Security Audits

A security audit is a review of an organization's security controls, policies, and procedures against
a set of expectations. It connects frameworks, controls, security principles, and compliance
regulations, and is an independent review that evaluates alignment with internal and external criteria.
- Internal criteria: policies, procedures, and best practices
- External criteria: regulatory compliance, laws, and federal regulations
Security controls: safeguards designed to reduce specific security risks.
3 Control categories:
1. Administrative/Managerial: related to the human component of cybersecurity; include policies and procedures
o Examples: access control policies; account management policies; password policies; disaster recovery plans; least privilege; separation of duties
2. Technical: hardware and software solutions used to protect assets
o Examples: firewall; IDS/IPS; encryption; backups; password management; antivirus; manual monitoring/maintenance/intervention
3. Physical: measures put in place to prevent physical access to protected assets (CCTV; locks)
o Examples: time-controlled safe; adequate lighting; CCTV; locking cabinets; signage; locks; fire detection/prevention
5 Control types:
1. Preventative: designed to prevent an incident from occurring in the first place.
2. Corrective: used to restore an asset after an incident.
3. Detective: implemented to determine whether an incident has occurred or is in progress.
4. Deterrent: designed to discourage attacks.
5. Compensating: used to fortify the security of an asset when the current controls aren't enough to adequately protect the asset.
Preventative Control Examples:
- Least privilege
- Password policies
- Access control policies
- Account management policies
- Firewall
- Password management
- Manual monitoring, maintenance, and intervention
- Locking cabinets (for network gear)
- Fire detection and prevention (fire alarm, sprinkler system, etc.)
- Locks
- Closed-circuit television (CCTV)
Corrective Controls:
- Disaster recovery plans
- Backups
- Antivirus (AV) software
Detective Controls:
- IDS/IPS
- Fire detection and prevention (fire alarm, sprinkler system, etc.)
- Closed-circuit television (CCTV)
Deterrent Controls:
- Encryption
- Time-controlled safe
- Adequate lighting
- Signage indicating alarm service provider
- Locks
These controls work together to provide defense in depth and protect assets.
Goals vs. Objectives
1. Goal: A goal is a broad, high-level statement that describes the intended outcome or purpose of
an organization or individual. It represents the overarching aim or direction that one wants to
achieve. In cybersecurity, a goal could be to enhance the overall security posture of an
organization, protect sensitive data, or minimize the impact of cyber threats.
2. Objective: Objectives, on the other hand, are specific, measurable, achievable, relevant, and
time-bound (SMART) targets that support the broader goals. Objectives are more concrete and
define the steps or milestones that need to be accomplished to fulfill the goals. In cybersecurity,
objectives could include implementing a specific security control, conducting regular
vulnerability assessments, training employees on cybersecurity best practices, or achieving
compliance with industry regulations.
Goals provide the broader vision and purpose, while objectives are specific and measurable
targets that help achieve those goals. Goals guide the overall direction, while objectives outline
the actionable steps to be taken to fulfill the goals in a tangible manner.
Goal of audit: meeting industry and organizational standards
Objective of audit: identify and address areas of remediation and growth
Audits provide: direction and clarity by identifying current failures and developing a plan to
correct them
Frequency of audit: dependent on local laws and federal compliance regulations
Factors that affect audits:
- Industry type
- Organization size
- Ties to the applicable government regulations
- A business's geographical location
- A business decision to adhere to a specific regulatory compliance
2 main types of audits:
- External security audit
- Internal security audit: Typically conducted by a team of people that might include an
organization's compliance officer, security manager, and other security team members. Used to
help improve an organization's security posture and help organizations avoid fines from
governing agencies due to a lack of compliance. Helps security teams identify organizational risk,
assess controls, and correct compliance issues. Common elements:
o Establish/Identify the scope and goals of the audit
  - Scope: Requires organizations to identify people, assets, policies, procedures, and technologies
that might impact an organization's security posture
  - Goals: Outline of the organization's security objectives; what they want to achieve in order to
improve their security posture
o Conduct/Complete a risk assessment of the organization's assets
  - Identify potential threats, risks, and vulnerabilities
  - Consider what types of controls and compliance regulations need to be in place
o Conduct the audit: Controls assessment
  - Review an organization's existing assets
  - Evaluate potential risks to those assets
  - Ensure internal controls and processes are effective
  - Classify and select controls (administrative, technical, physical)
  - Assign control priority
o Conduct the audit: Compliance checklist
  - Compliance regulations: laws that organizations must follow to ensure private data remains
secure
    - Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
    - General Data Protection Regulation (GDPR)
    - Payment Card Industry Data Security Standard (PCI DSS)
    - System and Organization Controls (SOC type 1, SOC type 2)
    - Criminal Justice Information Services (CJIS)
o Communicate results to stakeholders
  - Summarizes scope and goals
  - Lists existing risks and how quickly those risks need to be addressed
  - Identifies compliance regulations the organization needs to adhere to
  - Provides recommendations for improving security posture