CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 302: Security Audits and the CISSP Exam
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
If audits feel like paperwork purgatory, this conversation will change your mind. We unpack Domain 6 with a clear, practical path: how to scope a security audit that executives will fund, teams will follow, and regulators will respect. Along the way, we touch on a fresh angle in the news—an open source LLM tool sniffing out Python zero days—and connect it to what development shops can do right now to lower risk without slowing delivery.
We start by demystifying what a security audit is and how it differs from an assessment. Then we get into the decisions that matter: choosing one framework to anchor your work (NIST CSF, ISO 27001, or PCI DSS where applicable), keeping policies lean enough to use under pressure, and building a scope that targets high-value processes like account provisioning or privileged access. You’ll hear why internal audits build muscle, external audits unlock credibility, and third-party audits protect your supply chain when a vendor stalls or gets breached. We talk straight about cost, bias, and the communication gaps that derail progress—and how to fix them.
From there we focus on outcomes. You’ll learn to prioritize incident response and third-party risk for the biggest return, write right-to-audit clauses that actually help, and map findings to business impact so leaders say yes to headcount and tooling. We share ways to pair tougher controls with enablement—like deploying a password manager before lengthening passphrases—so adoption sticks. Expect practical reminders on interview planning, evidence collection, and keeping stakeholders aligned without burning goodwill. It’s a playbook for turning findings into funding and audits into forward motion.
If this helped you reframe how you approach Domain 6 and security audits, subscribe, leave a review, and share it with a teammate who’s staring down their next audit. Your support helps more people find CISSP Cyber Training.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
SPEAKER_01: Good morning, everybody. This is Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday, and today we're gonna go over some great parts around the CISSP. So I hope you all are excited and strapped on, ready to go, because it's gonna be a wild ride. You know it, it always is. That's also sorry for that I sound like uh Lou Rawls or the guy on the Arby's commercial that has you got the meats, because yeah, I've got this deep voice because I've been fighting a cold for about the past week and a half. My uh daughter, she graduated from basic military training from the Air Force, and we went and saw her and got to experience that was a great opportunity. And in the process, I was exposed to around 2,000 people, and of which somebody had a cold or something. Who knows what it is anymore? But yeah, so I have this really cool, sexy, deep voice right now. And uh maybe you're probably not thinking it's sexy, you probably all think it's quite annoying, but like my wife. But that is okay because we are gonna get into something around domain six today. And today is domain six, and we're gonna be getting around the aspects of conducting security audits. And one of the aspects that you will focus on when you are doing your CISSP is around security audits and where do you do them, how do you do them, and so on and so forth. And an aspect also that you'll see in this is when you get in your own world and you're out there doing your own security stuff, you may be called upon to do security audits for different agencies, different entities within your company. I've had to do multiple audits for uh my finance team because they didn't understand the security aspects of these questions. And so I had to assist them during the audit process. So we'll get into a little bit of that. But before we do, I had an article that was out there in The Register.
It's around an open source LLM tool, which is your learning, large learning module, module or model. Yeah, see, I can't speak either. I sound really cool and I can't speak. So it sounds to be a great way to start a podcast. But it's prime to sniff out Python zero-days, which I thought was interesting. And this is the part where the LLMs, you know, people are like, well, people are gonna cheat. I had when I was teaching college, we thought students would cheat using LLMs, which they did, but they're getting better and better so that now they can cheat without me knowing that they're actually cheating. But that being said, that being aside, is the fact that this LLM is actually going out to sniff out Python zero-days. Now, Python as a whole is a pretty substantial uh amount of the code development that occurs within uh the overall ecosystem of the globe. And even I was exposed to Python doing teaching stuff when I was at Wichita State here in Kansas. And a lot of it is because there's big companies that are using it. Obviously, it's open source, so there's a lot of ability to reuse libraries. There's also rapid development and evolution in that whole space. And so uh Python would be a really good language to start on. Uh uh C#, maybe not so much because it isn't as prevalent as something like Python. And a lot of the open source stuff is in Python. So therefore, this tool was potentially an option for that ability. And this software is called VulnHuntr, uh, V-U-L-N, H-U-N-T-R. And it was introduced at the No Hat security conference in Italy on Saturday. And it what it's an interesting part about this is that it has a great capability to really help or companies that have development teams to maybe run through their code to make sure that there aren't any zero day potential zero-days in there. So it with the quote from them is it automatically finds project files that are likely to handle remote user inputs.
And they look for potential vulnerabilities and then they look for specific ways to optimize and and fix those vulnerabilities. So I think it's a really cool tool, uh especially if your team has a development team, you have a development team in your organization. Uh, the one part they have is it looks for cross-site scripting, uh, cross-site request forgery vulnerabilities, and then also privilege escalation. So there's a lot of different tools it'll work with. And I'd say honestly, if you had a situation where you worked a lot in Python and you didn't know how your development team was as it relates to security issues, this might be something to put out there just to see, just to see how it would work out potentially for you and your organization. And even if it only found a few things, if that's already a way up than just having it out to get once your team gets done and they promote it to production, it's a good way to get started. So I think it's something to check out. Go to The Register, uh, that's theregister.com, and there's an article in there. Again, the open source LLM tool is prime to sniff out Python zero-days. So Google the LLM Python zero-days and see what comes up. And that might be an opportunity for you to help in your organization. Okay, let's get started in what we're gonna talk about today. Okay, this is over 6.5 of the ISC² in the ISC² manual around conducting and facilitating security audits. So, as we all know, audits are an important factor in everything you do in cybersecurity, and there's also a lot of reasons why you have to do audits. And so the CISSP folks wanted you to focus on understanding how do you one, how do you conduct them, two, how do you facilitate them, and then what's the importance behind them? And I think understanding that key concept is a big factor going forward. I get called on routinely to do audits for various companies, and so this is an aspect that is near and dear to my heart.
Now I will tell you, is it the most sexy thing in the world to do? And no, it's not. It's not the most sexy. Uh, it is one of those that can be laborious and time consuming, but the outcome can be very promising if they're done right, and not just that they're done right, it's the fact that where are the uh findings from the audit utilized by the senior executives to fix the actual problems. So that's where it's a win-win is if you actually do the audit, and then when you do after you get done with doing the audit or the assessment, they bring you in to fix the problems. And so that's a key, really key point. And I've had multiple audits with uh PricewaterhouseCoopers, with Deloitte, with all these the big, big three folks that do audits. And my organizations, they would come in and they would find findings, but for the most part, they were relatively positive findings or positive reports, and I'm not saying that to say my audits were awesome. No, they're not. We had some really good people, but what I was saying is I focused on the basics. And if you focus on the basics, if you have an audit that's coming in, and say you are the security person and you get an audit that's headed your way, you're going, what do I do? Well, if you focus on the basics, that's what the audit teams are primarily looking at. They want to make sure that you have the the in things in place that will help reduce the risk to the organization and therefore reduce the risk of a potential bad thing happening. So let's get into that. So when you're dealing with security audits, what is a security audit, right? It's a key concept. I don't know what that is. So if you've heard first of you've heard this term, well, hey, welcome to the party. If not, then you know, you maybe this will open up some new eyeballs or that's really open up eyeballs. Yeah, that's really bad.
Anyway, so a security audit is a systematic examination of an organization's information security practices to assess compliance with regulations, standards, and internal policies. So a good example of this is you have in the United States government, uh, when you're dealing with the Defense Department, they have to meet the CMMC standards, which is your cybersecurity maturity model certification. And if you want to meet the CMMC model, you have to go through and have various audits. You have to meet these audits. And the purpose is then to make sure that your organization is meeting the standards, in this case, the Department of Defense. Now, it could be around financial audits, uh, it could be HIPAA, medical-related audits, it could be any of those. But let's boil that down to what are the main things they're looking for and focus on the fact that most of the audits are tied to a standard, which we'll get into in just a little bit. But the standards are to ensure that you are actually meeting or exceeding those standards. So that they know an auditor comes in, drops in with their parachute, and says, okay, where are you at? If you are following this standard, now they know that, hey, as long as they're not lying to me, which then they ask some more questions. Again, like when my kids are lying, I ask deeper questions to find out if they're really telling the truth or they're lying. They'll ask deeper questions to make sure that, hey, do you really know what you're talking about? Or is it just a bunch of smoke and mirrors? But again, it's around compliance with regulations, standards, and potentially internal policies. You may have your own internal policy that maintains this level of standard within your company. So, again, the importance of them is you're again, we talked about compliance and regulations, ensuring your security posture meets a certain level. 
Now, because you may be in a governmental type environment, you have a security posture that needs to maintain at a certain spot. Like, I example is CMMC, or maybe you have external, you have an own internal audit team that is constantly looking at your environment. That way you will have to understand, you'll have to maintain a level of security around that. It's also to improve your operational efficiency. As an example of this, is let's say for point you have are currently provisioning accounts to anybody who starts in your company. Well, you have a very manual process, but the auditors recommend an automated process to provision new accounts with new credentials, with new entitlements. And you actually then go through and you get that done. Well, now it went from taking a process that was very potentially error-ridden and taking a long time to being a very quick process where now your individuals that were doing that before can now work on something different. And so the point of that is it improves the operational efficiency of your company. So that's a great finding of the audits. But they can get overwhelming, and you have to then once you get the audit findings, break it down into a bite-sized pieces that you can actually go and implement in a time frame while doing your job at the same time. And then support business continuity. A big factor you see this in today's world is business continuity and business resiliency. What are you gonna do when you get pwned? Because it's gonna happen at some point in time, your company's gonna get pwned, or aspects of your company are gonna get hacked and you're gonna have to deal with it. So by going through the audit process, it will help support your overall business continuity and your business resiliency. So it's again important parts. Now, when you're conducting a security audit, you need to complete, first off, there's a complete or cyber risk assessment. 
Now, an assessment and an audit are two different things, but they get used, and unfortunately by me sometimes, uh used synonymously. And they're not. They're not an assessment, it's just a quick brush brush look at what's going on. It might be a deep dive into a certain area, but at the end of the day, it's just an assessment, it's an assessing of what's actually going on within your organization. Where an audit is a formalized process in which someone's going to do a deep dive within your company on a specific topic. Now that comes into where you have to determine the scope, uh, the boundaries and requirements of these audits. What is the limitations? What can how deep can they go? Where do they have to stay within? Because what can happen is these audits, I've seen it, where you didn't set up a scope for these folks. They can get extremely broad and they come back with all kinds of findings and say, yes, you suck. You're a terrible organization, you guys should just quit right now and go away. You can get that, right? But that can get that doesn't, it's not helpful. It's expensive because the longer they stay with you, the more the money they charge you because they're charging you per hour. So it can get very expensive, and then it doesn't give you the results you want. So you need to, if you want to focus on a very specific niche, niche, if you want to focus on that niche, then you need to target them in that. So let's just say it's account provisioning. I want to know, I want to do an audit of my account provisioning because I see it as one of my biggest weaknesses within my organization. Focus on that. And that's what they'll do. Uh, it'll help identify potential threats from carelessness to human error, technical threats. You know, again, one of the pieces that comes into is the insider aspect, right? I do insider risk for companies, I help them get that set up. 
One of the things I would ask of them to do is first thing is do a good quality assessment of their overall processes to determine where they may or may not have an insider risk problem. And that's another aspect of it. Uh, and this also could come back to the development part, right? If you are a development shop and you see that they're not doing any sort of development uh work and they're not incorporating security within their development processes, that might be something that you would say is an internal problem we need to fix. And so that's where this audit can come back to. It helps with vulnerability identification again, and then also highlights where they might be mitigated by certain levels of controls you may have within your company. And then it also will help identify potential controls you can put in place to limit these issues that you have. And the other thing around an audit that's important between an assessment. So, an assessment, if I do it internally, I've I did it for uh a company and for maybe a part of my organization, what'll end up happening is that audit finding can be go, okay, hey, that's awesome. You're great, thank you, move on to the next. But when it comes, that's an assessment, when it comes on to an audit, an audit typically, typically, not always, and we'll get into this in a minute, is external. And you may have an external party do an audit of you. If they do that, they'd have a piece of paper that says, okay, you just spent like $100,000 on this audit. I need you now to go do what it says and use it as the template to fix the problems you have within your company. So again, those are just areas that they think about. So when you're looking also at an audit, you need to determine the severity. Assuming the vulnerability has been exploited within a company, what would happen? Right. So this talked about the bringing the onboarding of new people.
Say you didn't have a process, a manual process, and say that was a vulnerability that was exploited in your overall process in place. And now what happens? What could happen if you can no longer provision individuals? Now, a small organization, that might not be a big deal. Larger organization that maybe you have a lot of contractors, and now you can't bring contractors onto your company, that could be a really big deal. So it just comes into is where you have to impact the severity of that. You need to determine your risk level, and this is based on the likelihood of this occurring, where how often will it happen within your company, and then what would be the potential impact if that were to occur. And then lastly, is what is your response to this piece of this? So they they would check to see if something bad did happen within your organization. How would you respond? How would you deal with the highest risk items first? What would you focus on? So again, those are key aspects that you'll run into when you're dealing with an audit. Now, an internal audit, this is we're gonna break these into three different parts. So you got an internal, an external, and a third party. And the external and the third party we'll get into are a little squishy, but you will see it'll make some more sense as we get into it. So an internal audit, this is conducted by an organization's own security team or personnel. So again, this is you are part of that auditing team. And this can be in a cost-effective way to really get a good understanding of the internal processes within your company. And we would do internal audits within my own company. I would also then act as an internal external auditor to other companies that I worked with, but I was still internal to the company. That's the part where it's really kind of squishy. Um, but when you're dealing with an external internal audit, they are very effective. They can be. 
As long as, again, repeat, as long as you have senior leadership buy-in on what you're trying to accomplish. I've done audits and assessments internally, and they have been absolutely worthless. And all I've done is wasted a bunch of time and wasted a bunch of money because you give them a product and the the CEO is like, yeah, okay, thanks. Have a nice day. The only reason I'm doing this is because checkbox, done. And but again, knowing that going into it, it's important for you as the person who's responsible doing this and as a CISSP with your integrity, right? We've got to have that. It's a key pack factor of being a CISSP, is that you provide them a great product so that if and when they may do make changes and they want to actually do something with it, it is there and available for them to do with it. Yeah, that was a really bad run-on sentence. But the point of it is that that's available for them if they ever want to do it. Also, haha, here is the CYA part of this because again, you need to provide them the best product you possibly can. You need to give them the great service, you need to make sure that it's there and with all the integrity you have to worry about some of the highest risk to your company. But on the flip side, there's a little bit of CYA in the fact that if they get audited or something bad happens and they come back and say, you did not do this, you have a piece of paper saying, Oh no, yes, I did. See, here it is. Ha ha, you didn't want to do anything about it. Also keep very good notes. Yeah, keep notes because that you never know. You could get pulled into something that you really don't want to be part of, and it's good to have notes to remember what you did because I don't remember what I did yesterday, let alone six months to two years from here. So, again, that's again, internal audits. Again, really good. One of the disadvantages, again, is I didn't really mention this, was the potential for bias or lack of objectivity. 
It is true. You know where all the dead bodies are, and you can say, Well, I know we're gonna get to that dead body sometime. It's not stinking too bad just yet. We'll come to it later. Um, that's a bit of a problem, right? You you have to be very objective as much as you can, but it can happen with internal audits. External audits, these are conducted by independent third-party auditors. Now, this can be, when we say independent third party, this could be, like I mentioned before, you could be part of an internal. Now, I worked with Koch Industries at the time. It was a very large, large company, right? 140 million or 140,000 people, uh, multi-billion dollar company. And working in security for Koch Industries, great opportunity, super opportunity, very good company. That being said, I worked on auditors, I was an auditor for some of the other Koch companies that I'd have, and I'd come in as an independent um assessor and look at what they had in place. And it did, it did give me the ability to have more of an objective, objective look at their environment. It also, I knew where some of the dead bodies were, so I wasn't as objective as I would be from coming as a completely third-party auditor, but I was much more objective than just going in without having without having any knowledge at all. So it was it was a good trade-off. So that's where I can see you as an individual working to do an audit for somebody that's internal to your organization, to your overall company, but yet not working within your specific space of that company. So the advantages of it, it's objective, it's specialized expertise. Again, they pulled me in for a very specific reason, right? Insider risk is a big thing. They focused on that. That's where I would do that. Disadvantages, you have higher costs, potential for communication gaps. And that is true. When you're dealing with an external auditor, it will cost you. Do not go into this thinking it's going to be inexpensive. It is not.
It's expensive. And therefore, though, you should demand because of the cost, what are you going to get out of this? Right? I got to be able to get something out of this that is worth some value. That comes down to a lot of interviews that occur. So conversations, interviews, deep dives into what is important, what can they fix, what can't they fix, and so forth. I've got one that I've got coming up here soon that I'm going to be doing for another company. And the point of it is, is I that is an area that we'll focus on. Because knowing that you're coming into a greenfield that really didn't have security before, that's the other part you're going to have to understand is if you go into a place doing an audit where maybe it didn't have security, you better start low and slow. And what I mean by that is if they didn't have anything, it's probably a lot of dead bodies everywhere, scattered everywhere. Like it's like a morgue. And you're going to have to go in and pick out the ones that are really ripe that you need to, you need to get them buried. You need to put them away. Um, and I know it's really sounding morbid in this conversation. But that being said, it's you're gonna have to focus on that. Uh, third-party audits. What are those? These are conducted by external auditors to assess security practices of third-party vendors and or suppliers. And this is a really big part in your supply chain and understanding the supply chain risks that are associated with it. Uh, you have a lot of people, a lot of companies now are it's all this just in time type of shipping, type of supplies. And if you don't have a good handle on your supply chain, any one of those little cogs in this wheel that get busted, then your wheel ain't gonna run real well. So you think about it this way it's all it is, it's like a gear shifter. And your gear shifter's got all these little tines all the way around the gear shifter. And these tines are interact with other parts of your organization. 
But if you were to get a hammer and bust off a tine on one of those gears, your gear shift, your gear isn't gonna work real well. Well, so that's your supply chain. If you don't have a good handle of your supply chain, and what are the risks potentially to them, you bust off one of those guys. So they just get hacked, and I've had this happen multiple times. My supply chain gets hacked, and I got I can't use anything from them for a period of time. I just bust it off a time. Now what am I gonna do? Okay, so understanding that from a risk standpoint is really important. So this is where your audit will come into play, and that's what you'll focus on again. And that's folk, you're gonna focus on scope, frequency, and reporting requirements that are gonna come from these third-party auditors, and you're gonna have to deal with it. Again, coming back to expense. This is gonna be expensive. Do not think this is gonna be inexpensive. You're gonna pay in the upwards of $100,000 for a potential audit, depending on the size and scope of it. And if you may go, you know what, I'm gonna scope it down to so it's not quite so broad, and it's still gonna be $100,000. And you're gonna go, what the heck? Why is that the case? Because one, they got the expertise, you don't. Two, is they're gonna tell you where your dead bodies are, which you probably already know, but they're gonna give you a piece of paper that says this is where they're at. And then three, they're gonna give you recommendations on how to fix those dead bodies, how to bury them. And then you're gonna be up to you to go fix it. And it's really just you're paying somebody money to tell you where your problems are at, and which you already know in a formalized manner, and you're like, well, this is kind of counterintuitive. And it is, but sometimes you got to do that to be able to move forward.
Because then with that piece of paper, you as an individual can then go to the senior leadership and saying, okay, I need to fix these things. I need to hire five contractors tomorrow to fix these problems. Whereas if you just say, I need five contractors, and they're gonna go, what for? Well, because I got all kinds of dead bodies. And they're gonna go, well, you figure that out. I pay you good money. You go figure that out. So that's a good and other reason why you got to have these audits done. You all are probably going on to audit crazy and thinking this is absolutely nuts. I get it. Totally get it. Audit criteria and scope. Regulatory compliance, obviously big factor PCI DSS, your payment card industry, uh, data security standard, NIST cybersecurity frameworks, all these different pieces that are compliance that you may be required to follow. Uh, you may be required to follow the frameworks, you may be required because of PCI DSS to do an audit. There's standards and frameworks, as we talked about, there's ISO 27001, there's COBIT, there's uh different types that are out there that you may want to follow. I would highly recommend that if you're gonna do an audit, pick one. Okay, it could be the cybersecurity framework, it doesn't matter. Unless you have a requirement to do ISO, I would pick the cybersecurity framework if you're here in the United States. If you're somewhere else, another country, you have a framework that they may have that you use. If they want you to use that, use that. Uh it doesn't really matter, but pick a framework. And I'm picking on the cybersecurity framework because it's relatively broad. It does get very narrow, but it isn't uh industry specific per se. You want to have internal policies and procedures that what has been defined, what has been created. And you determine that will help determine which ones you have. Do not go hog crazy with this and say, hey, I've got to have like 15 different policies and procedures.
No, you don't. You do you just need to have a few. And like acceptable use policy, uh, password policy, just some basic ones you need to have. And then from there, move on. Because what can happen is you can drown yourself in policies and nobody even listens, reads them anyway. So there's no reason for it. Uh, risk assessments, assess the organization's risk management, identify potential vulnerabilities within your organization. You also want to look at incident response, big factor. So if you're looking at, okay, where are my holes? How do I plug my holes? And then how do I respond when they find holes that I didn't know I had? Okay, that's breaking it down, that's boiling it down. If you do those three things realistically, if you do an audit that can break it into those three things and at a base level, money, baby, money. You're making money, you're saving money, your people are happy with you. So that's what I would focus on. Security controls, assess and implement the effectiveness of your security controls. This means access controls, encryption, network security, you name it, all of those things. That's where you'll want to understand the security controls that you have within your company. Being said, don't go hog crazy wild on security controls. You can tell I'm from the Midwest because I bring in a lot of farm animals into my conversations. But no, you don't want to have go nuts with these security controls because the fact of the matter is, is that you will overwhelm people with, well, I need to make sure that I have a 50 or 36 character password. I'm like, don't do it, please don't. Uh do something simple, right? 18 characters, 12 to 18 characters, right? But even then, make sure you give them the tools like a password manager to maintain those passwords because you're gonna give them 12 characters and they're gonna go, I can't remember 12 characters. And what are they gonna do? 
They're gonna go post a note or they're gonna go copy, paste, copy, paste, and you're gonna have the same problem you had before. So you're gonna have to educate them on the uh different types of security mechanisms you're gonna put in place to help them make their lives easier. So internal control an internal audit. We exercise and determine the trained cybersecurity resources you may have within your company. Do you have them? Okay, how are they trained? How are they responding to issue situations? What do you need to do? You'll you'll look at them as an individual and then as a group and figure out what needs to happen. You're also going to evaluate your current controls and your processes within your company. And now an internal audit can be used synonymously with internal assessment. Unless you have somebody specifically telling you, I need an audit, an internal audit done because of X, then I would consider what we call an assessment, where you're just doing the same type of activity, but it might be assessing one aspect of an overall bigger picture. Again, though, audit and assessment internally can be used synonymously, just depends upon the nature of what the request is for. You want to have a process that builds accountability to your organization and you want to make sure that you have buy-in from your leadership. I can't stress this enough. Your job as a security as a resource is to influence individuals. You can bring out the hammer and hit people over the head and make them do things, but that depending on your organization. In some organizations, you can't do any of that because they just won't let you. And plus, it's physically wrong. You don't want to hurt people. But that that being aside, you want to understand that you're going to have to do this through influence. You're going to have to make sure that people want to help you for a reason. They are they are there to help you because they want to help you. 
And it does build additional accountability within your organization because then now people look to you as the leadership and as you as someone that's going to help them fix their problems. Now, the key aspects around this is that you need to have it works, this internal audit will work for the CEO, the CIO, or the potential board. Now, this is becomes security is becoming a bigger factor in the fact that you are now working for the board in many ways. And that means that you are responsible to the board on what you're actually accomplishing. There could be financial aspects around this as well, from regulatory requirements, vendors requiring audits, you name it, all of those different things that are in place. Now, there also might be vendors that are requiring an audit to be done. Say you have a certain vendor that's working for you with you. You may have to, they may require you to actually have an audit completed. And they may have this document that says you may have to have that. You also may be requiring vendors to have audits before you even work with them. So understanding this overall internal aspect of an audit is an important factor in your overall journey. So some other aspects around an internal audit would be they're planned annually, sometimes if practical. It just really depends upon what you're looking at. You also want to avoid them from reducing the disruption to your company and to your operations because doing an audit can be a bit overwhelming to people, especially if they start doing interviews and talking to people. And you want to really plan for that. Uh, you'll talk with your IT, your legal, human resources. They all could be involved in this depending upon what your scope of your audit is. So you want to be very cognizant of their time so that you're not burning it. Uh again, this comes down to the influence piece of this. You can't one thing I've seen with IT professionals, and again, I'm a pilot by trade, so I'm not a geek. 
And I'd say some geeks would probably look at that and turn their nose up at me and go, you're not as smart as me. And they're right, I'm definitely not as smart as them, for sure. Uh, but there's one thing I do have sometimes is people's skills, which sometimes they don't. And so, therefore, if you want to be in a security position, you want to make sure that you have an ability to influence people, and that comes down to people's skills. And that means when you're at being you're cognizant of people's time and asking them what works best for them, knowing that you have to get your project done, but they also have to get their projects done. And therefore, if you understand that and you work with them on this, you can go a long way in helping build a relationship with them. See, there's a nugget right there, big guy and gals. Uh well, not big gals, but Yeah, gals. Yeah, because I'd probably get sued for saying that. But there's a there's a nugget there. Ins influence people. Influence people is done by thinking about other people besides yourself. Now, the scope will determine your duration, system facility, and your group locations as well. So important to understand the different scope and to express that to the people you're working with. Now, one thing you want to understand, this is actually a really good bullet here that I kind of should have brought up to the top instead of at that bottom, but the right to audit clause. So if you have contractual agreements with a third party, say you know someone in your supply chain, and they are working with you, you could put in there the right to audit clause. And I've done this with various companies to say, hey, at any point in time, I have the right to audit you no more than once a year. And it's worked great because when I've had issues with some companies, I will pull this out and say, hey, let's do an audit. Yay, let's have fun. 
And there they grumble at me, but it works well because then they you kind of catch them off guard. So something to consider when you're trying to build out your program. Again, though, I would be very cautious with that. Make sure your legal team obviously is involved. Don't you just start adding clauses to contracts because that will get you into trouble. Again, influencing people, you know your job, they know theirs, but help them to help you. Responsibilities, risk assessments, internal controls, and compliance, vulnerability assessments, instant response, third party management. Ah, wow, that's a lot there. Bottom line is your responsibilities with an internal audit can deal with risk assessments. You're doing all of those within your company. They also deal with your in the helping with the internal controls for your organization. You will deal closely with your compliance team, uh, whether it's your governmental compliance or it's your actual internal compliance. You may have one and the same, it may be different entities, but you'll work with them all. Vulnerability assessments, a lot of times the internal assessment will be part of a vulnerability assessment that's done. I would tell you the biggest nugget out of here, or actually there's two big nuggets really. I mean they're all big, but there's really the two ones is instant response and third-party risk management. If you get those right, okay, if you get IR and business resiliency right, and you get third-party risk management right, and I don't mean you've got to be perfect, I just mean you have an understanding and it's got something in place, that's money, baby, because that will save you. When things go sideways, which they will, and you have a good plan for those, you are going to be saving your company money with that. Now, external audits, what are these? These are usually a broader scope. 
We talked about a little bit already, is that they can be done by a party outside of your organization is being audited. Again, it can be from a third party that you bring in specifically, or it could be you doing it to another organization. And this includes internal audits as well. So this can be conducted by your own employees, or it can be conducted by independent auditors. It just really depends upon the amount of money and the scope in which you want to accomplish this. This will be a more objective. Again, it's it's kind of that middle road between internal and a fully dedicated third party, but it will give you some level of objectivity into your organization. So consider this. I would consider this if you have to have an external audit before you go out and spend the money on PwC or Deloitte, maybe do this as a primer before you bring in the PwC. So if you have to have PWC come in, one of these big, high expensive third-party auditors, what I would recommend is doing this prior to that because it will get your everybody kind of prepped to what to expect. If you just bring in a third party and they have never really dealt with that before, you're gonna run into some challenges. Your leadership's gonna go, what in the heck is going on? And you're gonna go, I don't know. And they're gonna go, you're fired, and you're gonna go, okay, thank you. Um, you you want to avoid that. So definitely, you know, your wife or your husband would really like you to avoid that. Your family would like that. They want you to be making money so that they can live. Okay, third parties. What are third parties? Okay, these are the external prior parties that provide independent assurance. Outside auditors, specifically from external entities, are highly sought out as subject matter experts. Um, I will tell you that many of the the PWCs and Deloitte, they do have SMEs, but let's keep this in context. 
They bring these guys directly out of college, they give them something to do, and they go dig deep into your organization. Now, they're not not saying they're not smart. They are very smart in what they do, and they are very knowledgeable in those certain criteria areas. But again, if you really wanted a no-kidding deep end SME, you you can't probably afford them because Deloitte's and PWCs can't afford them. Uh but that being said, they're gonna come in with a different perspective, which is gonna be extremely valuable to you with your organization. A lot of times LDs will come on behalf of government or agencies, they'll send a third party in in their place because they don't have the people or the expertise to do it. But ultimate goal of an external auditor is to provide a good assessment of your organization and fix the challenges and give you some recommendations on how to fix them. But again, they're not affiliated with your organization. They they do emphasize their whole aspects on independence and being independent. And they are very common in regulations. Again, they're often mandated by regulations or industry standards to ensure that they have compliance and accountability on all the different audit pro programs. If you hear a cat in the background, I have tried everything in my power to get her to leave me alone, but she will not. So I apologize if you hear her. Uh, sorry, she just won't leave me alone. I try to get rid of the dumb thing. Um, that being said, we are moving on. That's all we have for today. I hope you all have a great day. Again, go to CISSP Cyber Training, get my program, get the stuff that's there. I've got some good, it's always get adding and getting better content in it. Um, again, all the proceeds that go from CISSP Cyber Training go to our nonprofit for adoptive children and their families. We we've done, again, I don't take any money from this. It's it's all going to charity just because I'm blessed. 
I don't need, and I don't say I don't need money, of course I need money, but I don't need money to make my pockets any deeper or bigger or whatever that is. That all can go to people that need it way more than me, and we feel that the need of families who are trying to adopt children, they need an extra help. And so this is going to the nonprofit that's going to be that is stood up or is going to be stood up for that specifically. So we're pretty excited about that. That should be done here in December, and uh, we're just hoping that everything's gonna go well with that. But yeah, as a diet, a bit of a tangent. Anyway, have a wonderful day. Again, go to CISSP Cyber Training. Give me a thumbs up on iTunes, YouTube, all those wonderful places I've got out there. Again, if you do that, that helps the exposure and helps more people know about CISSP Cyber Training. Thanks again. Have a wonderful day, and we will catch you on the flip side. See ya.