GRC Masterclass Chapter 2. Compliance and Audit Work
Simply Cyber Study Notes
Chapter 2. Compliance and Audit Work
Table of Contents
What I Learned
Mindset
🗻 Learning your first security standard is a tall hill to climb, but then the rest are quite easy to scale
💙 Audit is a wonderful place to get a foot in the door of a cybersecurity career
🏋️ Start in Compliance and then grow into Risk
🙌 You can add a lot of value on the people and process side if you’re still early ramping up your technical acumen
Frameworks comprehensively cover People, Process and Technology
While technology is a large component, important capabilities like Incident Response communications are very people and process focused
Methods
💡 BIG INSIGHT: The CSF offers the best logical grouping of controls
It would be backwards to have compliance driving your cybersecurity risk management program
Why SOC2? Elevator Pitch 🔥(see my hot take)
SOC2 learning materials from the AICPA
Risk Management Framework (RMF)
💡 BIG INSIGHT/”Hard Truth”: RMF steps 1 and 2 can be done quickly, since 80% of systems are typically categorized as "moderate" due to cost and effort of "high" controls
NIST Special Pubs: 800-37, 800-53, 800-53A, 800-53B, 800-60 Vol I, 800-60 Vol II, 800-18; FIPS 199, FIPS 200
Audit process 🔥(my hot take below)
Test procedures 🔥(my hot take below)
Audit workpapers 🔥(my hot take below)
Skills
Technical Competencies
Domain 1: Information Systems Auditing Process
Domain 6: Security Assessment and Testing
Enabling Competencies
Acting Ethically & Professionally: Integrity & Trustworthiness, Questioning Mindset, Due Care, Objectivity
Collaborating: Relationship Building, Project Management
Adding Value: Business Context
Solving Problems & Making Decisions: Issue Identification, Analysis
Communicating: Active Listening, Communication
Resume Bullets Unlocked
Prepared, executed, and reported on audit of subset of NIST SP 800-53 cybersecurity controls to include interview, document review, and testing of systems to support compliance audit activities.
Knowledgeable on NIST Cybersecurity Framework and how the Identify, Protect, Detect, Respond, and Recover categories comprise and facilitate an information security program
2.1 Introduction - “Grab Your Clipboard!”
Audit is the activity of validating compliance with a standard. GRC people walk around talking to the technology folks, the business folks, Legal and HR, asking, “Hey, are you doing these things right?”
Compliance work demonstrates to internal leadership, and externally to insurers, customers and partners, that you are in fact meeting a minimum standard the organization has agreed to comply with.
We do what we say we do
It’s about trust and assurance
Audit is a wonderful place to start in cybersecurity, especially if you’re getting in and aren’t super technical yet.
2.3 Cybersecurity Frameworks
Implementing a comprehensive cybersecurity framework takes work but enables better risk management and communication.
Frameworks are vetted, comprehensive ways of implementing a cybersecurity program, documenting best practices and lessons learned.
Most frameworks (ISO27k, SOC2, CIS, NIST, COBIT) overlap in roughly 85% of their fundamental controls.
💡 BIG INSIGHT: The CSF offers the best logical grouping of controls
“It’s not just about the controls in the framework, it’s the approach to laying them out. ISO27k just pukes a bunch of controls out, and in my opinion there’s no logical grouping of it. I mean they have some but it’s not great. With NIST cybersecurity framework, it is basically written for practitioners in the context of how an information security program should work” -Gerald Auger
Wow huge pivot point for me here to finally get a “Generally Accepted Accounting Principles” equivalent for cybersecurity after struggling with the logical grouping of ISO27k and others.
Since Gerry’s note above, the 2022 revision of the ISO 27001/27002 pair (replacing the 2013 edition) picked up the CSF functions: ISO/IEC 27002:2022 tags every control with a “cybersecurity concepts” attribute whose values are Identify, Protect, Detect, Respond and Recover.
NIST Cybersecurity Framework is free, voluntary, and has a good logical grouping of controls.
IDENTIFY and PROTECT are “left of boom” functions: work you can do at any time, before an incident.
DETECT, RESPOND and RECOVER are “right of boom” functions that operate once a cybersecurity incident is under way.
This distinction that comes from the military is key for several reasons:
It emphasizes resilience
It acknowledges that disruptive events will happen
It covers every phase of an intrusion, not just the initial compromise (compare the Lockheed Martin Cyber Kill Chain, or the sequence of tactics in MITRE ATT&CK)
The NIST Cybersecurity Framework 2.0 has 6 functions (Govern was added to the original five) with 22 categories. These drill down further into subcategories, which map via informative references to granular controls in:
The “control dictionary” NIST SP 800-53, or other frameworks
Frameworks enable baselining current state, identifying gaps, and making a roadmap for improvement.
Cybersecurity is really about cyber resiliency - keeping the business running when incidents happen.
Implementing a framework takes months of work: baselining the current state, building the roadmap, and getting leadership buy-in.
Having a framework-based program enables better communication of security posture to partners, e.g. cyber insurers.
2.4 Regulations and Compliance Standards: Do I Have To?!
Regulations and compliance standards externally mandate cybersecurity, but true compliance is challenging and doesn't guarantee security
Achieving true compliance is challenging due to the difficulty of comprehensively implementing controls
For example, it is hard to control patient data in doctors’ email when they can technically forward it anywhere
“Maximum compliance equals minimum security”: just because you’re doing the minimum the standard requires does not mean you’re actually secure.
Tailoring allows organizations to remove non-applicable controls while still maintaining compliance
Cybersecurity frameworks and cyber risk management should be the foundation, with compliance requirements mapped to them
You shouldn't have compliance driving your cybersecurity program. That's backwards, right?
Use technical controls where possible to enforce desired behaviors, not just administrative policies
Examples:
2.4b SOC2
Two Elevator Pitches (Both Solid): Why SOC2? 🔥
Simply Cyber GRC Masterclass
Due Diligence
Customer Demand
Audits
Vendor Questionnaires
Fiduciary Duty
Audit Once, Report Many
Audit fatigue
Internal resources
Time Spend
Corporate Governance
CPA to Cybersecurity
Customers need trust and assurance
Contractual commitments
Security questionnaires, RFPs and vendor risk management inquiries
More efficient for all parties than client specific audits
Demonstrate leadership
Providing transparency
Externally and internally for management, operators, customers, business partners
Continuously improving
Foundation for security and risk management program
Improve maturity of controls for people, processes and technology
Reduce risk
Learning SOC2 from the Source: AICPA 🔥
Overview
Example Report: Note 5 Sections
Section 1 - Management Assertion
Section 2 - Independent Service Auditor’s Report
Opinion
Section 3 - Description of Service Organization’s System
Section 4 - Criteria, Controls, Test Steps and Results
Section 5 - Other Information Provided by Management not Covered by the Service Auditor’s Report
E.g. Management response to exceptions noted
Why You Might See Customer Contracts Asking for “SSAE No. 18”
For Section 3: Description of the System (Kind of Like an SSP)
DC1 Types of services provided
DC2 Principal service commitments and system requirements
DC3 Components of the system used to provide the services (infrastructure, software, people, procedures, data)
DC4 Identified system incidents
Nature of each incident
Timing
Extent (or effect) of the incident and its disposition
DC5 Applicable Trust Services Criteria
DC6 Complementary user entity controls (CUECs)
DC7 Subservice organization (inclusive or carve-out method)
DC8 Specific criterion of the applicable Trust Service Criteria that is not relevant to the system and the reasons it is not relevant
DC9 For type 2 exams, details of significant changes to the system and relevant controls
2.4c RMF
(Note this RMF lab continues in Chapter 4)
The NIST Risk Management Framework (RMF) is a comprehensive process for securing federal systems. It is still widely used but bureaucratic, and it requires deep understanding to implement effectively.
It’s a 6-step process (with a 7th step, Prepare, running throughout) for implementing security controls on federal IT systems.
Step 1 (categorize system) and Step 2 (select controls) can be done quickly
💡”Hard truth”: 80% of systems are typically categorized as "moderate" due to cost and effort of "high" controls
Do it in 20 minutes
The distinction between Low and High is clear and objective; Moderate versus High is more subjective
A system takes the high watermark of the most sensitive information it stores, processes or transmits (per FIPS 199: the highest impact level across confidentiality, integrity and availability, over every information type on the system)
This is why you don’t want the toxic waste of credit card data in your IT system if PCI DSS compliance isn’t already in your portfolio: use a payment service provider that tokenizes the card and hands you only the token
Most systems are moderate, and here’s why: the controls that must be implemented for high systems are very, very robust. Once system owners figure out, “oh my gosh, it's gonna cost how much, and it's gonna take how long to get to high?”, they’ll be like, “yeah, we're not really high!”
Step 2 (select controls) is fast if you’re in a regulated or prescriptive compliance setting and the controls are selected for you
Step 3 (implement controls) is the most time-consuming and requires the most work
Step 4 (assess controls) is typically done by an independent auditor and also takes a lot of work
Step 5 (authorize system) usually goes quickly with a 1 pager executive briefing
Step 6 (monitor controls) is ongoing maintenance of good security practices
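The high-watermark rule from step 1 is mechanical enough to write down. Below is an added worked example (not code from the course or from these notes) that categorizes a system the FIPS 199 way: for each security objective take the highest impact level of any information type on the system, then take the highest of those three as the overall level that picks the 800-53B baseline. The billing-portal information types and their impact levels are constructed for illustration and are not taken from SP 800-60 Vol II; the `drivers` helper is an assumption of mine, added to show which data type is dragging the system to a costlier baseline.

```python
"""FIPS 199 style security categorization with the high-watermark rule.

Added example, not part of the GRC Masterclass or these study notes.
Information types and impact levels are constructed (assumption), not
looked up in SP 800-60 Vol II.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")            # ordered least -> most impact
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective):
        return getattr(self, objective)


def rank(level):
    """Position of an impact level in LEVELS; rejects anything not in FIPS 199."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    return LEVELS.index(level)


def categorize(info_types):
    """Return ({objective: level}, overall_level) for a system.

    Per objective, the system's impact is the highest impact of any information
    type it stores, processes or transmits. The overall level (which selects the
    low/moderate/high 800-53B baseline) is the high watermark across the three
    objectives.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {
        obj: max((it.impact(obj) for it in info_types), key=rank)
        for obj in OBJECTIVES
    }
    overall = max(per_objective.values(), key=rank)
    return per_objective, overall


def drivers(info_types, objective, level):
    """Information types whose impact on `objective` equals `level`.

    Hypothetical helper: answers "which data is forcing us to high?" when
    arguing with a system owner about scope.
    """
    return [it.name for it in info_types if it.impact(objective) == level]


# Constructed sample system: a customer billing portal (assumed impact levels)
BILLING_PORTAL = [
    InfoType("public product catalog", "low", "low", "low"),
    InfoType("customer contact records", "moderate", "moderate", "low"),
    InfoType("payment card numbers", "high", "moderate", "moderate"),
]


def without_card_data(info_types):
    """The same system after outsourcing card handling to a tokenizing provider."""
    return [it for it in info_types if it.name != "payment card numbers"]


if __name__ == "__main__":
    per_obj, level = categorize(BILLING_PORTAL)
    print("SC = {" + ", ".join(f"({o}, {l})" for o, l in per_obj.items()) + "}")
    print("overall:", level, "driven by", drivers(BILLING_PORTAL, "confidentiality", level))
    print("after tokenization:", categorize(without_card_data(BILLING_PORTAL))[1])
```

Running it shows the whole portal landing at high because of one information type, and dropping to moderate once card numbers are replaced by tokens, which is the argument the notes make about keeping card data out of systems that are not in your PCI DSS scope.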
RMF provides helpful structure but is seen as clunky, slow and cumbersome compared to the newer, lighter NIST Cybersecurity Framework
References
NIST Special Publication 800-37 defining the Risk Management Framework
More on this in Chapter 4 of GRC Masterclass
An alternative to the RMF for commercial security programs
NIST Special Publication 800-53 - Security and Privacy Controls for Systems
Dictionary of controls
NIST Special Publication 800-53A - Assessing Security and Privacy Controls
Control assessment guide for Auditors
NIST Special Publication 800-53B - Control Baselines for Systems and Organizations
Simplifies the selection of security controls by offering standard control baselines at three levels:
Low Impact: For systems where the loss of confidentiality, integrity, or availability would have a limited adverse effect on operations, assets, or individuals.
Moderate Impact: For systems where the loss would have a serious adverse effect.
High Impact: For systems where the loss would have a severe or catastrophic adverse effect.
It also provides guidance for organizations on tailoring controls for their unique:
Missions
Business functions
Legal and regulatory requirements
Threat environment
Risk appetite
NIST Special Publication 800-60 Vol I - Guide for Mapping Types of Information and Information Systems to Security Categories
Guidelines for federal agencies to categorize information and information systems based on the potential impact of a security breach
Based on FIPS 199
NIST Special Publication 800-60 Vol II - Appendices to the Guide for Mapping Types of Information and Information Systems to Security Categories
A lookup table for your assessments with examples
NIST Special Publication 800-18 - Guide for Developing System Security Plans
Federal Information Processing Standard (FIPS) 199 - Standards for Security Categorization of Federal Information and Systems
FIPS 200 - Minimum Security Requirements for Federal Information and Systems
To meet these requirements, select from the dictionary of controls in 800-53
OMB Circular A-130 - Managing Information as a Strategic Resource
Policy document issued by the Office of Management and Budget (OMB) that guides federal agencies in managing information as a strategic resource.
It ensures that agencies adopt effective practices for IT governance, risk management, security, privacy, and records management, thereby enhancing the overall efficiency and security of federal operations.
Federal Information Security Modernization Act (FISMA)
Agencies must develop, document, and implement information security programs that include:
Periodic Risk Assessments
Policies and Procedures
Security Awareness Training
Incident Response
Continuity Planning
2.5 Practical Auditing (Practical Lab)
Two Approaches (Both Solid) 🔥
Simply Cyber GRC Masterclass: Prep, Logistics, On-Site Audit, Post Audit Reconciliation, Analysis, Reporting
Auditing is the technique to check the efficacy of the controls themselves that you have in your environment.
There are several phases to an audit: audit prep, audit logistics, the actual audit itself on site, post audit reconciliation, analysis, and reporting.
In audit prep, you get together all your materials, for example the NIST 800-171 Excel sheet with the list of controls for an audit of protecting Controlled Unclassified Information.
It's important to read through all the controls in advance, especially ones you'll interview on, to understand what you're asking. Reread controls you don't understand.
For audit logistics, you need to schedule meetings with the right people, bundle meetings together, and request policies/documentation to review in advance.
On site, focus on high impact interviews, take notes, record if possible. Follow up on outstanding items before leaving.
Post audit, reconcile artifacts and evidence to controls. Ensure data supports conclusions.
In the analysis phase, determine if each control is in place, partially implemented, or not in place based on the evidence.
The audit report includes:
Executive summary
Purpose
Score
What was audited
Who was interviewed
Results
Link to your detailed spreadsheet and work-papers in the report, so findings can be traced to evidence. Conclusions must be objectively defensible.
Auditors sometimes lose credibility by not understanding the controls and just re-reading them to the auditee. Preparation is key.
Audits check if an organization is actually following the processes they say they have in place, not just that documentation exists.
The audit report should allow tracing from a finding all the way back to the supporting evidence for that conclusion.
Auditing and reporting on compliance is separate from analyzing the risk of control gaps; risk analysis comes after.
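The post-audit reconciliation and analysis phases above boil down to a check you can automate over your workpapers: every status must be backed by evidence that actually exists in the evidence log, and an “in place” conclusion that rests on a policy document and an interview alone is not objectively defensible. The following is an added example of that reconciliation, not code from the course or these notes. The control IDs follow the NIST SP 800-171 numbering mentioned in audit prep, but the test procedures, evidence entries, statuses and the scoring weights (partial counts as half) are constructed assumptions for illustration.

```python
"""Audit workpaper reconciliation: trace every conclusion back to evidence.

Added example, not part of the GRC Masterclass or these study notes.
Control IDs use SP 800-171 numbering; evidence, test procedures, results
and the scoring weights are constructed (assumption).
"""
from collections import Counter
from dataclasses import dataclass, field

STATUSES = ("in place", "partially implemented", "not in place")
# Assumed scoring scheme for the report's "Score" line: partial counts half.
SCORE_WEIGHT = {"in place": 1.0, "partially implemented": 0.5, "not in place": 0.0}


@dataclass
class Evidence:
    ref: str           # workpaper reference, e.g. "E-03"
    kind: str          # "document", "interview" or "system test"
    description: str


@dataclass
class ControlTest:
    control_id: str
    requirement: str
    test_procedure: str
    status: str
    evidence_refs: list = field(default_factory=list)
    notes: str = ""


def reconcile(tests, evidence):
    """Return a list of workpaper defects; empty means every finding is traceable.

    Flags: unknown statuses, evidence references missing from the log, statuses
    with no evidence at all, and 'in place' conclusions supported only by
    documents/interviews (no test of the system itself).
    """
    known = {e.ref: e for e in evidence}
    problems = []
    for t in tests:
        if t.status not in STATUSES:
            problems.append(f"{t.control_id}: unknown status {t.status!r}")
        for ref in t.evidence_refs:
            if ref not in known:
                problems.append(f"{t.control_id}: cites evidence {ref} that is not in the evidence log")
        if not t.evidence_refs:
            problems.append(f"{t.control_id}: status {t.status!r} has no supporting evidence")
        elif t.status == "in place" and not any(
            known[r].kind == "system test" for r in t.evidence_refs if r in known
        ):
            problems.append(f"{t.control_id}: 'in place' rests on documents/interviews only; no system test")
    return problems


def score(tests):
    """Compliance score 0-100 under the assumed weights."""
    if not tests:
        return 0.0
    return round(100 * sum(SCORE_WEIGHT.get(t.status, 0.0) for t in tests) / len(tests), 1)


def summary(tests):
    """Count of controls per status, for the report's Results section."""
    return dict(Counter(t.status for t in tests))


# Constructed evidence log and test results (assumption, not real audit data)
EVIDENCE = [
    Evidence("E-01", "document", "Access Control Policy v3, approved by CIO"),
    Evidence("E-02", "interview", "Notes from IT manager interview on account provisioning"),
    Evidence("E-03", "system test", "AD user export compared against HR active roster"),
    Evidence("E-04", "system test", "Screen-lock GPO settings exported from sampled workstations"),
]

TESTS = [
    ControlTest("3.1.1", "Limit system access to authorized users",
                "Compare AD accounts to HR roster", "in place", ["E-01", "E-02", "E-03"]),
    ControlTest("3.1.10", "Session lock after period of inactivity",
                "Inspect lock policy on sampled hosts", "partially implemented", ["E-04"],
                notes="15 min lock on laptops, no lock on shared kiosks"),
    ControlTest("3.3.1", "Create and retain system audit logs",
                "Review logging configuration and retention", "in place", ["E-02"]),
    ControlTest("3.13.11", "Employ FIPS-validated cryptography",
                "Check TLS configuration on external endpoints", "not in place", ["E-09"]),
]

if __name__ == "__main__":
    for problem in reconcile(TESTS, EVIDENCE):
        print("WORKPAPER DEFECT:", problem)
    print(summary(TESTS), f"score={score(TESTS)}%")
```

On the constructed data this flags two defects before anything reaches the report: 3.3.1 is marked in place on the strength of an interview alone, and 3.13.11 cites an evidence reference that was never filed. Fixing those in the reconciliation phase is what lets a reader of the final report follow any finding back to the artifact behind it.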
CPA to Cybersecurity: Lead the Orchestra - Plan, Execute Report
2.5b Audit Lab
Two Approaches to Get Provably Compliant (Both Solid) 🔥
Test Procedures
Simply Cyber GRC Masterclass: NIST SP 800-53A background
CPA to Cybersecurity: SOX background test procedures, built around assertions
Workpapers
Simply Cyber GRC Masterclass
CPA to Cybersecurity
How to Make Business Cases for Control Investment
The importance of making business cases was emphasized in this chapter but details of how to do so were out of scope. Here’s a related blog/video if you’re looking for more info on that topic.