I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey, everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today.
And today, I think what we'll jump into is more of the logistics around what actually occurs during an information security audit. What's that really going to look like? What are the interactions going to look like? And overall, just what can you expect from that? Today's not really going to be a deep technical dive into exactly kind of what's being audited, but more so the approach of what are you going to experience? What does the process kind of look like, at least at a high level, start to finish? So before jumping into that, we've always got to throw it out there. Please click on that like, click on that subscribe.
If there is anything that you would like to hear from us or have us discuss, please put that in comments. We'd love to hear from you. I will also come out and say that I just realized that for whatever reason, the video, if you're watching us on YouTube, the video has been very dark.
I don't exactly get why that is because it looks super sharp here. It's something with the editing, still learning all of this as we go. We're better at security than we are at editing, but there that is.
Scrape your elbows, make things better as you go along. Rough is enough. Can't steer a parked car, yada, yada.
Okay, getting into what occurs during a security audit. Now, obviously, we've done a lot of security audits. We've done a lot of types of audits, and what I think is important is it really does depend on the scope of your audit, on what you're auditing, on what exactly that's going to look like.
With that said, there's a lot of similar structure. So that's what I want to dive into here. And the very first thing before, really before getting into the audit itself, and this is probably the most important, is the scoping.
It's actually defining what type of audit you need and exactly what controls, what areas, what you're going to be auditing, and also what that report should look like. The reason that this is so important is there are important things to consider when going into any type of information security audit. One of those is, are you actually preparing for any type of certification? If you're going for an ISO 27001 or a SOC 2 or a HITRUST or a CMMC, while a lot of those controls are similar, and they're even mapped all together in our IOGRCF, there are differences to how you would want to approach that, and definitely how you would want to structure the outputs, the reporting of the audit, to best fit that need.
So that's really important to know. Are we doing this for a certification? Are we just looking to identify security risk? Are we just looking to do a real quick assessment, kind of a spot check to see where we're at? All of that's really important, and it's really going to dictate how the audit is going to proceed the entire time. Some other things you want to know during scoping is, are there any particular compliance requirements? Do we need to make sure that we're complying with PCI? Do we need to address something for our clients, any of our insurance companies, or any particular contracts? Is there a very specific use case for this? And that kind of ties into, also, are there any known concerns, trouble spots, sore spots, things like that.
Understanding that from the beginning really helps frame the entire audit and make sure that everybody's on the same page. Because while we're not going to really get into it on today's episode, there's a lot of different types of audits out there. IT security audit, gap assessments, information security audit, cybersecurity, and even though there's a lot of different names, a lot of times in actual practice, those are really just used interchangeably, meaning that one person will mean one thing when they say computer security audit, and another person will mean another.
And that can create some serious issues if your auditor's thinking one thing and you're thinking something else. At the end of it, you're not going to get the results you want. So I can't stress enough how important the scoping is to make sure that the audit is set up correctly.
That's then going to roll into the next step, the next phase in the audit process, is the kickoff. And this is where it's really extending that scoping, it's validating it, but we're going to sit down with all of the applicable stakeholders and we're going to set all of the expectations. And that's going to be expectations around the technicalities, how this audit's going to proceed, who's going to do what, how are we going to report issues, what is the scope, what are the deliverables going to look like, and how is this going to be reported.
It's very important to identify here to make sure that there are no misconceptions and that everybody's on the same page. What this will also do, and it should be pointed out in here, is identifying if we see something serious, if there's a serious security vulnerability or some major issue. How are we going to escalate that? How are we going to move that along to notify the company? It doesn't always happen.
A lot of audits, nothing like that comes up. But when it does, it is good to have that process in place. So that's a good kind of CYA and just a good general audit practice to have in place.
Next is typically where the audit's actually really starting, really jumping into it. And that's where security policies and procedures are going to get reviewed. You want to make sure the auditor has every security policy, every procedure, data flow diagrams, access controls, audit logs, things like that.
They're going to dive in and really start building out, I guess, a lot of the administrative side. Do we have the administrative? Do we have the policies? Do we have the plan in place that will later support the do, act, and check requirements? But a lot of this part of the audit is really creating even more questions. What things are we going to dive into? And when we start to have our interviews, when we start to review evidence in the next part, this is what's going to build that.
That segues into the next part where the stakeholder interviews, evidence gathering, that's really where we're seeing where the rubber meets the road. Where are we actually applying everything? And we've stated things in policy, now let's see the execution. And a real simple way to explain how this looks when all the interviews are happening, when we're looking at evidence, is we're going to ask, let's say, how do you handle access revocation? How are you terminating access when somebody leaves? Well, we disable accounts within 24 hours when somebody's terminated.
Great, now show us. And it's the great now show me part where the company's going to need to produce HR logs to show, okay, here's when somebody was terminated, and then they're going to need to show the access logs and the authorization, the permission changes. Here's when those permissions were changed.
Here was the email that we received. Here was the ticket that was closed out. And it's just walking through that process to make sure everything's being executed as it's supposed to be according to applicable standards, contract requirements, and all the other requirements out there, but also against policy.
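The "great, now show us" step described above can be reproduced as an evidence reconciliation. The following is an added example, not code from the show or from Input Output: it joins constructed HR termination records to constructed identity-system disable events and flags every user whose account was not disabled within the stated 24-hour window, was disabled with no closing ticket, or has no disable event at all. The record layouts (`terminated_at`, `account_disabled`, `ticket`) are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample evidence (not real audit data). The HR export says when
# each person was terminated; the identity system export says when the
# account was actually disabled and which ticket closed the work.
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00"},
    {"user": "bob",   "terminated_at": "2024-03-02T09:30:00"},
    {"user": "carol", "terminated_at": "2024-03-03T12:00:00"},
    {"user": "dave",  "terminated_at": "2024-03-04T08:00:00"},
]

ACCOUNT_EVENTS = [
    {"user": "alice", "event": "account_disabled", "at": "2024-03-01T17:45:00", "ticket": "IT-1001"},
    {"user": "bob",   "event": "account_disabled", "at": "2024-03-04T10:00:00", "ticket": "IT-1002"},
    {"user": "carol", "event": "account_disabled", "at": "2024-03-03T12:10:00", "ticket": None},
    {"user": "bob",   "event": "password_reset",   "at": "2024-03-02T11:00:00", "ticket": None},
    # dave: no disable event anywhere in the export
]

SLA = timedelta(hours=24)  # the policy statement being tested: disabled within 24 hours


def _parse(ts):
    """Timestamps are assumed to be ISO 8601 in one time zone (here UTC)."""
    return datetime.fromisoformat(ts)


def check_access_revocation(terminations, events, sla=SLA):
    """Return one finding per terminated user comparing policy to evidence.

    status values:
      PASS            disabled within the SLA and a ticket exists
      PASS_NO_TICKET  disabled within the SLA but nothing documents the work
      SLA_EXCEEDED    disabled, but later than the SLA allows
      NO_EVIDENCE     no disable event for the user at all
    """
    # Keep only the earliest account_disabled event per user.
    first_disable = {}
    for ev in events:
        if ev["event"] != "account_disabled":
            continue
        when = _parse(ev["at"])
        prior = first_disable.get(ev["user"])
        if prior is None or when < prior["at"]:
            first_disable[ev["user"]] = {"at": when, "ticket": ev.get("ticket")}

    findings = []
    for rec in terminations:
        term_at = _parse(rec["terminated_at"])
        disable = first_disable.get(rec["user"])
        if disable is None:
            findings.append({"user": rec["user"], "status": "NO_EVIDENCE",
                             "hours": None, "ticket": None})
            continue
        hours = (disable["at"] - term_at).total_seconds() / 3600
        if disable["at"] - term_at > sla:
            status = "SLA_EXCEEDED"
        elif disable["ticket"]:
            status = "PASS"
        else:
            status = "PASS_NO_TICKET"
        findings.append({"user": rec["user"], "status": status,
                         "hours": round(hours, 2), "ticket": disable["ticket"]})
    return findings


def summarize(findings):
    """Count findings by status, which is what lands in the executive summary."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = check_access_revocation(HR_TERMINATIONS, ACCOUNT_EVENTS)
    for f in results:
        print(f"{f['user']:6} {f['status']:15} hours={f['hours']} ticket={f['ticket']}")
    print(summarize(results))
```

Each row that is not a clean PASS is exactly the kind of item the auditor will ask the company to walk through: the late disable for bob, the undocumented disable for carol, and the missing evidence for dave. Running the same reconciliation before the audit turns those into remediation items rather than findings.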
This is really where, too, we're wanting to make sure that what your policy says is what you're actually doing. And that next step with it, that it meets your applicable requirements, whether those are regulations, whether those are with the contractors, whoever. The next part, and this also greatly depends on the scope of the audit, but it's really connecting all the dots.
It's looking at the risk and the control validation. And even in audits that aren't doing a very deep risk dive, this is still a part of it to where really what we're looking for is to make sure that your risk assessment process is supporting the controls that you have in place. It's supporting the mitigation of your risk.
And that you're applying that risk appetite, that risk control, evenly across the organization. What that means is that if we are very risk averse over here, that over in this section, we're not completely open. It makes sure that where we can show a risk appetite, how much risk we're willing to accept, that that's pretty uniform throughout the organization.
And that's a big area that a lot of companies when they get into audits, when they have regulators come in, that they get into a lot of hot water, that it causes a lot of issues because that creates a very difficult situation to support and argue against. One of the big things that we always consider everybody to consider, using that word twice, is if you were sitting across the table from a regulator or testifying in a courtroom, could you confidently explain and defend your security decisions? Could you back up what it is you're doing and would you be confident saying, this is what we did and this is why we did it? And that's really what we push back on during the audit. And when we have findings, they may not necessarily really be a finding, but they're issues where we want to push a little bit, play that devil's advocate and say, okay, let's consider you're sitting in a courtroom.
Explain to me why you did this. And if it's in a courtroom, if it's against a regulator, it should be a pretty good explanation. You don't want to be wishy-washy there.
If it is wishy-washy, it's great because you found it in the audit, let's tighten that up. And that's where we're going to build all of our reporting and remediation recommendations really based on that, which is ultimately the last part of the audit process. That's where all the reports are being pulled together.
That's where all the remediation recommendations are being put together. And depending on your audit, depending on your auditor, those reports, that presentation will look vastly different. How it typically looks with us is we'll break that up for an executive summary.
That way we can do a quick 15 to 45 minutes with the executive team. They don't want to get deep into the weeds. We'll go over things quickly.
It's a very high-level overview. Here's where you're at. Here's the biggest issues.
Here's nice graphs and everything to make it easy to understand. And then where they want to dive in deep, we'll go there with them. But otherwise, we keep that high level.
Then we'll typically have a much deeper technical dive with the various departments and various stakeholders, especially with IT, where we'll really get into the nitty-gritty of what we found and kind of risk-reward. This is also where we'll really help the organization understand the pros and cons of addressing things or not addressing them and addressing them in certain ways. Here's the different options.
If you decide to go this way, if you decide not to do this, here's kind of where the risk is, pros and cons, because everything in security is really a seesaw. There's never a, this is absolutely the right way to do it. It's always a give and take.
That is overall the general audit process, what you're going to expect. Again, you want to make sure that you're doing the scoping up front. If you have no audit at all, at least have the scoping.
But the scoping is so important to make sure that when you finally get to that final part, the reportables, the deliverables, what you're getting from the audit, that that matches your expectations and matches what you actually need, especially if that's for like an insurance audit or if that's for a client or some other reason. You want to make sure that those align so that this investment, which you're doing, time, people, money, all of it, actually makes sense for your business. As always, we are always happy to help.
If you have any questions on an upcoming audit, you want to pick our brain, see what you should be considering, is this the right audit for us, reach out. Also, just looking at how we could help you with audits and just make the process really a lot easier for you. Because we do this a lot and we have people coming back, so even though audits aren't fun, I feel like that's a good sign for what we do.
So I think that is all that we have for today. I thank you very much for listening to us today on Cash in the Cyber Sheets and look forward to having you back with us next time. Thanks for joining us today.
Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential.
So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.