We have different types of audits, as I was just mentioning. Annual audits, done at least once a year. Event-triggered audits: we have a breach, we have to do an audit to figure out what went wrong. Merger and/or acquisition, what's called M and A activity: you buy a company, you do an audit to make sure you know what you're getting. It's usually pretty standard. Regulatory compliance audits, those are audits that are done, again typically annually, to validate compliance. And court-ordered audits, those are fairly rare. But if you're involved in a lawsuit, somebody's suing you or you're suing somebody, and there's a question of due diligence or due care, a question of risk management or competency and liability under the law, because you may be being sued or you may be suing somebody for malfeasance or bad action, you may have the court impose an audit to go in and validate what's happening and actually figure it out. You may do a financial audit, what's called a financial forensic audit, under court order, where a company or an individual is accused of embezzling or money laundering or something like that, cooking the books, whatever that may be; the court may order a financial audit to figure out exactly what's going on. There are different kinds of audits, and they may come from different places, in other words. So I want to make sure we're aware of that.

There are methodologies that drive auditing, and we do want to take note of them. Two ISO standards of note here: ISO 27001 and 27002. These are going to give us the standing solutions not just around auditing, but a broader discussion around what's called the ISMS, the information security management system, building out the security controls and elements all through the architecture, and the controls that are going to be used to achieve certain end results. So you should be somewhat familiar with that. NIST SP 800-37 R1 we've talked about.
The NIST SP 800 series, I showed you where to go find them. We've focused on 30 R1; 37 R1 also gives us audit capabilities. And then COBIT, which is a framework that ISACA has put in the market. Currently, I think COBIT version 5, which is an IT governance framework, deals with what are called GRC activities, Governance, Risk and Compliance activities, and auditing is part of the GRC mindset. And we would use the COBIT framework to help drive IT governance and auditing capabilities within the organization, so it's very important to be aware of that as well.

What are some of the standard responsibilities for an auditor? An auditor does a variety of things. They analyze the appropriateness of organizational security objectives and the controls that are aligned to deal with them. They tell us whether or not we're doing things the right way, for the right reasons, with the right outcomes in effect, and auditors are expected to be impartial. At least, they should be anyway. And they're going to be able to tell us all the things that look good, document the things we're doing right, and point out the things we need to improve on. This is what an auditor is supposed to be able to do for us, and again, do so impartially; it's very important to be aware of that as well.

The audit scope can be focused on any number of things: an individual user, an individual workstation, an entire network, an entire system, an entire application running on the system, remote access, cloud and outsourced. We have all these different areas where an audit may take place. It's the responsibility of the parties involved in the audit and the auditor to agree ahead of time on the scope of work. The statement of work will cover what the scope of the audit should be, excluding areas that are not going to be appropriate, and focusing the audit on the included areas that should be part of the audit, that should be documented, that should be examined.
With regard to documentation, there is all sorts of documentation that we will look at as part of the audit. Things like disaster and/or business recovery plans and documentation; host configuration documentation, which will typically be found in our Configuration Management Database, or CMDB; our baseline security configuration documentation for each type of host, which again would typically be part of the configuration builds that are in the CMDB as well; acceptable use documentation, change management, data classification; the list goes on and on and on. Any or all of these documentation items are going to be in scope for certain kinds of audits and may be out of scope for others. But ultimately, again, based on the understanding between the auditor and the business that's being audited, the scope of work, we're going to provide this documentation as part of the auditing responsibilities that we, as the system owner, have to let the auditor do their job.

When we think about the audit being done, we have to ultimately understand how the audit ends and what the audit ending means. We have what are known as responses to the audit. Typically, there'll be an exit interview when the auditor is done. They present their findings. They give them to senior management. They will present those audit findings, and then management will have a chance to respond, right? And so the idea is you get a bound document, a couple hundred pages, depending on the type of audit and how big and how wide it was. And you're going to need time to digest that, in effect. So typically, the auditor is meeting with senior management. They're going to give them the findings. They may do a quick, short meeting, traditionally, to kind of just overview the findings. The details are in the documents, so they'll get a chance to present the kind of overview to senior management that will be part of the interview and the presentation.
And then management has a chance later to go back and digest all that, and to respond by either taking action to fix problems that have been found and/or, if the audit is successful, to file it with the appropriate regulatory bodies to show that they are compliant, or whatever it is that they may need to do.

So as we wrap up our conversations, not just on auditing but on our initial pass on risk, risk assessment, and risk methodologies for understanding how to manage, deal with, and cope with risk, how to identify risk, and how to measure risk: all the things we've been talking about in this first discussion of ours in relation to risk assessment, risk understanding, and risk management. As some key takeaways, you want to make sure you're focusing on the risk assessment methodology that we went through. You're focusing on the definitions of the key terms involved with risk, and on the flow of how risk starts with a threat source. The threat source will take some sort of action, with some likelihood that we will be able to assess, which ultimately interacts with a vulnerability, which is a weakness. That vulnerability can lead to some sort of compromise in the system, which can be distilled down into an impact. And that impact leads to some sort of negative outcome, which is then defined as some sort of risk for us, typically organizational risk within the business. You want to be able to understand all that. If you need time to go back and review those items, please make sure you take the time to do that. This foundational conversation, especially this section in particular, is going to be very critical to a lot of the conversations we will have going forward. Identifying those key terms, identifying the thought processes, and identifying the mechanisms and the way in which we deal with risk is going to come up again and again. And we're going to be talking about those things in different areas.
So as long as you're comfortable with them, you're ready to go on. Please come back and join me for our next conversation. If you need a little extra time to get ready before you're ready to do that, take the time now. Walk away for a few minutes, clear your head, make some notes, have a cup of coffee, have a soda, do whatever you need to do. But when you're ready and you feel ready to go on, come on back, I'll be here waiting for you, and I will continue our conversations.