
Oh sure. How many people here were at the 11 o'clock talk, the security auditor one? There'll be a slight overlap between the two talks, because there is an overlap between security audits and what I talk about here, which are called security assessments or security risk assessments, but there are some differences. The big thing is that for about seven years I worked as a security consultant doing a lot of security risk assessments for a wide variety of companies, different frameworks and standards and regulations. Now I've gotten out of that and I'm just working for one company dealing with high-dressing women. I thought I'd do a disclaimer; I started doing this so you know: the views expressed by me are my own. They don't necessarily reflect the views of my employers, current or past, or BSides Tampa, or any organization, so your mileage may vary.

I spent several years as a security consultant. I did a lot of security risk assessments and gap assessments for a wide range of companies of various sizes and industries. Just to give you an idea of what I mean by that: the smallest company I dealt with was a one-doctor psychology office; the biggest was probably one of these large regional hospital concerns, which meant I had to support, with a team of people, assessing them over a couple of weeks, you know, driving around, visiting offices, doing a
lot of interviews and so on and so forth, walking around campuses, as well as some software companies, manufacturing companies, a theme chain, a publisher. Sorry that I don't mention any names, but when I worked as a consultant we did not name our clients, so I'm a little leery about doing so, though if I named some of my clients you'd go, "oh yeah, I know them." Also a certain entertainment conglomerate that's in the greater Tampa Bay area.

In that I did a lot of different things: I did HIPAA, PCI, the Cybersecurity Framework, 27001, the Critical Security Controls, New York DFS (have you ever heard of that?), SOC 1, SOC 2, HITRUST, blah blah blah. Part of this, for a lot of my clients, was that I personally created what I call an audit framework, basically a structure for gathering their evidence on an ongoing basis, so that when we came in to assess them they actually had the evidence to show: yes, we're doing what we say we're doing, here's the evidence. That will actually be the topic of a future presentation, which I'm loosely calling part two; I'm not sure where or when that will be given, hopefully this year.

So again, this is meant to be a presentation at a very high level, a very simple level. This is probably a topic that, honestly, we would spend a whole day or a week of training on, how to be a security assessor. My target audience is basically two groups of people. One is those who might want to do this as a career: you might want to work as a security consultant like I did and go work with clients and companies, help them be better, assess them, and go forth. And also, maybe you're going to face someone like me coming into your company and asking you a lot of questions, and you might want to understand what that is and what's involved. You might say, "oh, it's the scary auditors, I'm terrified," and I'm kind of trying to alleviate that.
Because the assessment can be done against a wide range of frameworks, standards and regulations, I'm not going to cover any of these, okay? I'm basically going to do, if you will, a generic assessment model that can be used with any of these. At the end of the presentation I will give you resources on where you can go and learn about these frameworks and standards if you're not familiar with them. Honestly, on several of these I've actually spoken at conferences, including BSides Tampa; my first time talking at BSides Tampa was on the HIPAA regulation, and they filmed it, it's on YouTube.

So what is a security risk assessment? Basically, an assessment is an appraisal or an evaluation of how you are doing: "really good," or "oh my God, why are you doing this, why aren't you doing this," and everything in between. It's basically an evaluation of an organization's security program, what we might call an ISMS; that's from 27001, an information security management system. We try to see, hey, how does what you're doing compare against whatever we're going to compare it against, whether it's a regulation, whether it's a standard, whether it's a framework, and what are the risks that you face because you're not doing what you're supposed to be doing. And again, we evaluate how well you meet those requirements. It's not just "are you doing it or are you not doing it," it's how well you're doing it. "Oh, you're doing backups? Yeah, that's great." No, no, no, no: it's how are you doing backups. Explain to me how you're doing backups. Oh, you're doing daily, weekly, incremental; are you encrypting them? That's where it gets into the assessment part, where we take a look at how you're doing, and is that really good, or is it "oh my God, are you freaking crazy?"

And again, that's one of the benefits of having worked with a lot of different companies: there was a wide range of these different companies.
There was the bare handful that were doing everything well, where it was like, "gee, can I find anything that I can say you need to improve?" Versus the other side, where we already knew going in that they have no policies, and who knows what other god-awful things we'll find. And then the ones in between, where, "you're giving me policies, where's the rest?" "Oh, there isn't any rest." Okay.

Which I will kind of touch on before going on. I want to make clear: security assessments are not audits. There is a difference, okay? So again, when we talk about a security assessment, we're evaluating the ISMS, and we're giving a rating of some sort. That rating could be, you know, good to bad, or a numerical rating, and there are different ways that can be done. There's another type of assessment called a gap assessment that's much, much easier; it's quicker. It's basically coming in and finding out what you're doing and what you're not doing. "You're doing backups? Okay, great. Antivirus? Great. Do you have asset management in place? Oh, you don't? Okay, that's a gap, moving on." So the gap assessment is quicker.

The thing with an audit is that, one, it's an independent evaluation, whether internal or external, of whatever is in place. I am not independent as an assessor; I am an extension of the company. That's one big difference between an audit and what I do, and that's why I make it very clear when I go talk to people in companies: I'm not an auditor. I'm here on behalf of your company to find out how you're doing, because they want me to come in and find out what's going on and what's not going on, because we're here to help you improve. So we're not necessarily independent; we're also aimed at improvement, because oftentimes what happens, since again I was a consultant assessor, is that at the end of the assessment I might say, "okay, this is what you need to work on." Some are like, "okay, great, thank you, we'll see you next year," and some are like, "okay, what can you do to help us?" So then I would start helping them put in place policies and procedures and so on and so forth, which an auditor cannot do: an auditor cannot audit what they implement. As an assessor, I can assess what I implement, though ideally I should get one of my colleagues to come and assess what I put in place with the client. But that's where some of the differences are.
Again, what's going to be assessed against: all these things, and probably more. I think, except for maybe one, I've done every one of these, and then there are things like, "oh yeah, we're also subject to this regulation, could you take a look at us and tell us how we're doing?"

So, why conduct an assessment? Usually management, typically the C-suite or upper management, wants to know how their program is doing. They want to make sure that they're in line with whatever regulation, standard or framework; they want to know how they're doing; they want to know what they can do to get things improved. I actually had some clients, and these weren't necessarily the C-suite people, they were the level below, who were bringing us in to assess their program knowing full well that they had issues, but upper management was more likely to listen to us and give them money to fix the problems they knew about than they were to listen to them and give them money to fix the problems they knew about. Go figure. So we would sit down and it's like, "oh, what problems?" "This, this, this, this." You know, you don't usually have people come in and just blurt out all their dirty laundry, but that's what you would sometimes do.
So the purpose is to improve the overall program. We give a full report to the client, several different reports: details, high level and so forth. One thing we also do is give them what's called a corrective action plan, i.e. we've looked at what you have in place and what you're missing, and I have a pretty good idea of your capabilities, so we've laid out this plan that runs out six months, a year, a year and a half, of prioritized activities you should do to fix what we think needs to be fixed. That really helps them out, because for a lot of our clients it was like, "what do we do first of a hundred things?"

Sometimes they want a report they can give to their clients, at least to say, "yes, we've had a third party commissioned to take a look at us, and we're compliant," what have you. Some of them are also doing this to prepare, because they're going to have auditors, or whatever you want to call them, come in and audit them and give them a SOC 2 report or certify them for 27001 or HITRUST, what have you. So they want us to come in, take a look at their program, figure out what needs to be fixed, and fix it. This happens, and that's something I actually did: I helped two companies get their first SOC 2, two companies get 27001 certified, and other companies with HITRUST certification. So, a lot of fun times.

Now, one thing I hope most of you are familiar with, I'm not going to spend too much time on it, but this is the big thing of what we're doing when we do assessments: we're doing assessments against what we call controls. In particular, NIST defines controls as activities done by people and systems. I have to emphasize that because of some people who think that controls are only technical, and I don't understand that. No, no: controls are people doing things and
policies and procedures, and this is something that we take a look at in terms of: do you have policies in place, do you have controls in place, let me see the evidence of that. That's what an auditor would do as well, and this is important to managing risk, and we look at all these sorts of things.

This diagram is from ISACA; there are various versions of this, but this is the one I like the best. This is why we have controls: you have a threat agent that creates a threat, that initiates a threat event, that event exploits a vulnerability, which causes an impact, a breach maybe, and you have all these different controls to address certain aspects. You have the detective control that just says, "oh, that's happened," and you take care of it, and a preventive control will help things. Keep in mind, if you read the wording, you never see the word "stop" or "prevent." The controls do not do either; they reduce. You can reduce risk, you cannot eliminate risk. Understand that. So again, we have technical controls, firewalls, encryption, antivirus and so forth, but we also have non-technical controls, where we have policies and procedures, and you need both. If you don't have both, you will fail an audit or an assessment, because you have to have them on both.

Now, in doing this, of course, we have to gather evidence. That's something I think the last couple of talks have talked about, evidence, because whether I'm an assessor or an auditor, how the heck do I know that you're doing what you claim you're doing if I don't have evidence? This is a methodology from Douglas Landoll, from his book, which I'll tell you about later on. It's called the RIIOT method: review documents, interview personnel, inspect controls, observe behavior, test controls. I did a lot of the first two; the last three I've hopefully done in a decent way of
doing it. I honestly wish I'd had the book when I started out in this career as an assessor; I probably would have done a better job, in my opinion.

There are different methods of assessment. These are a couple that I see a lot, and this is basically where you assess risk as threat likelihood versus impact. Very common: this is a three by three, low, medium, high. If the threat likelihood is low and the impact is low, that's low, you don't have to worry about it too much. But you can also go further, where you can do a five by five like this, and I've seen seven by seven. Of course, the first one I can do pretty decently; that's what I typically did. But with the others you try to think about, okay, is this very low, or is it low, or is it moderate? And oftentimes when I'm doing assessments I'll work with someone else, and we'll go back and forth, where I think it's low and he thinks it's medium, and we've got to go back and forth to come up with what I'm going to pick. So, not too much fun.

Here are two other different methodologies. The first one here is from the Center for Internet Security, for their assessment of the security controls. They do five elements, and for each one of those they have five points: policies, whether you have no policies or written ones; is the control implemented or not; is it automated; is the control reported. These are all then scored, and that's how they score you on your assessment of having the prescribed controls implemented. This one here is from HITRUST. For every one of their little control points they look at: do you have a policy that addresses what they want, do you have a procedure that addresses what they want, have you implemented it. And then they score from zero to one hundred, and based upon that scoring and the scoring of all the other controls they determine whether or not you pass your certification. So, lots of fun.

When I start talking about the assessment, there are various stages. But before you even talk about doing an assessment, if this is what you do as a career, you have what I kind of jokingly call the pre-preparation, before we even talk about getting ready to work with a client. These are some things that you need to get taken care of beforehand. If you're working for a company, the consulting company or the company would have hopefully done
this. The fun thing was, the company I was working with was pretty small, so a lot of this stuff I had a heavy hand in doing. It's things like: okay, are we going to have a GRC tool to collect that evidence from this client, or even just a repository for them to upload files? Or are we going to use spreadsheets to do our assessments, that have all the controls that we're doing and all our scoring and whatnot? Do we have what's called a document request list, or evidence request list, that we give to clients to say, "this is what we want from you"? I'll talk more about that, because that's a very important step. And then, of course, we want to create report templates to make things a lot easier. If I'm going to give reports to different clients, I don't want to have to create a brand new report from scratch for each client; I want to have a template that I can take and modify and update and give to this client and that client, that is 90 percent the same structure and whatnot, it's just the data inside that's different. Otherwise I'm spending a lot of time. Also, the assessment model that I might use, which might be determined by the client: I might have different versions, so I had multiple spreadsheets. I had a spreadsheet for "oh, I'm doing a HIPAA assessment," I have a spreadsheet for that; "oh, I'm doing an assessment against the Cybersecurity Framework," a spreadsheet for that; "oh, 27001," a spreadsheet for that.

Again, this is also taken from ISACA. I thought this was a good one. This is an audit process, but the assessment process works the same way. You have your planning phase, getting ready to do the work, which is kind of the boring part that oftentimes I didn't have involvement with; it was usually the upper level in my organization working with the client, not me. Then what we call the fieldwork and documentation phase, which I think is the fun part; that's the people that do the work. And then the reporting phase, which is where you take everything and go to the client and say, "this is how you're doing," and so forth, which sometimes I was involved with and sometimes I wasn't.

So, the preparation. The first step, one thing we do, is we define what's called the scope and the rules of engagement, which are put down in what's called an SOW, a statement of work. Okay, scope: hopefully you know what that is, but just in case, the scope is what is
the scope of the assessment: what are you assessing? Are you assessing the entire company? That might not be a good idea. Or are you only assessing a subpart of the company? That can be important. You might have a huge company, but they're like, "okay, we have this division over here that's working with sensitive data," so okay, that's the scope, we're going to look at just that little part. So it's important to define what that scope is. It's also important for the client, because the more I have to run around as an assessor to do stuff, the more it's going to cost you. Define what is being assessed, why are we assessing it, how are we going to do it. Am I allowed to do uninvited visits? Can I drop by your locations unannounced and social engineer my way in? Am I allowed to do that or not? We don't want what happened with those assessors who went to that courthouse and ended up dealing with the county sheriffs, which did happen.

Then we decide what to request from the client. We developed what's called a document request list, and this was not just a sheet of paper saying "give us your policies." Over time it developed into a multi-tab spreadsheet. The first tab was all the documentation evidence I needed for compliance. It wasn't just "give me your policies"; it was "do you have a policy on asset management, do you have a policy on antivirus, give me your disaster recovery plan, give me your incident response plan and your network diagram, give me a sample of your asset list, a screenshot, give me a screenshot of your password settings," things like that. So it had a whole list I developed over time, to tell the client, "this is what I need from you," to be very specific.

Then we had another tab, which was: who are the key people in your company? Who's your network engineer, who's your system administrator, who builds the servers, who builds your desktops, who does your backups? In some small company that's going to be two or three people, and in a big company there could be different individuals responsible for different activities. That was all important, because I was going to interview these people, so I want to know who the heck I'm going to have to interview. So I go through and kind of break down everything. I would also ask who are all the vendors that they rely upon for their data, you know, the data centers you use, the vendors, cloud, things like that. I
had one tab that was all the security tools: what's your antivirus tool, what's your backup tool, what's your IDS/IPS tool, what's your email filtering tool, do you have a whitelist/blacklist system, and so on and so forth. So I went through all the possible security tools: tell me what you have in place right now. All the business associates, just asking for that information. Oftentimes that would show us there were issues, as in, "uh, I'm not sure what we have here," type thing, which right there is indicating I've got problems.

Once we have that, we develop the interview list and the site visit list, because if we're going to go and do interviews, we're going to need to schedule those interviews. It could be over a week of time where me and maybe my associates are doing back-to-back-to-back interviews with different groups of people over a week, which I have done. If there are sites that we need to go visit, we need to get a list of all those sites and work out a schedule, so if I'm going to spend a week driving around visiting sites, which I've done (I think one time I spent Monday through Friday driving across central Florida visiting doctor offices, which was so much fun), that all has to be worked out, and they need to know that I'm coming, and so on and so forth. And then, of course, if we're dealing with a larger client, say the largest medical center and whatnot, then I, or some of our team members, are also going to be walking around the different departments and areas and that sort of stuff, because you never know what you're going to find squirreled away in some hallway or mezzanine or what have you, which I have. So you need to be prepared for all that sort of stuff.
And then we get to the fun stuff, which is what we call the assessment, doing the fieldwork. First off, we take all that evidence and start reviewing it. We ask for missing documentation. I love when clients number their documents, because the first thing I do is take all the documents, throw them in a spreadsheet and sort them, and I love it when they're numbered, because then I go, "okay, you gave me documents one, two, three, seven, eight; there are some missing numbers there, guys, what's that?" And they're like, "oh, sorry, we forgot that, here you go." Or you're in the documents and they reference other documents. That's one of the first things I take a look at: does the policy or procedure document reference some other document? Then I go look at my list: do I have that one? Yeah. Wait a minute, this one? "Hey, I saw it mentioned." "Oh yeah, sorry, here you go." I'll talk more about the things with documents.

And of course we conduct interviews. I prefer having a team of at least two people do interviews; that's just me, because if I'm talking and asking questions I don't have the time to write things down. I want someone else to write them down while I'm talking, because sometimes they'll say something to me that will spark something in my mind, and if I'm writing, that doesn't work. One of my colleagues prefers to record them and then later on transcribe them. I prefer having two of us, where I'll ask questions and he'll record, and then we'll flip. One thing I try to do is create a list of questions. So for a network engineer I'll have some already prepared questions I want to ask that person, so I can understand things and so forth.

We also use the interviews to capture missing information, missing evidence. If I asked for evidence of how you do this or how you do that and they didn't give it to me, then I use the interview to find out: "okay, show me how you do this, let me take some screenshots." And then on-site inspection: that's where we walk around, we look for physical security, we take pictures. I took a lot of pictures. I kind of wish I'd kept them, but I really shouldn't have, and that's why I got rid of them, because I could really show you some really powerful things that I saw at different sites. So let me talk more about
documents. So this is something I look for: I look for the date of last update, review and approval. I don't expect documents, policies, procedures to be updated every year; I do expect them to be reviewed every year and approved every year. So when I get documents and I look and it's like, "this hasn't been approved in two or three years, how do I know this is accurate?" That's a big red flag. As I mentioned, I look for any other documents not received. I read through the policies and procedures, which can be really boring, to make sure that they are hitting what is expected in the regulation, standard, framework or what have you, because they will expect you to have certain things explained. What I'm also looking for is things like, note any tools mentioned in the procedures, and I'm going to bring that up in my interviews. I'm going to see how the document tells me things are done; I want to note that, because I'm going to ask the person when I interview them to verify it. And I'm going to look for any other problems, such as out-of-date things that don't make sense: "oh, who is this person named in this document?" "Oh, well, that person hasn't been here for two years." That's a problem.

So, things I've seen in documents. I have literally seen documents where the title says one thing, and reading the document itself, it didn't match up, so I had to ding them for that. I've seen grossly outdated documents, as in they hadn't been updated in two or three years and they talk about tools they didn't use anymore, or one talked about a data center in another state that they hadn't had for two years, when the data center was in the next county over. I think probably the worst is when I go and talk to the technical folks and ask them how they do things, and what they're telling me doesn't match the document, and I'm like, "well, that's interesting, because according to your policy here it says..." and I get, "oh, I didn't know we had that." I've also seen where they only had like half the expected document set that they needed. And in other cases they were upfront and said from the get-go that they didn't have any policies, so part of our job was basically to figure out how they're doing things, because then we had to go and write the policies that match what they were doing and help them put it into place.

So again, this all gets captured in our final report for the client, in terms of what they're doing well and what they're doing badly. Certainly the fact that they're not reviewing and approving documents on a regular basis, that's a big, big red flag. Again, not everyone was out there; I mean, we had some that were wonderful. I had one client that came in with a binder of their policies, "here you go," put it in front of me, and every single one had been dated and signed off by the person in charge, and I'm like, "wow, this is beautiful." I wish everyone was like that.
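The document checks the speaker describes (sorting the inventory to spot missing numbers, resolving cross-references, flagging documents whose review or approval is older than a year or missing entirely, and noting people named in procedures who are no longer on staff) can be scripted over a document inventory. The following Python is an added example, not code from the talk or the speaker; the inventory, the "see Document N" cross-reference style, the role cues used to spot names, the key-personnel roster and the one-year review period are constructed assumptions for illustration.

```python
"""Added example: scripted evidence-review checks over a client's document
inventory. Sample data below is constructed for illustration, not a real client's."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Document:
    number: int               # the client's own document number
    title: str
    body: str
    reviewed: Optional[date]  # date of last review; None if the document is undated
    approved: Optional[date]  # date of last sign-off; None if never approved


# Constructed inventory, as it might arrive in response to a document request list.
AS_OF = date(2023, 4, 1)  # assumed date of the assessment
INVENTORY: List[Document] = [
    Document(1, "Information Security Policy",
             "Owner: CISO. Reviewed annually. See Document 2 and Document 5.",
             date(2023, 1, 15), date(2023, 1, 20)),
    Document(2, "Asset Management Policy",
             "Inventory maintained by Pat Lee in the CMDB. See Document 3.",
             date(2022, 2, 1), date(2022, 2, 1)),
    Document(3, "Backup Procedure",
             "Nightly incremental to the Orlando data center, weekly full. "
             "Restores tested quarterly by Sam Ortiz.",
             None, None),
    Document(7, "Incident Response Plan",
             "Tabletop exercise yearly. Refer to Document 8 for contacts.",
             date(2023, 3, 1), date(2023, 3, 3)),
    Document(8, "Incident Contact List",
             "Primary: Sam Ortiz. Secondary: Jordan Kim.",
             date(2023, 3, 1), date(2023, 3, 3)),
]
# Key-personnel tab of the (constructed) document request list response.
CURRENT_STAFF: Set[str] = {"Pat Lee", "Jordan Kim"}

REVIEW_PERIOD = timedelta(days=365)              # assumed: reviewed and approved yearly
REF_PATTERN = re.compile(r"\bDocument (\d+)\b")  # assumed cross-reference style
# Assumed convention: a person is named right after a role cue. This is a heuristic,
# and every hit gets confirmed in the interviews, as the talk describes.
PERSON_PATTERN = re.compile(
    r"\b(?:Owner|Primary|Secondary|by)\b:?\s+([A-Z][a-z]+ [A-Z][a-z]+)\b")


def missing_numbers(docs: List[Document]) -> List[int]:
    """Gaps in the client's numbering: a missing number usually means a
    document exists but was not handed over."""
    numbers = sorted(d.number for d in docs)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def unresolved_references(docs: List[Document]) -> List[Tuple[int, int]]:
    """(referring document, referenced number) pairs whose target is not in the inventory."""
    present = {d.number for d in docs}
    return sorted({(d.number, int(ref)) for d in docs
                   for ref in REF_PATTERN.findall(d.body) if int(ref) not in present})


def stale_documents(docs: List[Document], as_of: date = AS_OF,
                    period: timedelta = REVIEW_PERIOD) -> List[Tuple[int, str]]:
    """Documents with no review or approval date, or whose last review or
    approval is older than the expected period."""
    findings = []
    for d in docs:
        if d.reviewed is None or d.approved is None:
            findings.append((d.number, "undated"))
        elif as_of - d.reviewed > period or as_of - d.approved > period:
            findings.append((d.number, "review or approval older than period"))
    return findings


def departed_staff_mentions(docs: List[Document],
                            staff: Set[str] = CURRENT_STAFF) -> List[Tuple[int, str]]:
    """People named in procedures who are not on the current key-personnel roster."""
    return [(d.number, name) for d in docs
            for name in PERSON_PATTERN.findall(d.body) if name not in staff]


def run_checks(docs: List[Document] = INVENTORY) -> Dict[str, list]:
    """Everything the assessor takes into the interviews, keyed by finding type."""
    return {
        "missing_numbers": missing_numbers(docs),
        "unresolved_references": unresolved_references(docs),
        "stale_documents": stale_documents(docs),
        "departed_staff_mentions": departed_staff_mentions(docs),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

On the sample inventory this reports numbers 4 to 6 missing, a reference from document 1 to a document 5 that was never handed over, document 2 overdue for review and document 3 undated, and Sam Ortiz named in two procedures despite not being on the roster; each of those is a question for the interview list rather than a finding on its own.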
Other documents and other things I ask for: what's your latest pen test report, what's your latest vulnerability scan, your antivirus scan. What I'm looking for there, especially, is if there are issues found in the pen test or vulnerability scan, have they addressed them? "Oh, you did a pen test, and here you have this critical issue, have you taken care of this?" That's not good. Of course, I've also run into the problem where they're like, "no, we haven't had a pen test, we didn't think it was needed," and they have critical data. I'll ask for network diagrams and data flow diagrams. With a network diagram, we want to see if it's been set up the way it should be. Is it all a flat network? Is everyone on the same freaking network, including Wi-Fi, and is the sensitive data on that? Have they segregated the network? Data flow diagrams I love, especially if they have data that's moving between different systems that hold sensitive data, and by sensitive data I mean basically PHI. Some people have that, some people don't, and in some cases I have to figure out what the data flow is by talking to them: "oh, the data comes into this system, and then it moves into that system," and so on and so forth.

I'll look for other evidence, such as: do they have an asset inventory? Do you know how many servers you have, how many desktops you have, where they are, who has them? Get backup reports: if backups have failed, have you addressed those? What are your password settings? You kind of look for the basic stuff, like, please God, have a reasonable password length, not six characters or whatever. And of course I look for any discrepancies between what they're doing versus what's in the policy. And with all evidence, if there are screenshots, get date and time stamps. There's an easy way to do it: the bottom corner of your computer should have a date and time that we can use in the individual screenshots.
If people aren't doing that, that's usually a pretty good indicator; you'd be wondering, what are you trying to hide? Interviews, again, are for understanding how things are done and validating what's in the policy or procedure. I prefer open-ended questions, like, "hey, so you're the network engineer, run through what you do, let me know," and just kind of let them tell me what they do. I don't want questions that are yes or no questions; I want questions that'll get a response. I'm not trying to trick them or anything, but I'm trying to tease out information that they may give without realizing it. So I'll ask them things like, "hey, have you had security awareness training?" which they all should have done. "Oh, have you guys done an incident response exercise? How did that go?" Things like that. I validate the tools being used, verify that the procedures in the document are what is being used, ask them to show me what they do. Even though someone's going to be in a conference room or whatnot, I'd rather just drop by their office and have them show me stuff and give me screenshots and so forth. Interviews can be pretty exhausting; with some clients I've spent a week doing nothing but interviews.

And then there are the site visits. These pictures are from the internet, sorry, these are not from my assessments, but they're sort of close to some of the stuff I've seen. I go and do a walk around at offices and sites. I'm looking for the basic stuff: are there security cameras, are there security alarms, are there locks, or are they doing stupid stuff like propping open locked doors? Do they have physical paper with sensitive data? This is especially with medical offices
and doctor offices that have that still have paper medical records are they secure are they moving these things around you know is it you know left out there where anyone can touch it or is it put away a little bit um like I said I did a lot of doctor offices and I've seen the whole game promises that were like uh fully fully electronic no paper just wonderful and then there was the ones where they were literally drowning in paper or get away and they would had it like they stacked to the rafters and oh yeah we had this exam room down the hall that someone crashed a car from the outside and now we turn it into storage for more
records and like you got to be kidding me um and I've worked with it stuff it's just as bad too where I go in there and so there's there is all their Telecom equipment and never put right there on the wall where anyone can touch it no cage Around It Whatever uh another office I went to they had the cage they had a key in the key in the lock so uh and I talked about telling you walking around I went to one hospital and they had one of their buildings they had a mezzanine level that we went to and we went through this amazing kind of hallway area that had been turned into a Dumping Ground
for copiers it doesn't copywers and then these cardboard box full of what looked like X-rays and this were to stop and it's like what the heck and then we had also gone into another kind of weird mezzanine level in their building they had this this cage full of equipment we're seeing like stackable computers and it was unlocked you know we were doing you know but that thought we were actually doing daily um meetings with the CIO so needless to say that was something that we uh informed him how that day and I was interesting with the computer equipment in the building we were ready like I want to see that like okay go down the elevator let's go on that
stairway here there you go see there see there's the stack of these equipment and when we were here the store was not locked this one that's one of the fun fun things of a the security assessor walking around and visiting and seeing things and so forth um what also kind of really weird I never quite understood this where um in some cases I was going back working with the same clients several several years in a row so in some cases I'm going back to the same sites you know two or three years in a row and you hope to see an improvement of things and in some cases yes I did see an improvement but some cases I would see
like really odd boss all stuff like I went to one place where they had built a closet around their their computer equipment which was nice but then I you know I open up and as I where the heck do these backup tapes come from these weren't here last year you're not doing backups here where are these where do these backup dates come from and somehow backup Pages just magically appeared where there were the features there at the signings they still don't know what the heck happened there so once it's not all done you know whether you and your with your team or what have you get together you need to review all that document make sure you got all the
energy that you was there anything still missing we've actually had I've had that where we try to ask her all at the beginning and sometimes not to the very end that we finally get the missing documentation that we asked for um and so we had has all that been been taken care of do we have any outstanding questions we have to go do we have to Circle back around and ask something to someone we then review all our interview notes and they answered we know everything we do all alongside you know on-site evidence anything missing um and then we then until they start drafting at what we call is that a corrective action plan of how to address
things we need to address things um because at least for me a lot of the companies I was dealing with were kind of small okay they didn't have a huge I.T you know group and whatnot and in many cases that's part of why they brought us on board was they needed you know better of security expertise to help them out all the time sort of giving them a list of you know here here's a list of 50 things you need to fix and they're going like which I I'd rather say okay we have we found 50 things here it is and you know order of importance I've laid out you a plan that you can work out over the next
two years based upon what I know about your abilities and and time and this sort of stuff uh they appreciate a lot more you do it that way now before there's something that we did and I don't know if this is true that everyone does this before we present the final report to the client we actually would do a review with the client of the draft report and we we do not we would never give them a copy of this would do this you know we would go to their office and make a presentation but it wasn't like you know here take a look at this draft report and give us your feedback we didn't want them to have
that draft report for their protection um if we're doing car what have you and it was meant to like making sure hey did we miss anything that we misunderstand anything um in one case I had a client it was a small private school and I talked to a lot of different people and one of the folks I had talked to was their security officer who mentioned that you know not all the students didn't have ID badges with the lowest price buy because at that point pretty much most schools game students ID batches yeah so I thought that was kind of weird so I put that down as a finding and then are we doing the review with the client
that's like oh no no no no all our students have ID badges the security guard the security officer was very new to the school he had just joined in recently and we're in school break so I was given given incorrect information so that was good at finding that I would I would have been misinformed because it would I would not want somebody to go into the fire report because I mean I put it then put down his finding hey you should look into giving up your students ID badges everyone does once you do you you will probably give actually multiple reports to clients this is actually pretty standard um so often this given to senior manager
I need to see Suite uh we also will do it as a PowerPoint presentation with a high level results because we're giving it to c-level people okay these are not technical people I can't give them like nitty-gritty like oh you need to do you know through a domain trust and yeah yeah no no no no no I'll just all high level type stuff but then I get more detail reports for the technical folks because they would understand that um we would also probably do like a more detail report ones in some case if our clients wanted a letter that said yes when you come in and assess them against this regulation or that that standard
what have you and they're these were these were pretty good that yeah they're they're compliant versus that you know not the ones that were like really bad anyway that's what it is at the end you know regardless just found you want a happy client and most clients again they're they're expecting us to find issues that's part of why they brought us in there is that they they pretty much think there's issues they want us to find it so our job is to find issues it was kind of a struggle for the really well run clients which was like a small handful to find anything like hey here's something that you can improve on um you know giving them that plan to
address them is when they they like and again since we because I'm an assessor not an auditor I'm a consultant I can then help that client address those issues and Otter cannot do that they're not allowed to um and so hopefully if everything goes well they'll have us back next year and following year so forth then hopefully what I like is when I did that is like oh they kept getting better and better and better versus you know do a one-year come back and you're like oh my God I'm finding new issues no you're back sliding so uh let me give you some resources uh we're kind of near the end of times you know I want to get through this and let
you guys ask questions because there's no one following me against people so HIPAA um this is probably the best document that I know of a single document from nist I'm probably familiar with the SP 800 series so um the first one is a website it's an independent website run by a guy who is actually a member of the the special committee that develops these it is in my mind the best independent site for information on ISO standards you want to understand what all the different types of documents do and what they're all about where the Army updated that's the place to go the second one is the official site which is got some good information but they don't update as
much as they should
The next version is coming, and I'm looking forward to that; it's been updated to the new ISO versions, ISO 27001 and 27002. Cybersecurity Framework: obviously this website; they are now in the process of creating 2.0, they're having meetings online and so forth, and I've been involved with that. The RMF, Risk Management Framework, FISMA, whatever you want to call it: that's probably the best site for information, from NIST. The Critical Security Controls: go to CIS and use all their tools and so forth. SOC 2: the first is the book from AICPA, which is on top; you can get it off of Amazon, and also this is their page on their website on all the SOC reports. PCI: the PCI site, for free. HITRUST: I do HITRUST; if you can avoid HITRUST, please try to. CMMC 2.0: one is the accreditation body, which is going to be certifying the groups that have been certified, and then of course the DoD, who actually run the documentation themselves. Now, I mentioned the book by Douglas Landoll; I actually brought a copy with me, even though I had to put it in my book bag on my way up here. This is the current edition; you can get it off of Amazon.
Like I said, I wish I had this when I got into this field. It's a really good book; this is the third edition, so if you want to do security risk assessments, this is the one to get. Another one that might be a good resource is another SP 800 document from NIST on conducting risk assessments.

Training: there isn't any real training for assessments, but there is some for auditing that I think you should be aware of. ISACA has these three certificates (not certifications) for cybersecurity, IT audit, and audit knowledge, which they actually developed with the Cloud Security Alliance; I think it's kind of cool. So these are some things to look at, and those are the books if you want to study. Then of course there is the CISA certification, which, yes, I have. The book is a little bit dated; I don't know why they haven't updated that one yet. That's a good certification to get, but be aware you need experience to get this one: you must have at least four years with a degree, or five years doing this sort of work, to get the certification. From SANS there are these two certifications and training courses. The first one used to be aimed at the Critical Security Controls, but they've now broadened it to other frameworks. Then there's the audit one, which I was just informed they've updated recently, and this one also gets into assessments. If you want to take a class, it's in person, seven days, and the certification is extra.

So, I mentioned I'm working on what will be part two of this series, creating the audit framework, which will talk about setting up a regular cadence of activities, daily, weekly and so forth, to gather the evidence that you need, whether for internal audits, external audits, assessments, attestations, what have you, whether it's going to be for SOC and so forth.
I hope it'll be presented at another conference this year; not having written it yet, I'm not sure where it'll be given. I have been thinking recently of maybe a part three on security metrics: you can't improve what you don't measure. That's kind of more up in the air, and I'd welcome feedback on that. Questions? Yes.

So, being in this field for so many years and having loved it, what would be the three things you hated about it, for anyone who wants to get into this field?

Okay. There were the clients I was dealing with that were a pain. You had clients that might have been difficult themselves, but you could work with them; it was the arrogant clients. I don't want to go into a doctor's office and have the doctor tell me, "You don't need a firewall; it doesn't say I have to have a firewall." Please, I have to do my HIPAA job; I'm not telling you how to do your job. Or when I criticized the doctor again about the piles of paper: "Look, I'm a great doctor, all my patients love me." That's not the criticism; you're putting their data at risk by having it in piles on your desk in the middle of the freaking walkway. So in many cases I think it was the clients that made the job pleasant: the ones that appreciated the work that you did, who were willing to be honest with you and say, "Hey, we have issues, we know we have issues, these are the issues we are aware of, you can go verify it, and if you can find more, great."

That's right. You had mentioned that you could come into some organizations and they would have zilch for policies and procedures. Did you find, in your professional career, that that became like a game, "we're going to add that on as a feature to this assessment," or is that just somehow...?

No, no. In some cases it was understood from the get-go that the client knew they were missing these, and so we were coming in to document what they had in place, how they're doing it, and develop the policies.

Okay, so you came in knowing you had to build this from the ground up.

Yeah, yeah. I don't think we had any assessment where we came in and were just shocked that they didn't have policies. We did have one client that was almost like that, where they were a big group and that sort of stuff, and we asked for policies and it's like, "we're doing this stuff"; they have policies, but they hadn't sent us the freaking policies. What the heck is going on here? And literally, it was here in Tampa; we came here and did a lot of work with them, and as I'm leaving they finally gave us the policies, so I was sitting on the Tampa airport Wi-Fi pulling down the policies and reviewing them before flying. I wanted those beforehand, right? Yes?
I came from being a system administrator, then a security architect, so I had been faced with audits. I was in an organization that got assessed for DMM, if you've heard of that, so I actually experienced what it was like to be assessed; it went through several years of that, so I had that experience of being on the receiving end. But I never was part of either an external or internal audit process, so it basically was me taking my knowledge of what should be in place and then going into another company or organization and saying, okay, I know what you should have; let's see if you've got it, and going from there.

This is a kind of gripe I have with IT auditors in general: I want to see more people coming into IT audit from a technical background and not a financial background. One time when I was assessing a client, we were talking with the CTO of the company, who had set up the whole technical structure of the company, and I had an associate with me who had been an auditor. He's talking about their structure, and they had two-way trusts and one-way trusts and development environments, and I'm going, "okay, yeah," because I had been an Active Directory administrator, so I understood what he was talking about. When we were done and he left, my associate turned to me like, "what was he talking about?" That was no slam on her, because she came from a financial background; I came from a technical background, I was a sysadmin, I was an AD admin, and I understood that. But when you have people coming from a financial background who don't understand the technology, how effective can they really be going in to assess the company and saying "your network diagram is good or bad" or what have you, when they don't understand it? There are auditors who are super sharp on technical stuff, they're out there, but it bothered me too much when people come in from the financial side; I wanted to see people from my background, in technology, coming into IT audit.

Yes. So your role as an assessor: would you be in the same line of defense as an auditor, because they're not in defense, or would it be the second line of defense?

I mean, in terms of defense, I'm making sure they're improving their program, making it better. So, the lines of defense in terms of which line