WK2 Security Audits Flashcards
we’ve covered different frameworks, controls, security principles, and compliance regulations, the question is: How do they all work together?
2 types of Security Audits
- Internal Audits
- External Audits
What team members conduct a Internal Security Audit?
An internal security audit is typically conducted by a team of people that might include an organization’s compliance officer, security manager, and other security team members.
Why are Internal Audits useful?
Internal security audits are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues.
Common elements of an Internal Security Audit
Establishing the scope and goals of the audit
Conducting a risk assessment of the organization’s assets
Completing a controls assessment
Assessing compliance
Communicating results to stakeholders
Internal Security Audit
Establishing the Scope and goals of the Audit
Scope refers to the specific criteria of an internal security audit. Scope requires organisations to identify people, assets, policies, procedures, and technologies that might impact an organisation’s security posture.
Goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture.
Although more senior-level security team members and other stakeholders usually establish the scope and goals of the audit, entry-level analysts might be asked to review and understand the scope and goals in order to complete other elements of the audit.
As an example, the scope of this audit involves assessing user permissions; identifying existing controls, policies, and procedures; and accounting for the technology currently in use by the organization. The goals outlined include implementing core functions of frameworks, like the NIST CSF; establishing policies and procedures to ensure compliance; and strengthening system controls.
Internal Security Audit
Conducting a Risk Assessment
The next element is conducting a risk assessment, which is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets. Similar to establishing the scope and goals, a risk assessment is oftentimes completed by managers or other stakeholders. However, you might be asked to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place to help improve the organisation’s security posture.
For example, this risk assessment highlights that there are inadequate controls, processes, and procedures in place to protect the organization’s assets. Specifically, there is a lack of proper management of physical and digital assets, including employee equipment. The equipment used to store data is not properly secured. And access to private information stored in the organisation’s internal network likely needs more robust controls in place.
Internal Security Audit
Completing a Controls Assessment
A controls assessment involves closely reviewing an organisation’s existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective.
To do this, entry-level analysts might be tasked with classifying controls into the following categories:
Administrative control: related to the human component of cybersecurity. They include policies and procedures that define how an organisation manages data, such as the implementation of password policies.
Technical controls: are hardware and software solutions used to protect assets, such as the use of intrusion detection systems, or IDS’s, and encryption.
Physical controls: refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.
Internal Security Audit
Assessing Compliance
Determining whether or not the organization is adhering to necessary compliance regulations. As a reminder, compliance regulations are laws that organisations must follow to ensure private data remains secure.
In this example, the organization conducts business in the European Union and accepts credit card payments. So they need to adhere to the GDPR and Payment Card Industry Data Security Standard, or PCI DSS.
Internal Security Audit
Communicating results to stakeholders.
Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders.
In general, this type of communication summarizes the scope and goals of the audit. Then, it lists existing risks and notes how quickly those risks need to be addressed. Additionally, it identifies compliance regulations the organisation needs to adhere to and provides recommendations for improving the organisation’s security posture
Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus:
Identify the scope of the audit
Complete a risk assessment
Conduct the audit
Create a mitigation plan
Communicate results to stakeholders
Audit checklist
Identify the scope of the audit
The audit should:
List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)
Note how the audit will help the organization achieve its desired goals
Indicate how often an audit should be performed
Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees
Audit checklist
Complete a risk assessment
A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).
Audit checklist
Conduct the audit
When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.
Audit checklist
Create a mitigation plan
A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.
