Time
51 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Greetings, everyone, and welcome to Cyber Security Audit Overview, Episode five:
00:05
Cyber Security Audit Frameworks
00:09
Now in Episode four, we talked about controls on why they're so important to an organization.
00:14
You're probably wondering to yourself, that's great. But where do I find these controls?
00:20
Well, that's the purpose of this episode.
00:22
We're gonna start talking about audit frameworks.
00:26
In this video, you will learn the definition of a framework, the purpose of a framework,
00:31
as well as examples of frameworks.
00:37
Now there is no single standardized definition, and I'm sure you're starting to get used to that.
00:42
But the baseline across all
00:45
involves providing standards, controls and best practices to mitigate risks.
00:52
Now, what are best practices?
00:55
Well, from a project management background, you can think of best practices as lessons learned.
01:02
If you don't,
01:03
and just think of best practices as learning from the errors of others,
01:10
basically, someone else encountered a problem and figured out a way to solve it,
01:15
and thankfully, they decided to share with the rest of us.
01:19
So for our purposes, a framework is an organized and distributed collection
01:25
of standards, controls and best practices to mitigate risks for a corresponding industry or activity
01:33
The framework is organized, meaning there's a logical flow to it.
01:38
And as far as distributed, well, let's just say it's just made available to those who are interested in that type of framework.
01:47
It's also important to remember frameworks can be different, so you have to find the right one.
01:55
Now, frameworks address risks and threats for a specific industry or activity,
02:00
provide best practice information based on experience,
02:04
and they provide a base for audit control selection. Now this is important because you'll go through different frameworks,
02:12
take a look at them, analyze them for applicability to your organization
02:17
and then select the appropriate audit controls.
02:23
Frameworks may also provide expected compliance standards
02:29
within an industry.
02:32
Now, one of the most recognizable framework examples is PCI DSS.
02:38
And the great thing about this framework is it was actually developed by the payment card industry.
02:46
Meaning that everyone got together,
02:49
talked about past performance, you know, shared best practices,
02:53
and they came up with a framework
02:55
for everyone, and they all agreed to abide by it.
03:00
Now, the focus of the framework
03:02
regards mitigating risks with credit cards and personal data,
03:07
and it applies to everyone that wants to process credit cards.
03:13
Now this is free.
03:15
It's available at pcisecuritystandards.org. So I suggest just downloading it and taking a look at your leisure.
03:23
There's also a PCI DSS course available through Cybrary, if you're interested.
03:32
Okay, the Center for Internet Security. We talked about them in the last episode.
03:38
Now, the 20 controls are developed by the entire organization, which is made up of experts from around the world and in different areas.
03:46
And their focus is on mitigating risks according to impact and probability.
03:53
So the greater the impact, the worse the loss, and the higher the chances of that loss occurring.
04:00
That's how they go through everything and then rank all of the controls, one through 20, based on importance.
04:06
Now there is an accompanying spreadsheet available, which is very good. It's valuable,
04:13
and you can get all this information for free. But it does require registration through the organization.
04:20
COBIT.
04:23
It's developed by the IT Governance Institute, and it focuses on IT management and control, which is different from the previous ones that we've talked about.
04:32
Whereas PCI DSS was focused on the credit card industry
04:38
and the CIS controls were available for everyone,
04:42
but their focus was on a risk versus reward type of format.
04:46
COBIT focuses on IT management and control, and it tries to help users match IT functions to processes and to company goals,
04:55
which is a little different from the other two.
04:59
Now COBIT is free,
05:00
but it does require registration through ISACA.
05:05
Let's talk about NIST.
05:08
This is a government organization that is part of the Department of Commerce,
05:13
and it is a wonderful repository for different kinds of information, including frameworks.
05:18
As a matter of fact, you could probably call it a framework library if you wanted to.
05:24
Now the great thing about NIST is that all the information is free.
05:30
The bad thing is that you're going to have to actually go through a lot of the different documents to figure out which ones apply to you and which ones don't.
05:41
Now, here I've provided a couple of examples.
05:44
There's a framework for improving critical infrastructure cybersecurity,
05:47
and it does have a corresponding spreadsheet available
05:51
Critical infrastructure, we're talking about
05:55
power plants, dams,
05:58
water purification plants,
06:00
you know, critical infrastructure to the country.
06:03
There's also a risk management framework for information systems and organizations,
06:09
and that's fairly applicable to all organizations.
06:13
And another great thing about this is they actually have a free program that you can use online or download,
06:18
and it's Baseline Tailor,
06:21
and you can use that to create a framework for yourself.
06:27
All right,
06:29
a quiz.
06:31
You pick the right answer. A framework provides best practice information,
06:36
can help management select controls,
06:40
or is normally tied to a specific industry or function.
06:44
Well, the correct answer is all of the above. A framework does provide best practice information,
06:49
it does help management in defining and selecting controls,
06:54
and it's normally tied to a specific industry or function.
06:58
All right. In this video we discussed the definition of a framework, the purpose of a framework,
07:02
and examples of frameworks.
07:05
I urge you to take a look at the different websites that we've identified in this video.
07:11
Download the different frameworks
07:14
and do a comparison side by side.
07:16
It'll really help you understand frameworks as well as controls.

Cybersecurity Audit Overview

This cybersecurity audit training is a beginner level course for anyone interested in cybersecurity audits or a career as an auditor. Upon completion of the course, the student will be familiar with the concept and purpose of auditing along with control frameworks focused on cybersecurity.

Instructed By

Darcy Kempa
Instructor