Domain 5
5.5 Audits & Assessments
Explain types and purposes of audits and assessments.
0% Complete

Attestation and internal audits are formal evaluation processes used to verify that systems, hardware, and security controls meet specific standards, compliance requirements, and operational benchmarks.
Hardware and Software Attestation Attestation provides a mechanism to verify the authenticity and integrity of a device or software stack before it is trusted. - Hardware Roots: Ensures that authentication factors (like security keys) were manufactured on authorized machines using genuine software. - Boot Integrity: Uses technologies like TPM (Trusted Platform Module) to provide a "report" on the system state, proving that no unauthorized changes were made to the BIOS or OS. - High Maintenance: While highly secure, implementing attestation requires significant administrative upkeep to manage the standards and protocols involved.
Internal Auditing and Frameworks Audits use established frameworks to assess whether an organization is meeting its security goals or regulatory obligations. - ISACA COBIT: A framework widely used for enterprise-wide governance and IT management, focusing heavily on auditing and control management. - CIS Benchmarks: Provided by the Center for Internet Security, these offer specific, technical configuration best practices for systems of all sizes. - ISO 31000: A high-level, executive-focused framework for managing risk at an organizational level rather than a technical level. - SSAE 18: A standard used for reporting on the controls at service organizations, often resulting in SOC 2 reports which verify security, availability, and privacy.
Assessing Vulnerabilities and Threats Audits must identify weaknesses in assets that leave them open to internal or external threat actors. - Internal Vulnerabilities: Often include legacy systems (like unsupported Windows 7 machines) and software licensing/compliance issues that can lead to financial penalties. - Indicators of Compromise (IoC): Forensic artifacts left behind by attackers, such as spikes in outbound traffic, unauthorized file permission changes, or malware signatures. - Dark Web Monitoring: Proactive auditing of non-indexed sites to identify if company data or credentials are being sold in criminal marketplaces.
Risk Control Assessment Evaluating the effectiveness of a control involves understanding its impact on the organization's risk profile. - Inherent Risk: The level of risk present before any security controls or mitigations are applied. - Residual Risk: The risk that remains after a security control has been successfully implemented. - Control Risk: The specific risk that a security control will fail to function as intended or malfunction.
Quick recall - Attestation: Assures hardware/software matches required standards. - Internal Audit: Periodic evaluation of internal controls and compliance. - Legacy Systems: A common internal vulnerability involving out-of-date hardware/software. - COBIT: The primary framework for IT governance and auditing. - Residual Risk: What is left after you implement your defenses.