up

2020-01-17

• Internal Audits
  • These guys already know about the env
  • But they come with bias
  • ‘They see something one way’
• External Audits
  • Less Bias!
  • Expensive
  • Auditors need time to get up to speed

Audit Models

• Black Box
  • Auditors get no hints
  • Supposedly simulates adversary behavior
• Grey Box
  • Some knowledge
• White Box
  • Complete knowledge of system to be tested

Non-technical models

• review
  • Is it a good standard?
• compliance
  • Do you follow the standard?

Important Steps

• Pre-engagement discussions
  • weeks to months beforehand
  • Determine type, goals, duration, scope, and depth
• Initial audit meetings
• Audit
• Audit Report
  • Quantifiable metrics
  • Realistic recommendations

Audit vs Assess

• Audit
  • The process of comparing reality against a standard
• Assessment
  • A judgment call about the truth of some claim
  • The outcome of a PCI Audit is an Assessment

General Process

• Pre-Audit
  • Contract negotiation
  • Scoping
    • What’s on the table?
    • How much is on the table?
  • NDAs
    • Could happen anytime
• Planning
  • Identify Stakeholders
    • Must understand stakeholder goals
  • Make checklists
  • Develop assessment tools
• Data Collection
  • All data should pass the “who cares?” test
  • Data must be relevant to the standard being tested
  • Use the tools
  • Meet with stakeholders
  • Quantitative
    • Binary yes/no
    • Categorical
    • Ordinal
    • Interval
    • Continuous
  • Qualitative
• Assessment
  • Review the Data
  • Know the difference between average / median
  • Reach a conclusion
• Reporting
  • Written Report
  • Presentation of Findings / Readout