Above is a quick video lesson to help learn the audits and assessment types and methods.

The topic of assessments has been updated with the 2021 common body of knowledge (CBK), so let’s take a look at what’s new.

In terms of types of assessments, we have two primary categories that you’ll need to be aware of:

Formal assessments are evaluations against a compliance standard, which includes regulatory and other legal requirements.

Informal assessments are done to provide insight, but they are basically done the same way. They might be done by an internal group, or in an informal setting, but the objective is what matters here, which is purely to gain insight. An informal assessment might be done before a formal assessment as a preparatory exercise.

There is also mention of “no-notice” assessments, which simply means that the party being evaluated has no forewarning of the evaluation (e.g. a spot check or desk audit). A no-notice assessment isn’t really a ‘type’ of assessment; it’s basically a surprise audit, or an informal assessment where notice isn’t given. It most likely fits as a subcategory, or type, of informal assessment.

Internal assessments are done to see whether controls meet risk expectations, whether there are ways to improve the efficiency of operations, and how well an organization is prepared for an external or formal audit. An internal assessment might follow a formal process, but it is most likely considered informal by nature.

The steps of an internal audit/assessment are: chartering, testing, reporting and remediation.

Chartering includes the following activities:

• Management commitment.
• Scoping the assessment (management).
• Depth and breadth of the assessment activities.
• Schedule for the work.
• Deciding how it will be carried out.
• Reporting format for the results of the audit/assessment.
• Who actually performs the work.
• Developing a stakeholder management plan.
• Risk assessment, which must be performed throughout the assessment process to ensure that the risks associated with the conduct of the assessment itself are properly identified and controlled.

Testing includes the following:

• Beginning the work
• Using various tools, such as:
  • Vulnerability assessment
  • Penetration testing

Reporting includes the following activities:

• Reporting to management
• Timing and format decided in chartering

Remediation includes the following activities:

• Resolving issues
• POA&M (plan of action and milestones) / CAP (corrective action plan)
• Tracking each weakness
• Identifying resources
• Scheduling the work

A configuration audit is an assessment (typically an internal audit) that collects and analyzes artifacts and activities to determine the current, historical, or projected status of a system. It uses methods such as checklists, interviews, and observations. The auditors identify areas of improvement for configuration management processes and procedures, which are then updated in the CM plans.

External assessments, or audits, are considered formal assessments performed by a third party to demonstrate that controls and practices meet a compliance standard. Compliance standards impose consequences for not meeting them, such as reduced federal funding or termination of data sharing. Some consequences can include criminal sanctions.

Confused yet? We’d be surprised if you weren’t. There are several different types of audits you’ll have to be aware of, which are considered formal/external, for the most part:

Compliance audits that test specific controls to determine if the controls meet a particular standard (related to laws, regulations).

Financial audits evaluate the accuracy of financial reporting.

Operational audits test the internal controls of a process.

Information systems audits evaluate the performance of controls in the development and operation of information systems.

Integrated audits combine elements of both operational and financial audits.

Forensic audits are focused on discovering, investigating, and reporting on fraud or other criminal activity.

Note the difference between audits and user behavior review or audit log reviews, which are part of an administrative process but could lead to something like a forensic or information systems audit.

The steps of an external audit are similar to those of an internal audit, but the CBK differentiates between them. Here are the steps of an external audit:

Chartering – the governing body within the organization being audited (i.e. not the auditor) establishes the scope, schedule, and work resources at the direction of the auditor. The internal governing body also identifies the management responsible for coordinating the audit activities.

Pre-audit planning – includes the audit checklist, areas to review, artifacts needed, and the audit schedule (note that the CBK says the schedule is part of chartering as well, so our interpretation is that the audit schedule would fit into either step).

Audit execution – this is when the auditor collects artifacts, performs the tests, conducts interviews, performs onsite work, and conducts remote testing.

Audit reporting – this is when the auditor gathers the artifacts and subjects them to analysis and review. The results are compiled into a draft report that is shared with the auditee and includes the findings and recommended action plans. Sometimes the draft contains mistakes that can be clarified and corrected prior to the completion of the audit. The audit report should be consistent with the charter in its scope and in the breadth of its findings.

Findings within the audit report typically have the following elements:

• Condition – a statement that describes the results of the test. For example, the test discovered plaintext data at rest on backup media. A condition may include a severity level, or risk level; for example, ‘high severity’ might indicate that critical or sensitive data is associated with the finding.
• Criteria – the standard or requirement that was used to measure the activity. In our example, the criteria, or requirement, is that data must be encrypted at rest.
• Cause – the explanation of why the problem occurred. This could be that the application backing up the data doesn’t have any cryptographic capabilities, or that the version in use is deprecated and doesn’t support encrypting backups.
• Effect – the resulting impact, i.e. the difference between the condition and the criteria. In our example, the effect is that we now have data that is vulnerable to exfiltration (theft), unauthorized access, or unauthorized use.
• Recommendation – the action that needs to be taken to correct the cause. In this case we might recommend upgrading the software license or replacing the software with a newer product that supports encryption. If a severity level is associated with the finding, the recommendation should include a minimum remediation/resolution date.

Third Party Assessments and Monitoring

Some of the new topics for 2021 include third-party assessments and monitoring in the context of ensuring security throughout the supply chain. What’s a supply chain? The best way to think of a supply chain is to think of how paper gets to your office or home. The wood is cut in a shop, then sent to a facility where it can be made into paper, followed by a packaging facility with the proper machinery, followed by a warehouse for storage, after which it’s delivered to the store where you can purchase it. If this were data of a sensitive classification, you would hope that it’s protected throughout the supply chain. Each facility and organization that touches the data or product needs to provide assurance that the data/materials are protected. This can be accomplished in a few ways, namely:

  • Governance reviews
  • On-site security surveys
  • Formal security audit
  • Penetration testing
  • Examining third-party audit reports (that would be the “third party of the third party”)

The standards and audit methodologies for assessing security of external organizations include the following:

  • ISO-certified audits: assessed by an accredited auditor; the target organization can earn certification after passing this audit.
  • CSA STAR evaluation: either self-administered by the target organization or conducted by a certified external auditor, depending on the STAR Level the target organization seeks.
  • SSAE 16 SOC reports: see our Domain 6 study page on SOC reports.

Ethical Disclosure

Ethical disclosure is a newer topic introduced in the 2021 Common Body of Knowledge. “Disclosure” refers to a situation in which an auditor or tester stumbles upon something bad and isn’t sure what to do with it. It could be fraud, an insider threat, malicious activity, inappropriate use, or any type of unethical activity that might be occurring. The nature of disclosure depends on the charter or rules of engagement (ROE), which should indicate how these situations need to be documented, communicated and resolved:

Non-Disclosure

It’s important to point out that auditors, assessors, and reviewers may be under non-disclosure agreements in addition to the charter or ROE. Depending on the circumstances, disclosure can be restricted or bound to other legal requirements, especially when it may interfere with an ongoing investigation or violate the privacy rights of the individuals involved.

Full Disclosure

Full disclosure indicates that when something bad is discovered, the discoverer should publicize the weakness as soon as possible to all affected entities.

Responsible Disclosure

Responsible disclosure is when a weakness is reported to the organization responsible for addressing it, and some time is granted to address the issue before public disclosure.

Mandatory Reporting

The circumstances uncovered may require reporting to authorities regardless of NDAs or chartering. While the laws vary, computer crimes, particularly those involving minors, may have mandatory reporting in many places. Information security professionals should understand their legal obligations for reporting such activity prior to conducting any audits or examinations.

Whistleblowing

When someone feels ethically obligated to report a situation to authorities, this is called whistleblowing. Whistleblowing laws may or may not afford legal protection to the discloser. Security professionals are responsible for understanding the legal status of whistleblowing in the jurisdiction under review prior to disclosure.

Supply Chain Assessments

The UK’s National Cyber Security Centre (NCSC) has 12 proposed principles for establishing control and oversight of supply chains as they relate to cyber-related compromises:

  1. Understand what needs to be protected and why
  2. Know who your suppliers are and build an understanding of what their security looks like
  3. Understand the security risk posed by your supply chain
  4. Communicate your view of security needs to your suppliers
  5. Set and communicate minimum security requirements for your suppliers
  6. Build security considerations into your contracting processes and require that your suppliers do the same
  7. Meet your own security responsibilities as a supplier and consumer
  8. Raise awareness of security within your supply chain
  9. Provide support for security incidents
  10. Build assurance activities into your approach to managing your supply chain
  11. Encourage the continuous improvement of security within your supply chain; and
  12. Build trust with suppliers

Several well-established standards address supply chain risk management. The ISO 28000 series of standards addresses the development and application of a supply chain security management system.