Audits and Assessments - CompTIA Security+ SY0-701 - 5.5

Audits and assessments

• Not just for taxes

- There are good reasons to audit your technology

• Cybersecurity audit

- Examines the IT infrastructure, software, devices, etc.

- Checks for effectiveness of policies and procedures

- Find vulnerabilities before the attackers

- Can be performed internally or by a third-party

• Attestation

- Provides an opinion of truth or accuracy of a

company's security positioning

- An auditor will attest to a company's cybersecurity

posture

Internal audits

• Audits aren't just for third parties

- You should also have internal audits

• Compliance

- Is your organization complying with regulatory or

industry requirements?

• Audit Committee

- Oversees risk management activities

- All audits start and stop with the committee

• Self-assessments

- Have the organization perform their own checks

- Consolidate the self-assessments into ongoing reports

External Audits

• Regulatory requirements

- An independent third-party may be required to perform the audit

- Audit type and frequency are often based on the regulation

• Examinations

- Audits will often require hands-on research

- View records, compile reports, gather additional details

• Assessment

- Audit will assess current activities

- May also provide recommendation for future improvements

<>

<>