CCT 218: Design and validate assessment, test, and audit strategies for the CISSP (Domain 6.1)
Feb 03, 2025

Unlock the secrets to safeguarding your cloud storage from becoming a cyber attack vector in our latest episode of the CISSP Cyber Training Podcast with Shon Gerber. Discover how neglected AWS S3 buckets can pose significant threats akin to the notorious SolarWinds attack. Shon breaks down the importance of auditing and access controls while providing strategic guidance aligned with Domain 6.1 of the CISSP to fortify your knowledge for the exam. This episode promises to equip you with the essential tools to protect your cloud infrastructure and maintain robust security practices.
Transitioning to security testing, we explore various methodologies and the vital role they play in incident readiness and data integrity. From vulnerability assessments to penetration testing and the collaborative efforts of red, blue, and purple teams, Shon sheds light on the automation of these processes to enhance efficacy. We also demystify SOC 1 and SOC 2 reports and discuss their criticality in vendor risk management and regulatory compliance. With insights into audit standards like ISO 27001 and PCI DSS, this episode is your comprehensive guide to understanding and applying security measures across diverse sectors.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.
Speaker 2:
Hey, I'm Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Yes, it's an awesome day for me. I'm in a great place, a great location. I'm actually in Buffalo, New York, today, so that's where I'm recording this podcast. So, yeah, I'm just doing some contract work and had some time in the hotel, so I thought I would do a podcast on some great stuff that's going on that I'm seeing in the news, as well as we're going to be talking about 6.1 of the CISSP and the ISC2 CISSP book/manual.
Speaker 2:
So before we get started, I wanted to talk about the abandoned AWS cloud storage, a major cyber attack vector. So one of the things we've talked about in CISSP Cyber Training is the use of AWS or any sort of cloud platform to store and process data, and it's a great tool. It's an awesome tool. Any of these cloud platforms can be incredibly useful for you in what you're trying to accomplish at your organization. However, there is a small challenge, and I've seen this personally myself: what happens when the AWS (and we'll just use AWS in this situation, but it could be any cloud storage, GCP, Azure or so forth), but anytime the data is left orphaned and left unavailable or left not dealt with, what ends up happening is things can go sideways. And yes, so we're going to be talking about something that potentially could be going sideways if you have an AWS cloud account. So, basically, what is this situation? Well, what it comes down to is AWS has what they call S3 buckets. Right, S3 buckets are storage locations you can use to store data that you want to be within S3. Now, what can happen, though, is when people don't pay their S3 or their AWS bill, what ends up happening is you can have orphaned accounts. Attackers can re-register these neglected S3 buckets, and that can allow them to actually serve malicious content to systems still requiring data from these specific sources.
Speaker 2:
So let's say, for instance, you have a server that's down, you don't deal with it from AWS, you don't pay the bill and it's just sitting there. Well, then bad guys and girls go and say, well, look, let me go turn this on, I'm going to put some bad stuff on it and let's just see who talks to it. So, in the process of doing that, it then acts as a honeypot that's got a bunch of data in it, or a bunch of malicious software, that could then be connecting to systems that are within various aspects of your organization. It could be where they're providing the supply chain. It could be where they are actually connecting into your servers. So there's a lot of issues that can happen with this, and it potentially could end up being used for large-scale supply chain attacks, very similar to what occurred with SolarWinds, and these organizations may unknowingly or unwittingly download malware from these trusted update sources, because these systems were trusted at one point in time and then they were put in a defunct status and they no longer are being used. So it's an interesting article about how this works and some of the mitigation strategies.
Speaker 2:
Obviously, around dealing with this, it's properly decommissioning your unused cloud storage. I would say it's probably one of the biggest aspects, and I've had this happen to me, where there was some cloud storage I set up and I totally forgot about it. Next thing I know, I got a bill and I went, wait a minute, where's this at? And so, needless to say, I too had some cloud storage out there that was not being managed properly. That has since been shut down. But the point is, it can happen, and I'm just a little guy, right, I'm nothing compared to these companies, so if that's the case, you can only imagine that there's more of these types of situations out there.
Speaker 2:
You also want to regularly audit and monitor your S3 buckets. You really truly want to have an application that will then go out and monitor these S3 buckets for activities. I know they're expensive, I've used this in the past with my other company, and they can get very expensive. However, it's an important factor in helping you to understand what is actually out there within your organization and what you're paying for and where data is sitting and residing. You need to enforce strict access controls on what might be out there, that's another option, and then also, obviously, ensure software updates are being accomplished for all of this environment. So, again, this basically comes right down to: you should really truly look at what's out there within your environment and you need to make sure that you have properly gone through and decommissioned these systems as they are no longer needed. So again, interesting article. Again, it's in Dark Reading. The title of it is called Abandoned AWS Cloud Storage, a Major Cyber Attack Vector. So if you've got AWS or any sort of cloud, you may want to read it and then think about what you want to do.
Speaker 2:
Okay, let's get into what we're going to talk about today. Okay, so this is Domain 6.1, design and validate assessment, test and audit strategies, and you can see this is all part of the ISC2 CISSP book. These are for folks that are studying for the CISSP, and if you are, go to CISSP Cyber Training and get all the good stuff there. Yes, I've got free content, gobs of it, as well as, if you want to pay for it, I've got some awesome capability within my blueprint that will walk you through step-by-step for the CISSP exam. It'll put you in a good position to pass the test the first time. Right, I didn't pass the first time. I didn't have this book, or actually I had the book, but I didn't really study well, so that's kind of why CISSP Cyber Training is here.
Speaker 2:
Okay, so an overview of this. We're going to talk about some key aspects around this, and there's a few more items in here as well. We're going to be getting into CRI, we're going to be getting into Type 1, Type 2, SOC 1, SOC 2, as well as some of these different aspects. So we're going to cover maintenance activity for these information security systems as it relates to assessments, and testing includes tests, assessments, audits. We're going to kind of get into some of that a little bit, and then we're going to ensure that the controls are functioning correctly and efficiently, and we're going to kind of get into some of the basics around that.
Speaker 2:
Okay, so before we get started, one of the things you want to consider is building a security assessment and testing program from the ground up. Now I will tell you that this is something that, if you can do it, you have great opportunities for you in the consulting world. It also will help you in your organization, because building a security assessment and testing program for your company can be a bit onerous, especially if you've never done it before. But when it comes right down to it, a well-defined security assessment and testing program is really an important part of the overall security, compliance and operational integrity of any organization's IT infrastructure, and it provides a structured approach for evaluating the controls and identifying any vulnerabilities you may have that could potentially be exploited. So it's a big factor when you're looking at a company, and so you want to consider how do you set up your own security assessment and testing program?
Speaker 2:
Now, when you're dealing with this, there are some buckets you need to consider. There's risk identification and mitigation. This is where you understand the gaps within your system, and then you have applications that are associated with your applications and processes, and you understand what those are. So then at that point, you try to go in and mitigate these issues. You also need to understand, are there regulatory requirements that force you to do this? Do you have to deal with any sort of the financial sector? Are you in the medical environment? All of those pieces can fall into the regulatory compliance aspects.
Speaker 2:
Another thing to consider, though, around security assessment, and this is one that I feel is probably not as well addressed, is the continuous improvement. So often we get into security assessments and it's a checklist-driven event, and you're like check box one, check box two, we're moving on, but in reality, it can be a very good opportunity for you to improve the structure and the security of your company. Then threat prevention and detection. This helps you proactively identify weaknesses and also areas where your adversary could potentially exploit. So that's part of building a security assessment program.
Speaker 2:
Now, some other key components around this are defining objectives and scope. You want to make sure that you have good objectives, clear goals, what you're trying to accomplish, and then you define the scope, which would be the applications, your environments (we talked about cloud environments, could be that), and that's where you kind of figure out what you want to assess and test. Now I would recommend, if you don't have something like this in place at this point in time, start with the governance, start with building out the structure, what does it look like? And then pick an area that is small and start working on that. The reason I say that is because if you start in a big area, you're going to get confused real quick on what needs to happen. It'll be overwhelming and you won't get accomplished what you want to get accomplished.
Speaker 2:
The next thing is security baselines and policies. You need to understand industry frameworks to help you with your company. So they could be the NIST Cybersecurity Framework, it could be ISO 27001. It could be many different types of frameworks that are out there, but consider one. CRI is another one that we'll kind of talk about here at the end of this. So there's different frameworks you can utilize to help build out your security assessment and testing program. You want to define the security standards for systems, applications and network configurations.
Speaker 2:
Now, the standards are an important part. What does that mean? You need to consider what is the baseline to which you're going to deploy these systems? What is the standard to which they would be specifically deployed? You also need to have some testing methodologies. This would combine automated scans with potentially manual analysis. You would use red teaming, blue teaming or even purple teaming, which is your blue and red together, to be able to help you understand what is going on within your environment. What kind of assessment are you going to do? Are you going to do something that's broad brush? Are you going to do something that's very narrow and laser focused? This will help kind of guide you down that path.
Speaker 2:
Some other key components around security assessments and testing are your stakeholder involvement. You need to make sure that your stakeholders, which are your teams, your administrators, your senior leadership, all are aware of what you're trying to accomplish and are aligned with doing this. Another thing to consider is your external auditors, and when you're working with companies that may be in the defense industry, they could be in the financial industry, you want to potentially work with some of the external auditors on what may be something that would be valuable to them from a security assessment standpoint. You also want to take a risk-based approach, and you want to prioritize your testing based on the business impact and the overall threat intelligence to your company. So it's important you understand the risk behind this. Always focus on a risk-based approach. You want reporting and remediation. This would be implementing vulnerability tracking systems, and also ensuring executive-level reporting for your strategic decision-making processes. So, again, building security assessments and the overall process by which you should do this: there's some different things you can follow to ensure that you can deploy it in a correct fashion.
Speaker 2:
Now, the next thing we're going to talk about is security testing. Now, this involves evaluating the organization's IT systems to understand the vulnerabilities and weaknesses that may potentially be in your organization, and these could also just be misconfigurations that may occur. Do you have your servers set up so that they're allowing external activity to outbound IP addresses, so they have the internet connected to them? That would be a misconfiguration. You wouldn't want your servers connecting to the internet unless they are very specific servers dealing with web applications, so you wouldn't want that. That would be a bad thing. So it also includes various testing methods tailored to different attack vectors, and you need to kind of understand what those are. So when we're dealing with the purpose of security testing, again, it's to identify system vulnerabilities, to find the gaps in the security controls that you may currently have in place. It's also to assess the effectiveness of these controls, whether the security measures that you have in place are actually being utilized to the level they should be. Are they doing what they're intended to do, or are they just in name only? Okay, so you want to make sure that you understand the effectiveness, because just because a control is enabled, is it actually effective?
Speaker 2:
That is an important part. It also helps you improve your incident response readiness. Why? Well, one, when you do security testing, you understand what is out there, but also then, as you go through, you practice your incident response readiness processes. It can help you organize your company in a way to help detect and respond to attacks. It all comes down to this: it's not a matter of if you're going to get attacked, it's a matter of when, and so helping you to understand your incident response process is an important part in trying to make sure that you can be ready for these storms as they come your way. It also helps you ensure data integrity and availability. This helps prevent unauthorized access, data breaches and service disruptions. So, again, security testing is an important part of any enterprise security program.
Speaker 2:
The other thing you deal with in security testing is what we call vulnerability assessments. These would be automated scans of systems for known weaknesses that are out there. These are usually tied to the CVEs or CVSS scores, and that would be something that you just basically turn on and let run. There's lots of different programs out there that can help you, and I think I've got some tools here in a couple of slides that'll kind of give you some examples around that. You also have penetration testing. This is where you simulate cyber attacks to test system defenses. You have white box testing, which is where you have full system knowledge. Black box, where you have no knowledge. I used to do this. Basically, they'd go, "Okay, hey, you need to go and attack X Air Force Base," and so what I did was black box. We had to go and sniff around and try to figure out what's going on. That's black box. Gray box is where you have some knowledge of these systems and the configurations. We would do this in the network scanning capabilities, where they would drop us inside the network, so you understand the network and potentially the IP infrastructure, but you really don't know much else about it, and so that's where the gray box testing would come into play.
Speaker 2:
There's also fuzz testing. Now, this is where you're feeding random or malformed data, or potentially other aspects, to an application to see what happens when you do that. So you throw it some stuff and you see if it barfs, see what it throws up, see if it gives you all kinds of information. That is what we consider fuzz testing. Now you have static application security testing, or SAST. This examines the overall source code for vulnerabilities specifically, and this can happen within your CI/CD pipeline. You can have SAST application security testing involved. The other one is dynamic application security testing. This is called DAST. Now, this is where it tests the application security specifically as it's running in a specific state. So again, SAST is your application security testing based on the source code. Dynamic security testing is where it's actually playing with the application itself and trying to see what it's going to do when it starts clicking on buttons. The more automated you can make this process, the much better off you will be in the long run, and I'd highly recommend it. Manual testing is just a pain in the bottom. So consider the dynamic piece and automate it as much as you can.
Speaker 2:
So we talked about red teaming and blue teaming. Right, red teaming is an ethical hacker simulating real-world attacks, whereas a blue team are defenders actively responding to threats. You deal with purple teams when both red and blue teams are working together to improve your overall security posture. As an example, we would have pen testers that would come in. We knew they were coming in. We would then have a debrief at the end of the day of what they found, what they didn't find. That's more of a purple team kind of collaborative effort. So again, that's another path you can chase when you're dealing with security testing.
Speaker 2:
Some security tools you've got, and we talked about, I've mentioned some of these. Vulnerability scanning: you've got Nessus, Qualys, OpenVAS; those are some of the scanners. You've got pen testing frameworks such as Metasploit, Kali Linux; I used Metasploit quite a bit in my previous life. Web application security: you've got Burp Suite, OWASP ZAP. Those are other ones that you can do testing around applications with, and OWASP ZAP is available for anybody to use. And then code review tools, like SonarQube and then Checkmarx, will actually do some code review of what you have in place. I've never used the code review tools, but the other three bullets, I have definitely used those in some form or fashion.
Speaker 2:
So you're dealing with security assessments. This is a comprehensive review of an organization's overall security controls. This is where they come in, they do a review of everything going on, and these typically can be done both internally or by third-party folks. Now the self-assessments are, you know, I would go in, I would look at myself and I'd measure myself to this standard, but in all honesty, you get a little bit of bias when you do that. Now the third-party assessments, these are external firms that will conduct an independent evaluation of where you're at, and the goal of these is to determine that the security measures you have in place align with your organization's goals, and this helps identify risk and also develop mitigation strategies around that. So the ultimate purpose is to find these things, right. It ensures compliance with internal and external security policies and, potentially, some regulatory requirements. Because of that, you may have situations where your auditors come in because you're a fintech type of company and you have to have annual security audits completed. Some types of security assessments I mentioned:
Speaker 2:
You have a self-assessment. This is where you internally review based on what's going on within your team. You have third-party assessments. This is an external security firm that will come in and look at it as an independent evaluation. And then the risk assessments themselves will look at and identify threats, vulnerabilities and potential impacts that may need to be mitigated, and so the risk assessments can be done, most likely by your risk team, but they can also be done by yourself and by third-party assessments, or assessors, I should say. It just kind of depends on how you want to roll that out. Compliance assessments, these will ensure that you're aligned with industry regulations and frameworks, and this is where the regulators do come into play. Many times, when you're doing an investigation, not an investigation, an assessment, you will involve your compliance folks. Especially if there's a requirement for a regulation tail behind this, you'll want to make sure you bring them in.
Speaker 2:
Some different methodologies you can get into around assessments. You have your Cybersecurity Framework, or the CSF. This will help you with that. It's a very broad, general type of framework. It's good; I think it's great for most companies in most places. But the general CSF is really good for most businesses. ISO 27001 security assessments, this is based on international standards, so if you're an international company, you may want to consider using 27001 security assessments. You have your OWASP Testing Guide, which will help with your web applications. It's a very good tool that gives you best practices around what you should do. And then there's the CIS Benchmarks, which are basically prescriptive security configurations for your systems and different applications.
Speaker 2:
Now the NIST 800-53, this is your security and privacy controls for federal information systems and organizations. Big words, but bottom line is that's a standard framework that's used by the US government, and it's designed to kind of give you guidance around cybersecurity and what you should do to protect it. Now, one of the things to consider is that 800-53 and the CSF work very closely together. There's some subtle differences between the two, but in reality 800-53 and the NIST Cybersecurity Framework are relatively close. So if you pick one of those, unless you have a requirement that you have to do 800-53, you'll be pretty good. Now there's some key control families when you're dealing with 800-53: access control, audit and accountability, risk assessments, security and communication protection, and then continuous monitoring. Those are the main families that are tied to 800-53, and you can kind of read on the screen there. They deal with all different kinds of things, from authentication, logging and monitoring, threat modeling, firewalls, and then basically any sort of security controls and an ongoing evaluation of those. Now there's different types of implementation tiers. There's low, moderate and high, based on the risk level of your company, and you will help decide what that is, because it's up to the company to decide what level of risk they're willing to accept and what level of risk they're not willing to accept.
Speaker 2:
Now, when we get into security audits: a security audit is a formal evaluation of the organization's security controls. Now you have different types of audits. You have internal, external and third-party audits. An internal audit is conducted by your company, your organization, to assess the policies that are currently in place. External audits are performed by independent third parties, E&Y, Deloitte, maybe somebody else, some other, maybe niche type of brand, to help with compliance validation. And then your third-party audits, these also evaluate vendors and service providers. So you may be doing a third-party audit as an internal person, or you may contract with an external party to do an evaluation of a vendor or a service provider as well. So those are the different types of audits that you can run into.
Speaker 2:
Now, the audit process is relatively simple, right, but it can be very overwhelming and very confusing at times. But the audit process comes down to: you have a planning and scoping phase. Now, this is where you define the objectives and methodologies and the resources needed for the specific audit. You also have the data collection aspects, where you review logs, policies and system configurations with your data. You have analysis and testing, where you identify security weaknesses, and then you report.
Speaker 2:
And remediation is where you document all the findings and track your overall remediation efforts, and you want to have this process in place before you begin the audit. If you're working with a company that's external, they will take care of all this for you, but if you're doing it yourself, these are some key things for you to consider before you start. And again, you don't want to just go, well, I'm just going to start auditing everything. You want to have a good plan and you want to be able to document this well, because in the process of auditing your systems, if you're doing an internal assessment, then you are actually spending a lot of opportunity cost to do this. So therefore, you want to make sure that you're using every possible bit that you can to make sure that this is successful.
Speaker 2:
Now I'm going to get into SOC 1 and SOC 2 reports. Now, if you're dealing with SOC 1 and SOC 2, what are the purposes around these? A SOC 1 is a financial reporting compliance requirement, and its focus area is internal controls over financial transactions. We're going to get into SOC 1 and SOC 2, and then we're going to get into Type 1 and Type 2. Who needs these?
Speaker 2:
Who falls into SOC 1? You've got your banking, financial institutions, anything dealing with money, payroll companies and so forth. SOC 2, this is where you deal with security, availability, confidentiality, processing integrity and privacy. That's the purpose behind it, and you're looking at IT security controls related to various aspects that could include cloud storage, data handling and overall compliance as well. Something that falls into SOC 2, and this is a certification behind it, is you have cloud service providers that will be SOC 2 certified, and the purpose behind that is that they know that the security controls they have put in place will protect your data. And so, therefore, if you are going to be using, let's just say, AWS, and you know it's SOC 2 certified, you can feel confident that they have good controls in place to manage the data that is going in. So again, SOC 1, SOC 2.
Speaker 2:
Now we're getting into Type 1, Type 2. Now, Type 1 and Type 2, these are part of the SOC reports, and this is part of the AICPA's, that's the American Institute of Certified Public Accountants, SSAE 18 standard. Okay, lots of words, but bottom line is it's a standard that was developed by a bunch of CPAs. That was the purpose of it, and it's designed to provide transparency in how a company structures its data. It also helps businesses make informed decisions when selecting third-party vendors. It helps them see what kind of reports they have. And then it also helps regulatory compliance with standards such as HIPAA, GDPR, PCI DSS, all these things. They're all available to you now.
Speaker 2:
Type 1, Type 2, what are the differences between them? Now, Type 1 evaluates the design of the controls, whereas Type 2 evaluates the effectiveness of the controls over a period of time. The scope, when you're dealing with Type 1, is a single point in time, it's just right now. But when you're dealing with Type 2, it monitors the controls over a period of anywhere from three to potentially 12 months. The timeframe, again, is a one-time assessment when you're dealing with Type 1, and then you have Type 2, which is over a period of time.
Speaker 2:
The real big thing that you can take out of this is your use cases. You have vendor risk management, early-stage compliance. All those might fall within the Type 1: just getting a snapshot of where am I at? What am I doing? How am I in relation to everyone else? How am I in relation to what I should be, best practices? Type 2 is where you're dealing with regulatory requirements, such as maybe you're a bank or you have some sort of regulatory requirement that has a long tail behind it, lots of stuff you have to do. Then, when you're dealing with those aspects, that's where the Type 2 would come into play, and you'd want to make sure that you're SOC 2 Type 2, SOC 1 Type 2.
Speaker 2:
Now, the benefits of Type 1 and Type 2 reports, I should say SOC 2 Type 1 or SOC 2 Type 2: the benefits of Type 1 and Type 2 reports are your third-party risk management. This demonstrates security effectiveness to your customers and your partners. It's to make sure that you have a good plan for managing the risk, especially when you're dealing with third parties. Regulatory and compliance readiness, we talk about that a lot.
Speaker 2:
When you're dealing with any of the SOCs and the types, you're going to be dealing with compliance aspects behind this. It also helps with a competitive advantage. Believe it or not, if you are certified in various pieces of this, what ends up happening is it could potentially set you apart from your competitors. So a good example is that if you're providing cloud-based services, you're going to want to make sure that you are certified as SOC 2, and potentially even Type 2, that would be even better. Then, using something like that, that would help differentiate you from your potential competitors.
Speaker 2:
That being said, a lot goes into that. There's not a, it's not an easy button, right? It doesn't just say, well, I want to just pay $5,000 and I can be certified. No, there's a lot that goes into it. So it's not just that piece of it. Also, early detection of gaps: Type 2 reports will help identify security weaknesses. Why? Well, because you're having to focus on it on a routine basis. So therefore, it will show up and the ultimate goal is that you see this before they become a breach or some sort of incident that you may have within your company.
Speaker 2:
Now, when you're dealing with auditing standards, what are the different standards that are out there? Well, we kind of talked about SOC 1 and 2 already. We kind of got into that. But there's different standards. You have ISO 27001. It's international, and it's also risk-based around security controls. So you may want to consider that, depending upon what your company will do.
Speaker 2:
PCI DSS, this is credit card data, it's your process control. What is that called? Again, I just forgot. Oh, my goodness, Payment Card Industry Data Security Standard, huh, too many acronyms. But again, it protects your payments. It also helps define around network security, encryption and so forth. So it's really good. It's used a lot within e-commerce and the financial areas. HIPAA, again, healthcare, protects healthcare data, so that is another good format or framework to use. This deals with PHI, which is protected health information, and that's a good factor. NIST 800-53, federal security standards, we just kind of talked about that as well, and with security and privacy controls, that falls under the NIST 800-53 federal security standards.
Speaker 2:
So what are some audit challenges and solutions when you're dealing with audits? And then I'm also gonna talk about internal. Let me just roll into internal and external audits real quick. Internal audit, we talked about, is self-assessment. External audit, it's independent assessment for compliance, and then third-party audits. These are where you're going out and doing an audit of a vendor. You can see on the table, this is something you can go back and reference as far as when you're studying for the CISSP. It'll kind of give you just a little bit more layout of what is going on now when you're dealing with some challenges and solutions as it relates to audits.
Speaker 2:
One of the things is around ensuring you have continuous compliance with your audits. You have an audit that occurs, do you have another audit that was done, or are you maintaining your compliance between all of your audits? Do you have a plan in place that involves the findings, how you're going to fix those findings? That's a big factor that, in and of itself, can be a very monumental task. Another challenge is managing third-party vendor risks. We talked about this before. If you have a third-party risk management plan, which is, like they call it, TPRM, these frameworks will help you with understanding your vendors. Now, we all know that trying to manage vendors can be a bit of a challenge, especially understanding the security posture of these vendors. You may want to look at various other tools, like Black Kite's one, but different tools to help you with this overall process.
Speaker 2:
You also handle large volumes of audit evidence. So the question is, now you get all this data that comes in, what are you going to do with it? Well, you're just going to go put it on a SharePoint and not worry about it. Yeah, that's the wrong thing to do. You want to have some level of doing evidence collection through some GRC platforms that are out there. Archer is one. You could potentially put it in ServiceNow, but you want to have it in a place that's structured and controlled. You can put it in a SharePoint site, but you want to make sure you also lock it down. Depending on the size of your company, that may be the best solution, but make sure that you do lock it down, because anytime an auditor finds something, one of the bad things that bad guys like to do is go after audit reports. Why? Because in many cases, it'll tell you about all the things that are bad within your organization and it's a really good blueprint to help you just take advantage and manipulate companies.
Speaker 2:
Now we're going to talk about CRI, which is Cyber Resiliency Index. Now, this is something I just learned about recently. I hadn't really dealt much with it, but it's been a really interesting experience and journey and I would say that I would highly recommend you take a look at it, especially if you're in the financial industry. So, what's the ultimate point of a CRI? It's the fact that you can anticipate, withstand, recover from and adapt to cyber threats and the specific incidents that occur. Now, the ultimate goal of CRI, which was developed by some big banks, is to help have some level of consistency around the overall resiliency of these institutions, and we all know that when a cyber event happens, resiliency is key, and we talk about that a lot on CISSP Cyber Training, that you want to be resilient as much as you possibly can. You're going to get attacked, but you better plan on some level of resiliency.
Speaker 2:
So why is resiliency important? Well, again, the threat landscape is doing nothing but increasing. It's getting bigger, contrary to popular belief, and especially with the way the world is today, it's going to do nothing but expand. We've also become way too dependent upon IT infrastructure. So what does that mean? It means there's lots of targets of opportunity, so it's going to expand.
Speaker 2:
The other thing is business continuity assurance. This helps ensure that your operations remain functional even after a cyber incident. Very good process to kind of go through. It also aligns with regulatory compliance. These frameworks will help a lot when you're dealing with government entities, especially regulators and auditors, around what you're trying to accomplish. They are very aware of what the Cyber Resiliency Index is. Financial protection reduces the potential cost for security breaches because it's focusing on resiliency. And then public trust and reputation management. Again, it helps ensure the customer and stakeholder confidence remains high with your folks because you are resilient. Okay, bottom line.
Speaker 2:
So when you're dealing with resiliency scoring, they have three different areas. You have low, medium and high. Now, low is reactive: minimal security monitoring, high reliance on manual threat detection, no formal awareness training. Proactive, which is a medium resilience, is you have things in place, you've established an incident response process and you have some level of automation to understand where the threats are at. But if you're optimized, which is the high level, you're fully integrated with cybersecurity, you've automated response to threats and you have cloud native security and zero trust adoption within your organization. Now, I say all that. Those are really generic, right? Let's be honest, zero trust is a hard nut to crack, and to say, well, I'm zero trust in one area, so I'm now optimized. Well, no, that doesn't mean that. If you're fully zero trust, yeah, that's a huge deal. But you've got to understand that these are just kind of buckets that you will then go through and try to do a self-evaluation of yourself.
Speaker 2:
Some benefits of CRI: again, enhanced security visibility gives you a better, clearer picture of your cybersecurity strengths and your weaknesses. Helps reduce risk. It does give you better compliance, regulatory compliance mojo. It helps you with that. Operational continuity, with the overall goal to keep your businesses up and operational and running. Again, helps reduce the downtime that's occurring within your company. And then confidence in the fact that you are resilient. Now you can't just say, hey, I've done the cyber resiliency, yes, we're good. Well, no, you actually have to do something with it. But, that being said, it does help improve your stakeholders' confidence that you have a resilient platform. Some different frameworks you can use are NIST 800-160, Volume 2, the MITRE Cyber Resiliency Engineering Framework, or ISO 22301. Those are some different frameworks you can use to help you with your resiliency piece. But bottom line is resiliency is an important factor with your organization.
Speaker 2:
Okay, that is all I have for you today. This is an exciting, exciting session, so much it's riveting beyond belief. Exciting, I guarantee you. But that being said, you can go to CISSP Cyber Training and you can get access to all of my content. You really can. It's there, it's available to you. It's simple, very simple. You just pull out the credit card and you purchase. That's all you have to do. You can get it all, every bit of it, all, no problem, just at your fingertips on your computer, no issues.
Speaker 2:
Or, if you don't want to go that route, there's plenty of free stuff out there too that you can use. That will help you in your self-study resources. Again, it's, I'm here for you at CISSP Cyber Training. The goal of that is not to make money off of everybody. It's to help just fund this thing, to help pay for all the stuff that goes with it. I just want you to pass your CISSP exam. You can do this. I know you can. I trust you, I know. Just go ahead and study hard and make it happen. If you need any consulting work, go to ReduceCyberRisk.com. You also can check me out there and I've got all kinds of consulting stuff to help you and your organization be better prepared from being attacked by the evil hacker horde. Okay, have a wonderful day and we will catch you all on the flip side, see ya.