Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:21):
Alright, let's get started.
SPEAKER_01 (00:26):
Good morning, everybody. This is Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday, and today we're gonna go over some great parts around the CISSP. So I hope you all are excited and strapped in, ready to go, because it's gonna be a wild ride. You know it, it always is.
(00:46):
That's also, sorry for that, I sound like uh Lou Rawls or the guy on the Arby's commercial that has "you got the meats," because yeah, I've got this deep voice because I've been fighting a cold for about the past week and a half. My uh daughter, she graduated from basic military training from the Air Force, and we went and saw her and got to experience that. It was a great opportunity. And in the process, I was exposed to around 2,000 people,
(01:09):
and of which somebody had a cold or something. Who knows what it is anymore? But yeah, so I have this really cool, sexy, deep voice right now. And uh maybe you're probably not thinking it's sexy, you probably all think it's quite annoying, but like my wife. But that is okay because we are gonna get into something around domain six today.
(01:30):
And today is domain six, and we're gonna be getting around the aspects of conducting security audits. And one of the aspects that you will focus on when you are doing your CISSP is around security audits and where do you do them, how do you do them, and so on and so forth. And an aspect also that you'll see in this is when you get in your own world and you're out there doing your own security
(01:51):
stuff, you may be called upon to do security audits for different agencies, different entities within your company. I've had to do multiple audits for uh my finance team because they didn't understand the security aspects of these questions. And so I had to assist them during the audit process. So we'll get into a little bit of that. But before we do, I had an article that was out there in The Register.
(02:12):
It's around an open source LLM tool, which is your learning, large learning module, module or model. Yeah, see, I can't speak either. I sound really cool and I can't speak. So it sounds to be a great way to start a podcast. But it's primed to sniff out Python zero days, which I thought was interesting. And this is the part where the LLMs, you know, people are like,
(02:33):
well, people are gonna cheat. I had, when I was teaching college, we thought students would cheat using LLMs, which they did, but they're getting better and better so that now they can cheat without me knowing that they're actually cheating. But that being said, that being aside, is the fact that this LLM is actually going out to sniff out Python zero days. Now, Python as a whole is a pretty substantial uh amount of
(02:54):
the code development that occurs within uh the overall ecosystem of the globe. And even I was exposed to Python doing teaching stuff when I was at Wichita State here in Kansas. And a lot of it is because there's big companies that are using it. Obviously, it's open source, so there's a lot of ability to reuse libraries. There's also rapid development and evolution in that whole
(03:15):
space. And so uh Python would be a really good language to start on. Uh uh C sharp, maybe not so much because it isn't as prevalent as something like Python. And a lot of the open source stuff is in Python. So therefore, this tool was potentially an option for that ability. And this software is called Vulnhuntr, uh, V-U-L-N, Vulnhuntr,
(03:39):
and then H-U-N-T-R. And it was introduced at the NoHat security conference in Italy on Saturday. And what's an interesting part about this is that it has a great capability to really help companies that have development teams to maybe run through their code to make sure that there aren't any potential zero days in there. So, with the quote from them, it automatically finds
(04:01):
project files that are likely to handle remote user inputs. And they look for potential vulnerabilities and then they look for specific ways to optimize and fix those vulnerabilities. So I think it's a really cool tool, uh, especially if your team has a development team, you have a development team in your organization. Uh, the one part they have is it looks for cross-site scripting, uh, cross-site request forgery vulnerabilities, and then also
(04:24):
privilege escalation. So there's a lot of different tools it'll work with. And I'd say honestly, if you had a situation where you worked a lot in Python and you didn't know how your development team was as it relates to security issues, this might be something to put out there just to see, just to see how it would work out potentially for you and your organization.
(04:45):
And even if it only found a few things, if that's already a way up than just having it out to get once your team gets done and they promote it to production, it's a good way to get started. So I think it's something to check out. Go to The Register, uh, that's theregister.com, and there's an article in there. Again, the open source LLM tool is primed to sniff out Python
(05:05):
zero days. So Google "the LLM Python zero days" and see what comes up. And that might be an opportunity for you to help in your organization. Okay, let's get started in what we're gonna talk about today. Okay, this is over 6.5 of the ISC2 manual around conducting and facilitating security audits.
(05:27):
So, as we all know, audits are an important factor in everything you do in cybersecurity, and there's also a lot of reasons why you have to do audits. And so the CISSP folk wanted you to focus on understanding how do you, one, how do you conduct them, two, how do you facilitate them, and then what's the importance behind them? And I think understanding that key concept is a big factor going forward. I get called on routinely to do audits for various companies,
(05:50):
and so this is an aspect that is near and dear to my heart. Now I will tell you, is it the most sexy thing in the world to do? And no, it's not. It's not the most sexy. Uh, it is one of those that can be laborious and time consuming, but the outcome can be very promising if they're done right, and not just that they're done right, it's the fact that where are the uh findings from the audit utilized by the senior
(06:14):
executives to fix the actual problems. So that's where it's a win-win, is if you actually do the audit, and then when you do, after you get done with doing the audit or the assessment, they bring you in to fix the problems. And so that's a key, really key point. And I've had multiple audits with uh PricewaterhouseCoopers, with Deloitte, with all these, the big big three folks that do
(06:36):
audits. And my organizations, they would come in and they would find findings, but for the most part, they were relatively positive findings or positive reports, and I'm not saying that to say my audits were awesome. No, they're not. We had some really good people, but what I was saying is I focused on the basics. And if you focus on the basics, if you have an audit that's coming in, and say you are the security person and you get an
(06:58):
audit that's headed your way, you're going, what do I do? Well, if you focus on the basics, that's what the audit teams are primarily looking at. They want to make sure that you have the things in place that will help reduce the risk to the organization and therefore reduce the risk of a potential bad thing happening. So let's get into that. So when you're dealing with security audits, what is a
(07:20):
security audit, right? It's a key concept. I don't know what that is. So if you've heard, first off, you've heard this term, well, hey, welcome to the party. If not, then you know, maybe this will open up some new eyeballs, or that's really open up eyeballs. Yeah, that's really bad. Anyway, so a security audit is a systematic examination of an organization's information security practices to assess
(07:41):
compliance with regulations, standards, and internal policies. So a good example of this is you have in the United States government, uh, when you're dealing with the Defense Department, they have to meet the CMMC standards, which is your Cybersecurity Maturity Model Certification. And if you want to meet the CMMC model, you have to go through and have various audits. You have to meet these audits.
(08:02):
And the purpose is then to make sure that your organization is meeting the standards, in this case, the Department of Defense. Now, it could be around financial audits, uh, it could be HIPAA, medical-related audits, it could be any of those. But let's boil that down to what are the main things they're looking for and focus on the fact that most of the audits are tied to a standard, which we'll get into in just a little bit. But the standards are to ensure that you are actually meeting or
(08:26):
exceeding those standards. So that they know, an auditor comes in, drops in with their parachute, and says, okay, where are you at? If you are following this standard, now they know that, hey, as long as they're not lying to me, which then they ask some more questions. Again, like when my kids are lying, I ask deeper questions to find out if they're really telling the truth or they're lying. They'll ask deeper questions to make sure that, hey, do you
(08:48):
really know what you're talking about? Or is it just a bunch of smoke and mirrors? But again, it's around compliance with regulations, standards, and potentially internal policies. You may have your own internal policy that maintains this level of standard within your company. So, again, the importance of them is, you're again, we talked about compliance and regulations, ensuring your
(09:08):
security posture meets a certain level. Now, because you may be in a governmental type environment, you have a security posture that needs to maintain at a certain spot. Like, an example is CMMC, or maybe you have external, you have an own internal audit team that is constantly looking at your environment. That way you will have to understand, you'll have to
(09:29):
maintain a level of security around that. It's also to improve your operational efficiency. As an example of this, let's say for a point you are currently provisioning accounts to anybody who starts in your company. Well, you have a very manual process, but the auditors recommend an automated process to provision new accounts with new credentials, with new entitlements.
(09:52):
And you actually then go through and you get that done. Well, now it went from taking a process that was very potentially error-ridden and taking a long time to being a very quick process where now your individuals that were doing that before can now work on something different. And so the point of that is it improves the operational efficiency of your company. So that's a great finding of the audits.
(10:13):
But they can get overwhelming, and you have to then, once you get the audit findings, break it down into bite-sized pieces that you can actually go and implement in a time frame while doing your job at the same time. And then support business continuity. A big factor you see this in today's world is business continuity and business resiliency. What are you gonna do when you get pwned? Because it's gonna happen at some point in time, your
(10:34):
company's gonna get pwned, or aspects of your company are gonna get hacked and you're gonna have to deal with it. So by going through the audit process, it will help support your overall business continuity and your business resiliency. So it's, again, important parts. Now, when you're conducting a security audit, you need to complete, first off, there's a complete or cyber risk
(10:55):
assessment. Now, an assessment and an audit are two different things, but they get used, and unfortunately by me sometimes, uh, used synonymously. And they're not. They're not, an assessment, it's just a quick brush look at what's going on. It might be a deep dive into a certain area, but at the end of the day, it's just an assessment, it's an assessing of what's actually going on within your organization.
(11:17):
Where an audit is a formalized process in which someone's going to do a deep dive within your company on a specific topic. Now that comes into where you have to determine the scope, uh, the boundaries and requirements of these audits. What are the limitations? How deep can they go? Where do they have to stay within? Because what can happen is these audits, I've seen it, where you
(11:39):
didn't set up a scope for these folks. They can get extremely broad and they come back with all kinds of findings and say, yes, you suck. You're a terrible organization, you guys should just quit right now and go away. You can get that, right? But that, that doesn't, it's not helpful. It's expensive because the longer they stay with you, the more money they charge you because they're charging you per
(11:59):
hour. So it can get very expensive, and then it doesn't give you the results you want. So you need to, if you want to focus on a very specific niche, if you want to focus on that niche, then you need to target them in that. So let's just say it's account provisioning. I want to know, I want to do an audit of my account provisioning because I see it as one of my biggest weaknesses within my organization.
(12:19):
Focus on that. And that's what they'll do. Uh, it'll help identify potential threats from carelessness to human error, technical threats. You know, again, one of the pieces that comes into is the insider aspect, right? I do insider risk for companies, I help them get that set up. One of the things I would ask of them to do is, first thing is, do a good quality assessment of their overall processes to
(12:40):
determine where they may or may not have an insider risk problem. And that's another aspect of it. Uh, and this also could come back to the development part, right? If you are a development shop and you see that they're not doing any sort of development uh work and they're not incorporating security within their development processes, that might be something that you would say is an internal problem
(13:01):
we need to fix. And so that's where this audit can come back to. It helps with vulnerability identification again, and then also highlights where they might be mitigated by certain levels of controls you may have within your company. And then it also will help identify potential controls you can put in place to limit these issues that you have. And the other thing around an audit that's important between
(13:23):
an assessment. So, an assessment, if I do it internally, I did it for uh a company and for maybe a part of my organization, what'll end up happening is that audit finding can be, go, okay, hey, that's awesome. You're great, thank you, move on to the next. But when it comes, that's an assessment, when it comes on to an audit, an audit typically, typically, not always, and we'll
(13:43):
get into this in a minute, is external. And you may have an external party do an audit of you. If they do that, they'd have a piece of paper that says, okay, you just spent like $100,000 on this audit. I need you now to go do what it says and use it as the template to fix the problems you have within your company. So again, those are just areas that they think about. So when you're looking also at an audit, you need to determine
(14:04):
the severity. Assuming the vulnerability has been exploited within a company, what would happen? Right. So this talked about the onboarding of new people. Say you didn't have a process, a manual process, and say that was a vulnerability that was exploited in your overall process in place. And now what happens? What could happen if you can no longer provision individuals?
(14:24):
Now, a small organization, that might not be a big deal. Larger organization that maybe you have a lot of contractors, and now you can't bring contractors onto your company, that could be a really big deal. So it just comes into is where you have to impact the severity of that. You need to determine your risk level, and this is based on the likelihood of this occurring, where how often will it happen within your company, and then what would be the potential
(14:46):
impact if that were to occur. And then lastly is, what is your response to this piece of this? So they would check to see if something bad did happen within your organization. How would you respond? How would you deal with the highest risk items first? What would you focus on? So again, those are key aspects that you'll run into when you're dealing with an audit. Now, an internal audit, this is, we're gonna break these into
Now, an internal audit, this iswe're gonna break these into
(15:08):
three different parts.
So you got an internal, anexternal, and a third party.
And the external and the thirdparty we'll get into are a
little squishy, but you will seeit'll make some more sense as we
get into it.
So an internal audit, this isconducted by an organization's
own security team or personnel.
So again, this is you are partof that auditing team.
And this can be in acost-effective way to really get
(15:29):
a good understanding of the internal processes within your company. And we would do internal audits within my own company. I would also then act as an internal external auditor to other companies that I worked with, but I was still internal to the company. That's the part where it's really kind of squishy. Um, but when you're dealing with an external internal audit, they are very effective.
(15:50):
They can be. As long as, again, repeat, as long as you have senior leadership buy-in on what you're trying to accomplish. I've done audits and assessments internally, and they have been absolutely worthless. And all I've done is wasted a bunch of time and wasted a bunch of money because you give them a product and the CEO is like, yeah, okay, thanks.
(16:10):
Have a nice day. The only reason I'm doing this is because checkbox, done. And but again, knowing that going into it, it's important for you as the person who's responsible doing this and as a CISSP with your integrity, right? We've got to have that. It's a key factor of being a CISSP, is that you provide them a great product so that if and when they may make changes and they want to actually do something with it,
(16:32):
it is there and available for them to do with it. Yeah, that was a really bad run-on sentence. But the point of it is that that's available for them if they ever want to do it. Also, haha, here is the CYA part of this because again, you need to provide them the best product you possibly can. You need to give them the great service, you need to make sure that it's there and with all the integrity you have to worry
(16:54):
about some of the highest risk to your company. But on the flip side, there's a little bit of CYA in the fact that if they get audited or something bad happens and they come back and say, you did not do this, you have a piece of paper saying, oh no, yes, I did. See, here it is. Ha ha, you didn't want to do anything about it. Also keep very good notes. Yeah, keep notes because that, you never know.
(17:14):
You could get pulled into something that you really don't want to be part of, and it's good to have notes to remember what you did because I don't remember what I did yesterday, let alone six months to two years from here. So, again, that's again, internal audits. Again, really good. One of the disadvantages, again, is I didn't really mention this, was the potential for bias or lack of objectivity. It is true. You know where all the dead bodies are, and you can say,
(17:36):
well, I know we're gonna get to that dead body sometime. It's not stinking too bad just yet. We'll come to it later. Um, that's a bit of a problem, right? You have to be very objective as much as you can, but it can happen with internal audits. External audits, these are conducted by independent third-party auditors. Now, this can be, when we say independent third party, this
(17:58):
could be, like I mentioned before, you could be part of an internal. Now, I worked with large Koch Industries at the time. It was a very large, large company, right? 140 million or 140,000 people, uh, multi-billion dollar company. And working in security for Koch Industries, great opportunity, super opportunity, very good company. That being said, I worked on auditors, I was an auditor for
(18:19):
some of the other Koch companies that I'd have, and I'd come in as an independent um assessor and look at what they had in place. And it did, it did give me the ability to have more of an objective look at their environment. It also, I knew where some of the dead bodies were, so I wasn't as objective as I would be from coming as a completely third-party auditor, but I was much more objective than just
(18:42):
going in without having any knowledge at all. So it was a good trade-off. So that's where I can see you as an individual working to do an audit for somebody that's internal to your organization, to your overall company, but yet not working within your specific space of that company. So the advantages of it, it's objective, it's specialized
(19:02):
expertise. Again, they pulled me in for a very specific reason, right? Insider risk is a big thing. They focused on that. That's where I would do that. Disadvantages, you have higher costs, potential for communication gaps. And that is true. When you're dealing with an external auditor, it will cost you. Do not go into this thinking it's going to be inexpensive. It is not. It's expensive. And therefore, though, you should demand because of the
(19:24):
cost, what are you going to get out of this? Right? I got to be able to get something out of this that is worth some value. That comes down to a lot of interviews that occur. So conversations, interviews, deep dives into what is important, what can they fix, what can't they fix, and so forth. I've got one that I've got coming up here soon that I'm going to be doing for another company. And the point of it is, is that is an area that we'll focus
(19:46):
on. Because knowing that you're coming into a greenfield that really didn't have security before, that's the other part you're going to have to understand, is if you go into a place doing an audit where maybe it didn't have security, you better start low and slow. And what I mean by that is if they didn't have anything, it's probably a lot of dead bodies everywhere, scattered everywhere. Like it's like a morgue. And you're going to have to go in and pick out the ones that
(20:09):
are really ripe that you need to, you need to get them buried. You need to put them away. Um, and I know it's really sounding morbid in this conversation. But that being said, you're gonna have to focus on that. Uh, third-party audits. What are those? These are conducted by external auditors to assess security practices of third-party vendors and/or suppliers. And this is a really big part in your supply chain and
(20:30):
understanding the supply chain risks that are associated with it. Uh, you have a lot of people, a lot of companies now are, it's all this just-in-time type of shipping, type of supplies. And if you don't have a good handle on your supply chain, any one of those little cogs in this wheel that get busted, then your wheel ain't gonna run real well. So you think about it this way, it's all it is, it's like a gear
(20:51):
shifter. And your gear shifter's got all these little tines all the way around the gear shifter. And these tines interact with other parts of your organization. But if you were to get a hammer and bust off a tine on one of those gears, your gear shift, your gear isn't gonna work real well. Well, so that's your supply chain. If you don't have a good handle of your supply chain, and what
(21:12):
are the risks potentially to them, you bust off one of those guys. So they just get hacked, and I've had this happen multiple times. My supply chain gets hacked, and I can't use anything from them for a period of time. I just bust it off a tine. Now what am I gonna do? Okay, so understanding that from a risk standpoint is really important. So this is where your audit will come into play, and that's what
(21:34):
you'll focus on again. And that's, folks, you're gonna focus on scope, frequency, and reporting requirements that are gonna come from these third-party auditors, and you're gonna have to deal with it. Again, coming back to expense. This is gonna be expensive. Do not think this is gonna be inexpensive. You're gonna pay in the upwards of $100,000 for a potential audit, depending on the size and scope of it. And if you may go, you know what, I'm gonna scope it down
(21:57):
so it's not quite so broad, and it's still gonna be $100,000. And you're gonna go, what the heck? Why is that the case? Because one, they got the expertise, you don't. Two is they're gonna tell you where your dead bodies are, which you probably already know, but they're gonna give you a piece of paper that says this is where they're at. And then three, they're gonna give you recommendations on how to fix those dead bodies, how to bury them. And then it's gonna be up to you to go fix it.
(22:19):
And it's really just you're paying somebody money to tell you where your problems are at, which you already know, in a formalized manner, and you're like, well, this is kind of counterintuitive. And it is, but sometimes you got to do that to be able to move forward. Because then with that piece of paper, you as an individual can then go to the senior leadership and say, okay, I need to fix these things. I need to hire five contractors tomorrow to fix these problems.
(22:41):
Whereas if you just say, I need five contractors, they're gonna go, what for? Well, because I got all kinds of dead bodies. And they're gonna go, well, you figure that out. I pay you good money. You go figure that out. So that's a good and other reason why you got to have these audits done. You all are probably going on to audit crazy and thinking this is absolutely nuts. I get it. Totally get it. Audit criteria and scope. Regulatory compliance, obviously big factor, PCI DSS, your
(23:03):
Payment Card Industry, uh, Data Security Standard, NIST Cybersecurity Framework, all these different pieces that are compliance that you may be required to follow. Uh, you may be required to follow the frameworks, you may be required because of PCI DSS to do an audit. There's standards and frameworks, as we talked about, there's ISO 27001, there's COBIT, there's uh different types that are out there that you may want to follow.
(23:24):
I would highly recommend that if you're gonna do an audit, pick one. Okay, it could be the Cybersecurity Framework, it doesn't matter. Unless you have a requirement to do ISO, I would pick the Cybersecurity Framework if you're here in the United States. If you're somewhere else, another country, you have a framework that they may have that you use. If they want you to use that, use that. Uh, it doesn't really matter, but pick a framework.
(23:46):
And I'm picking on the Cybersecurity Framework because it's relatively broad. It does get very narrow, but it isn't uh industry specific per se. You want to have internal policies and procedures that, what has been defined, what has been created. And you determine that will help determine which ones you have. Do not go hog crazy with this and say, hey, I've got to have
(24:06):
like 15 different policies and procedures. No, you don't. You just need to have a few. And like acceptable use policy, uh, password policy, just some basic ones you need to have. And then from there, move on. Because what can happen is you can drown yourself in policies and nobody even listens, reads them anyway. So there's no reason for it. Uh, risk assessments, assess the organization's risk management,
(24:29):
identify potential vulnerabilities within your organization. You also want to look at incident response, big factor. So if you're looking at, okay, where are my holes? How do I plug my holes? And then how do I respond when they find holes that I didn't know I had? Okay, that's breaking it down, that's boiling it down. If you do those three things realistically, if you do an audit that can break it into those three things and at a base
(24:50):
level, money, baby, money. You're making money, you're saving money, your people are happy with you. So that's what I would focus on. Security controls, assess and implement the effectiveness of your security controls. This means access controls, encryption, network security, you name it, all of those things. That's where you'll want to understand the security controls that you have within your company.
(25:11):
Being said, don't go hog crazy wild on security controls. You can tell I'm from the Midwest because I bring in a lot of farm animals into my conversations. But no, you don't want to go nuts with these security controls because the fact of the matter is that you will overwhelm people with, well, I need to make sure that I have a 50 or 36 character password.
(25:33):
I'm like, don't do it, please don't. Uh, do something simple, right? 18 characters, 12 to 18 characters, right? But even then, make sure you give them the tools like a password manager to maintain those passwords because you're gonna give them 12 characters and they're gonna go, I can't remember 12 characters. And what are they gonna do? They're gonna go post a note or they're gonna go copy, paste,
(25:53):
copy, paste, and you're gonna have the same problem you had before. So you're gonna have to educate them on the uh different types of security mechanisms you're gonna put in place to help them make their lives easier. So internal control, an internal audit. We exercise and determine the trained cybersecurity resources you may have within your company. Do you have them? Okay, how are they trained? How are they responding to issue situations?
(26:15):
What do you need to do? You'll look at them as an individual and then as a group and figure out what needs to happen. You're also going to evaluate your current controls and your processes within your company. And now an internal audit can be used synonymously with internal assessment. Unless you have somebody specifically telling you, I need an audit, an internal audit done because of X, then I would
(26:37):
consider what we call an assessment, where you're just doing the same type of activity, but it might be assessing one aspect of an overall bigger picture. Again, though, audit and assessment internally can be used synonymously, just depends upon the nature of what the request is for. You want to have a process that builds accountability to your organization and you want to make sure that you have buy-in
(26:58):
from your leadership. I can't stress this enough. Your job as a security resource is to influence individuals. You can bring out the hammer and hit people over the head and make them do things, but that's depending on your organization. In some organizations, you can't do any of that because they just won't let you. And plus, it's physically wrong. You don't want to hurt people. But that being aside, you want to understand that you're
(27:20):
going to have to do this through influence. You're going to have to make sure that people want to help you for a reason. They are there to help you because they want to help you. And it does build additional accountability within your organization because then now people look to you as the leadership and as someone that's going to help them fix their problems. Now, the key aspects around this is that you need to have it,
(27:40):
works, this internal audit willwork for the CEO, the CIO, or
the potential board.
Now, this is becomes security isbecoming a bigger factor in the
fact that you are now workingfor the board in many ways.
And that means that you areresponsible to the board on what
you're actually accomplishing.
There could be financial aspectsaround this as well, from
regulatory requirements, vendorsrequiring audits, you name it,
(28:02):
all of those different thingsthat are in place.
Now, there also might be vendorsthat are requiring an audit to
be done.
Say you have a certain vendorthat's working for you with you.
You may have to, they mayrequire you to actually have an
audit completed.
And they may have this documentthat says you may have to have
that.
You also may be requiringvendors to have audits before
you even work with them.
So understanding this overallinternal aspect of an audit is
(28:26):
an important factor in youroverall journey.
So some other aspects around aninternal audit would be they're
planned annually, sometimes ifpractical.
It just really depends upon whatyou're looking at.
You also want to avoid them fromreducing the disruption to your
(28:46):
company and to your operationsbecause doing an audit can be a
bit overwhelming to people,especially if they start doing
interviews and talking topeople.
And you want to really plan forthat.
Uh, you'll talk with your IT,your legal, human resources.
They all could be involved inthis depending upon what your
scope of your audit is.
So you want to be very cognizantof their time so that you're not
burning it.
(29:06):
Uh again, this comes down to the influence piece of this.
You can't, one thing I've seen with IT professionals, and
again, I'm a pilot by trade, so I'm not a geek.
And I'd say some geeks would probably look at that and turn
their nose up at me and go, you're not as smart as me.
And they're right, I'm definitely not as smart as them,
for sure.
Uh, but there's one thing I do have sometimes, which is people
skills, which sometimes they don't.
(29:27):
And so, therefore, if you want to be in a security position,
you want to make sure that you have an ability to influence
people, and that comes down to people skills.
And that means being cognizant of
people's time and asking them what works best for them,
knowing that you have to get your project done, but they also
have to get their projects done.
(29:48):
And therefore, if you understand that and you work with them on
this, you can go a long way in helping build a relationship
with them.
See, there's a nugget right there, big guys and gals.
Uh well, not big gals, but yeah, gals.
Yeah, because I'd probably get sued for saying that.
But there's a nugget there.
Influence people.
Influencing people is done by thinking about other people
(30:09):
besides yourself.
Now, the scope will determine your duration, system, facility,
and your group locations as well.
So it's important to understand the different scope and to express
that to the people you're working with.
Now, one thing you want to understand, this is actually a
really good bullet here that I kind of should have brought up
to the top instead of at the bottom, but the right to audit
(30:31):
clause.
So if you have contractual agreements with a third party,
say you know someone in your supply chain, and they are
working with you, you could put in there the right to audit
clause.
And I've done this with various companies to say, hey, at any
point in time, I have the right to audit you no more than once a
year.
And it's worked great because when I've had issues with some
(30:53):
companies, I will pull this out and say, hey, let's do an audit.
Yay, let's have fun.
And they grumble at me, but it works well because then
you kind of catch them off guard.
So something to consider when you're trying to build out your
program.
Again, though, I would be very cautious with that.
Make sure your legal team obviously is involved.
Don't just start adding clauses to contracts because
(31:14):
that will get you into trouble.
Again, influencing people, you know your job, they know theirs,
but help them to help you.
Responsibilities, risk assessments, internal controls,
and compliance, vulnerability assessments, incident response,
third party management.
Ah, wow, that's a lot there.
Bottom line is your responsibilities with an
internal audit can deal with risk assessments.
(31:34):
You're doing all of those within your company.
They also deal with helping with the internal
controls for your organization.
You will deal closely with your compliance team, uh, whether
it's your governmental compliance or it's your actual
internal compliance.
You may have one and the same, it may be different entities,
but you'll work with them all.
Vulnerability assessments, a lot of times the internal assessment
(31:55):
will be part of a vulnerability assessment that's done.
I would tell you the biggest nugget out of here, or actually
there's two big nuggets really.
I mean they're all big, but really the two big ones are
incident response and third-party risk management.
If you get those right, okay, if you get IR and business
resiliency right, and you get third-party risk management
right, and I don't mean you've got to be perfect, I just mean
(32:17):
you have an understanding and you've got something in place,
that's money, baby, because that will save you.
When things go sideways, which they will, and you have a good
plan for those, you are going to be saving your company money
with that.
Now, external audits, what are these?
These are usually a broader scope.
We talked about it a little bit already; they can be
done by a party outside of your organization that is being audited.
(32:38):
Again, it can be from a third party that you bring in
specifically, or it could be you doing it to another
organization.
And this includes internal audits as well.
So this can be conducted by your own employees, or it can be
conducted by independent auditors.
It just really depends upon the amount of money and the scope in
which you want to accomplish this.
This will be more objective.
Again, it's kind of that middle road between internal and
(32:59):
a fully dedicated third party, but it will give you some level
of objectivity into your organization.
So consider this.
I would consider this if you have to have an external audit
before you go out and spend the money on PwC or Deloitte, maybe
do this as a primer before you bring in the PwC.
So if you have to have PwC come in, one of these big, high
(33:21):
expensive third-party auditors, what I would recommend is doing
this prior to that because it will get everybody kind of
prepped to what to expect.
If you just bring in a third party and they have never really
dealt with that before, you're gonna run into some challenges.
Your leadership's gonna go, what in the heck is going on?
And you're gonna go, I don't know.
(33:43):
And they're gonna go, you're fired, and you're gonna go,
okay, thank you.
Um, you want to avoid that.
So definitely, you know, your wife or your husband would
really like you to avoid that.
Your family would like that.
They want you to be making money so that they can live.
Okay, third parties.
What are third parties?
Okay, these are the external prior parties that provide
independent assurance.
Outside auditors, specifically from external entities, are
(34:04):
highly sought out as subject matter experts.
Um, I will tell you that many of the PwCs and Deloittes, they
do have SMEs, but let's keep this in context.
They bring these guys directly out of college, they give them
something to do, and they go dig deep into your organization.
Now, I'm not saying they're not smart.
They are very smart in what they do, and they are very
(34:26):
knowledgeable in those certain criteria areas.
But again, if you really wanted a no-kidding deep end SME, you
can't probably afford them because Deloittes and PwCs
can't afford them.
Uh but that being said, they're gonna come in with a different
perspective, which is gonna be extremely valuable to you with
your organization.
(34:46):
A lot of times LDs will come on behalf of government or
agencies, they'll send a third party in their place because
they don't have the people or the expertise to do it.
But the ultimate goal of an external auditor is to provide a good
assessment of your organization and fix the challenges and give
you some recommendations on how to fix them.
But again, they're not affiliated with your
(35:07):
organization.
They do emphasize their whole aspects on independence
and being independent.
And they are very common in regulations.
Again, they're often mandated by regulations or industry
standards to ensure that they have compliance and
accountability on all the different audit programs.
If you hear a cat in the background, I have tried
everything in my power to get her to leave me alone, but she
(35:28):
will not.
So I apologize if you hear her.
Uh, sorry, she just won't leave me alone.
I try to get rid of the dumb thing.
Um, that being said, we are moving on.
That's all we have for today.
I hope you all have a great day.
Again, go to CISSP Cyber Training, get my program, get
the stuff that's there.
I've got some good, it's always adding and getting better
content in it.
(35:48):
Um, again, all the proceeds that go from CISSP Cyber Training go
to our nonprofit for adoptive children and their families.
We've done, again, I don't take any money from this.
It's all going to charity just because I'm blessed.
I don't need, and I don't say I don't need money, of course I
need money, but I don't need money to make my pockets any
deeper or bigger or whatever that is.
(36:10):
That all can go to people that need it way more than me, and we
feel that the need of families who are trying to adopt
children, they need extra help.
And so this is going to the nonprofit that's going to be
that is stood up or is going to be stood up for that
specifically.
So we're pretty excited about that.
That should be done here in December, and uh, we're just
hoping that everything's gonna go well with that.
But yeah, as a diet, a bit of a tangent.
(36:32):
Anyway, have a wonderful day.
Again, go to CISSP Cyber Training.
Give me a thumbs up on iTunes, YouTube, all those wonderful
places I've got out there.
Again, if you do that, that helps the exposure and helps
more people know about CISSP Cyber Training.
Thanks again.
Have a wonderful day, and we will catch you on the flip side.
See ya.