Google Cybersecurity Professional Certificate, Play It Safe: Manage Security Risks

Week 2: Security frameworks and controls

You will focus on security frameworks and controls, along with the core components of the confidentiality, integrity, and availability (CIA) triad. You’ll learn about Open Web Application Security Project (OWASP) security principles and security audits.

Learning Objectives

  • Define and describe the purpose of security frameworks and controls.
  • Describe the CIA triad.
  • Explain the National Institute of Standards and Technology (NIST) frameworks.
  • Identify security principles.
  • Examine how businesses use security frameworks and controls to protect business operations.
  • Define security audits.
  • Explore common elements of internal security audits.

More about frameworks and controls


Video: Welcome to module 2

As a security analyst, your job is to help keep people and organizations safe from cyber threats. Breaches that affect customers’, vendors’, and employees’ data can cause significant damage to people’s financial stability and their reputations.

The NIST Cybersecurity Framework (CSF) is a valuable tool for security analysts. It provides voluntary guidance for managing organizational cybersecurity risk; the speaker describes using it, together with security controls, to protect customer tools and work devices in their daily work at Google. A framework on its own guarantees nothing: protection comes from the controls an organization selects and operates under it.

In the following section of the course, you will learn more about security frameworks, controls, and design principles, and how they can be applied to security audits to help protect organizations and people.

Welcome back! As a security analyst, your job isn’t just keeping organizations safe. Your role is much more important. You’re also helping to keep people safe. Breaches that affect customers’, vendors’, and employees’ data can cause significant damage to people’s financial stability and their reputations. As an analyst, your day-to-day work will help keep people and organizations safe. In this section of the course, we’ll discuss security frameworks, controls, and design principles in more detail, and how they can be applied to security audits to help protect organizations and people. Keeping customer information confidential is a crucial part of my daily work at Google. The NIST Cybersecurity Framework plays a large part in this. The framework ensures the protection and compliance of customer tools and personal work devices through the use of security controls. Welcome to the world of security frameworks and controls. Let’s get started!

Video: Frameworks

Organizations use security frameworks to create security policies and processes to protect against a variety of threats, risks, and vulnerabilities. Security frameworks are guidelines for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware.

Security also involves the physical space, which is why many organizations have plans to maintain safety in the work environment. For example, access to a building may require using a key card or badge.

Other security frameworks provide guidance for how to prevent, detect, and respond to security breaches. This is particularly important when trying to protect an organization from social engineering attacks like phishing that target their employees.

People are the biggest threat to security. So frameworks can be used to create plans that increase employee awareness and educate them about how they can protect the organization, their co-workers, and themselves.

Educating employees about existing security challenges is essential for minimizing the possibility of a breach. Providing employee training about how to recognize red flags, or potential threats, is essential, along with having plans in place to quickly report and address security issues.

As a security analyst, it will be important for you to understand and implement the plans your organization has in place to keep the organization, its employees, and the people it serves safe from social engineering attacks, breaches, and other harmful security incidents.

Coming up, we’ll review and discuss security controls, which are used alongside frameworks to achieve an organization’s security goals.

Cybersecurity Frameworks Tutorial

What are cybersecurity frameworks?

Cybersecurity frameworks are sets of guidelines and best practices that organizations can use to improve their cybersecurity posture. They provide a structured approach to managing cybersecurity risks and help organizations to identify, protect, detect, respond to, and recover from cyber attacks.

There are a number of different cybersecurity frameworks available, including:

  • NIST Cybersecurity Framework (CSF)
  • ISO/IEC 27001
  • COBIT 5 for Information Security
  • CIS Controls
  • Risk Management Framework for Information Systems (RMF)

Each of these frameworks has its own strengths and weaknesses, and the best framework for an organization will depend on its specific needs and requirements.

Benefits of using cybersecurity frameworks

There are a number of benefits to using cybersecurity frameworks, including:

  • Reduced risk: Frameworks can help organizations to identify and mitigate cybersecurity risks.
  • Improved compliance: Many frameworks are aligned with industry regulations and standards, which can help organizations to achieve compliance.
  • Enhanced efficiency: Frameworks can help organizations to streamline their cybersecurity operations and improve efficiency.
  • Improved communication: Frameworks can help organizations to communicate their cybersecurity posture to stakeholders in a clear and concise way.

How to use cybersecurity frameworks

To use a cybersecurity framework, organizations should typically follow these steps:

  1. Select a framework: Choose a framework that is aligned with the organization’s needs and requirements.
  2. Assess the current state of the organization’s cybersecurity: Conduct an assessment to identify the organization’s current cybersecurity posture and any areas for improvement.
  3. Develop a plan to implement the framework: Based on the assessment, develop a plan to implement the framework’s guidelines and best practices.
  4. Implement the plan: Implement the plan and make necessary adjustments as needed.
  5. Monitor and improve: Continuously monitor the organization’s cybersecurity posture and make improvements to the framework’s implementation as needed.

Example of using a cybersecurity framework

The NIST Cybersecurity Framework (CSF) is a popular cybersecurity framework that can be used by organizations of all sizes and industries. CSF version 1.1, the version this course describes, has three components:

  • Framework Core: a catalog of cybersecurity outcomes organized into five Functions (Identify, Protect, Detect, Respond, Recover), each broken down into Categories and Subcategories, with informative references that point to other standards such as ISO/IEC 27001, CIS Controls, and NIST SP 800-53.
  • Implementation Tiers: a scale from Tier 1 (Partial) to Tier 4 (Adaptive) that describes how rigorous, repeatable, and risk-informed an organization’s cybersecurity practices are. Tiers are not maturity scores and a higher tier is not always the right target.
  • Profiles: a selection of Core outcomes that matter to the organization. A Current Profile records what is in place today, a Target Profile records the desired state, and the difference between them is the gap the implementation plan has to close.

(CSF 2.0, published in February 2024, adds a sixth Function, Govern, covering strategy, roles, and supply chain risk management; the five-function structure used in this course is from version 1.1.)

To use the CSF, organizations begin by assessing their current cybersecurity posture. This is done by building a Current Profile against the Framework Core and comparing it with a Target Profile. Once the gap is known, the organization develops a prioritized plan to implement the missing outcomes.

For example, an organization may identify that it needs to improve its credential management. The relevant CSF 1.1 outcomes are Subcategories, which state what should be true rather than prescribing a control; the organization chooses controls that satisfy them:

  • PR.AC-1 (identities and credentials are issued, managed, verified, revoked, and audited): adopt a password policy aligned with NIST SP 800-63B, which sets a minimum length of 8 characters, screens new passwords against lists of breached or commonly used passwords, and drops mandatory periodic password changes and composition rules (forced digits and symbols) unless there is evidence of compromise.
  • PR.AC-7 (users, devices, and other assets are authenticated commensurate with the risk of the transaction): require multi-factor authentication for all users, starting with administrators and remote access.
  • PR.AT-1 (all users are informed and trained): educate employees about password security and phishing, a common way credentials are stolen.

By implementing these controls, the organization can improve its credential management and reduce its risk of being compromised by a password attack.
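The PR.AC-1 password policy above is the kind of control that is easy to state and easy to get wrong in code. The following is an added example, not course material and not a NIST artifact: a Python verifier check for memorized secrets following the NIST SP 800-63B rules (minimum length, Unicode normalization, breached-password blocklist, context-specific words, repetitive or sequential strings) and deliberately omitting the composition and expiry rules that 800-63B advises against. The breached-password list, the service name "acme", and the username "jdoe" are constructed stand-ins; a real deployment loads a large breach corpus.

```python
import unicodedata

# Constructed stand-in for a breached-password corpus (a real deployment loads
# a large list such as the Have I Been Pwned Pwned Passwords data).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Context-specific words for a hypothetical service named "acme"; SP 800-63B
# says to reject the service name, the username and similar derivatives.
CONTEXT_WORDS = {"acme", "acmecorp"}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization before any check, as SP 800-63B
    requires, so that look-alike forms (e.g. full-width letters) are
    compared against the blocklist in their canonical form."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(secret: str) -> bool:
    """True for runs such as '12345678' or 'abcdefgh' (code points step by 1)."""
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return len(steps) == 1 and steps.pop() in (1, -1)


def check_password(candidate: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means the
    password is acceptable. Deliberately absent: composition rules
    (forced digits/symbols) and expiry, which SP 800-63B advises against."""
    pw = normalize(candidate)
    lowered = pw.lower()
    problems: list[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if (username and username.lower() in lowered) or any(
        word in lowered for word in CONTEXT_WORDS
    ):
        problems.append("contains username or service name")
    if len(pw) >= 4 and (len(set(pw)) == 1 or is_sequential(pw)):
        problems.append("repetitive or sequential characters")
    return problems


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Password", "ｐａｓｓｗｏｒｄ",
               "jdoe2024!", "12345678"):
        print(repr(pw), "->", check_password(pw, "jdoe") or "accepted")
```

Note what the check does not do: it never rejects a long passphrase for lacking a digit, and it never expires a password on a schedule. Both rules push users toward predictable patterns, which is why 800-63B removed them; the blocklist and MFA (PR.AC-7) do the work instead.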

Conclusion

Cybersecurity frameworks are a valuable tool that can help organizations to improve their cybersecurity posture and reduce their risk of cyber attacks. By selecting the right framework and implementing its guidelines and best practices, organizations can protect their data, systems, and people from a wide range of cybersecurity threats.

In an organization, plans are put in place to protect against a variety of threats, risks, and vulnerabilities. However, the requirements used to protect organizations and people often overlap. Because of this, organizations use security frameworks as a starting point to create their own security policies and processes. Let’s start by quickly reviewing what frameworks are. Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware. Security involves more than just the virtual space. It also includes the physical, which is why many organizations have plans to maintain safety in the work environment. For example, access to a building may require using a key card or badge. Other security frameworks provide guidance for how to prevent, detect, and respond to security breaches. This is particularly important when trying to protect an organization from social engineering attacks like phishing that target their employees.

Remember, people are the biggest threat to security. So frameworks can be used to create plans that increase employee awareness and educate them about how they can protect the organization, their co-workers, and themselves. Educating employees about existing security challenges is essential for minimizing the possibility of a breach. Providing employee training about how to recognize red flags, or potential threats, is essential, along with having plans in place to quickly report and address security issues. As an analyst, it will be important for you to understand and implement the plans your organization has in place to keep the organization, its employees, and the people it serves safe from social engineering attacks, breaches, and other harmful security incidents. Coming up, we’ll review and discuss security controls, which are used alongside frameworks to achieve an organization’s security goals.

Video: Controls

Summary:

Security controls are safeguards designed to reduce specific security risks. Three common types of controls are encryption, authentication, and authorization.

  • Encryption is the process of converting data from a readable format to an encoded format. This helps to ensure confidentiality of sensitive data.
  • Authentication is the process of verifying who someone or something is. This can be done through basic methods such as usernames and passwords, or more advanced methods such as multi-factor authentication and biometrics.
  • Authorization refers to the concept of granting access to specific resources within a system. This helps to ensure that only authorized users have access to sensitive data.

Security controls are one element of a core security model known as the CIA triad, which stands for confidentiality, integrity, and availability. Security teams use the triad to reason about which property a given control protects (encryption protects confidentiality, for example) and which property a given threat would compromise.

Additional notes:

The video also mentions that a lack of proper controls can lead to significant financial impacts and damage to reputation. This is because organizations can be held liable for data breaches, and their customers may lose trust in them if their data is compromised.

It is also important to note that social engineering attacks can bypass technical controls by targeting the people who use them. For example, vishing (voice phishing) can trick users into revealing their passwords or one-time MFA codes, or impersonate a known caller to get a request approved. Organizations should educate their employees about social engineering attacks and how to recognize and report them.

Cybersecurity Controls Tutorial

What are cybersecurity controls?

Cybersecurity controls are safeguards designed to reduce specific security risks. They can be technical, administrative, or physical, and they can be implemented at different layers of an organization’s IT infrastructure.

Some common examples of cybersecurity controls include:

  • Technical controls: Firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), encryption, and multi-factor authentication (MFA).
  • Administrative controls: Security policies and procedures, employee training, and risk assessments.
  • Physical controls: Access control systems, security cameras, and environmental controls (e.g., temperature and humidity control).

Benefits of cybersecurity controls

Cybersecurity controls can provide a number of benefits for organizations, including:

  • Reduced risk: Controls can help to reduce the organization’s risk of being compromised by cyber attacks.
  • Improved compliance: Many controls are aligned with industry regulations and standards, which can help organizations to achieve compliance.
  • Enhanced protection: Controls can help to protect the organization’s data, systems, and people from a wide range of cybersecurity threats.

How to implement cybersecurity controls

To implement cybersecurity controls, organizations should typically follow these steps:

  1. Identify the organization’s security risks: Conduct a risk assessment to identify the organization’s current cybersecurity posture and any areas for improvement.
  2. Select the appropriate controls: Choose controls that are aligned with the organization’s needs and requirements.
  3. Implement the controls: Implement the controls in a way that is effective and efficient.
  4. Monitor and improve: Continuously monitor the organization’s cybersecurity posture and make adjustments to the controls as needed.

Example of implementing a cybersecurity control

One common cybersecurity control is encryption. Encryption can be used to protect data at rest (e.g., data stored on hard drives) and data in transit (e.g., data sent over the internet).

To implement encryption, organizations can use a variety of tools and technologies. For example, full-disk encryption software or self-encrypting drives (SEDs) protect data at rest on laptops and servers, TLS protects data in transit, and S/MIME, PGP, or end-to-end messaging encryption protects email and message contents. Modern authenticated ciphers such as AES-GCM also detect tampering with the ciphertext, so a modified message is rejected instead of silently decrypting to garbage.

Once encryption is implemented, it is important to manage the encryption keys properly. Keys should be generated from a secure random source, stored separately from the data they protect (for example in a hardware security module or a cloud key management service), accessible only to the people and services that need them, and rotated and revoked on a defined schedule. Encrypted data whose key sits next to it on the same disk, or in the application’s source code, is effectively unencrypted against anyone who can read that disk or repository.

Conclusion

Cybersecurity controls are an essential part of any organization’s cybersecurity strategy. By implementing the appropriate controls, organizations can reduce their risk of being compromised by cyber attacks and protect their data, systems, and people from a wide range of cybersecurity threats.

Additional tips

  • When selecting cybersecurity controls, it is important to consider the organization’s specific needs and requirements. There is no one-size-fits-all solution.
  • Controls should be implemented in a layered approach. This means using a variety of controls to protect data and systems from different types of attacks.
  • Controls should be monitored and updated on a regular basis. This is necessary to ensure that the controls are effective against the latest cyber threats.
  • Employees should be trained on cybersecurity controls and how to use them properly. Employees are the first line of defense against cyber attacks.

While frameworks are used to create plans to address security risks, threats, and vulnerabilities, controls are used to reduce specific risks. If proper controls are not in place, an organization could face significant financial impacts and damage to their reputation because of exposure to risks including trespassing, creating fake employee accounts, or providing free benefits. Let’s review the definition of controls. Security controls are safeguards designed to reduce specific security risks. In this video, we’ll discuss three common types of controls: encryption, authentication, and authorization.

Encryption is the process of converting data from a readable format to an encoded format. Typically, encryption involves converting data from plaintext to ciphertext. Ciphertext is the raw, encoded message that’s unreadable to humans and computers. Ciphertext data cannot be read until it’s been decrypted into its original plaintext form. Encryption is used to ensure confidentiality of sensitive data, such as customers’ account information or social security numbers.

Another control that can be used to protect sensitive data is authentication. Authentication is the process of verifying who someone or something is. A real-world example of authentication is logging into a website with your username and password. This basic form of authentication proves that you know the username and password and should be allowed to access the website. More advanced methods of authentication, such as multi-factor authentication, or MFA, challenge the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code or biometrics, such as a fingerprint, voice, or face scan. Biometrics are unique physical characteristics that can be used to verify a person’s identity. Examples of biometrics are a fingerprint, an eye scan, or a palm scan. One example of a social engineering attack that can exploit biometrics is vishing. Vishing is the exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source. For example, vishing could be used to impersonate a person’s voice to steal their identity and then commit a crime.

Another very important security control is authorization. Authorization refers to the concept of granting access to specific resources within a system. Essentially, authorization is used to verify that a person has permission to access a resource. As an example, if you’re working as an entry-level security analyst for the federal government, you could have permission to access data through the deep web or other internal data that is only accessible if you’re a federal employee. The security controls we discussed today are only one element of a core security model known as the CIA triad. Coming up, we’ll talk more about this model and how security teams use it to protect their organizations.

Reading: The relationship between frameworks and controls


Practice Quiz: Test your knowledge: More about frameworks and controls

How do security frameworks enable security professionals to help mitigate risk?

Competitor organizations are the biggest threat to a company’s security.

Fill in the blank: Security controls are safeguards designed to reduce _ security risks.

A security analyst works on a project designed to reduce the risk of vishing. They develop a plan to protect their organization from attackers who could exploit biometrics. Which type of security control does this scenario describe?

The CIA triad: Confidentiality, integrity, and availability


Video: Explore the CIA triad

The CIA triad is a security model that helps organizations protect their sensitive assets and data from threats, risks, and vulnerabilities. It consists of three core principles: confidentiality, integrity, and availability.

Confidentiality means that only authorized users can access specific assets or data. Integrity means that the data is correct, authentic, and reliable. Availability means that the data is accessible to those who are authorized to access it.

As an entry-level security analyst, you will use the CIA triad to help protect your organization in a variety of ways. For example, you may be involved in developing and implementing security policies and procedures, designing and maintaining security systems, and monitoring for and responding to security incidents.

Here are some specific examples of how you might use the CIA triad to protect an organization:

  • Confidentiality: You might be involved in implementing encryption to protect sensitive data, or in developing and implementing access control policies to restrict who can access certain systems or data.
  • Integrity: You might be involved in developing and implementing data integrity checks, or in monitoring for and responding to unauthorized changes to data.
  • Availability: You might be involved in designing and maintaining redundant systems and backups, or in developing and implementing disaster recovery plans.

The CIA triad is a fundamental concept in information security, and it is important for all security professionals to understand and apply it in their work.

Explore the CIA triad in Cybersecurity

The CIA triad is a core security model that helps organizations protect their sensitive assets and data from threat actors. The three letters in the CIA triad stand for confidentiality, integrity, and availability.

Confidentiality means that only authorized users can access specific assets or data. Sensitive data should be available on a “need to know” basis, so that only the people who are authorized to handle certain assets or data have access.

Integrity means that the data is correct, authentic, and reliable. Determining the integrity of data and analyzing how it’s used will help you, as a security professional, decide whether the data can or cannot be trusted.

Availability means that the data is accessible to those who are authorized to access it. Inaccessible data isn’t useful and can prevent people from being able to do their jobs. As a security professional, ensuring that systems, networks, and applications are functioning properly to allow for timely and reliable access, may be a part of your everyday work responsibilities.

Here are some examples of how the CIA triad can be used in cybersecurity:

  • Confidentiality:
    • Using encryption to protect sensitive data at rest and in transit
    • Implementing access control policies to restrict who can access certain systems or data
    • Using multi-factor authentication to add an extra layer of security to logins
  • Integrity:
    • Using data integrity checks to ensure that data has not been tampered with
    • Monitoring for and responding to unauthorized changes to data
    • Implementing a backup and restore strategy to recover from data loss or corruption
  • Availability:
    • Designing and maintaining redundant systems and backups
    • Implementing disaster recovery plans to minimize downtime in the event of a disruption
    • Using load balancing to distribute traffic across multiple servers

The CIA triad is a fundamental concept in cybersecurity, and it is important for all security professionals to understand and apply it in their work.

Here are some tips for exploring the CIA triad in cybersecurity:

  • Start by understanding the basics of each component of the CIA triad. What does each component mean? What are some examples of threats to each component?
  • Think about how the CIA triad applies to your organization. What are your organization’s most sensitive assets and data? What are the biggest threats to those assets and data?
  • Identify areas where your organization can improve its security posture in relation to the CIA triad. For example, do you have encryption in place to protect all of your sensitive data? Do you have access control policies in place to restrict who can access certain systems or data? Do you have a backup and restore strategy in place?
  • Develop and implement a plan to improve your organization’s security posture in relation to the CIA triad. This plan should include specific actions that you will take, and timelines for completing those actions.
  • Continuously monitor and review your organization’s security posture to identify and address any new threats or vulnerabilities. The three properties of the triad do not change, but the threats to each of them do, so the controls that uphold them have to be kept current.

By exploring the CIA triad in cybersecurity, you can help your organization protect its sensitive assets and data from a variety of threats, risks, and vulnerabilities.

Fill in the blank: The CIA triad is a model that helps inform how organizations consider _____ when setting up systems and security policies.

risk

The confidentiality, integrity, availability (CIA) triad is a model that helps inform how organizations consider risk when setting up systems and security policies.

Great to see you again! While working as an entry-level security analyst, your main responsibility is to help protect your organization’s sensitive assets and data from threat actors. The CIA triad is a core security model that will help you do that. In this video, we’ll explore the CIA triad and discuss the importance of each component for keeping an organization safe from threats, risks, and vulnerabilities. Let’s get started! The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies. As a reminder, the three letters in the CIA triad stand for confidentiality, integrity, and availability. As an entry-level analyst, you’ll find yourself constantly referring to these three core principles as you work to protect your organization and the people it serves.

Confidentiality means that only authorized users can access specific assets or data. Sensitive data should be available on a “need to know” basis, so that only the people who are authorized to handle certain assets or data have access. Integrity means that the data is correct, authentic, and reliable. Determining the integrity of data and analyzing how it’s used will help you, as a security professional, decide whether the data can or cannot be trusted. Availability means that the data is accessible to those who are authorized to access it. Inaccessible data isn’t useful and can prevent people from being able to do their jobs. As a security professional, ensuring that systems, networks, and applications are functioning properly to allow for timely and reliable access, may be a part of your everyday work responsibilities.

Now that we’ve defined the CIA triad and its components, let’s explore how you might use the CIA triad to protect an organization. If you work for an organization that has large amounts of private data like a bank, the principle of confidentiality is essential because the bank must keep people’s personal and financial information safe. The principle of integrity is also a priority. For example, if a person’s spending habits or purchasing locations change dramatically, the bank will likely disable access to the account until they can verify that the account owner, not a threat actor, is actually the one making purchases. The availability principle is also critical. Banks put a lot of effort into making sure that people can access their account information easily on the web. And to make sure that information is protected from threat actors, banks use a validation process to help minimize damage if they suspect that customer accounts have been compromised. As an analyst, you’ll regularly use each component of the triad to help protect your organization and the people it serves. And having the CIA triad constantly in mind, will help you keep sensitive data and assets safe from a variety of threats, risks, and vulnerabilities including the social engineering attacks, malware, and data theft we discussed earlier. Coming up, we’ll explore specific frameworks and principles that will also help you protect your organization from threats, risks, and vulnerabilities. See you soon!

Reading: Use the CIA triad to protect organizations


Practice Quiz: Test your knowledge: The CIA triad

What is the CIA triad?

Which element of the CIA triad specifies that only authorized users can access specific information?

A security analyst discovers that certain data is inaccessible to authorized users, which is preventing these employees from doing their jobs efficiently. The analyst works to fix the application involved in order to allow for timely and reliable access. Which element of the CIA triad does this scenario describe?

Fill in the blank: According to the CIA triad, _ refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.

NIST frameworks


Video: NIST frameworks

The NIST Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a widely respected and essential framework for maintaining security regardless of the organization you work for.

The CSF consists of five important core functions:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The CSF can be used to protect against threats, risks, and vulnerabilities by providing a framework for developing plans to handle incidents appropriately and quickly. It can also be used to develop plans to protect against specific threats, such as ransomware or supply chain attacks.

The NIST CSF is used by organizations of all sizes and in all industries. It is also used by the US federal government.

In the video example, the NIST CSF was used to respond to a high-risk notification that a workstation had been compromised. The analyst worked through the core functions in order: Identify (locate the affected workstation and the unknown device it was communicating with), Protect (block the unknown device and remove the infected workstation from the network), Detect (look for any additional threat actor behavior on the network), Respond (investigate the incident), and Recover (restore any affected files or data).
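The workflow in that example starts with detection: something has to raise the notification before anyone can identify, block, or recover. The following is an added example written for this page, not course material: a small Detect-function check in Python run over constructed sshd-style authentication log lines. It flags a source address with five or more failed logins inside one minute and records whether a successful login from the same address followed within the window, which is the signal that turns a noisy brute-force alert into a probable account compromise needing Respond (investigate, reset the credential) and Recover actions. The host name "web01", the addresses (RFC 5737 documentation ranges), the usernames, and the assumed year used for parsing are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for a hypothetical host "web01"; the
# addresses are documentation ranges (RFC 5737), not real attackers.
SAMPLE_LOG = """\
Mar 10 08:01:02 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:04 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:07 web01 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51137 ssh2
Mar 10 08:01:10 web01 sshd[1207]: Failed password for deploy from 203.0.113.7 port 51144 ssh2
Mar 10 08:01:15 web01 sshd[1209]: Failed password for deploy from 203.0.113.7 port 51150 ssh2
Mar 10 08:01:20 web01 sshd[1211]: Failed password for deploy from 203.0.113.7 port 51158 ssh2
Mar 10 08:01:40 web01 sshd[1220]: Accepted password for deploy from 203.0.113.7 port 51201 ssh2
Mar 10 08:04:50 web01 sshd[1299]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Mar 10 08:05:00 web01 sshd[1301]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
"""

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for parsing

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log: str) -> list[tuple]:
    """Turn raw lines into (timestamp, ip, user, result) tuples; lines that
    are not authentication events are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source IP produces `threshold` or more failed logins
    inside `window`, and note whether a success from the same IP followed
    within the window (a likely compromised account, not just noise)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "Failed"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = fails[start][0]
                burst = [f for f in fails if first <= f[0] <= first + window]
                last = burst[-1][0]
                success = next(
                    (e for e in evs if e[3] == "Accepted" and last <= e[0] <= last + window),
                    None,
                )
                alerts.append({
                    "ip": ip,
                    "first_seen": first,
                    "failures": len(burst),
                    "users_tried": sorted({f[2] for f in burst}),
                    "followed_by_success": success[2] if success else None,
                })
                break  # one alert per source address is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The single failure from 198.51.100.5 followed by a key-based login is normal user behaviour and produces no alert; the burst from 203.0.113.7 that ends in an accepted password for "deploy" is the case where blocking the address alone is not a sufficient response.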

The NIST CSF is a valuable tool for security professionals to help them protect their organizations from cyber threats.

NIST Frameworks Tutorial

NIST frameworks are a set of cybersecurity standards and guidelines developed by the National Institute of Standards and Technology (NIST). These frameworks are designed to help organizations of all sizes and industries manage and reduce cybersecurity risk.

The two most popular NIST frameworks are the NIST Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53.

NIST Cybersecurity Framework (CSF)

The CSF is summarized in the video notes above: a voluntary framework of standards, guidelines, and best practices for managing cybersecurity risk, organized around the five core functions Identify, Protect, Detect, Respond, and Recover. It is used to build incident handling plans and to plan defenses against specific threats such as ransomware or supply chain attacks.

NIST Special Publication (SP) 800-53

NIST Special Publication (SP) 800-53 is a framework for protecting the security of information systems within the federal government. It provides a unified framework for protecting the confidentiality, integrity, and availability (CIA triad) of information systems.

SP 800-53 is not mandatory for private sector organizations, but it is widely adopted as a best practice. It is also a requirement for organizations that contract with the federal government.

SP 800-53 contains a set of security controls that can be implemented to protect information systems. These controls are organized into 17 categories, including access control, awareness and training, audit and accountability, configuration management, incident response, and risk assessment.

How to Use NIST Frameworks

To use NIST frameworks, organizations should first identify their cybersecurity risks. Once they have identified their risks, they can develop plans to mitigate those risks using the guidance provided in the frameworks.

NIST frameworks can be used to develop a variety of cybersecurity plans, including:

  • Incident response plans
  • Risk management plans
  • Security awareness and training plans
  • System security plans

NIST frameworks can also be used to assess the effectiveness of an organization’s cybersecurity program.

Benefits of Using NIST Frameworks

There are many benefits to using NIST frameworks, including:

  • NIST frameworks are widely accepted and respected.
  • NIST frameworks are based on best practices.
  • NIST frameworks are flexible and can be adapted to meet the needs of any organization.
  • NIST frameworks are free to use.

Conclusion

NIST frameworks are a valuable tool for organizations of all sizes and industries to help them manage and reduce cybersecurity risk. The NIST Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53 are the two most popular NIST frameworks.

Organizations can use NIST frameworks to develop a variety of cybersecurity plans, including incident response plans, risk management plans, security awareness and training plans, and system security plans. NIST frameworks can also be used to assess the effectiveness of an organization’s cybersecurity program.

Welcome back. Before we get started, let’s quickly review the purpose of frameworks. Organizations use frameworks as a starting point to develop plans that mitigate risks, threats, and vulnerabilities to sensitive data and assets. Fortunately, there are organizations worldwide that create frameworks security professionals can use to develop those plans. In this video, we’ll discuss two of the National Institute of Standards and Technology, or NIST’s, frameworks that can support ongoing security efforts for all types of organizations, including for-profit and nonprofit businesses, as well as government agencies. While NIST is a US-based organization, the guidance it provides can help analysts all over the world understand how to implement essential cybersecurity practices.

One NIST framework that we’ll discuss throughout the program is the NIST Cybersecurity Framework, or CSF. The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. This framework is widely respected and essential for maintaining security regardless of the organization you work for. The CSF consists of five important core functions: identify, protect, detect, respond, and recover, which we’ll discuss in detail in a future video. For now, we’ll focus on how the CSF benefits organizations and how it can be used to protect against threats, risks, and vulnerabilities by providing a workplace example.

Imagine that one morning you receive a high-risk notification that a workstation has been compromised. You identify the workstation, and discover that there’s an unknown device plugged into it. You block the unknown device remotely to stop any potential threat and protect the organization. Then you remove the infected workstation to prevent the spread of the damage and use tools to detect any additional threat actor behavior and identify the unknown device. You respond by investigating the incident to determine who used the unknown device, how the threat occurred, what was affected, and where the attack originated. In this case, you discover that an employee was charging their infected phone using a USB port on their work laptop. Finally, you do your best to recover any files or data that were affected and correct any damage the threat caused to the workstation itself.

As demonstrated by the previous example, the core functions of the NIST CSF provide specific guidance and direction for security professionals. This framework is used to develop plans to handle an incident appropriately and quickly to lower risk, protect an organization against a threat, and mitigate any potential vulnerabilities. The NIST CSF also expands into the protection of the United States federal government with NIST Special Publication, or SP, 800-53. It provides a unified framework for protecting the security of information systems within the federal government, including the systems provided by private companies for federal government use. The security controls provided by this framework are used to maintain the CIA triad for those systems used by the government. Isn’t it amazing how all of these frameworks and controls work together?

We’ve discussed some really important security topics in this video that will be very useful for you as you continue your security journey. Because they’re core elements of the security profession, the NIST CSF is a useful framework that most security professionals are familiar with, and having an understanding of NIST SP 800-53 is crucial if you have an interest in working for the US federal government. Coming up, we’ll continue to explore the five NIST CSF functions and how organizations use them to protect assets and data.
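The detect step of the workstation example above can be automated. The following added example (not part of the course material) scans constructed Linux kernel log lines for USB device attachments and raises an alert for any device whose vendor:product id is not on a hypothetical approved-device list; the log lines, hostname and allowlist are all constructed for this example.

```python
"""Flag USB devices that are not on an approved list, from kernel log lines.

This maps to the CSF Detect function: raise an alert as soon as an unknown
device is attached so the Respond steps (block it, isolate the workstation)
can begin. The sample log, host name and allowlist below are constructed for
this example and were not captured from a real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of syslog-style kernel messages from one workstation.
SAMPLE_LOG = """\
Mar 03 08:12:01 ws-042 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar 03 08:12:01 ws-042 kernel: usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
Mar 03 08:12:01 ws-042 kernel: usb 1-1: Product: USB Receiver
Mar 03 09:40:17 ws-042 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Mar 03 09:40:17 ws-042 kernel: usb 1-2: New USB device found, idVendor=18d1, idProduct=4ee7, bcdDevice=4.40
Mar 03 09:40:17 ws-042 kernel: usb 1-2: Product: Pixel 7
Mar 03 09:40:17 ws-042 kernel: usb 1-2: Manufacturer: Google
"""

# Hypothetical allowlist of issued hardware, keyed by vendor:product id.
APPROVED_DEVICES = {"046d:c52b"}

# One syslog line: timestamp, host, then the kernel's "usb <port>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) kernel: usb (?P<port>\S+): (?P<msg>.*)$"
)
FOUND_RE = re.compile(
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"^Product: (?P<name>.+)$")


@dataclass
class UsbAlert:
    timestamp: str
    host: str
    port: str
    device_id: str
    product: str
    severity: str


def scan_usb_events(log_text: str, approved: set[str]) -> list[UsbAlert]:
    """Return one alert per attached device whose vendor:product id is not approved."""
    pending: dict[str, UsbAlert] = {}  # port -> alert still collecting detail lines
    alerts: list[UsbAlert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel USB message
        port, msg = m["port"], m["msg"]
        found = FOUND_RE.match(msg)
        if found:
            device_id = f"{found['vid']}:{found['pid']}"
            if device_id in approved:
                pending.pop(port, None)  # approved hardware on this port, nothing to report
                continue
            alert = UsbAlert(m["ts"], m["host"], port, device_id, "unknown", "high")
            pending[port] = alert
            alerts.append(alert)
            continue
        prod = PRODUCT_RE.match(msg)
        if prod and port in pending:
            # The product string arrives on a later line for the same port.
            pending[port].product = prod["name"]
    return alerts


if __name__ == "__main__":
    for a in scan_usb_events(SAMPLE_LOG, APPROVED_DEVICES):
        print(f"{a.timestamp} {a.host} port {a.port}: unapproved device "
              f"{a.device_id} ({a.product}) severity={a.severity}")
```

The alert for the phone carries the port and product string so the responder knows which device to block and which workstation to isolate.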

Video: Explore the five functions of the NIST Cybersecurity Framework

The five core functions of the NIST Cybersecurity Framework (CSF) are:

  1. Identify: This function is about understanding the organization’s cybersecurity risks and how they could impact its people and assets.
  2. Protect: This function is about implementing safeguards to mitigate cybersecurity threats and protect the organization’s assets.
  3. Detect: This function is about identifying potential cybersecurity incidents and improving monitoring capabilities to increase the speed and efficiency of detections.
  4. Respond: This function is about ensuring that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
  5. Recover: This function is about returning affected systems back to normal operation.

All five functions are essential for organizations to have effective cybersecurity strategies in place. Security incidents are going to happen, but an organization must have the ability to quickly recover from any damage caused by an incident to minimize their level of risk.

Here are some examples of how each function can be used to improve an organization’s security:

  • Identify: A security analyst could monitor systems and devices on the organization’s internal network to identify potential security issues.
  • Protect: A security team could implement policies and procedures to train employees on cybersecurity best practices and deploy security tools to mitigate threats.
  • Detect: A security analyst could review a new security tool’s setup to make sure it’s flagging low, medium, or high risk, and then alerting the security team about any potential threats or incidents.
  • Respond: A security analyst could work with a team to collect and organize data to document an incident and suggest improvements to processes to prevent the incident from happening again.
  • Recover: A security analyst could work with their security team to restore systems, data, and assets that have been affected by an incident like a breach.

The NIST CSF is a valuable framework for organizations of all sizes and industries to help them manage and reduce cybersecurity risk.

Explore the five functions of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a widely respected and essential framework for maintaining security regardless of the organization you work for.

The CSF consists of five important core functions:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Here is a more detailed exploration of each function:

Identify

The Identify function is about understanding the organization’s cybersecurity risks and how they could impact its people and assets. This includes identifying threats, vulnerabilities, and assets, and assessing the risks associated with them.

Protect

The Protect function is about implementing safeguards to mitigate cybersecurity threats and protect the organization’s assets. This includes implementing security policies and procedures, training employees on cybersecurity best practices, and deploying security tools.

Detect

The Detect function is about identifying potential cybersecurity incidents and improving monitoring capabilities to increase the speed and efficiency of detections. This includes monitoring systems and networks for suspicious activity, and using security tools to detect known threats.

Respond

The Respond function is about ensuring that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process. This includes developing and implementing incident response plans, and conducting post-incident reviews to learn from mistakes.

Recover

The Recover function is about returning affected systems back to normal operation. This includes restoring systems and data, and communicating with stakeholders about the incident and its resolution.

How to use the NIST CSF

The NIST CSF can be used by organizations of all sizes and industries to improve their cybersecurity posture. To use the CSF, organizations should first identify their cybersecurity risks. Once they have identified their risks, they can develop plans to mitigate those risks using the guidance provided in the CSF.

The NIST CSF can be used to develop a variety of cybersecurity plans, including:

  • Incident response plans
  • Risk management plans
  • Security awareness and training plans
  • System security plans

The NIST CSF can also be used to assess the effectiveness of an organization’s cybersecurity program.

Conclusion

The NIST CSF is a valuable tool for organizations of all sizes and industries to help them manage and reduce cybersecurity risk. By understanding and implementing the five functions of the CSF, organizations can improve their ability to protect their assets, detect and respond to incidents, and recover from attacks.

Hello again! I’m excited you’re here. We have so much to discuss. Previously, we covered the uses and benefits of the NIST CSF. In this video, we’ll focus specifically on the five core functions of the NIST CSF framework. Let’s get started.

NIST CSF focuses on five core functions: identify, protect, detect, respond, and recover. These core functions help organizations manage cybersecurity risks, implement risk management strategies, and learn from previous mistakes. Basically, when it comes to security operations, NIST CSF functions are key for making sure an organization is protected against potential threats, risks, and vulnerabilities. So let’s take a little time to explore how each function can be used to improve an organization’s security.

The first core function is identify, which is related to the management of cybersecurity risk and its effect on an organization’s people and assets. For example, as a security analyst, you may be asked to monitor systems and devices in your organization’s internal network to identify potential security issues.

The second core function is protect, which is the strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats. For example, as a security analyst, you and your team might encounter new and unfamiliar threats and attacks. For this reason, studying historical data and making improvements to policies and procedures is essential.

The third core function is detect, which means identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections. For example, as an analyst, you might be asked to review a new security tool’s setup to make sure it’s flagging low, medium, or high risk, and then alerting the security team about any potential threats or incidents.

The fourth function is respond, which means making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process. As an analyst, you could be working with a team to collect and organize data to document an incident and suggest improvements to processes to prevent the incident from happening again.

The fifth core function is recover, which is the process of returning affected systems back to normal operation. For example, as an entry-level security analyst, you might work with your security team to restore systems, data, and assets, such as financial or legal files, that have been affected by an incident like a breach.

We’ve covered a lot of information in this video. Hopefully, it helped you understand the value of learning about the NIST CSF and its five core functions. From proactive to reactive measures, all five functions are essential for making sure that an organization has effective security strategies in place. Security incidents are going to happen, but an organization must have the ability to quickly recover from any damage caused by an incident to minimize their level of risk. Coming up, we’ll discuss security principles that work hand-in-hand with NIST frameworks and the CIA triad to help protect critical data and assets.

Practice Quiz: Test your knowledge: NIST frameworks

What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?

Fill in the blank: The five core functions that make up the CSF are: identify, protect, detect, _, and recover.

Fill in the blank: The CSF _ function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.

What does a security analyst’s work involve during the CSF recover function?

OWASP principles and security audits


Video: OWASP security principles

As a security analyst, it is important to understand how to protect an organization’s data and assets. The following OWASP security principles can be used to help security teams minimize threats and risks:

  • Minimize the attack surface area: This means reducing the number of potential vulnerabilities that an attacker could exploit. Examples of ways to minimize the attack surface area include disabling unused software features, restricting access to certain assets, and establishing complex password requirements.
  • Least privilege: This means giving users the least amount of access necessary to perform their job duties. This helps to reduce the damage that could be caused in the event of a security breach.
  • Defense in depth: This means having multiple security controls in place to protect against different types of attacks. Examples of security controls include multi-factor authentication, firewalls, and intrusion detection systems.
  • Separation of duties: This means dividing tasks among different people so that no one person has too much power. This helps to prevent fraud and illegal activity.
  • Keep security simple: Security controls should be easy to understand and implement. Avoid overly complex solutions that can be difficult to manage.
  • Fix security issues correctly: When a security incident occurs, it is important to identify the root cause and take steps to fix it. This may involve patching vulnerabilities, implementing new security controls, or educating employees about security best practices.

By understanding and applying these principles, security teams can help to protect their organizations from a wide range of threats.

OWASP security principles are a set of guidelines that can be used to help organizations improve the security of their web applications. These principles are based on the OWASP Top 10, which is a list of the most common and critical web application security risks.

The OWASP security principles are as follows:

  • Minimize the attack surface area: This means reducing the number of potential entry points for attackers. This can be done by disabling unused features, removing unnecessary services, and keeping software up to date.
  • Least privilege: This means giving users the least amount of access necessary to perform their job duties. This helps to reduce the damage that could be done if an attacker gains access to a user’s account.
  • Defense in depth: This means using multiple security controls to protect against attacks. This could include firewalls, intrusion detection systems, and input validation.
  • Separation of duties: This means dividing tasks among different people so that no one person has too much power. This helps to prevent fraud and abuse.
  • Keep security simple: Security controls should be easy to understand and implement. Avoid overly complex solutions that can be difficult to manage.
  • Fix security issues correctly: When a security issue is found, it is important to fix it correctly. This may involve patching vulnerabilities, implementing new security controls, or educating employees about security best practices.

Tutorial on how to apply OWASP security principles:

  1. Identify your organization’s assets. What are the most important systems and data that you need to protect? Once you have identified your assets, you can start to assess the risks that they face.
  2. Implement security controls to mitigate the risks. The OWASP security principles can help you to identify the appropriate security controls for your organization. For example, you can use least privilege to reduce the access that users have to your systems. You can also use defense in depth to implement multiple security controls to protect against attacks.
  3. Monitor your systems for security incidents. It is important to monitor your systems for security incidents so that you can respond to them quickly. You can use a variety of tools and techniques to monitor your systems, such as intrusion detection systems and log analysis tools.
  4. Educate your employees about security best practices. Employees are often the weakest link in the security chain. It is important to educate your employees about security best practices so that they can help to protect your organization from attack.

Benefits of applying OWASP security principles:

  • Reduced risk of security breaches: By applying OWASP security principles, you can reduce the risk of security breaches. This is because OWASP security principles are based on the most common and critical web application security risks.
  • Improved compliance: Many industry regulations require organizations to implement certain security controls. OWASP security principles can help you to comply with these regulations.
  • Increased customer confidence: Customers are more likely to do business with organizations that they trust to protect their data. By applying OWASP security principles, you can demonstrate to your customers that you are committed to protecting their data.

By applying OWASP security principles, organizations can improve the security of their web applications and reduce the risk of security breaches.

It’s important to understand how to protect an organization’s data and assets because that will be part of your role as a security analyst. Fortunately, there are principles and guidelines that can be used, along with NIST frameworks and the CIA triad, to help security teams minimize threats and risks. In this video, we’ll explore some Open Web Application Security Project, or OWASP, security principles that are useful to know as an entry-level analyst.

The first OWASP principle is to minimize the attack surface area. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit, like attack vectors, which are pathways attackers use to penetrate security defenses. Examples of common attack vectors are phishing emails and weak passwords. To minimize the attack surface and avoid incidents from these types of vectors, security teams might disable software features, restrict who can access certain assets, or establish more complex password requirements.

The principle of least privilege means making sure that users have the least amount of access required to perform their everyday tasks. The main reason for limiting access to organizational information and resources is to reduce the amount of damage a security breach could cause. For example, as an entry-level analyst, you may have access to log data, but may not have access to change user permissions. Therefore, if a threat actor compromises your credentials, they’ll only be able to gain limited access to digital or physical assets, which may not be enough for them to deploy their intended attack.

The next principle we’ll discuss is defense in depth. Defense in depth means that an organization should have multiple security controls that address risks and threats in different ways. One example of a security control is multi-factor authentication, or MFA, which requires users to take an additional step beyond simply entering their username and password to gain access to an application. Other controls include firewalls, intrusion detection systems, and permission settings that can be used to create multiple points of defense a threat actor must get through to breach an organization.

Another principle is separation of duties, which can be used to prevent individuals from carrying out fraudulent or illegal activities. This principle means that no one should be given so many privileges that they can misuse the system. For example, the person in a company who signs the paychecks shouldn’t also be the person who prepares them.

Only two more principles to go! You’re doing great. Keep security simple is the next principle. As the name suggests, when implementing security controls, unnecessarily complicated solutions should be avoided because they can become unmanageable. The more complex the security controls are, the harder it is for people to work collaboratively.

The last principle is to fix security issues correctly. Technology is a great tool, but can also present challenges. When a security incident occurs, security professionals are expected to identify the root cause quickly. From there, it’s important to correct any identified vulnerabilities and conduct tests to ensure that repairs are successful. An example of an issue is a weak password to access an organization’s Wi-Fi because it could lead to a breach. To fix this type of security issue, stricter password policies could be put in place.

I know we’ve covered a lot, but understanding these principles increases your overall security knowledge and can help you stand out as a security professional.
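Least privilege, separation of duties and defense in depth can all be enforced in code. The following added example (not course code) models the paycheck scenario from this video: each role carries only the permissions it needs, the entry-level analyst can read logs but not change permissions, approving a payment batch additionally requires a completed MFA step, and a batch can never be approved by the person who prepared it. The role names, users and `payroll:*` action names are constructed for this example.

```python
"""Least privilege and separation of duties in a small payroll workflow.

Roles, users, action names and the payroll batch are constructed for this
example; nothing here is taken from a real system.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Least privilege: each role lists only the actions it needs. The security
# analyst can read logs but holds no permission-management action, as in the
# video's example of an entry-level analyst.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:prepare"},
    "finance_manager": {"payroll:approve"},
    "security_analyst": {"logs:read"},
    "iam_admin": {"users:change_permissions"},
}


class AuthorizationError(Exception):
    """Raised when a user attempts an action their role or the workflow does not allow."""


@dataclass
class User:
    name: str
    roles: Set[str]
    mfa_verified: bool = False  # set after the user completes a second factor


@dataclass
class PayrollBatch:
    batch_id: str
    total_cents: int
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None


def permissions_for(user: User) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def require(user: User, action: str) -> None:
    """Deny by default: the action must be explicitly granted by a role."""
    if action not in permissions_for(user):
        raise AuthorizationError(f"{user.name} lacks {action}")


def prepare_batch(user: User, batch: PayrollBatch) -> PayrollBatch:
    require(user, "payroll:prepare")
    batch.prepared_by = user.name
    return batch


def approve_batch(user: User, batch: PayrollBatch) -> PayrollBatch:
    require(user, "payroll:approve")
    # Defense in depth: a valid role is not enough to move money; an MFA step
    # must also have been completed for this session.
    if not user.mfa_verified:
        raise AuthorizationError(f"{user.name} must complete MFA before approving")
    if batch.prepared_by is None:
        raise AuthorizationError(f"batch {batch.batch_id} has not been prepared")
    # Separation of duties: the preparer may not approve their own batch, even
    # when one person happens to hold both roles.
    if batch.prepared_by == user.name:
        raise AuthorizationError(
            f"{user.name} prepared batch {batch.batch_id} and may not approve it"
        )
    batch.approved_by = user.name
    return batch


if __name__ == "__main__":
    clerk = User("dana", {"payroll_clerk"})
    manager = User("morgan", {"finance_manager"}, mfa_verified=True)
    batch = prepare_batch(clerk, PayrollBatch("2024-03", 1_250_000))
    approve_batch(manager, batch)
    print(f"batch {batch.batch_id}: prepared by {batch.prepared_by}, approved by {batch.approved_by}")
```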

Reading: More about OWASP security principles

Video: Wajih: Stay up-to-date on the latest cybersecurity threats

Wajih is a security engineer at Google working in the digital forensics department. He does not have a background in cybersecurity, but he was able to get into the field by leveraging his previous experiences and learning the fundamentals.

Here are some tips from Wajih on how to get into cybersecurity:

  • Don’t be afraid to start from scratch. You don’t need a degree in cybersecurity to get into the field. There are many resources available to help you learn the fundamentals, such as online courses, books, and articles.
  • Find a mentor. A mentor can help you learn the ropes and navigate the cybersecurity industry.
  • Network with other cybersecurity professionals. Attend conferences, meetups, and online forums to connect with other people in the field.
  • Don’t be overwhelmed. There are many different specializations within cybersecurity. It’s impossible to know everything about everything. Start by focusing on one or two areas that you’re interested in.
  • Be persistent. Cybersecurity is a challenging field, but it’s also very rewarding. Don’t give up if you don’t get your dream job right away. Keep learning and keep applying.

Wajih also emphasizes the importance of staying up to date on the latest cybersecurity trends. He recommends reading online articles and attending conferences to learn about new threats and vulnerabilities.

Overall, Wajih’s message is that it’s possible to get into cybersecurity, even if you don’t have a background in the field. Just be willing to learn, network, and be persistent.

My name is Wajih and I’m a security engineer at Google working in the digital forensics department. Do you need a background in cybersecurity? No, you don’t. My past experience is working at a water park as a snow cone machine guy. I worked at a movie theater selling popcorn in concession stands. During my undergrad, I was a bio major at first, like my freshman year. I met someone on a bus who was mentioning this cool cybersecurity startup that just sounded really cool.

Some strategies I leveraged to keep up to date on the latest cybersecurity trends are going on online forums such as Medium to research different security trends and topics. I personally use Medium a lot as I could filter by the tag of, like, I want to find articles related to cybersecurity, and/or I want to find articles related to cloud security. Based off their filtering algorithm, I just go on and see, like, what other people are talking about and then that’s what helps me keep up to date. If it’s more of like networking that you’re looking forward to, then I highly recommend just going out to those, like, conferences.

My advice for people wanting to get into cybersecurity is don’t be too overwhelmed with trying to understand every single specialization within cybersecurity. There’s so much going on within the cybersecurity field in terms of trends and it’s nice to stay up to date with all of those, but sometimes you need to take a step back and prioritize what subjects within cybersecurity you are staying most up to date on. I love this job. I love the challenges. I feel like there is a shortage in cybersecurity professionals out there from just past experiences, hearing from other friends in computer science fields. Most of them say that, oh, it’s too hard, too complicated to get in. Don’t listen to those people. I encourage you to push through. It’s definitely well worth it. First just get the fundamentals down and be persistent.

Video: Plan a security audit

Internal security audits are reviews of an organization’s security controls, policies, and procedures against a set of expectations. They are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance.

The first two elements of an internal security audit are:

  1. Establishing the scope and goals: The scope refers to the specific criteria of the audit, such as people, assets, policies, procedures, and technologies that might impact an organization’s security posture. The goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture.
  2. Completing a risk assessment: A risk assessment is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets.

Entry-level analysts may be asked to review and understand the scope and goals of the audit, or to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place.

In the next video, the instructor will discuss the last three elements of an internal security audit: controls assessment, compliance assessment, and communicating results to stakeholders.

To plan a security audit in cybersecurity, you should follow these steps:

  1. Establish the scope and goals of the audit. What do you want to achieve with the audit? What specific areas of your security program do you want to assess? Once you have a clear understanding of the scope and goals, you can develop a plan to achieve them.
  2. Identify the assets to be audited. What assets do you need to protect? This could include your physical infrastructure, data, software, and intellectual property.
  3. Identify the threats and risks to your assets. What are the potential threats to your assets? What are the risks associated with those threats?
  4. Identify the controls in place to mitigate the risks. What controls do you have in place to protect your assets from the identified threats and risks?
  5. Develop an audit plan. The audit plan should outline the steps that will be taken to assess the controls in place to mitigate the risks. This should include the following:
    • Audit schedule: When will the audit be conducted?
    • Audit team: Who will be involved in the audit?
    • Audit methodology: What methods will be used to assess the controls?
    • Audit reporting: How will the results of the audit be reported?
  6. Communicate the audit plan to stakeholders. It is important to communicate the audit plan to all stakeholders, including management, staff, and customers. This will help to ensure that everyone is aware of the audit and its goals.

Here are some additional tips for planning a security audit:

  • Get buy-in from management. It is important to have the support of management before conducting a security audit. This will help to ensure that the audit is given the resources it needs to be successful.
  • Engage a qualified auditor. If you do not have the expertise to conduct a security audit yourself, you should consider engaging a qualified auditor. This will help to ensure that the audit is conducted thoroughly and professionally.
  • Be objective. It is important to be objective when conducting a security audit. This means avoiding any bias or personal opinions.
  • Be comprehensive. The audit should be comprehensive enough to cover all of the critical areas of your security program.
  • Be timely. The audit should be conducted on a regular basis to ensure that your security program is effective and up-to-date.

By following these steps, you can develop a comprehensive and effective security audit plan.

Now that we’ve covered different frameworks, controls, security principles, and compliance regulations, the question is: How do they all work together? The answer to that question is by conducting security audits. A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations. There are two main types of security audits: external and internal. We’ll focus on internal security audits because those are the types of audits that entry-level analysts might be asked to contribute to. An internal security audit is typically conducted by a team of people that might include an organization’s compliance officer, security manager, and other security team members. Internal security audits are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues.

Now that we’ve discussed the purposes of internal audits, let’s cover some common elements of internal audits. These include establishing the scope and goals of the audit, conducting a risk assessment of the organization’s assets, completing a controls assessment, assessing compliance, and communicating results to stakeholders. In this video, we’ll cover the first two elements, which are a part of the audit planning process: establishing the scope and goals, then completing a risk assessment.

Scope refers to the specific criteria of an internal security audit. Scope requires organizations to identify people, assets, policies, procedures, and technologies that might impact an organization’s security posture. Goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture. Although more senior-level security team members and other stakeholders usually establish the scope and goals of the audit, entry-level analysts might be asked to review and understand the scope and goals in order to complete other elements of the audit. As an example, the scope of this audit involves assessing user permissions; identifying existing controls, policies, and procedures; and accounting for the technology currently in use by the organization. The goals outlined include implementing core functions of frameworks, like the NIST CSF; establishing policies and procedures to ensure compliance; and strengthening system controls.

The next element is conducting a risk assessment, which is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets. Similar to establishing the scope and goals, a risk assessment is oftentimes completed by managers or other stakeholders. However, you might be asked to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place to help improve the organization’s security posture. For example, this risk assessment highlights that there are inadequate controls, processes, and procedures in place to protect the organization’s assets. Specifically, there is a lack of proper management of physical and digital assets, including employee equipment. The equipment used to store data is not properly secured. And access to private information stored in the organization’s internal network likely needs more robust controls in place.

Now that we’ve discussed the initial planning elements of an internal security audit, coming up, we’ll focus on the last three elements.

Video: Complete a security audit

In this video, the focus is on the final elements of an internal security audit, particularly for entry-level analysts. The process begins with a review of the audit’s scope, goals, and risk assessment. Analysts need to ask critical questions about the audit’s purpose, asset vulnerability, and control effectiveness. The subsequent steps involve:

  1. Controls Assessment: This includes categorizing controls into administrative (related to human aspects), technical (hardware/software solutions), and physical (measures to prevent physical access).
  2. Compliance Assessment: Evaluating whether the organization is adhering to relevant compliance regulations, such as GDPR and PCI DSS.
  3. Communication: Communicating audit results and recommendations to stakeholders, summarizing audit scope, identifying risks, and offering security improvement suggestions.

Internal security audits help identify gaps and security measures within organizations, enabling them to improve their security posture. Completing these audits can also be valuable for one’s professional portfolio.

Tutorial: Complete a Security Audit in Cybersecurity

A security audit is a systematic review and evaluation of an organization’s security posture. It helps organizations to identify and mitigate security risks, and to ensure that their security controls are effective. Security audits can be conducted internally or by external third-party auditors.

To complete a security audit, follow these steps:

  1. Define the scope of the audit. What assets will be audited? What types of security controls will be reviewed? What time period will be covered?
  2. Gather information. This includes reviewing security policies and procedures, interviewing staff, and examining system logs.
  3. Assess security risks and vulnerabilities. Identify potential threats to the organization’s assets, and evaluate the effectiveness of the security controls in mitigating those threats.
  4. Make recommendations. Based on the findings of the audit, develop recommendations for improving the organization’s security posture.
  5. Implement the recommendations. The organization should prioritize and implement the recommendations in a timely manner.

Here are some additional tips for conducting a security audit:

  • Involve key stakeholders. The security audit should be a collaborative effort involving all relevant stakeholders, such as IT staff, management, and end users.
  • Use a variety of audit techniques. There are a variety of audit techniques that can be used, such as interviews, surveys, documentation reviews, and technical testing.
  • Be objective and thorough. The audit should be conducted in an objective and thorough manner. Auditors should avoid making assumptions or relying on hearsay.
  • Document the findings and recommendations. The findings and recommendations of the audit should be documented in a clear and concise report.

Here is a sample security audit checklist:

  • Security policies and procedures
    • Are there documented security policies and procedures in place?
    • Are the policies and procedures comprehensive and up-to-date?
    • Are the policies and procedures communicated to and understood by staff?
  • Access control
    • Are there appropriate access controls in place for all systems and data?
    • Are access controls reviewed and updated on a regular basis?
  • System security
    • Are all systems properly configured and secured?
    • Are security patches and updates applied promptly?
    • Are systems monitored for suspicious activity?
  • Data security
    • Are sensitive data encrypted?
    • Are data backups performed regularly and stored securely?
    • Is data access restricted to authorized personnel?
  • Incident response
    • Is there an incident response plan in place?
    • Are staff trained on the incident response plan?
    • Is the incident response plan tested on a regular basis?

This checklist is just a starting point. The specific areas that are audited will vary depending on the organization’s needs and risk profile.

Conclusion

Security audits are an essential part of any cybersecurity program. By regularly conducting security audits, organizations can identify and mitigate security risks, and ensure that their security controls are effective.

Previously, we discussed the initial planning elements of an internal security audit. In this video, we’ll cover the final elements that an entry-level analyst might be asked to complete. As a reminder, the planning elements of internal security audits include establishing the scope and goals, then conducting a risk assessment. The remaining elements are completing a controls assessment, assessing compliance, and communicating results. Before completing these last three elements, you’ll need to review the scope and goals, as well as the risk assessment, and ask yourself some questions. For example: What is the audit meant to achieve? Which assets are most at risk? Are current controls sufficient to protect those assets? If not, what controls and compliance regulations need to be implemented? Considering questions like these can support your ability to complete the next element: a controls assessment.

A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective. To do this, entry-level analysts might be tasked with classifying controls into the following categories: administrative controls, technical controls, and physical controls. Administrative controls are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies. Technical controls are hardware and software solutions used to protect assets, such as the use of intrusion detection systems, or IDSs, and encryption. Physical controls refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.

The next element is determining whether or not the organization is adhering to necessary compliance regulations. As a reminder, compliance regulations are laws that organizations must follow to ensure private data remains secure. In this example, the organization conducts business in the European Union and accepts credit card payments. So they need to adhere to the GDPR and Payment Card Industry Data Security Standard, or PCI DSS.

The final common element of an internal security audit is communication. Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders. In general, this type of communication summarizes the scope and goals of the audit. Then, it lists existing risks and notes how quickly those risks need to be addressed. Additionally, it identifies compliance regulations the organization needs to adhere to and provides recommendations for improving the organization’s security posture.

Internal audits are a great way to identify gaps within an organization. When I worked at a previous company, my team and I conducted an internal password audit and found that many of the passwords were weak. Once we identified this issue, the compliance team took the lead and began enforcing stricter password policies. Audits are an opportunity to determine what security measures an organization has in place and what areas need to be improved to achieve the organization’s desired security posture. Security audits are quite involved, yet of extreme value to organizations. Later in the course, you’ll have an opportunity to complete elements of an internal security audit for a fictional company, which you can include in your professional portfolio.
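As an added example (not course material), the following Python models the three final audit elements described above: a controls assessment that classifies controls as administrative, technical or physical and finds risks with no in-place control, the compliance check for the video's EU-plus-card-payments case, and the stakeholder report with scope, goals, risk urgency, regulations and recommendations. The risk ids, severity scale, urgency mapping and sample controls are all constructed for illustration.

```python
# Added example, not course material: a small model of the controls assessment,
# compliance assessment and stakeholder report described above. All data is constructed.
from dataclasses import dataclass

ADMINISTRATIVE, TECHNICAL, PHYSICAL = "administrative", "technical", "physical"
URGENCY = {3: "immediate", 2: "within 30 days", 1: "next review cycle"}  # constructed scale

@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    severity: int  # constructed scale: 1 low, 2 medium, 3 high

@dataclass(frozen=True)
class Control:
    name: str
    kind: str  # one of the three categories from the video
    mitigates: frozenset  # ids of the risks this control addresses
    in_place: bool = True

def applicable_regulations(operates_in_eu, accepts_card_payments):
    """Compliance assessment for the video's case: EU business that takes card payments."""
    regs = ["GDPR"] if operates_in_eu else []
    if accepts_card_payments:
        regs.append("PCI DSS")
    return regs

def controls_assessment(risks, controls):
    """Map each risk id to the in-place controls that mitigate it; an empty list is a gap."""
    coverage = {r.id: [] for r in risks}
    for c in controls:
        for rid in c.mitigates:
            if c.in_place and rid in coverage:
                coverage[rid].append(c.name)
    return coverage

def controls_by_category(controls):
    """Classify controls into the three categories from the video (the analyst's task)."""
    return {k: sum(c.kind == k for c in controls) for k in (ADMINISTRATIVE, TECHNICAL, PHYSICAL)}

def audit_report(scope, goals, risks, controls, regs):
    """Stakeholder communication: scope, goals, risks with urgency, regulations, advice."""
    coverage = controls_assessment(risks, controls)
    gaps = sorted((r for r in risks if not coverage[r.id]), key=lambda r: -r.severity)
    return {"scope": scope, "goals": goals, "compliance": regs,
            "risks": [{"id": r.id, "urgency": URGENCY[r.severity], "mitigated_by": coverage[r.id]} for r in risks],
            "recommendations": [f"{r.id} ({URGENCY[r.severity]}): add a control for {r.description}" for r in gaps]}

# Constructed sample data mirroring the risk assessment in the video
RISKS = [Risk("R1", "unsecured data-storage equipment", 3),
         Risk("R2", "unmanaged employee equipment", 2),
         Risk("R3", "weak access controls on internal network data", 3)]
CONTROLS = [Control("Password policy", ADMINISTRATIVE, frozenset({"R3"})),
            Control("Server-room locks", PHYSICAL, frozenset({"R1"}), in_place=False),
            Control("Disk encryption", TECHNICAL, frozenset({"R1"}))]
```

Calling `audit_report("user permissions", ["implement NIST CSF core functions"], RISKS, CONTROLS, applicable_regulations(True, True))` yields one recommendation, for R2, because the only control mapped to it is absent and the locks for R1 are not yet in place while disk encryption is.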

Reading: More about security audits

Practice Quiz: Test your knowledge: OWASP principles and security audits

A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?

Fill in the blank: A security _ is a review of an organization’s security controls, policies, and procedures against a set of expectations.

A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?

A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication?

Quiz: Portfolio Activity: Conduct a security audit

Reading: Portfolio Activity Exemplar: Conduct a security audit

Review: Security frameworks and controls
Video: Wrap-up

In this video, you learned about different security concepts that can help an organization protect its data and assets. You covered the following topics:

  • Security frameworks: These frameworks help organizations protect their critical information.
  • Security controls: These controls protect against risks, threats, and vulnerabilities. This includes the CIA triad, which is a core security model, and two NIST frameworks: the CSF and SP 800-53.
  • OWASP secure design principles: These principles help organizations design secure software.
  • Security audits: These audits help organizations identify and address security risks.

Security professionals use these concepts to protect organizations’ assets, data, systems, and people.

In the next section of the course, you will learn about specific security tools that security analysts use to improve an organization’s security posture.

Great job! Now you’ve had an opportunity to learn more about security concepts that can help an organization protect data and assets. We’ve covered quite a bit, but it will all be valuable knowledge for you as you continue along your journey into the security profession. We started by defining what security frameworks are, and how they help organizations protect critical information. We also explored security controls and the important role they play in protecting against risks, threats, and vulnerabilities. This included a discussion of the CIA triad, which is a core security model, and two NIST frameworks: the CSF and SP 800-53. Then, we covered some of OWASP’s secure design principles. We ended by introducing security audits with a focus on the elements of an internal audit that you may be asked to complete or contribute to.

Security professionals use the concepts we discussed to help protect organizations’ assets, data, systems, and people. As you continue along your journey into the security profession, a lot of these concepts will come up repeatedly. What we’re doing now is giving you a foundational understanding of security practices and topics that will help you along the way. In the next section of the course, we’ll discuss specific security tools you may one day use as an analyst. We’ll cover how they’re used to improve an organization’s security posture and how they can help you achieve your goal of keeping organizations and people safe. I’m excited to continue this journey with you. See you soon!

Reading: Glossary terms from module 2

Quiz: Module 2 challenge

What is the purpose of a security framework?

Fill in the blank: A security professional uses _ to convert data from a readable format to an encoded format.

Which of the following characteristics are examples of biometrics? Select all that apply.

You work as a security analyst for a supply chain organization and need to confirm all inventory data is correct, authentic, and reliable. Which core principle of the CIA triad are you using?

Which of the following statements accurately describe the CSF?

A security team establishes controls, including permission settings that will be used to create multiple security points that a threat actor must get through to breach their organization. Which OWASP principle does this scenario describe?

What are some of the primary objectives of an internal security audit? Select three answers.

Fill in the blank: The planning elements of an internal security audit include establishing scope and _, then conducting a risk assessment.

A security analyst performs an internal security audit. They review their company’s existing assets, then evaluate potential risks to those assets. Which aspect of a security audit does this scenario describe?

What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.