Time
51 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:01
Greetings, everyone. Welcome to Cybersecurity Audit Overview, Episode Four.
00:08
Now, in this video, you will learn the definition of a control, the purpose of a control,
00:13
as well as examples of controls.
00:18
Now, there is no single standardized definition. The term varies across organizations and industries.
00:24
However, they all have one thing in common,
00:26
and that means controlling behaviors.
00:30
Now, for our purposes,
00:32
a control is an approved and implemented measure designed to mitigate a specific risk.
00:37
Measures are actions
00:39
used to control behavior activity.
00:42
And the measures could be hardware, software, policies,
00:45
anything that's implemented in order to control behaviors.
00:49
And risks
00:51
are possible negative occurrences.
00:56
Now, IT controls are designed and implemented to help protect basically anything of value to the organization.
01:03
Now, IT controls protect the company as well as the customers.
01:07
If you think about personally identifiable information,
01:11
that's something of value to a hacker.
01:14
So we want to make sure that that PII
01:18
is protected,
01:19
that way the hackers can't get at it,
01:23
and we're protecting ourselves from a lawsuit as well as protecting the customers from possible identity theft
01:30
And audits verify controls are defined, implemented and followed.
01:38
Now, some control examples.
01:42
These came from the Center for Internet Security, a wonderful organization,
01:48
and they have 20 controls that they have listed.
01:51
We're gonna take a look at the top three.
01:53
Number one: inventory and control of hardware assets.
01:57
Well, you can't protect it if you don't know that you have it
02:00
simple enough, right?
02:02
Control number two: inventory and control of software assets.
02:07
You can't update or patch if you don't know that you have it.
02:12
Control number three: procedures and tools.
02:15
There are recommendations to use vulnerability scanning tools.
02:19
Now, why is that?
02:23
Well, vulnerability scanning tools are often more effective and efficient at identifying vulnerabilities than having a person go through it on their own.
02:32
And all the controls have sub controls associated with them,
02:38
for example,
02:40
1.1
02:43
utilize an active discovery tool.
02:46
The purpose of that is to help build and maintain a hardware asset inventory.
02:51
Sub control 1.2
02:53
Utilize a passive discovery tool, once again making sure that we have an accurate hardware asset inventory.
03:00
1.3: Use DHCP,
03:05
once again updating the hardware asset inventory,
03:07
along with 1.4. Maintain a detailed asset inventory.
03:15
All right, time for another knowledge bomb.
03:19
Now, if you have an accurate inventory of all your hardware assets. That's great. It's wonderful.
03:27
If you don't, then it becomes a problem. You're really gonna have to use these vulnerability scanning tools
03:32
to go out there and give you an idea of what your network looks like.
03:38
You know, another way that you can do this is every time you purchase equipment
03:43
write down the serial numbers,
03:45
MAC addresses, any other information that you find pertinent or helpful to maintaining an accurate inventory.
03:55
Now, odds are, you're not gonna take the new piece of equipment and just put it out into production.
04:00
You know, if it's a computer, for example, you're probably gonna take it out of the box
04:04
update the software,
04:06
configure it properly for your organization, maybe add some software to it,
04:11
and that's the perfect time to actually take down that information
04:15
and start creating a database for yourself.
04:18
And another tip is, when you're gonna go out there and actually put that computer on someone's desk,
04:26
have them sign a custody card.
04:29
It's after that they're going to be accountable for that computer, but at least they're just verifying that
04:34
Computer 101
04:36
is now in the administration office, desk four.
04:43
With that information,
04:45
you guys can use that
04:46
to help build a topography of your network, where your assets are, what's on there, etcetera. It's very, very valuable.
04:59
All right, let's finish up sub controls.
05:02
Now, sub controls are also explicitly going to address an asset type along with the corresponding security function.
05:10
We've identified something of value to what,
05:14
and we're also going to define how we're going to protect it
05:18
And for more information, please take a look at the Center for Internet Security.
05:26
All right, a quiz,
05:29
Now, please pick the right answer. IT controls are implemented to
05:33
mitigate a specific risk,
05:36
maintain managerial dominance over employees
05:41
or increase audit failure probability. That's my favorite, by the way.
05:49
Okay, the right answer is A: IT controls are implemented to mitigate a specific risk.
05:56
As far as maintaining managerial dominance over employees, well, that's not the purpose of a control. It's there to mitigate the risk.
06:04
As far as increasing audit failure probability.
06:09
Well, the controls have to be approved
06:12
and implemented, which means that there should be some sort of communication.
06:16
So if that is all taking place, then there's really no reason for there to be an audit failure.
06:26
All right,
06:27
In today's video, we discussed the definition of a control, the purpose of a control, and provided you with examples of controls.
06:34
Let's move on to the next episode.

Up Next

Cybersecurity Audit Overview

This cybersecurity audit training is a beginner level course for anyone interested in cybersecurity audits or a career as an auditor. Upon completion of the course, the student will be familiar with the concept and purpose of auditing along with control frameworks focused on cybersecurity.

Instructed By

Darcy Kempa
Instructor