, if it's on the internet, everybody's looking at it, but if you now highlight it and use it as something you want your people to look at, it will become a problem as well.

Speaker 1:  

Log reviews and analysis. You want to make sure that you do go through and have systematic reviews of your logs to check whether there are any signs of malicious activity. I've seen this time and again where in a previous life we would go in and we would modify the logs a little to try to change them from what they look like. Typically, if you have a decent hacker, he or she will not go in and delete the logs. That's usually a bad idea, because if you go and delete the logs, you now highlight the fact that you've been there. So they will go in, they may modify them, or their goal is, because they also understand, most attackers, that people are not necessarily looking at the logs because they don't have some level of automation in place to help them. So therefore they kind of hide in...

Speaker 1:  

...what we call the chaff. In Kansas we have wheat, and when you have wheat you want to get the seed out of the wheat. You beat on the wheat itself to get the seed out so that you can turn that into whatever bread or whatever else you want to turn it into. Well, what's left is the chaff, but there's all kinds of noise that's within a business network. You want to hide in that noise, you want to hide in that chaff, and so, therefore, that's what ends up happening. So you, as a cybersecurity professional, really need to have some level of log reviews that you can utilize to help you find out where the attackers are within your organization.

Speaker 1:  

Now, synthetic transactions and code testing. If you're doing some synthetic transactions, these are to simulate user interactions. I did this with my development team. They would actually have automated interactions that would occur with their web development environment and it would act like a user when it's trying to accomplish this. You would also conduct code reviews to find security vulnerabilities that may potentially be out there, such as, maybe, a SQL injection, or any sort of aspect that you may be looking for, like cross-site scripting attacks. You're going to want to go through and have these simulations occur to ensure that you have the proper protections in place for your organization. So the use case that we've got is like an online retailer uses a synthetic transaction to test its website checkout process.

Speaker 1:  

Now, if you're using some sort of online checkout for your website, I highly recommend bringing in, integrating a third party to do this for you rather than trying to do it yourself with your development team. There are people that are very good at creating these kind of plugins for your websites. I would highly recommend that you have third parties that will provide you those plugins so that you can be successful. If you have your development team do it, they may or may not be successful, and now you could open up your company to a lot of risk, but your ultimate goal is that you want to ensure that your product team, that your teams, are actually doing the right thing when it comes to these transactions. So, as they're going through the secure checkout process, you want to make sure that the team is doing this and they don't have the ability to have input flaws where they could then do a SQL injection into your code, and a SQL injection basically is a line of code that's added to your input lines which then goes in and will either be able to pull data out, you know, through using a script, it'll be able to pull the data out of the SQL process, or it will make it burp and give information to you. So you're going to want to go through that overall transaction process if you're dealing with a web application.

Speaker 1:  

Now we're going to get into collecting your secure process data, and how does this specifically work? Now we're gonna talk about some key points of account management, audits, management reviews, process reviews and compliance within the agreements that go with that. So, when we're collecting the security data that's out there, you wanna make sure that you are creating, maintaining and deleting your user accounts. You want to make sure that any user account that you have, you have a process, a management of change process, so that, as a new user is created, they are then removed when they are no longer needed. I see this over and over again.

Speaker 1:  

And now this is becoming a much bigger problem with the cloud, in that when users are created, they are never removed, and bad guys know this, and these people are then leveraging this capability. Where you created an IAM or a role, an account within a cloud, this account has a certain level of privileges that it's allowed to do and it doesn't get removed. And then therefore, which is bad, right, because if it's internal to your cloud, it's internal to your network, that's bad, but in many cases, they will allow some level of, because it's in the cloud, it's in somebody else's data center, whether it's Google, Amazon, whoever, it could potentially be accessible by the internet, and if that's the case, you now are increasing your risk substantially. So what does this look like?

Speaker 1:  

When we're dealing with a management audit? So we'll go in the case of a university. It will conduct a regular audit of its account management process. So if you're in a university, you're checking your students, your staff, have they been granted access to only the necessary resources that they should have? When I was acting as a professor at a local college, they would do that with my account. They had routine rotations of credentials. They require multi-factor, and that's a really big thing, I think, especially as you're dealing with your student body that is coming and going, as well as the leadership within that company as well, because teachers will come and go. I mean, I was there for two years and then I left, so you can only assume that teachers will come and will go as well.

Speaker 1:  

Now, management reviews. What are some management reviews? What does that actually mean? Well, so I go through this process, but you're going to want someone that understands your overall security policies and that will follow through and ensure that they are being followed by the staff or by the people that they are going against. So if I have a security policy within my company around password management, I want to make sure that I'm reviewing the policy and I'm reviewing these logs to ensure that people are actually doing what they're supposed to be doing. So you could have a semi-annual management review where all departments must adhere to your company's security policy and you're then going through and double checking to ensure that they are doing that, and then, on top of that, you may provide them some level of security training, followed by the overall requirement that they have to do. So it's important that you have the policy set, you provide the policy to the people. You then go through and you enforce the policy, maybe technically, by tools that you have in place, and then you follow that back up and then you have training for the policy and then you follow that back up at the end and verify people are actually doing what they're supposed to be doing. Now we're dealing with process reviews. Basically, this is what they are.

Speaker 1:  

One thing you may see within the CISSP is you may conduct interviews or walkthroughs to assess the processes and understand if they're being implemented. One aspect: it may not be a physical interview, but let's say you require that all screens be locked when you're done in that room. You may walk around looking specifically for screens that have been locked, that is, if people are away from their computer, did they lock their screen? Maybe you have a shred policy where all documents must be shredded using, I highly recommend, a crosscut shredder, not a strip shredder. Reason is I have put lots of strips together to make lots of documents. Yes, I've sat in hotel rooms listening to lots of music putting together strips and strips and strips of paper. You've got to use crosscut. Crosscut makes it wonderful and it's also great bedding for hamsters. Okay, but sorry to digress.

Speaker 1:  

The point, though, is that you're going to want to go through. You can actually go through and make sure that there's no printed documents that are sitting on the printers, that the shred bins are empty, that you have gone through and you have crosscut shredders. You can do walk-arounds on these cases as well and then highlight problems that you're potentially seeing. So I've seen this time and again where you'll go to a printer. Many times, people that use printers (they're not used as much anymore), but people that do use them don't have a key lockout where you have to add in a PIN to get the information out, and you'll see many times that you can go, just hit print on the printer and it will burp out all kinds of files that maybe are waiting in the queue to be printed. So that's another way that you could do that when you're doing your walkarounds.

Speaker 1:  

Now what are some of the compliance with the various agreements? You may have SLAs, which is your service level agreement, or BPAs, which is kind of called a business partner agreement. You may have these in place with various third parties to meet some level of security standard. Now, when you're doing this, say, for example, you have a third party that comes in that routinely works within your manufacturing facilities and say you're a tractor... you make tractor parts. You have a third party that comes in and they help you make these tractor parts. They provide the boxes, they're the chip manufacturer, whatever that is for this organization. You may have this third party come in and you may do reviews and look at what is the agreement that these folks have with you. Now what kind of agreement could that be? Could be data sharing agreements, like they're sharing data with me because I'm a tractor manufacturer. It could be they support me from a third party in the remote management of my process. What does that SLA look like? And so you would need to go through and ensure that these SLAs are fine and are being followed. So one example might be, let's use the remote access one, where you are allowing a third party remote access into your environment. If you're allowing them to have access into your software they're using, do they have encryption in place? Are they utilizing the right security tools to allow access into their networks? So there's lots of opportunities there within the SLA aspect.

Speaker 1:  

So now we're going to get into: you're going to analyze your test output and you're going to generate reports. Now, when you generate reports, you're going to look at the overall test results and then come up with, what does this look like? And then you're going to have those findings, those report findings, and you're going to provide those to whomever may need them within your organization and you're going to ensure that they are accurate. So, when it comes to doing your analysis of these test results, you're going to look for potential, let's say, for example, weak passwords. And are these weak passwords being used across multiple systems? I see this time and again that you may have weak passwords on your overall workstations, but they may utilize a multi-factor authentication to help minimize or reduce that risk.

Speaker 1:  

When it comes to using other products that are out there, when you're talking about passwords that are associated with servers or service accounts, you may want to run different types of tools to help you with that. You also may want to incorporate tools such as a security information and event management or SIEM tool to make sure that it is looking for these various flaws that you may have within your environment. So I've used SIEMs to help me root out service accounts, which ones are not good, which ones have bad passwords, which ones are not being logged into. You may utilize the logs off of those to help go, you know what, we're gonna get rid of this X account because no one ever uses it, no one ever logs into it. You're also gonna find out that most people, especially network folks within your organization, they're what we call hoarders, and what that means is when they get something, they hold on to it. Service accounts, other types of accounts. People are hoarders and they will hold on to that information and they don't like to get rid of it. I will arbitrarily go in and if I see an account that has not been used in quite a substantial amount of time, then I will disable it, and then I have a plan set up so once it's disabled, it will then be deleted, because I don't want spare accounts just floating around within my environment.

Speaker 1:  

Now, once you get a report, you're gonna have this report and you're gonna provide this report to somebody. Right? It could be to auditors. It could be internal or external auditors. It could be your senior leaders. It could be your compliance and ethics folks, it could be your CIO, but you want to have this report available to provide to them.

Speaker 1:  

Here's the other thing with reports you need to keep in mind, and this isn't necessarily a CISSP thing, this is a cybersecurity mentoring thing: keep them simple. Be brief, be brilliant, be gone. You want to have them simple, simple enough that it provides the information, but not too simple where they're asking lots and lots of questions. You can do that in many different ways, but I've been offering up some consulting for individuals and cybersecurity mentorship. Get with me, we'll get you worked up with some time on that, and I can help walk you through, from a CISO's perspective, what you should do to help protect your company and ways that you can also meet with your board and so forth around those types of items. But you want to be able to provide those types of report findings to individuals and this typically can go to the board of directors as well. I've been in front of many boards talking about the various risks that they have.

Speaker 1:  

One thing you're going to have to do from a mentorship standpoint is break it down in a way that they can understand it. They're very intelligent people that are on these boards, but they're not necessarily intelligent on cybersecurity, just like you may or may not be intelligent on the inner workings of a business, the profit and loss margins. They use all kinds of terms like NIAT, you name it. You may not be up on that, so therefore, they may have to educate you, but when it comes to cybersecurity, you are the expert. You need to educate them in a way that they can understand it and they can digest it and internalize it. Then, once you get all that information, you get that report. You want to integrate that and validate it within your company. So you want to look at different ways to validate the accuracy and the comprehensive view around your overall security posture. This typically comes around after you have assessments, penetration tests and code reviews.

Speaker 1:  

You then want to take this information you've learned and internalize it within your company. As an example, I used to have my developers. I would, well, about every two weeks we would go through and we would meet, and I would go through a security question with them, something to get their minds thinking. I would provide them documentation on what they should be looking at from a security perspective. One thing I saw recently that was really cool was pipelines within AWS and how you can utilize credential and secret storage. I heard of it, but I didn't really understand it, so I had someone kind of walk me through it. Makes a lot of sense. Super cool, super helpful. But I will say that my knowledge, what limited knowledge I have in development, was extremely valuable when I talked with my AWS guy, who understood this information, so I could actually get what he was doing and the importance of it.

Speaker 1:  

Now you want to conduct or facilitate a security audit. Now, there's various pieces that go into this security audit. You're dealing with planning, obviously, and management, execution of the audit, and then your audit reporting piece of this and then, lastly, your follow-up and what are you going to do around it? So, when you're dealing with planning and management, again, you want to define the scope. The one challenge you're going to run into when you're dealing with audits and assessments is the scope creep. And what does that scope creep mean? It means you start with one initial scope and, next thing, you know, somebody adds something else on and then something else gets added on and before you are done with your assessment, you have this very large, voluminous assessment that is beyond the initial scope, the initial criteria in which you decided to do this. So you really want to watch what that is. You also want to make sure that the methodology and the objectives are well-defined for all parties.

Speaker 1:  

You don't want your assessment folks going off and assessing areas that aren't as valuable to you, because, especially if you're bringing in a third party, that's costing you money. You don't want them to be chasing rabbits that you don't want them chasing. You want them to chase the rabbits you want them to chase. I don't know. Have you ever chased rabbits? Yeah, I have.

Speaker 1:  

That's not fun. It's like chasing chickens. It doesn't work real well. You run all over the place and it's really hard to catch them.

Speaker 1:  

So, yeah, chasing rabbits is not an easy endeavor, yeah, so anyway, sorry to digress, yes, my ADD brain kicked in there, but one of the use cases that comes in is if a financial institution may be preparing for an upcoming audit, what are they gonna do? They have to have this audit plan done and reviewed, and it needs to be reviewed by everybody involved. So that way, when the report is provided to the regulators, which may be under SOX or GLBA, it's been understood by all parties, and then when you give it to the regulators, they understand exactly what you're providing to them as well. Then you execute on the audit, right? So this is the part where you actually pull the trigger on it and you are sampling, observing. You may be doing different types of things with it.

Speaker 1:  

I will tell you this from a security standpoint the audits that I have accomplished have been very narrow in focus. They've been very targeted, because I don't have the resources to do them on a large scale. When they're on a larger scale, then I will bring in a third party, because they have the resources, the manpower, to be able to do that for me. Now, that does cost money. A typical audit can cost in the upwards of $50,000 to $100,000, just depending upon the size and scope of it. But you may have to do that.

Speaker 1:  

So let's say, for example, you are a credit card company or you take credit cards for your organization, and in the process of taking credit cards for your company, they want you to do an audit. Now, depending on the tiers, we'll talk about PCI DSS, they have various tiers in which you have to provide information to the credit card agencies. If you're a small mom and pop, they just want you to follow the guidelines. They have the network guidelines. You have a router, is it segregated? So on and so forth. As long as you follow that and you don't have any issues with your credit card, they'll let you have the credit card. If you get into being a bigger company, that is, let's say, Stripe or Square or somebody like that, they're going to have routine audits that they have to provide, and then they have to report these audits to the credit card bureaus to ensure that allows them to maintain that ability to process credit cards. So you may have to provide those PCI DSS standards to that company. So again, defining the scope: what is the scope of these audits? You may have multiple audits in one year.

Speaker 1:  

If you are a financial institution, especially one that's accepting credit cards, you may be audited on a quarterly basis or at least every six months, depending upon what is a requirement for the organizations you are working with. Now, once you get the report, you then provide these detailed findings, recommendations and management for your stakeholders. It's important that you have all that available. When you're dealing with healthcare specifically, you will have to provide that information to parties that are interested in how you're protecting this sensitive data. In the case of medical, like I just mentioned, it would be meeting the HIPAA requirements. So if you get a question on your CISSP that's asking about medical, the first thing you should focus on is HIPAA. Now, again, that doesn't mean the answer is going to be HIPAA, but you need to then get the mindset that if it's financial, it's SOX, maybe Gramm-Leach-Bliley, GLBA, or if it's medical, it's HIPAA, and so it's important for you to know these different regulations that are out there and more or less the focus area of them.

Speaker 1:  

One of the students that I have in CISSP Cyber Training, we went back and forth quite a bit on some of these questions and she did an outstanding job. Basically, her point was she followed our blueprint, maintained the blueprint, did the blueprint and then, as she was doing the blueprint, she went through the different types of podcasts that we had, the content that I have on CISSP Cyber Training, and she passed the CISSP her first time. So she did a great job with that. Very proud of her. And again, though, it comes down to, she followed the plan.

Speaker 1:  

If you follow the plan, you will pass the CISSP, but where it gets into trouble is if you don't follow the plan and you kind of come up with your own ideas, yeah, then it's a crapshoot. And if you've played craps in the gambling world, yeah, I'd never win ever. I always go on black and then I lose. Is that even part of craps? I don't even know. Anyway, that's roulette, let's see. I don't even know what I'm talking about there.

Speaker 1:  

So then, once you get done with that, you follow up with your audit recommendations and then you ensure that these are implemented to meet the things that you found in the assessment. So your security patches, you make sure that they're updated. Is there any of the mitigations that you put in place? Are they sufficient, or are you going to allow them to basically continue or you're going to remove them? So you're going to need to follow up after the end of that audit. And then the last thing I want to get into is the continuous improvement.

Speaker 1:  

Again, you want to utilize the audit outcomes, not just, and when I say that, it's so often I've seen audits that have occurred: you get the report, you then put it on a shelf, never to touch it again. You really want to utilize the outcomes of these audits to then implement changes within your company. So one example would be, I've seen numerous. If you guys go to, what's the name of it? It's with Troy Hunt. Have I Been Pwned, I think that's what it is. But you can see all of the passwords that have been compromised. And then in the case of, say, maybe you have within your organization, all you require is username and password. Well, if you know that that's all that you require and you know that almost 99.9% of the people out there reuse passwords, you are setting yourself up for disaster if you don't put in place a stronger password policy, or maybe potentially multi-factor. And if you're doing that, that would be maybe a finding from the audit, that they recommend putting in multi-factor to help reduce this risk. Now you take that information and you implement it within your organization. That's the outcome you want to try to have.

Speaker 1:  

You also want to get into risk management and then policy procedures and revisions. And what does that mean? So your risk management: you want to then turn around and look at, if you know that you're in an industry that has a higher level of risk for cyber attacks, then you need to look at what you should do in that space. So if I'm at a high risk for cyber attacks or my system is highly critical, and the audit said that you have critical systems that could be compromised, you then need to go and have a better, stronger backup policy. You need to have better resiliency within your organization, maybe have a segregated network architecture, all of those things. If the audit came back and said to do this to help reduce your risk, you should go do it, and therefore that would be the expectation: now that I did this audit, now that I know that I should go fix these things, I am now going to go fix them. And then the last thing you should avoid, or you should go and make changes to your policies and procedures to reflect these changes.

Speaker 1:  

So use the multi-factor as an example. If I have a policy, one, I increased my username and password, my password complexity, so that would be in the policy. Two is I have multi-factor as a requirement for anybody gaining access to my business information. That would be in the policy, and I would then revise my policy to meet what I'm requiring them to do. And the purpose of that is just so that people see it and they go, aha, yes, I need to make changes, because this is why the multi-factor kicked in, because of X, Y and Z. So it's important that it's an ecosystem. It's a round, it's a donut that you start at one end and you end up all the way back around, and, yeah, donuts are good, but that's it, right. That's what you're supposed to do, and if you follow these procedures and you follow what's in this podcast around audits and assessments, if you take that away and you just do the basics, you will create a very solid and robust program around your overall policies and, basically, the overall cycle of audits and assessments. So that's basically what I have for you today, and one thing I'm going to go back over to is CISSP Cyber Training. There's some great training out there for you, specifically to help you pass the CISSP.

Speaker 1:  

I am going to tell you that the prices are going to be going up very soon. I haven't had a chance to put it in place. I wanted to put it out for Black Friday. I'm just too bloody busy, so that will be coming. My plan is to have that in place by Christmas, but at a minimum. The prices are going up due to the fact that demand is just so much and I can't keep up with the overall capabilities. So the value is just going to be there for you. I guarantee you you will be happy with what you see.

Speaker 1:  

There's a lot more products that are coming out with that increase. There's a lot more capability that you're going to have. In some of those, you're going to have much greater access to me specifically, and so I can help you with your mentorship of your cybersecurity career as well as I can help you with studying for your CISSP exam, because that's what I'm here for.

Speaker 1:  

Right, we're putting this together. I want to see you succeed. Just because it's so important for you to get out there, I've seen time and time again that there's more and more issues that are happening. I just saw another water treatment facility that got hacked. It's imperative that you all get your certifications, because you got to get your certification to get the jobs, and I feel strongly that you all will be a big factor in helping protect our global economy, our global world, from cybersecurity attackers that are coming after all these different companies. All right, again, go out to CISSP Cyber Training. It's amazing. You've got great content out there. If you haven't gotten in now, I highly recommend it, because the prices are going up and I just haven't had a chance to do it. So have a wonderful day and we will catch you on the flip side, see ya.
