CCT 186: Security Audits and Assessments - From Real-World Applications to CISSP Exam Prep (Domain 6.5)

Oct 21, 2024

Unlock the secrets to enhancing your organization's security posture by mastering the art of security audits. Tune in to discover how security audits play a pivotal role in both the CISSP exam and real-world scenarios. Through personal anecdotes and expert insights, we explore how conducting effective audits with departments like finance can transform your approach to cybersecurity. We also introduce Vuln Hunter, an innovative open-source tool showcased at the No Hat Security Conference, designed to detect Python zero-day vulnerabilities. Learn how this tool could be a game-changer for your development team by catching issues like cross-site scripting before they make it into your live code.

Navigate the complexities of security assessments versus audits as we break down these critical processes. With a focus on setting clear parameters to ensure efficiency, we explore the importance of understanding potential risks and planning effective responses. Through discussions on the roles of internal, external, and third-party audits, we highlight the necessity of senior leadership buy-in for successful internal audits and the strategic value of aligning your security efforts with regulatory compliance frameworks such as PCI DSS, NIST, or ISO 27001.

Finally, join us as we spotlight the charitable mission of the CISSP Cyber Training program. Every dollar from this initiative goes toward supporting a nonprofit organization dedicated to helping adoptive children and their families. Driven by a personal passion for making a difference, we're dedicated to using this platform to foster both cybersecurity knowledge and positive social impact. Help us spread the word by rating us on platforms like iTunes and YouTube, and be part of a cause that matters.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go. Cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Good morning everybody. This is Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday and today we're going to go over some great parts around the CISSP, so I hope you all are excited and strapped on, ready to go, because it's going to be a wild ride. You know it, it always is. That's also sorry.

Speaker 2:  

For that, I sound like Lou Rawls or the guy on the Arby's commercial that has got the meats because, yeah, I've got this deep voice because I've been fighting a cold for about the past week and a half. My daughter she graduated from basic military training from the Air Force and we went and saw her and got to experience that. It was a great opportunity and in the process I was exposed to around 2,000 people and of which somebody had a cold or something who knows what it is anymore. But yeah, so I have this really cool, sexy deep voice right now and maybe you're probably not thinking it's sexy. You probably all think it's quite annoying, like my wife, but that is okay because we are going to get into something around domain six today and today is domain six and we're going to be getting around the aspects of conducting security audits, and one of the aspects that you will focus on when you are doing your CISSP is around security audits and where do you do them, how do you do them, and so on and so forth. And an aspect also that you'll see in this is when you get in your own world and you're out there doing your own security stuff, you may be called upon to do security audits for different agencies, different entities within your company. I've had to do multiple audits for my finance team because they didn't understand the security aspects of these questions and I had to assist them during the audit process.

Speaker 2:  

So we'll get into a little bit of that, but before we do, I had an article that was out there in The Register. It's around an open source LLM tool, which is your learning large learning module module or model. Yeah, I see I can't speak either. I sound really cool and I can't speak, so it sounds to be a great way to start a podcast, but it's primed to sniff out Python zero days, which I thought was interesting, and this is the part where the LLMs you know people are like well, people are going to cheat. I had when I was teaching college. We thought students would cheat using LLMs, which they did, but they're getting better and better so that now they can cheat without me knowing that they're actually cheating. But that being said, that being aside, is the fact that this LLM is actually going out to sniff out Python zero days.

Speaker 2:  

Now, Python as a whole is a pretty substantial amount of the code development that occurs within the overall ecosystem of the globe, and even I was exposed to Python doing teaching stuff when I was at Wichita State here in Kansas, and a lot of it is because there's big companies that are using it. Obviously, it's open source, so there's a lot of ability to reuse libraries. There's also rapid development and evolution in that whole space, and so Python would be a really good language to start on. C# maybe not so much, because it isn't as prevalent as something like Python, and a lot of the open source stuff is in Python. So therefore, this tool was potentially an option for that ability, and this software is called Vulnhuntr, V-U-L-N, vuln, hunter and then H-U-N-T-R, and it was introduced at the No Hat Security Conference in Italy on Saturday, and what's the interesting part about this is that it has a great capability to really help companies that have development teams to maybe run through their code to make sure that there aren't any potential zero days in there. So what their quote from them is it automatically finds project files that are likely to handle remote user inputs and they look for potential vulnerabilities and then they look for specific ways to optimize and fix those vulnerabilities.

Speaker 2:  

So I think it's a really cool tool, especially if your team has a development team. You have a development team in your organization. The one part they have is it looks for cross-site scripting, cross-site request forgery vulnerabilities and then also privilege escalation. So there's a lot of different tools it'll work with and I'd say honestly, if you had a situation where you worked a lot in Python and you didn't know how your development team was as it relates to security issues, this might be something to put out there just to see, just to see how it would work out potentially for you and your organization, and even if it only found a few things, that's already a way up than just having it out once your team gets done and they promote it to production. It's a good way to get started. So I think it's something to check out. Go to The Register, that's theregister.com, and there's an article in there. Again, the open source LLM tool is primed to sniff out Python zero days. So Google "LLM Python zero days" and see what comes up, and that might be an opportunity for you to help in your organization.

Speaker 2:  

Okay, let's get started in what we're going to talk about today. Okay, this is over 6.5 of the ISC² manual around conducting and facilitating security audits. So, as we all know, audits are an important factor in everything you do in cybersecurity, and there's also a lot of reasons why you have to do audits, and so the CISSP folk wanted you to focus on understanding, one, how do you conduct them, two, how do you facilitate them, and then what's the importance behind them. And I think understanding that key concept is a big factor going forward. I get called on routinely to do audits for various companies, and so this is an aspect that is near and dear to my heart.

Speaker 2:  

Now I will tell you, is it the most sexy thing in the world to do? No, it's not. It's not the most sexy, it is one of those that can be laborious and time-consuming, but the outcome can be very promising if they're done right. And not just that they're done right, it's the fact that where are the findings from the audit utilized by the senior executives to fix the actual problems? So that's where it's a win-win is if you actually do the audit and then, when you have to get done with doing the audit or the assessment, they bring you in to fix the problems. And so that's a key, really key point.

Speaker 2:  

And I've done multiple audits with PricewaterhouseCoopers, with Deloitte, with all these the big three folks that do audits and my organizations. They would come in and they would find findings, but for the most part they were relatively positive findings or positive reports. And I'm not saying that to say my audits were awesome. No, they're not. We had some really good people. But what I was saying is I focused on the basics, and if you focus on the basics, if you have an audit that's coming in and say you are the security person and you get an audit that's headed your way, you're going.

Speaker 2:  

What do I do? Well, if you focus on the basics, that's what the audit teams are primarily looking at. They want to make sure that you have the things in place that will help reduce the risk to the organization and therefore reduce the risk of a potential bad thing happening. So let's get into that. So, when you're dealing with security audits, what is a security audit? Right, it's a key concept. I don't know what that is. So if you've heard first time, you've heard this term. Well, hey, welcome to the party. If not, then you know, maybe this will open up some new eyeballs, or that's really open up eyeballs. Yeah, that's really bad. Anyway.

Speaker 2:  

So a security audit is a systematic examination of an organization's information security practices to assess compliance with regulations, standards and internal policies. So a good example of this is you have in the United States government when you're dealing with the Defense Department. They have to meet the CMMC standards, which is your Cybersecurity Maturity Model Certification, and if you want to meet the CMMC model, you have to go through and have various audits. You have to meet these audits and the purpose is then to make sure that your organization is meeting the standards, in this case the Department of Defense. Now, it could be around financial audits, could be HIPAA, medical-related audits, it could be any of those. But let's boil that down to what are the main things they're looking for and focus on the fact that most of the audits are tied to a standard, which we'll get into in just a little bit. But the standards are to ensure that you are actually meeting or exceeding those standards so that if they know an auditor comes in, drops in with their parachute and says, okay, where are you at? If you are following this standard, now they know that, hey, as long as they're not lying to me, which then they ask some more questions. Again, like when my kids are lying, I ask deeper questions to find out if they're really telling the truth or they're lying. They'll ask deeper questions to make sure that, hey, do you really know what you're talking about or is it just a bunch of smoke and mirrors? But again, it's around compliance with regulations, standards and, potentially, internal policies. You may have your own internal policy that maintains this level of standard within your company. So, again, the importance of them is.

Speaker 2:  

We talked about compliance and regulations ensuring your security posture meets a certain level. Now, because you may be in a governmental type environment, you have a security posture that needs to maintain at a certain spot. An example is CMMC, or maybe you have an own internal audit team that is constantly looking at your environment. That way, you will have to maintain a level of security around that. It's also to improve your operational efficiency. An example of this is, let's say, for a point you are currently provisioning accounts to anybody who starts in your company. Well, you have a very manual process, but the auditors recommend an automated process to provision new accounts with new credentials, with new entitlements, and you actually then go through and you get that done. Well, now it went from taking a process that was very potentially error-ridden and taking a long time to being a very quick process where now your individuals that were doing that before can now work on something different, and so the point of that is it improves the operational efficiency of your company. So that's a great finding of the audits, but they can get overwhelming and you have to then, once you get the audit findings, break it down into bite-sized pieces that you can actually go and implement in a time frame while doing your job at the same time, and then support business continuity.

Speaker 2:  

A big factor you see this in today's world is business continuity, business resiliency. What are you going to do when you get pwned? Because it's going to happen at some point in time, your company's going to get pwned or aspects of your company are going to get hacked and you're going to have to deal with it. So by going through the audit process, it will help support your overall business continuity and your business resiliency. So it's again important parts.

Speaker 2:  

Now, when you're conducting a security audit, you need to complete. First off, there's a complete or cyber risk assessment. Now, an assessment and an audit are two different things, but they get used and unfortunately by me, sometimes used synonymously, and they're not. They're not an assessment, it's just a quick brush, look at what's going on. It might be a deep dive into a certain area, but at the end of the day, it's just an assessment. It's an assessing of what's actually going on within your organization, where an audit is a formalized process in which someone's going to do a deep dive within your company on a specific topic.

Speaker 2:  

Now that comes into where you have to determine the scope, the boundaries and requirements of these audits. What is the limitations? How deep can they go? Where do they have to stay within? Because what can happen is I've seen it where you didn't set up a scope for these folks, they can get extremely broad and they come back with all kinds of findings and say, yes, you suck, you're a terrible organization. You guys should just quit right now and go away. You can get that right, but that can get. It's not helpful. It's expensive, because the longer they stay with you, the more money they charge you, because they're charging you per hour. So it can get very expensive and then it doesn't give you the results you want.

Speaker 2:  

So you need to if you want to focus on a very specific niche, niche A, if you want to focus on that niche, then you need to target them in that. So let's just say it's account provisioning. I want to know, I want to do an audit of my account provisioning, because I see it as one of my biggest weaknesses within my organization. Focus on that and that's what they'll do. It'll help identify potential threats, from carelessness to human error, technical threats, you know.

Speaker 2:  

Again, one of the pieces that comes into is the insider aspect. Right, I do insider risk for companies. I help them get that set up. One of the things I would ask of them to do is, first thing is, do a good quality assessment of their overall processes to determine where they may or may not have an insider risk problem. And that's another aspect of it. And this also could come back to the development part. Right, if you are a development shop and you see that they're not doing any sort of development work and they're not incorporating security within their development processes, that might be something that you would say is an internal problem we need to fix, and so that's where this audit can come back to. It helps with vulnerability identification again, and then also highlights where they might be mitigated by certain levels of controls you may have within your company, and then it also will help identify potential controls you can put in place to limit these issues that you have. And the other thing around an audit that's important between an assessment so an assessment if I do it internally I did it for a company and for maybe a part of my organization what'll end up happening is that audit finding can be go okay, hey, that's awesome, you're great, thank you. Move on to the next. But when it comes, that's an assessment.

Speaker 2:  

When it comes onto an audit, an audit typically typically not always, and we'll get into this in a minute is external and you may have an external party do an audit of you. If they do that, they'd have a piece of paper that says okay, you just spent like $100,000 on this audit. I need you now to go do what it says and use it as the template to fix the problems you have within your company. So again, those are just areas that I think about. So when you're looking to also add an audit, you need to determine the severity, assuming the vulnerability has been exploited within a company. What would happen?

Speaker 2:  

So this talked about the onboarding of new people. Say you didn't have a manual process and say that a vulnerability has exploded in your overall process in place. And now what happens? What could happen if you can no longer provision individuals? Now a small organization, that might not be a big deal; a larger organization, that maybe you have a lot of contractors and now you can't bring contractors onto your company, that could be a really big deal. So it just comes into where you have to impact the severity of that. You need to determine your risk level and this is based on the likelihood of this occurring. Where, how often will it happen within your company? And then what would be the potential impact if that were to occur? And then, lastly, is what is your response to this piece of this? So they would check to see if something bad did happen within your organization. How would you respond? How would you deal with the highest risk items first? What would you focus on? So, again, those are key aspects that you'll run into when you're dealing with an audit.

Speaker 2:  

Now, an internal audit this is we're going to break these into three different parts. So you got an internal, an external and a third party. And the external and the third party we'll get into is a little squishy, but it'll make more sense as we get into it. So, an internal audit this is conducted by an organization's own security team or personnel. So, again, this is you are of that auditing team and this can be in a cost effective way to really get a good understanding of the internal processes within your company. And we would do internal audits within my own company. I would also then act as an external auditor to other companies that I worked with, but I was still internal to the company. That's the part where it's really kind of squishy.

Speaker 2:  

But when you're dealing with an internal audit, they are very effective. They can be as long as again, repeat, as long as you have senior leadership buy-in on what you're trying to accomplish. I've done audits and assessments internally and they have been absolutely worthless and all I've done is wasted a bunch of time and wasted a bunch of money because you give them a product and the CEO is like, yeah, okay, thanks, have a nice day. The only reason I'm doing this is because checkbox done. But again, knowing that going into it, it's important for you as the person who's responsible doing this and as a CISSP with your integrity right, we got to have that.

Speaker 2:  

Key factor being at CISSP is that you provide them a great product so that if and when they may do make changes and they want to actually do something with it, it is there and available for them to do with it. Yeah, that was a really bad run-on sentence, but the point of it is is that that's available for them if they ever want to do it. Also, here is the CYA part of this. Again, you need to provide them the best product you possibly can. You need to give them the great service you need to make sure that it's there and with all the integrity. You have to wear out some of the highest risk to your company.

Speaker 2:  

But on the flip side, there's a little bit of CYA in the fact that if they get audited or something bad happens and they come back and say you did not do this, you have a piece of paper saying oh no, yes, I did See. Here it is Ha-ha. You didn't want to do anything about it. Also, keep very good notes. Yeah, keep notes because you never know, you could get pulled into something that you really don't want to be part of. And it's good to have notes to remember what you did, because I don't remember what I did yesterday, let alone six months to two years from here. So again, that's again.

Speaker 2:  

Internal audits, again really good. One of the disadvantages again is I didn't really mention this was the potential for bias or lack of objectivity. It is true, you know where all the dead bodies are and you can say well, I know we're going to get to that dead body sometime. It's not stinking too bad just yet. We'll come to it later. That's a bit of a problem, right? You have to be very objective as much as you can, but it can happen with internal audits, external audits these are conducted by independent third-party auditors. Now this can be. When you say independent third party, this could be like I mentioned before you could be part of an internal.

Speaker 2:  

Now I've worked with large Koch Industries. At the time I was a very large, large company, right, 140 million or 140,000 people, a multi-billion dollar company and working in security for Koch Industries. Great opportunity, super opportunity, very good company. That being said, I worked on auditors. I was an auditor for some of the other Koch companies that I'd have and I'd come in as an independent assessor and look at what they had in place, and it did give me the ability to have more of an objective look at their environment. It also I knew where some of the dead bodies were. So I wasn't as objective as I would be, coming as a completely third-party auditor, but I was much more objective than just going in without having any knowledge at all. So it was a good trade-off. So that's where I can see you as an individual working to do an audit for somebody that's internal to your organization, to your overall company, but yet not working within your specific space of that company. So the advantages of it it's objective, it's specialized expertise. Again, they pulled me in for a very specific reason. Right, insider risk is a big thing. They focused on that. That's where I would do that.

Speaker 2:  

Disadvantages: you have higher cost, potential for communication gaps, and that is true when you're dealing with an external auditor. It will cost. You do not go into this thinking it's going to be inexpensive. It is not. It's expensive and therefore, though you should demand because of the cost, what are you going to get out of this? I got to be able to get something out of this that is worth some value. That comes down to a lot of interviews that occur. So the conversations, interviews, deep dives into what is important, what can they fix, what can't they fix, and so forth. I've got one that I've got coming up here soon that I'm going to be doing for another company and the point of it is, is I? That is an area that we'll focus on, because knowing that you're coming into a greenfield that really didn't have security before, that's the other part you're gonna have to understand is, if you go into a place doing an audit where maybe it didn't have security, you better start low and slow, and what I mean by that is if they didn't have anything, it's probably a lot of dead bodies everywhere scattered everywhere, like it's like a morgue, and you're going to have to go in and pick out the ones that are really ripe, that you need to get them buried, you need to put them away, and I know it's really not even morbid this conversation. But, that being said, you're going to have to focus on that.

Speaker 2:  

Third-party audits, what are those? These are conducted by external auditors to assess security practices of third-party vendors and or suppliers, and this is a really big part in your supply chain and understanding the supply chain risks that are associated with it. A lot of companies now it's all this just-in-time type of shipping, type of supplies, and if you don't have a good handle on your supply chain, any one of those little cogs in this wheel that get busted, then your wheel ain't going to run real well. So you think about it this way, it's all. It is like a gear shifter and your gear shifter has got all these little tines all the way around the gear shifter and these tines interact with other parts of your organization, but if you were to get a hammer and bust off a tine on one of those gears, your gear isn't going to work real well. Well, so that's your supply chain. If you don't have a good handle of your supply chain and what are the risks potentially to them, you bust off one of those guys, so they just get hacked, and I've had this happen multiple times. My supply chain gets hacked and I can't use anything from them for a period of time. I just bust it off a time. Now what am I going to do? Okay, so understanding that from a risk standpoint is really important. So this is where your audit will come into play and that's what you'll focus on again.

Speaker 2:  

Scope, frequency and reporting requirements are going to come from these third-party auditors and you're going to have to deal with it. Again, coming back to expense, this is going to be expensive. Do not think this is going to be inexpensive. You're going to pay in the upwards of $100,000 for a potential audit, depending on the size and scope of it.

Speaker 2:  

And you may go you know what? I'm going to scope it down so it's not quite so broad and it's still going to be $100,000. And you're going to go. What the heck? Why is that the case? Because, one, they got the expertise. You don't. Two is they're going to tell you where your dead bodies are, which you probably already know, but they're going to give you a piece of paper that says this is where they're at. And then, three, they're going to give you recommendations on how to fix those dead bodies, how to bury them, and then you're going to be up to you to go fix it. And it's really just, you're paying somebody money to tell you where your problems are, at, which you already know, in a formalized manner, and you're like, well, this is kind of counterintuitive and it is, but sometimes you got to do that to be able to move forward, because with that piece of paper, you as an individual can then go to the senior leadership and saying, okay, I need to fix these things, I need to hire five contractors tomorrow to fix these problems, whereas if you just say I need five contractors and they're going what for? Well, because I got all kinds of dead bodies, they're going to go. Well, you figure that out. I pay you good money, you go figure that out. So that's another reason why you don't have these audits done. You all are probably going on audit crazy and thinking this is absolutely nuts. I get it, totally get it.

Speaker 2:  

Audit criteria and scope. Regulatory compliance, obviously a big factor: PCI DSS, your Payment Card Industry Data Security Standard, NIST Cybersecurity Framework, all these different pieces that are compliance that you may be required to follow. You may be required to follow the frameworks. You may be required, because of PCI DSS, to do an audit. There's standards and frameworks, as we talked about, such as ISO 27001. There's COBIT. There's different types that are out there that you may want to follow.

Speaker 2:  

I would highly recommend that if you're going to do an audit, pick one. It could be the cybersecurity framework, doesn't matter, unless you have a requirement to do ISO. I would pick the cybersecurity framework. If you're here in the United States. If you're somewhere else, another country, you have a framework that they may have that you use. If they want you to use that, use that. It doesn't really matter, but pick a framework. And I'm picking on the cybersecurity framework because it's relatively broad. It does get very narrow, but it isn't industry-specific per se.

Speaker 2:  

You want to have internal policies and procedures. That's what has been defined, what has been created, and that will help determine which ones you have. Do not go hog crazy with this and say, hey, I've got to have like 15 different policies and procedures. No, you don't. You just need to have a few and like acceptable use policy, password policy, just some basic ones you need to have and then from there move on, because what can happen is you can drown yourself in policies and nobody even listens, reads them anyway, so there's no reason for it.

Speaker 2:  

Risk assessments assess the organization's risk management, identify potential vulnerabilities within your organization. You also want to look at incident response, big factors. So if you're looking at okay, where are my holes, how do I plug my holes, and then how do I respond when they find holes that I didn't know I had, okay, that's breaking it down, that's boiling down. If you do those three things realistically, if you do an audit that can break it into those three things and at a base level, money, baby, money. You're making money, you're saving money, your people are happy with you. So that's what I would focus on. Security controls: assess and implement the effectiveness of your security controls. This means access controls, encryption, network security, you name it, all of those things. That's where you'll want to understand the security controls that you have within your company.

Speaker 2:  

Being said, don't go hog, great, crazy wild on security controls. You can tell them from the Midwest because I bring in a lot of farm animals into my conversations, but no, you don't want to have go nuts with these security controls, because the fact of the matter is is that you will overwhelm people with well, I need to make sure that I have a 56 character password. I'm like don't do it, please don't Do something simple. Right, 18 character, 12 to 18 characters, right, but even then, make sure you give them the tools, like a password manager, to maintain those passwords, because you're going to give them 12 characters and they're going to go I can't remember 12 characters and what are they going to do? They're going to go post a note or they're going to go copy paste, copy paste, and you're going to have the same problem you had before. So you're going to have to educate them on the different types of security mechanisms you're going to put in place to help them make their lives easier.

Speaker 2:  

So in an internal audit, we exercise and determine the trained cybersecurity resources you may have within your company. Do you have them? How are they trained? How are they responding to situations? What do you need to do? You'll look at them as individuals and as a group and figure out what needs to happen. You're also going to evaluate your current controls and your processes within your company. Now, an internal audit can be used synonymously with an internal assessment. Unless you have somebody specifically telling you, I need an internal audit done because of X, then I would consider it what we call an assessment, where you're doing the same type of activity, but it might be assessing one aspect of an overall bigger picture. Again, though, audit and assessment internally can be used synonymously. It just depends upon the nature of what the request is for.

Speaker 2:  

You want to have a process that builds accountability in your organization, and you want to make sure that you have buy-in from your leadership. I can't stress this enough. Your job as a security resource is to influence individuals. You can bring out the hammer and hit people over the head and make them do things, but in some organizations you can't do any of that because they just won't let you, and, plus, it's physically wrong. You don't want to hurt people. But, that aside, you want to understand that you're going to have to do this through influence. You're going to have to make sure that people want to help you for a reason. They are there to help you because they want to help you, and it does build additional accountability within your organization, because now people look to you as the leadership and as someone that's going to help them fix their problems.

Speaker 2:  

Now, the key aspect around this is who it works for. This internal audit will work for the CEO, the CIO or potentially the board. Now, security is becoming a bigger factor, in that you are now working for the board in many ways, and that means that you are responsible to the board for what you're actually accomplishing. There could be financial aspects around this as well, from regulatory requirements, vendors requiring audits, you name it, all of those different things that are in place. There also might be vendors that are requiring an audit to be done, so you have a certain vendor that's working with you. They may require you to actually have an audit completed, and they may have a document that says you have to have that. You also may be requiring vendors to have audits before you even work with them. So understanding this overall internal aspect of an audit is an important factor in your overall journey.

Speaker 2:  

So some other aspects around an internal audit would be: they're planned annually sometimes, if practical. I've had to do these. They've been annual and semi-annual, like every couple of years. It just really depends upon what you're looking at. You also want to reduce the disruption to your company and to your operations, because doing an audit can be a bit overwhelming to people, especially if you start doing interviews and talking to people, and you want to really plan for that. You'll talk with your IT, your legal, human resources; they all could be involved in this, depending upon the scope of your audit. So you'll want to be very cognizant of their time so that you're not burning it.

Speaker 2:  

Again, this comes down to the influence piece of this. One thing I've seen with IT professionals, and again, I'm a pilot by trade, so I'm not a geek, and I'd say some geeks would probably look at that and turn their nose up at me and go, you're not as smart as me, and they're right. I'm definitely not as smart as them, for sure. But there's one thing I do have sometimes, which is people skills, which sometimes they don't. And so, therefore, if you want to be in a security position, you want to make sure that you have an ability to influence people, and that comes down to people skills. And that means you're cognizant of people's time and asking them what works best for them and knowing that you have to get your project done, but they also have to get their projects done, and therefore, if you understand that and you work with them on this, you can go a long way in helping build a relationship with them. See, there's a nugget right there, big guys and gals. Well, not big gals, but, yeah, gals, yeah, because I'd probably get sued for saying that, but there's a nugget there: influence people. Influencing people is done by thinking about other people besides yourself.

Speaker 2:  

Now, the scope will determine your duration, systems, facilities and your group locations as well. So it's important to understand the different scope and to express that to the people you're working with. Now, one thing you want to understand, and this is actually a really good bullet here that I should have brought up at the top instead of at the bottom: the right-to-audit clause. So if you have contractual agreements with a third party, say someone in your supply chain, and they are working with you, you could put in there the right-to-audit clause, and I've done this with various companies, to say, hey, at any point in time, I have the right to audit you, no more than once a year. And it's worked great, because when I've had issues with some companies I will pull this out and say, hey, let's do an audit, yay, let's have fun, and they grumble at me, but it works well, because then you kind of catch them off guard. So it's something to consider when you're trying to build out your program. Again, I would be very cautious with that. Make sure your legal team obviously is involved. Don't just start adding clauses to contracts, because that will get you into trouble. Again, influencing people. You know your job, they know theirs, but help them to help you.

Speaker 2:  

Responsibilities: risk assessments, internal controls and compliance, vulnerability assessments, incident response, third-party management. Wow, that's a lot there. Bottom line is, your responsibilities with an internal audit can deal with risk assessments. You're doing all of those within your company. They also deal with helping with the internal controls for your organization. You will deal closely with your compliance team, whether it's your governmental compliance or it's your actual internal compliance. You may have one and the same, it may be different entities, but you'll work with them all. Vulnerability assessments: a lot of times the internal assessment will be part of a vulnerability assessment that's done. I would tell you the biggest nugget out of here, or actually there's two big nuggets really. I mean they're all big, but there's really the two: it's incident response and third-party risk management. If you get those right, okay, if you get IR and business resiliency right and you get third-party risk management right, and I don't mean it's got to be perfect, I just mean you have an understanding and you've got something in place, that's money, baby, because that will save you when things go sideways, which they will, and if you have a good plan for those you are going to be saving your company money with that.

Speaker 2:  

Now, external audits, what are these? These are usually a broader scope, which we talked about a little bit already. They can be done by a party outside of the organization that is being audited. Again, it can be from a third party that you bring in specifically, or it could be you doing it to another organization, and this includes internal audits as well. So this can be conducted by your own employees or it can be conducted by independent auditors. It just really depends upon the amount of money and the scope in which you want to accomplish this. This will be more objective. Again, it's kind of that middle road between internal and a fully dedicated third party, but it will give you some level of objectivity into your organization. So consider this.

Speaker 2:  

I would consider this if you have to have an external audit: before you go out and spend the money on PwC or Deloitte, maybe do this as a primer, before you bring in the PwC. So if you have to have PwC come in, one of these big, highly expensive third-party auditors, what I would recommend is doing this prior to that, because it will get everybody kind of prepped for what to expect. If you just bring in a third party and they have never really dealt with that before, you're going to run into some challenges. Your leadership's going to go, what in the heck is going on, and you're going to go, I don't know, and they're going to go, you're fired, and you're going to go, okay, thank you. You want to avoid that. So definitely, your wife or your husband would really like you to avoid that. Your family would like that. They want you to be making money so that they can live. Okay, third parties, what are third parties? Okay, these are the external parties that provide independent assurance.

Speaker 2:  

Outside auditors, specifically from external entities, are highly sought out as subject matter experts. I will tell you that many of the PwCs and Deloittes do have SMEs, but let's keep this in context. They bring these guys directly out of college, they give them something to do and they go dig deep into your organization. Now, I'm not saying they're not smart. They are very smart in what they do and they are very knowledgeable in those certain criteria areas. But again, if you really wanted a no-kidding, deep-end SME, you probably can't afford them, because Deloitte and PwC can't afford them. But, that being said, they're going to come in with a different perspective, which is going to be extremely valuable to you and your organization. A lot of times these will come on behalf of government or agencies. They'll send a third party in their place because they don't have the people or the expertise to do it. But the ultimate goal of an external auditor is to provide a good assessment of your organization, identify the challenges and give you some recommendations on how to fix them. But again, they're not affiliated with your organization. They do emphasize independence and being independent, and they are very common in regulations. Again, they're often mandated by regulations or industry standards to ensure that there is compliance and accountability across all the different audit programs.

Speaker 2:  

If you hear a cat in the background, I have tried everything in my power to get her to leave me alone, but she will not. So I apologize if you hear her. Sorry, she just won't leave me alone. I try to get rid of the dumb thing. That being said, we are moving on. That's all we have for today. I hope you all have a great day.

Speaker 2:  

Again, go to CISSP Cyber Training, get my program, get the stuff that's there. I've got some... It's always adding and getting better content in it. Again, all the proceeds from CISSP Cyber Training go to our nonprofit for adoptive children and their families. Again, I don't take any money from this. It's all going to charity.

Speaker 2:  

Just because I'm blessed, I don't need... I don't say I don't need money. Of course I need money, but I don't need money to make my pockets any deeper or bigger or whatever. That all can go to people that need it way more than me, and we feel the need of families who are trying to adopt children. They need extra help, and so this is going to the nonprofit that is stood up or is going to be stood up for that specifically. So we're pretty excited about that. That should be done here in December, and we're just hoping that everything's going to go well with that. But yeah, it's a bit of a tangent. Anyway, have a wonderful day. Again, go to CISSP Cyber Training. Give me a thumbs up on iTunes, YouTube, all those wonderful places I've got out there. Again, if you do that, that helps the exposure and helps more people know about CISSP Cyber Training. Thanks again, have a wonderful day and we will catch you on the flip side. See you.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
