A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations. It connects frameworks, controls, security principles, and compliance regulations, and is an independent review that evaluates alignment with internal and external criteria.
- Internal criteria: policies, procedures, and best practices
- External criteria: regulatory compliance, laws, and federal regulations

Security controls: safeguards designed to reduce specific security risks.

3 control categories:
1. Administrative/Managerial: related to the human component of cybersecurity; include policies and procedures
   o Examples: access control policies; account management policies; password policies; disaster recovery plans; least privilege; separation of duties
2. Technical: hardware and software solutions used to protect assets
   o Examples: firewall; IDS/IPS; encryption; backups; password management; antivirus; manual monitoring/maintenance/intervention
3. Physical: measures put in place to prevent physical access to protected assets (CCTV; locks)
   o Examples: time-controlled safe; adequate lighting; CCTV; locking cabinets; signage; locks; fire detection/prevention

5 control types:
1. Preventative: designed to prevent an incident from occurring in the first place.
2. Corrective: used to restore an asset after an incident.
3. Detective: implemented to determine whether an incident has occurred or is in progress.
4. Deterrent: designed to discourage attacks.
5. Compensating: used to fortify the security of an asset when the current controls aren't enough to adequately protect the asset.

Preventative control examples:
- Least privilege
- Password policies
- Access control policies
- Account management policies
- Firewall
- Password management
- Manual monitoring, maintenance, and intervention
- Locking cabinets (for network gear)
- Fire detection and prevention (fire alarm, sprinkler system, etc.)
- Locks
- Closed-circuit television (CCTV)

Corrective control examples:
- Disaster recovery plans
- Backups
- Antivirus (AV) software

Detective control examples:
- IDS/IPS
- Fire detection and prevention (fire alarm, sprinkler system, etc.)
- Closed-circuit television (CCTV)

Deterrent control examples:
- Encryption
- Time-controlled safe
- Adequate lighting
- Signage indicating alarm service provider
- Locks

These controls work together to provide defense in depth and protect assets.

Goals vs. Objectives
1. Goal: a goal is a broad, high-level statement that describes the intended outcome or purpose of an organization or individual. It represents the overarching aim or direction that one wants to achieve. In cybersecurity, a goal could be to enhance the overall security posture of an organization, protect sensitive data, or minimize the impact of cyber threats.
2. Objective: objectives, on the other hand, are specific, measurable, achievable, relevant, and time-bound (SMART) targets that support the broader goals. Objectives are more concrete and define the steps or milestones that need to be accomplished to fulfill the goals. In cybersecurity, objectives could include implementing a specific security control, conducting regular vulnerability assessments, training employees on cybersecurity best practices, or achieving compliance with industry regulations.

Goals provide the broader vision and purpose, while objectives are specific and measurable targets that help achieve those goals. Goals guide the overall direction, while objectives outline the actionable steps to be taken to fulfill the goals in a tangible manner.
Goal of audit: meeting industry and organizational standards
Objective of audit: identify and address areas of remediation and growth
Audits provide: direction and clarity by identifying current failures and developing a plan to correct them
Frequency of audit: dependent on local laws and federal compliance regulations

Factors that affect audits:
- Industry type
- Organization size
- Ties to the applicable government regulations
- A business's geographical location
- A business decision to adhere to a specific regulatory compliance

2 main types of audits:
1. External security audit
2. Internal security audit: typically conducted by a team of people that might include an organization's compliance officer, security manager, and other security team members. Used to help improve an organization's security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Helps security teams identify organizational risk, assess controls, and correct compliance issues.

Common elements of an internal security audit:
o Establish/identify the scope and goals of the audit
   - Scope: requires organizations to identify people, assets, policies, procedures, and technologies that might impact an organization's security posture
   - Goals: outline of the organization's security objectives; what they want to achieve in order to improve their security posture
o Conduct/complete a risk assessment of the organization's assets
   - Identify potential threats, risks, and vulnerabilities
   - Consider what types of controls and compliance regulations need to be in place
o Conduct the audit: controls assessment
   - Review an organization's existing assets
   - Evaluate potential risks to those assets
   - Ensure internal controls and processes are effective
   - Classify and select controls (administrative, technical, physical)
   - Assign control priority
o Conduct the audit: compliance checklist
   - Compliance regulations: laws that organizations must follow to ensure private data remains secure
   - Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
   - General Data Protection Regulation (GDPR)
   - Payment Card Industry Data Security Standard (PCI DSS)
   - System and Organization Controls (SOC type 1, SOC type 2)
   - Criminal Justice Information Services (CJIS)
o Communicate results to stakeholders
   - Summarizes scope and goals
   - Lists existing risks and how quickly those risks need to be addressed
   - Identifies compliance regulations the organization needs to adhere to
   - Provides recommendations for improving security posture
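The audit steps above, worked through as an added example (this code is not part of these notes or of any course material): a small Python helper that takes a constructed asset inventory with risk ratings, classifies each asset's controls by category and type using the example lists from these notes, flags assets that lack preventative, detective or corrective coverage (the defense-in-depth baseline), assigns a remediation priority from the asset's risk rating, and assembles the stakeholder summary (scope, goals, ordered risks, applicable regulations, recommendations). The 1-to-5 risk scale, the priority thresholds, and every asset, control and regulation value in the sample inventory are constructed assumptions, not data about any real organization.

```python
"""Added example: minimal internal-audit helper following the notes' steps.
All inventory values below are constructed for illustration."""
from dataclasses import dataclass, field

# Category and type for each control, taken from the notes' example lists.
# A control may carry more than one type (CCTV is preventative and detective).
CONTROL_CATALOG = {
    "least privilege": ("administrative", {"preventative"}),
    "password policy": ("administrative", {"preventative"}),
    "access control policy": ("administrative", {"preventative"}),
    "account management policy": ("administrative", {"preventative"}),
    "disaster recovery plan": ("administrative", {"corrective"}),
    "firewall": ("technical", {"preventative"}),
    "ids/ips": ("technical", {"detective"}),
    "encryption": ("technical", {"deterrent"}),
    "backups": ("technical", {"corrective"}),
    "antivirus": ("technical", {"corrective"}),
    "password management": ("technical", {"preventative"}),
    "locks": ("physical", {"preventative", "deterrent"}),
    "cctv": ("physical", {"preventative", "detective"}),
    "fire detection": ("physical", {"preventative", "detective"}),
    "time-controlled safe": ("physical", {"deterrent"}),
    "adequate lighting": ("physical", {"deterrent"}),
    "signage": ("physical", {"deterrent"}),
    "locking cabinets": ("physical", {"preventative"}),
}

CORE_TYPES = ("preventative", "detective", "corrective")  # defense-in-depth baseline
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Asset:
    name: str
    risk_rating: int  # constructed scale: 1 (low) .. 5 (critical)
    controls: list = field(default_factory=list)


def classify(control_name):
    """Return (category, types) for a control; unknown names stop the audit."""
    key = control_name.strip().lower()
    if key not in CONTROL_CATALOG:
        raise KeyError(f"unknown control {control_name!r}: add it to the catalog")
    return CONTROL_CATALOG[key]


def assess_asset(asset):
    """Controls assessment for one asset: classify, find gaps, assign priority."""
    categories, types = set(), set()
    for control in asset.controls:
        category, control_types = classify(control)
        categories.add(category)
        types.update(control_types)
    missing = [t for t in CORE_TYPES if t not in types]
    # Priority thresholds are an assumption of this example, not from the notes.
    if not missing:
        priority = "low"
    elif asset.risk_rating >= 4:
        priority = "high"
    elif asset.risk_rating >= 2:
        priority = "medium"
    else:
        priority = "low"
    return {"asset": asset.name, "risk_rating": asset.risk_rating,
            "categories": sorted(categories), "types": sorted(types),
            "missing_types": missing, "priority": priority}


def audit_report(scope, goals, assets, regulations):
    """Assemble the stakeholder summary: scope, goals, ordered risks, regulations, fixes."""
    findings = [assess_asset(a) for a in assets]
    # Most urgent first: priority, then higher risk rating, then name for stability.
    findings.sort(key=lambda f: (PRIORITY_ORDER[f["priority"]], -f["risk_rating"], f["asset"]))
    recommendations = [f"{f['asset']}: add a {t} control (currently missing)"
                       for f in findings for t in f["missing_types"]]
    return {"scope": scope, "goals": list(goals), "findings": findings,
            "regulations": list(regulations), "recommendations": recommendations}


# Constructed sample inventory (hypothetical organization).
SAMPLE_ASSETS = [
    Asset("customer database", 5, ["encryption", "backups", "access control policy"]),
    Asset("office workstations", 3, ["antivirus", "password policy", "firewall"]),
    Asset("server room", 4, ["locks", "cctv", "fire detection", "disaster recovery plan"]),
    Asset("lobby signage kiosk", 1, ["signage"]),
]

SAMPLE_REPORT = audit_report(
    scope="People, assets, policies, procedures and technologies at the main office",
    goals=["Improve security posture", "Avoid fines from governing agencies"],
    assets=SAMPLE_ASSETS,
    regulations=["PCI DSS", "GDPR"],  # constructed: regulations the sample org says apply
)

if __name__ == "__main__":
    for finding in SAMPLE_REPORT["findings"]:
        print(finding["priority"].upper(), finding["asset"],
              "missing:", finding["missing_types"] or "none")
    for rec in SAMPLE_REPORT["recommendations"]:
        print("-", rec)
```

Running the file prints the findings in priority order and one recommendation per missing baseline type. The catalog raises on an unknown control name on purpose: a control nobody has classified is itself an audit gap, so the assessment stops rather than silently skipping it.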