CCT 094: Assessment, Compliance, and Improvement Strategies (CISSP Domain 6.5)
Dec 04, 2023
Ever wonder how safe your data really is in the cloud? Or what steps are necessary to ensure your organization's compliance with critical cybersecurity standards? You won't want to miss our latest episode where we tackle these tough questions head-on, promising to leave you more informed and prepared to safeguard your organization's valuable digital assets. We dive into the complexities of compliance assessments and audit strategies, exemplified by Japan's Space Agency's recent cyber attack. We also unpack the nuanced differences between internal and external audits, all while guiding you through the often confusing maze of legal and regulatory compliance.
In a world where cyber threats are an everyday reality, understanding how to identify vulnerabilities within your organization's systems has never been more crucial. We'll take you through the practicalities of penetration testing, and break down the differences between black box and white box tests. You'll learn how hackers use methodical, stealthy approaches to bypass your security measures, while gaining insights into how log reviews, synthetic transactions, and code testing can help bolster your defenses. Speaking of defenses, we'll also reveal why third-party involvement in website checkout processes can be a game-changer in preventing SQL injections and input flaws.
But, complexities don't end there. We also explore the perils of account management in the cloud - a topic that's indeed a double-edged sword. While the ease and accessibility of cloud services are undeniable, so are the risks. We delve into strategies for managing these risks, such as how to deal with unused or unremoved user accounts that can be easily exploited by malicious actors. We underline the importance of regular audits and management reviews, and the necessity to comply with third-party agreements and Service Level Agreements (SLAs), to ensure your cloud services are not just convenient, but secure. So, tune in to our latest episode, and take a step towards securing your digital assets like a pro.
Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
TRANSCRIPT
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started, let's go, let's go. Good morning, this is Sean Gerber with CISSP Cyber Training. How are you all doing this beautiful day? Yeah, it's a gorgeous day. Here in Kansas, we just had about six and a half inches of snow, actually right over Thanksgiving, right before Thanksgiving, so it was a pretty awesome time. But things are going great here in Kansas and we are excited, super excited to get into the various aspects around the CISSP and the various cyber domains that are associated with compliance assessment and the overall strategies associated with them. But before we get started, one thing that was kind of interesting that I saw, that popped up in the news, and this came out of The Register: it talks about Japan Space Agency suffered a cyber attack and it points its fingers specifically at Active Directory. Now, if you are aware, Active Directory actually is a tool that's used to help manage access throughout the network. It's very old, it's been around for a long time and it's used pretty much everywhere. Right, they want to move away. I mean, Microsoft, this is a Microsoft product and they've been wanting to move away from the traditional Active Directory to what we call Azure Active Directory, Azure AD. But there's still so many implementations of Active Directory within most organizations and most enterprises. The interesting part is, Active Directory actually is a security tool and it is used because of access that is granted through the use of that tool. Well, Japan suffered a cyber attack and they're pointing their fingers specifically at their Active Directory implementation.
Now, according to them, nothing has been breached, no data has been lost. I shouldn't say nothing's been breached. They've had individuals within their network or something has happened within their network, but they haven't had any actual data exfiltration, according to them. But it did shut down part of their network, including their intranet, and they're not really sure the overall extent of the incident. Now, this was as of today, Wednesday, July 29th. So, an interesting part of all that is just that, as you are getting into your cybersecurity career and you are looking to expand, there's going to be a lot of opportunities for you. But one thing to consider is, as you go into these organizations, also consider the fact that what they may have in place is outdated. And then how do you work to gain their influence, their trust, I should say the organization's influence and trust, so that you can help make changes within that organization? I can only imagine, I don't know firsthand, but I can assume that many of their deployments within the use of Active Directory might be a bit aired and they may need some assistance. So just keep that in mind as we are studying for your CISSP. You are in a great career field and have a lot of opportunities to help people and help other organizations, as well as make some good money. Okay, so let's get started, and we're going to be talking today. It's domain 6.5, and this is going to be associated around various assessments, tests and audit strategies that are associated with the CISSP and you can find within any cybersecurity organization. So when we're looking at determining your assessments and determining which way you should go as it relates to audits, you're going to need to come up with some various key factors, and one of those, as we start off, is you're going to need to develop a strategy on how you're going to test.
You're also going to have to develop some validating strategies and then you're going to have to determine which level of legal and regulatory compliance these all are tied to. So as we break this down a little bit, let's get into the security strategies. You need to kind of understand, and we talk about this a lot in CISSP Cyber Training, which framework are you going to follow? You need to pick a framework. It's really important that you follow one, and the reason I say that is because in a previous life I had a situation where we'd have frameworks that are part of 27001. We had some that are part of the NIST Cybersecurity Framework, and it was fine because all the framework does is give you guidance and direction which way to go. However, when I didn't just pick one and follow that one, then it made it very convoluted and a bit challenging when we're trying to talk with other third parties, when they ask the question which framework do you follow? If I don't follow one, I follow, well, I follow a combination of 27001 and a combination of the Cybersecurity Framework and so on and so forth. That gets very convoluted, very, very challenging. So therefore, you need to pick a standard that you are going to go by, and then you need to look at what are the appropriate assessment types that you're going to use towards that standard. Are you going to use internal audits? Are you going to bring in external audits? And when we talk about internal and external, the internal could be someone within your organization, it could be somebody outside of your organization. So if you have two companies and company A's IT department is doing this assessment audit and you would like an assessment done, well then you may pull in company B's IT team to do that audit or that assessment. So that's bringing an outside audit. An external audit would be your big three. You know, your Deloitte and two.
Sure, I'm just drawing a blank, but there's basically three main companies that you'll work with that can do these external audits. Now I say that, I say that from a very large company that works with various audit firms. If you're a smaller company that you're going to work for when you first start off, you may not. You can still bring in smaller audit firms just to determine what the legal requirements are around that. And so when you determine those things and what is your overall plan around an assessment, is it going to be a technical vulnerability assessment versus just a paper audit? You'll have to figure that part out as well. The strategy should be robust enough to identify your potential vulnerabilities and bring it back to the standards that are associated with the 27001. So, again, you use the 27001 as your North Star, as something you're going to guide to. If you do that, then when you do your assessments and your audits, they can then come back to this 27001 series. Now something to kind of consider is that, as I brought forward, as I'm going through this podcast, I'm recording the contents as well, and that'll be on CISSP Cyber Training, so you can go to the website. You can watch the video while you're listening to the podcast as well, because I've seen it. It works well when I actually listen to something as well as I am watching it. That does help out quite a bit. But I put in there some use cases: how does this work? Well, let's just say, for example, you're a multinational corporation and you have to do the testing on your global security strategy. You may have regular pen testing. Okay, you may have that for individuals. You may have employee phishing awareness assessments that you may do. So, basically, you're going out and testing people and then you make sure that these meet all of the international standards across all of your various companies. So you're going to do those things on a regular or routine basis.
If you have some sort of regulatory requirement that forces you to do that every year, you would do that every year, but at a minimum you need to have some of that defined for your company. Now, when you're looking to validate these various testing strategies, again, you may have to tie them back to: are there any external regulations that are forcing you to do that? So you must remain aligned to that. I'll give you an example. So, when we do testing within the European Union, there are various entities out there that require us, as we go through the tests, to send them a report of how the test went, and that's very indicative and very consistent with what happens here in the United States, especially when you're dealing with small. I'll use credit unions as an example, if you're listening to this someplace outside of the United States. A credit union is a smaller bank and it's a bank that actually is defined by the shareholders, by individuals. As I deposit $10,000 into a bank account, then I become part of this overall bank ecosystem and so therefore, it's member owned. All the members own this small bank. If I've done work with credit unions in the past, and the credit union one has to have this assessment done for its shareholders, for people like me, to say, hey, we've done this, we're watching what's going on. But they've also had to do it for regulators within the United States and give them an output of what this report is. So you're going to need to have that defined and decided upon within your organization. Who's going to get the report? Who's going to provide the report? Another key thing to think about as you're looking, and again, these things I'm telling you are covered in the CISSP. They're going to ask you questions. I'm giving you the mindset of a CISO so that when they ask you these specific questions, you can understand where they're coming from as it relates to the test question itself.
But one of the other aspects is, as you provide this information, you have to then work with your senior leaders to determine who's going to provide this information to the bank. As an example, as a security person I would not provide it; our legal team would provide that information to the bank, or I should say even, yeah, our senior leaders, senior legal team or potentially our president himself. Legal regulatory compliance: again, you want to stay in alliance with all of these regulatory compliance requirements. That includes GDPR, HIPAA, any other privacy requirements that you're seeing out there. You'll want to make sure you focus with it. Any other government requirement for critical infrastructure, you'll want to basically follow that as well. When I say critical infrastructure, let me give you just a spin on that one. So if you are a manufacturing facility and you deal with some things, let's say you're a refinery and they consider you critical infrastructure because you manage pipelines or something like that, then what may happen is you may have to go and do assessments and audits and give that information to that leadership to ensure that you are actually doing what you say you're supposed to be doing. So you're going to need to. There's a lot of people that are involved in this overall process and therefore it's important that you understand what assessments need to be accomplished so that you meet these regulatory requirements that are out there. So now you're going to be conducting security control testing. What are these? So, as you're looking to do vulnerability, one of the aspects you've got is vulnerability assessments, penetration tests and then log review analysis, and then, obviously, you may end up doing some level of code testing on all of this. So this is the part that falls under the control or the security control testing that you're going to accomplish.
Now you may want to regularly scan your systems to find vulnerabilities. Now you may use a tool such as Nessus or Qualys or something along those lines to do a vulnerability assessment within your organization. Now these security control testing mechanisms are designed to highlight where you may have a problem and therefore, by having this issue, you can then go out and address the problem specifically. As an example, you run Qualys within your organization. Qualys is a scanner. It's looking for vulnerabilities within systems that are inside your company and therefore you then get that information and you work with your infrastructure team, or maybe you are the infrastructure team, and you go and you mitigate those issues directly. Now there also may be a time where you sit down and you go, you know what, I'm going to accept the risk of these vulnerabilities because, let's say, for example, you have systems that are very old and maybe a little bit antiquated, but they're critical to run your business and you have a plan to remove and replace them. But it's going to be a period X, so once that happens, you may decide, you know what, we're just going to accept some of that risk for the next four, six, 12 months. But in the process of accepting that risk, you are also going to put in some mitigating controls to limit what actually happens. Now, when you're doing this, again, this process can be very time consuming. Also, when you do vulnerability scans, depending upon the type of equipment, I've done these in the past where it can be very disruptive to an organization, especially if this is doing what we call a deep scan of your network. Now this again, it's pretty dated. It's been a few years since I've done a vulnerability scan, so the tools out there today may be much better and don't cause those kinds of issues.
But I will say, if you do vulnerability assessments against very sensitive systems such as your process control environments, you may run into problems because they don't do well with scans, bottom line. But you'll use this vulnerability assessment tool to scan your platform and, as an example, if you're a bank, you may do that for your online banking system. You may do external scans specifically for it, because you don't want someone to take advantage of it. So, therefore, you will do this, looking for any potential out-of-date software, misconfigurations, anything else that could be exploited by attackers. The next thing we're going to talk about is penetration testing. Now, the penetration testing, I did those as well, and that's basically where you're trying to find one vulnerability to go into an environment. They call it, you'll see it on the CISSP, maybe potentially called a black box test, and you may be doing a black box test against maybe potentially new web applications or something that is out there on the internet and it's externally facing. This is where it's weird: you're looking, as an attacker, for one way into your organization. You're not looking for the plethora of them. The other thing you're going to notice that a pen tester or a hacker will do is they may use scan data that's on the internet, but they typically will not try to go and bang on a specific web server sitting on the internet. And when I say bang on it, what I mean is that they will not go and throw everything they have at that one web server to try to break in. They're usually, I say usually, much more sophisticated and methodical and slower in what they're trying to accomplish. Because if you go and bang on this box, if you bang on this web server, you now are highlighting the fact that you are targeting this web server.
If I'm a bad guy or gal, I don't want people to know that I'm actually targeting it, so therefore I won't. I really don't want to let them know that I'm actually looking at it. So you may see those are going to be very finessed types of attacks against your company's assets that are online. But you may have this software. So let's use an example of a use case. There's a software company. It releases a new application, so you have this new app that's sitting out there and it wants to have a third party do a black box or a pen test against their new application that's sitting out there. The goal is that it will uncover flaws or maybe potential improper session management. They may have bad username and password requirements, they may not have multi-factor enabled, but you want them to look at this before you bring it to the public, because once it comes to the public, then everybody is going to be after it and looking at it. And, granted, if it's on the internet, everybody's looking at it. But if you now highlight it and use it as something you want your people to look at, it will become a problem as well. Log reviews and analysis. You want to make sure that you do go through and have systematic reviews of your logs to ensure that there aren't any signs of malicious activity. I've seen this time and again where in a previous life we would go in and we would modify the logs a little to try to change them from what they look like. Typically, if you have a decent hacker, he or she will not go in and delete the logs. That's usually a bad idea, because if you go and delete the logs, you now highlight the fact that you've been there, so they will go in, they may modify them, or their goal is that they also understand, most attackers, that people are not necessarily looking at the logs because they don't have some level of automation in place to help them. So therefore they kind of hide in what we call the chaff.
In Kansas we have wheat, and when you have wheat you want to get the seed out of the wheat. You beat on the wheat itself to get the seed out so that you can turn that into whatever bread or whatever else you want to turn it into. Well, what's left is the chaff, and there's all kinds of noise that's on within a business network. You want to hide in that noise, you want to hide in that chaff, and so, therefore, that's what ends up happening. So you, as a cybersecurity professional, really need to have some level of log reviews that you can utilize to help you find out where the attackers are within your organization. Now, synthetic transactions and code testing. If you're doing some synthetic transactions, these are to simulate user interactions. I did this with my development team. They would actually have automated interactions that would occur with their web development environment and it would act like a user when it's trying to accomplish this. You would also conduct code reviews to find security vulnerabilities that may potentially be out there, such as, maybe, a SQL injection, maybe any sort of aspect that you may be looking for, cross-site scripting attacks. You're going to want to go through and have these simulations occur to ensure that you have the proper protections in place for your organization. So the use case that we've got is like an online retailer uses a synthetic transaction to test its website checkout process. Now, if you're doing website checkout, if you're using some sort of online checkout for your website, I highly recommend bringing in, integrating a third party to do this for you rather than trying to do it yourself with your development team. There are people that are very good at creating these kinds of plugins for your websites. I would highly recommend that you have third parties that will provide you those plugins so that you can be successful.
If you have your development team do it, they may or may not be successful, and now you could open up your company to a lot of risk, but your ultimate goal is that you want to ensure that your product team, that your teams, are actually doing the right thing when it comes to these transactions. So, as they're going through the secure checkout process, you want to make sure that the team is doing this and they don't have the ability to have input flaws, where they could then do a SQL injection into your code, and a SQL injection basically is a line of code that's added to your input lines which then goes in and will either be able to pull data out, you know, through using a script, it'll be able to pull the data out of the SQL process, or it will make it burp and give information to you. So you're going to want to go through that overall transaction process if you're dealing with a web application. Now we're going to get into collecting your secure process data, and how does this specifically work? Now we're going to talk about some key points of account management, audits, management reviews, process reviews and compliance with any agreements that go with that. So when we're collecting the security data that's out there, you want to make sure that you are creating, maintaining and deleting your user accounts. You want to make sure that any user account that you have, you are going through a process, a management of change process, so that as a new user is created, they are then removed when they are no longer needed. I see this over and over again. And now this is becoming a much bigger problem with the cloud, in that when users are created, they are never removed, and bad guys know this, and these people are then leveraging this capability where you created an IAM role or an account within a cloud, and this account has a certain level of privileges that it's allowed to do and it doesn't get removed.
And then, therefore, which is bad, right? If it's internal to your cloud, it's internal to your network, that's bad. But in many cases, they will allow some level of, because it's in the cloud, it's in somebody else's data center, whether it's Google, Amazon, whoever, it could potentially be accessible by the internet, and if that's the case, you now are increasing your risks substantially. So what does this look like when we're dealing with a management audit? So we'll go, in the case of a university, it will conduct a regular audit of its account management process. So if you're in a university, you're checking your students, your staff: have they been granted access to only the necessary resources that they should have? When I was acting as a professor at a local college, they would do that with my account. They had routine rotations of credentials. They require multi-factor. And that's a really big thing, I think, especially as you're dealing with your student body that is coming and going, as well as the leadership within that company as well, because teachers will come and go. I mean, I was there for two years and then I left, so you can only assume that teachers will come and will go as well. Now, management reviews. What are some management reviews? What does that actually mean? Well, so I go through this process, but you're going to want someone that understands your overall security policies and will follow through to ensure that they are being followed by the staff or by the people that they are going against. So if I have a security policy within my company around password management, I want to make sure that I'm reviewing the policy and I'm reviewing these logs to ensure that people are actually doing what they're supposed to be doing.
So you could have a semi-annual management review where all departments must adhere to your company security policy and you're then going through and double checking to ensure that they are doing that, and then, on top of that, you may provide them some level of security training, followed by the overall requirement that they have to do. So it's important that you have the policy set, you provide the policy to the people, you then go through and you enforce the policy, maybe by tools that you have in place, and then you follow that back up with training for the policy and then you follow that back up at the end and verify people are actually doing what they're supposed to be doing. Now we're dealing with process reviews. Basically this is what they are. One thing you may see within the CISSP is you may conduct interviews or walkthroughs to assess the processes and understand if they're being implemented. One aspect, it may not be a physical interview, but let's say you require that all screens be locked when you're done in that room. You may walk around looking specifically for screens that have been locked: if people are away from their computer, did they lock their screen? You may be looking for, maybe you have a shred policy where all documents must be shredded using, I highly recommend, a crosscut shredder, not a strip shredder. The reason is I have put lots of strips together to make lots of documents. Yes, I've sat in hotel rooms listening to lots of music, putting together strips and strips and strips of paper. You've got to use crosscut. Crosscut makes it wonderful and it's also great bedding for hamsters. Okay, but sorry to digress. The point, though, is that you're going to want to go through. You can actually go through and make sure that there's no printed documents that are sitting on the printers, that the shred bins are empty, that you have gone through.
You have crosscut shredders. You can do walk-arounds on these cases as well and then highlight problems that you're potentially seeing. So I've seen this time and again. When you'll go to a printer, many times people that use printers, they're not used as much anymore, but people that do use them don't have a key lockout where you have to add in a PIN to get the information out, and you'll see many times that you can go just hit print on the printer and it will burp out all kinds of files that maybe are waiting in the queue to be printed. So that's another way that you could do that when you're doing your walk-arounds. Now, what are some of the compliance with the various agreements? You may have SLAs, which is your service level agreement, or BPAs, which, it's kind of called a business partner agreement. You may have these in place with various third parties to meet some level of security standard. Now when you're doing this, say, for example, you have a third party that comes in that routinely works within your manufacturing facilities and say you're a tractor, you make tractor parts. You have a third party that comes in and they help you make these tractor parts. They provide the boxes, the chip. They're the chip manufacturer, whatever that is for this organization. You may have this third party come in and you may do reviews and look at what is the agreement that these folks have with you. Now, what kind of agreement could that be? It could be data sharing agreements, like they're sharing data with me because I'm a tractor manufacturer. It could be they support me from a third party in the remote management of my process. What does that SLA look like? And so you would need to go through and ensure that these SLAs are fine and are being followed. So one example might be, let's use the remote access one, where you are allowing a third party remote access into your environment.
If you're allowing them to have access into your environment, do they have the proper software they're using? Do they have encryption in place? Are they utilizing the right security tools to allow access into their networks? So there's lots of opportunities there within the SLA aspect. So now we're going to get into: you're going to analyze your test output and you're going to generate reports. Now, when you generate reports, you're going to look at the overall test results and then come up with what does this look like. Then you're going to have those findings, those report findings, and you're going to provide those to whomever may need them within your organization and you're going to ensure that they are accurate. So, when it comes to doing your analysis of these test results, you're going to look for potential, let's say, for example, weak passwords, and are these weak passwords being used across multiple systems? I see this time and again that you may have weak passwords on your overall workstations, but they may utilize multi-factor authentication to help minimize or reduce that risk. When it comes to using other products that are out there, when you're talking about passwords that are associated with servers or service accounts, you may want to run different types of tools to help you with that. You also may want to incorporate tools such as a security information and event management or SIEM tool to make sure that it is looking for these various flaws that you may have within your environment. So I've used SIEMs to help me root out service accounts: which ones are not good, which ones have bad passwords, which ones are not being logged into. You may utilize the logs off of those to help go, you know what, we're going to get rid of this X account because no one ever uses it, no one ever logs into it.
You're also going to find out that most people, especially network folks within your organization, are what we call hoarders, and what that means is when they get something, they hold on to it: service accounts, other types of accounts. People are hoarders and they will hold on to that information and they don't like to get rid of it. I will arbitrarily go in and if I see an account that has not been used in quite a substantial amount of time, then I will disable it, and then I have a plan set up so once it's disabled, it will then be deleted, because I don't want spare accounts just floating around within my environment. Now, once you get a report, you're going to have this report and you're going to provide this report to somebody. Right, it could be to auditors. It could be internal or external auditors, it could be your senior leaders, it could be your compliance and ethics folks, it could be your CIO, but you want to have this report available to provide to them. Here's the other thing with reports you need to keep in mind, and this isn't necessarily a CISSP thing, this is a cybersecurity mentoring thing: keep them simple. Be brief, be brilliant, be gone. You want to have them simple, simple enough that it provides the information, but not too simple where they're asking lots and lots of questions. You can do that in many different ways, but I've been offering up some consulting for individuals and cybersecurity mentorship. Get with me, we'll get you worked up with some time on that and I can help walk you through, from a CISSP perspective, what you should do to help protect your company and ways that you can also meet with your board and so forth around those types of items. But you want to be able to provide those types of report findings to individuals and this typically can go to the board of directors as well. I've been in front of many boards talking about the various risks that they have.
One thing you're going to have to do from a mentorship standpoint is break it down in a way that they can understand it. They're very intelligent people that are on these boards, but they're not necessarily intelligent on cybersecurity, just like you may or may not be intelligent on the inner workings of a business, the profit and loss margins. They use all kinds of terms like NIAAT, you name it. You may not be up on that, so therefore they may have to educate you, but when it comes to cybersecurity, you are the expert. You need to educate them in a way that they can understand it and they can digest it and internalize it. Then, once you get all that information, you get that report. You want to integrate that and validate it within your company. So you want to look at different ways to validate the accuracy and the comprehensive view around your overall security posture. This typically comes around after you have assessments, penetration tests and code reviews. You then want to take this information you've learned and internalize it within your company. As an example, I used to meet with my developers about every two weeks; we would go through and I would go through a security question with them, something to get their minds thinking. I would provide them documentation on what they should be looking at from a security perspective. One thing I saw recently that was really cool was pipelines within AWS and how you can utilize credential and secret storage. I'd heard of it but I didn't really understand it, so I had someone kind of walk me through it. It makes a lot of sense, super cool, super helpful, but I will say that my knowledge, what limited knowledge I have in development, was extremely valuable when I talked with my AWS guy who understood this information, so I could actually get what he was doing and the importance of it. Now you want to conduct or facilitate a security audit.
Now there's various pieces that go into this security audit. You're dealing with planning, obviously, and management, execution of the audit, then your audit reporting piece of this, and then, lastly, your follow-up, and what are you going to do around it? So when you're dealing with planning and management, you want to define the scope. The one challenge you're going to run into when you're dealing with audits and assessments is scope creep. And what does that scope creep mean? It means you start with one initial scope and, next thing you know, somebody adds something else on and then something else gets added on, and, before you are done with your assessment, you have this very large, voluminous assessment that is beyond the initial scope, the initial criteria in which you decided to do this. So you really want to watch what that is. You also want to make sure that the methodology and the objectives are well defined for all parties. You don't want your assessment folks going off and assessing areas that aren't as valuable to you, because, especially if you're bringing in a third party, that's costing you money; you don't want them to be chasing rabbits that you don't want them chasing. You want them to chase the rabbits you want them to chase. I don't know if you ever chased rabbits. Yeah, I have. That's not fun. It's like chasing chickens. It doesn't work well; you run all over the place and it's really hard to catch them. So, yeah, chasing rabbits is not an easy endeavor. Yeah, so anyway, sorry to digress, yes, my ADD brain kicked in there, but one of the use cases that comes in is a financial institution may be preparing for an upcoming audit. What are they going to do? They have to have this audit plan done and reviewed, and it needs to be reviewed by everybody involved.
So that way, when the report is provided to the regulators, which would be under SOX or GLBA, it has been understood by all parties, and then, when you give it to the regulators, they understand exactly what you're providing to them as well. Then you execute on the audit, right? So this is the part where you actually pull the trigger on it and you are sampling, observing. You may be doing different types of things with it. I will tell you this from a security standpoint: the audits that I have accomplished have been very narrow in focus. They've been very targeted, because I don't have the resources to do them on a large scale. When they're on a larger scale, then I will bring in a third party, because they have the resources, the manpower, to be able to do that for me. Now, that does cost money. A typical audit can cost upwards of $50 to $100,000, just depending upon the size and scope of it. But you may have to do that. So let's say, for example, you are a credit card company, or you take credit cards for your organization, and in the process of taking credit cards for your company, they want you to do an audit. Now, depending on the tiers, we'll talk about PCI DSS, they have various tiers in which you have to provide information to the credit card agencies. If you're a small mom and pop, they just want you to follow the guidelines. They have the network guidelines: you have a router, is it segregated? And so on and so forth. As long as you follow that and you don't have any issues with your credit card, they'll let you have the credit card. If you're getting to be a bigger company, let's say Stripe or Square or something like that, they're going to have routine audits that they have to provide, and then they have to report these audits to the credit card bureaus to ensure that they maintain that ability to process credit cards. So you may have to provide those PCI DSS standards to that company.
So again, defining the scope: what is the scope of these audits? You may have multiple audits in one year. If you are a financial institution, especially one that's accepting credit cards, you may be audited on a quarterly basis or at least every six months, depending upon what the requirement is for the organizations you are working with. Now, once you get the report, you then provide these detailed findings, recommendations and management for your stakeholders. It's important that you have all that available. When you're dealing with healthcare specifically, you will have to provide that information to parties that are interested in how you're protecting this sensitive data. This would, in the case of medical, like I just mentioned, be meeting the HIPAA requirements. So if you get a question on your CISSP that is asking about medical, the first thing you should focus on is HIPAA. Now again, that doesn't mean the answer is going to be HIPAA, but you need to get into the mindset that if it's financial, it's SOX, maybe Gramm-Leach-Bliley, GLBA; if it's medical, it's HIPAA. So it's important for you to know these different regulations that are out there and, more or less, the focus area of them. One of the students that I have in CISSP Cyber Training, we went back and forth quite a bit on some of these questions, and she did an outstanding job. Basically, her point was she followed our blueprint, maintained the blueprint, did the blueprint, and then, as she was doing the blueprint, she went through the different types of podcasts that we had, the content that I have on CISSP Cyber Training, and she passed the CISSP her first time. So she did a great job with that. Very proud of her. And again, though, it comes down to this: she followed the plan. If you follow the plan, you will pass the CISSP. But where it gets into trouble is if you don't follow the plan and you kind of come up with your own ideas; yeah, then it's a crapshoot.
And if you've played craps in the gambling world, yeah, I never win, ever. I always go on black and then I lose. Is that even part of craps? I don't even know. Anyway, that's roulette, let's see. See, I don't even know what I'm talking about there. So then, once you get done with that, you follow up with your audit recommendations, and then you ensure that these are implemented to address the things that you found in the assessment. So your security patches, you make sure that they're updated. Any of the mitigations that you put in place, are they sufficient, or are you going to allow them to basically continue, or are you going to remove them? So you're going to need to follow up after the end of that audit. And then the last thing I want to get into is continuous improvement. Again, you want to utilize the audit outcomes. When I say that, it's because so often I've seen audits that have occurred, you get the report, you then put it on a shelf, never to touch it again. You really want to utilize the outcomes of these audits to then implement changes within your company. So one example would be, I've seen numerous. If you guys go to, what's the name of it, Troy Hunt's Have I Been Pwned, I think that's what it is, you can see all of the passwords that have been compromised. And then, in the case of, say, maybe within your organization all you require is username and password, well, if you know that that's all that you require, and you know that almost 99.9% of the people out there reuse passwords, you are setting yourself up for disaster if you don't put in place a stronger password policy or, potentially, multi-factor. And if you're doing that, that would be maybe a finding from the audit that you found, that they recommend putting in multi-factor to help reduce this risk. Now you take that information and you implement it within your organization. That's the outcome you want to try to have.
You also want to get into risk management and then policy and procedure revisions. And what does that mean? So, your risk management: you want to then turn around and look at, if you know that you're in an industry that has a higher level of risk for cyber attacks, then you need to look at what you should do in that space. So if I'm at high risk for cyber attacks, or my system is highly critical, and the audit said that you have critical systems that could be compromised, you then need to go and have a better, stronger backup and backup policy. You need to have better resiliency within your organization, maybe have a segregated network architecture, all of those things. If the audit came back and said this is what you should go do to help reduce your risk, then that would be the expectation: now that I did this audit, now that I know that I should go fix these things, I am now going to go fix them. And then the last thing is that you should go and make changes to your policies and procedures to reflect these changes. So use multi-factor as an example. If I have a policy: one, I increased my username and password, or my password complexity, so that would be in the policy. Two, I have multi-factor as a requirement for anybody gaining access to my business information. That would be in the policy, and I would then revise my policy to meet what I'm requiring them to do. And the purpose of that is just so that people see it and they go, "Aha, yes, I need to make changes," because this is why the multi-factor kicked in: because of x, y and z. So it's important that it's an ecosystem, it's round. It's a donut that you start at one end and you end up all the way back around, and donuts are good, but that's it, right? That's what you're supposed to do.
And if you follow these procedures and you follow what's in this podcast around audits and assessments, if you take that away and you just do the basics, you will create a very solid and robust program around your overall policies and, basically, the overall cycle of audits and assessments. So that's basically what I have for you today. And one thing I'm going to go back over to is CISSP Cyber Training. There's some great training out there for you, specifically to help you pass the CISSP. I am going to tell you that the prices are going to be going up very soon. I haven't had a chance to put it in place. I wanted to put it out for Black Friday. I'm just too bloody busy, so that will be coming. My plan is to have that in place by Christmas, but at a minimum, the prices are going up due to the fact that demand is just so much and I can't keep up with the overall capability. So the value is just going to be there for you. I guarantee you, you will be happy with what you see. There's a lot more products that are coming out. With that increase, there's a lot more capability that you're going to have, and some of those you're going to have much greater access to me specifically, and so I can help you with your mentorship of your cybersecurity career, as well as I can help you with studying for your CISSP exam, because that's what I'm here for. We're putting this together. I want to see you succeed, just because it's so important for you to get out there. I've seen time and time again that there's more and more issues that are happening. I just saw another water treatment facility that got hacked. It's imperative that you all get your certifications, because you've got to get your certification to get the jobs, and I feel strongly that you all will be a big factor in helping protect our global economy, our global world, from cybersecurity attackers that are coming after all these different companies. All right, again, go out to CISSP Cyber Training. It's amazing.
You've got great content out there. If you haven't gotten in now, I highly recommend it, because the prices are going up and I just haven't had a chance to do it. So have a wonderful day and we will catch you on the flip side, see you.
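The stale-account clean-up the speaker describes earlier (use SIEM logs to root out service accounts nobody logs into, disable them, then delete them after a planned grace period), as an added example that is not from the podcast. The log line shape, the account inventory, the thresholds and the review date are all constructed; it also goes one step further than the episode by flagging idle accounts that still see failed logon attempts, which is worth a look before deletion.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample SIEM export in a "timestamp account event" shape
# (assumption: a real export would first be normalised to something similar).
SAMPLE_LOG = """\
2023-11-30T08:15:00Z svc_backup LOGON_SUCCESS
2023-06-02T23:10:00Z svc_legacy_etl LOGON_SUCCESS
2023-11-29T09:00:00Z jsmith LOGON_SUCCESS
2023-11-29T09:05:00Z svc_old_report LOGON_FAILURE
2023-01-15T04:00:00Z svc_old_report LOGON_SUCCESS
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGON_SUCCESS|LOGON_FAILURE)$")
NOW = datetime(2023, 12, 4, tzinfo=timezone.utc)   # constructed review date

@dataclass
class Account:
    name: str
    disabled_on: datetime | None = None   # set when the account was disabled

# Constructed account inventory (assumption: exported from the directory).
INVENTORY = [
    Account("svc_backup"), Account("svc_legacy_etl"), Account("jsmith"),
    Account("svc_old_report"), Account("svc_never_used"),
    Account("svc_retired", datetime(2023, 10, 20, tzinfo=timezone.utc)),
    Account("svc_pending", datetime(2023, 11, 20, tzinfo=timezone.utc)),
]

def parse_log(text: str):
    """Return (last successful logon per account, accounts with failed logons)."""
    last_ok, failed = {}, set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a logon record: skip it
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        user, event = m.group(2), m.group(3)
        if event == "LOGON_SUCCESS":
            last_ok[user] = max(ts, last_ok.get(user, ts))
        else:
            failed.add(user)              # failures are not "use" of the account
    return last_ok, failed

def review(accounts, log_text, now, idle_days=90, grace_days=30):
    """Bucket accounts: disable idle ones, delete disabled ones past the grace
    period, and flag idle accounts that someone is still trying to log into."""
    last_ok, failed = parse_log(log_text)
    out = {"keep": [], "disable": [], "pending_delete": [], "delete": [], "probed_while_idle": []}
    for a in accounts:
        if a.disabled_on is not None:
            past_grace = now - a.disabled_on >= timedelta(days=grace_days)
            out["delete" if past_grace else "pending_delete"].append(a.name)
            continue
        last = last_ok.get(a.name)
        idle = last is None or now - last >= timedelta(days=idle_days)
        out["disable" if idle else "keep"].append(a.name)
        if idle and a.name in failed:
            out["probed_while_idle"].append(a.name)
    return {k: sorted(v) for k, v in out.items()}

def run_review():
    return review(INVENTORY, SAMPLE_LOG, NOW)
```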
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!