Audits
Systematic evaluations of an organization's information systems, applications, and security controls.
Internal Audits
Audits conducted by the organization's own team.
External Audits
Audits performed by third-party entities.
Purpose of Audits
Validate security measures, identify vulnerabilities, and maintain regulatory compliance.
Internal Audit Example
Reviewing data protection policies for relevance and compliance.
External Audit Example
Evaluating PCI DSS compliance for an e-commerce system, including network security and encryption.
Significance of Audits
Helps identify security gaps and ensures compliance with regulations like GDPR, HIPAA, PCI DSS.
Assessments
Detailed analyses to identify vulnerabilities and risks, often performed before major system changes.
Types of Assessments
Risk Assessments, Vulnerability Assessments, Threat Assessments.
Internal Audits and Assessments
Review internal processes and compliance to ensure operational effectiveness.
External Audits and Assessments
Independent evaluations verifying financial, compliance, and operational practices.
Penetration Testing (Pentesting)
Simulated cyber attacks to identify vulnerabilities; also called ethical hacking.
Reconnaissance in Pentesting
Initial information-gathering phase of a pentest; it can be passive or active.
Reconnaissance Types
Passive (indirect info gathering) and Active (direct interaction like port scans).
Environments in Pentesting
Known (insider view), Partially Known (limited info), Unknown (external attacker simulation).
Attestation of Findings
Formal declaration of audit/assessment results to confirm accuracy and document outcomes.
Internal Audit Focus Areas
Data protection, access controls, network security, incident response procedures.
Internal Audit Process
Review policies, examine access, test controls, document findings and make recommendations.
Audit Committee
Board-level group overseeing audits, compliance, and financial reporting.
Internal Assessments
Identify and evaluate system risks before implementation or changes.
Self-Assessments
Internal checks for standards/regulation compliance (e.g., threat modeling, vulnerability scans).
Assisted Internal Assessments
Performed by dedicated groups using tools like checklists and guided evaluations.
MCIT Cybersecurity Checklist
Used to identify and correct cybersecurity risks; contains yes/no questions and action items.
Collaborative Internal Assessment
Involves various departments like IT, administration, and cybersecurity teams.
External Assessments
Third-party analysis identifying system vulnerabilities using tools and manual testing.
External Assessment Examples
HIPAA compliance assessment using checklists and required documentation.
Preparing for HIPAA Assessment
Answer checklist questions and provide evidence files to demonstrate compliance.
Penetration Testing Types
Physical, Offensive (Red Team), Defensive (Blue Team), and Integrated (Purple Team).
Physical Penetration Testing
Tests physical controls like locks and cameras for vulnerabilities.
Offensive Pentesting (Red Teaming)
Actively exploit vulnerabilities to simulate real-world attacks.
Defensive Pentesting (Blue Teaming)
Monitors and strengthens defenses, responds to attacks, and improves detection.
Integrated Pentesting (Purple Teaming)
Combines red and blue team efforts for a full security picture.
Metasploit
A powerful tool used in penetration testing for exploiting vulnerabilities.
Attestation in Pentesting
Proves a pentest occurred and confirms findings; often required for compliance.
Difference: Attestation vs. Report
Attestation includes evidence; report provides findings and remediation steps.
Types of Attestation
Software (software integrity), Hardware (hardware integrity), System (security posture).
Attestation in Internal Audits
Validates compliance and control effectiveness within the organization.
Attestation in External Audits
Third-party confirmation of financials, regulatory adherence, and operations.