Audits and Assessments (OBJ 5.5)

Audits and Assesments?

Audits and Assessments are key processes to identifying vulnerabilities, validating security measures, and maintaining compliance with regulatory standards.

Audits

• Systematic evaluations of an organization's information systems, applications, and security controls
• Types (depending on source of the audit)
  • Internal Audits
    • Conducted by the organization's own team
    • Example:
      • Organization's internal audit team conducting a review of the company's data protection policy.
      • Check if policies are up to date and with the latest regulatory requirements.
      • Verify if policies are being followed correctly by all the employees
  • External Audits
    • Performed by third-party entities
    • Example:
      • A third-party auditor being hired to evaluate an e-commerce company's compliance with the Payment Card Industry Data Security Standard (PCI DSS)
      • The auditor checks
        • Network Security
        • Data encryption methods
        • Access control mechanisms
    • Identify policies, procedures, and controls
• Purpose
  • Validate security measures
  • Identify vulnerabilities
  • Maintain compliance with regulatory standards
• Examples
  • Internal Audit Example
    • Review of data protection policies
    • Check policy relevance and compliance
  • External Audit Example
    • Evaluation of e-commerce PCI DSS compliance
    • Assess network security, data encryption, and access controls
• Significance of Audits
  • Identifying Gaps
    • Security policies, procedures, and controls
  • Ensuring Compliance
    • General Data Protection Regulation (GDPR)
    • Health Insurance Portability and Accountability (HIPAA)
    • Payment Card Industry Data Security Standard (PCI DSS)

Assessments

• Detailed analysis to identify vulnerabilities and risks
• Performed before implementing new systems or significant changes
• Goal: Understand the potential risks and threats to an organization's information system and propose mitigation strategies to address these vulnerabilities.
• Categories
  • Risk Assessments
  • Vulnerability Assessments
  • Threat Assessments

Internal Audits and Assessments

• Evaluations conducted within an organization
• Review processes, controls, and compliance
• Importance
  • Ensure operational effectiveness and adherence to internal policies

External Audits and Assessments

• Independent evaluations by external parties
• Verification Areas
  • Financial statements
  • Compliance
  • Operational practices against regulations
• Performed by a third-party, independent auditor, or assessor.

Penetration Testing

• Simulated cyber attacks to identify vulnerabilities
• Objective
  • Find vulnerabilities exploited by attackers
• Also known as “Pen Testing” or “Ethical Hacking”

Reconnaissance in Pentesting

• Gathering information before a pentest
• Types
  • Passive
  • Active
• Environment Consideration
  • Known
  • Partially Known
  • Unknown
• Use of pentest tools
  • nmap
  • metasploit
  • Get full admin access into a machine

Attestation of Findings

• Formal, written declaration of audit or assessment results
• Purpose
  • Confirmation and documentation of outcomes