WEBVTT

1
00:00:00.000 --> 00:00:01.110
In this lesson,

2
00:00:01.110 --> 00:00:03.960
we will learn about security reviews.

3
00:00:03.960 --> 00:00:07.230
Security reviews involve dedicated evaluations

4
00:00:07.230 --> 00:00:10.710
of an organization's security policies, controls,

5
00:00:10.710 --> 00:00:13.530
and practices to ensure they are effective

6
00:00:13.530 --> 00:00:17.460
and aligned with regulatory requirements and best practices.

7
00:00:17.460 --> 00:00:20.550
These reviews can be internal or external.

8
00:00:20.550 --> 00:00:23.070
Internal reviews are conducted locally

9
00:00:23.070 --> 00:00:26.430
and focus on internal processes and practices.

10
00:00:26.430 --> 00:00:30.060
They help identify weaknesses and areas for improvement.

11
00:00:30.060 --> 00:00:34.140
External reviews are conducted by independent third parties

12
00:00:34.140 --> 00:00:37.590
and provide an objective evaluation of compliance

13
00:00:37.590 --> 00:00:39.360
and security effectiveness.

14
00:00:39.360 --> 00:00:42.900
Security review types include audits, assessments,

15
00:00:42.900 --> 00:00:44.820
and certifications.

16
00:00:44.820 --> 00:00:48.450
Audits are formal evaluations, typically conducted

17
00:00:48.450 --> 00:00:50.190
by external agencies,

18
00:00:50.190 --> 00:00:54.300
but they may also be conducted by internal security teams.

19
00:00:54.300 --> 00:00:56.160
Assessments are internal

20
00:00:56.160 --> 00:01:00.840
or external reviews, which identify vulnerabilities, risks,

21
00:01:00.840 --> 00:01:03.240
and gaps in security controls.

22
00:01:03.240 --> 00:01:07.500
Finally, certifications serve as formal validation

23
00:01:07.500 --> 00:01:10.620
that an organization meets specific security standards

24
00:01:10.620 --> 00:01:11.850
or regulations

25
00:01:11.850 --> 00:01:13.380
and are often the result

26
00:01:13.380 --> 00:01:15.870
of successful assessments or audits.

27
00:01:15.870 --> 00:01:18.690
So while audits verify compliance

28
00:01:18.690 --> 00:01:22.380
and identify areas for improvement, assessments

29
00:01:22.380 --> 00:01:25.530
help organizations understand their security posture

30
00:01:25.530 --> 00:01:29.280
and enhance their controls while certifications offer

31
00:01:29.280 --> 00:01:32.040
official recognition of their adherence

32
00:01:32.040 --> 00:01:33.600
to established standards.

33
00:01:33.600 --> 00:01:36.720
Let's walk through a few examples of audits, assessments,

34
00:01:36.720 --> 00:01:38.190
and certifications

35
00:01:38.190 --> 00:01:41.280
to understand distinguishing features of each.

36
00:01:41.280 --> 00:01:43.950
First, we have internal audits.

37
00:01:43.950 --> 00:01:45.630
Internal audits are conducted

38
00:01:45.630 --> 00:01:49.740
by the organization's own cybersecurity or compliance teams.

39
00:01:49.740 --> 00:01:51.210
Their primary goal is

40
00:01:51.210 --> 00:01:53.220
to check whether the company is adhering

41
00:01:53.220 --> 00:01:56.670
to its internal security policies and procedures.

42
00:01:56.670 --> 00:02:00.390
For example, a company might perform an internal audit

43
00:02:00.390 --> 00:02:02.280
to ensure that employee access

44
00:02:02.280 --> 00:02:05.190
to sensitive data is properly restricted,

45
00:02:05.190 --> 00:02:06.300
and that all patches

46
00:02:06.300 --> 00:02:10.050
for known vulnerabilities are applied expeditiously.

47
00:02:10.050 --> 00:02:13.950
The focus of an internal audit is on improving internal

48
00:02:13.950 --> 00:02:16.710
processes, identifying risks,

49
00:02:16.710 --> 00:02:19.980
and preventing security breaches before they occur.

50
00:02:19.980 --> 00:02:22.500
Companies can share internal audit results,

51
00:02:22.500 --> 00:02:24.990
but this is not normally required.

52
00:02:24.990 --> 00:02:27.900
Second, we have external audits.

53
00:02:27.900 --> 00:02:29.610
External audits are carried out

54
00:02:29.610 --> 00:02:32.280
by independent third-party auditors.

55
00:02:32.280 --> 00:02:35.520
These auditors assess an organization's compliance

56
00:02:35.520 --> 00:02:38.100
with external regulations, standards,

57
00:02:38.100 --> 00:02:40.230
or contractual obligations.

58
00:02:40.230 --> 00:02:44.430
For instance, a financial services company might undergo an

59
00:02:44.430 --> 00:02:47.370
external audit to prove that it complies

60
00:02:47.370 --> 00:02:49.780
with the Payment Card Industry

61
00:02:49.780 --> 00:02:52.650
Data Security Standard, or PCI DSS.

62
00:02:52.650 --> 00:02:56.400
Compliance with PCI DSS is required for handling

63
00:02:56.400 --> 00:02:57.900
credit card data.

64
00:02:57.900 --> 00:03:01.620
External audits are more formal than internal audits,

65
00:03:01.620 --> 00:03:04.560
and the results are often shared with regulators,

66
00:03:04.560 --> 00:03:06.750
clients, or stakeholders.

67
00:03:06.750 --> 00:03:09.810
Third, we have internal assessments.

68
00:03:09.810 --> 00:03:12.600
Internal assessments, like internal audits,

69
00:03:12.600 --> 00:03:15.750
are also initiated by the organization,

70
00:03:15.750 --> 00:03:17.100
but they're generally broader

71
00:03:17.100 --> 00:03:20.130
and more exploratory than internal audits.

72
00:03:20.130 --> 00:03:22.950
Instead of focusing strictly on compliance,

73
00:03:22.950 --> 00:03:24.780
an internal assessment may aim

74
00:03:24.780 --> 00:03:27.900
to evaluate the overall security posture

75
00:03:27.900 --> 00:03:29.520
of the organization.

76
00:03:29.520 --> 00:03:32.520
A good example is conducting an internal assessment

77
00:03:32.520 --> 00:03:36.030
before launching a new system or migrating systems

78
00:03:36.030 --> 00:03:37.590
and data to the cloud.

79
00:03:37.590 --> 00:03:41.430
In this case, an internal assessment would help identify

80
00:03:41.430 --> 00:03:45.840
potential risks, such as insecure application programming

81
00:03:45.840 --> 00:03:47.760
interfaces, or APIs,

82
00:03:47.760 --> 00:03:50.640
or even weak encryption, allowing the company

83
00:03:50.640 --> 00:03:52.350
to take corrective action

84
00:03:52.350 --> 00:03:55.530
before vulnerabilities can be exploited.

85
00:03:55.530 --> 00:03:58.740
Fourth, we have external assessments.

86
00:03:58.740 --> 00:04:00.990
External assessments are usually done

87
00:04:00.990 --> 00:04:03.120
by cybersecurity consultants

88
00:04:03.120 --> 00:04:04.680
or third-party experts

89
00:04:04.680 --> 00:04:07.380
who evaluate the organization's security

90
00:04:07.380 --> 00:04:09.390
from an outside perspective.

91
00:04:09.390 --> 00:04:12.660
These assessments are often performed when a company wants

92
00:04:12.660 --> 00:04:15.780
an impartial review of its systems

93
00:04:15.780 --> 00:04:18.480
or is preparing for an external audit.

94
00:04:18.480 --> 00:04:22.410
For instance, a healthcare company might hire an external

95
00:04:22.410 --> 00:04:26.340
firm to conduct a penetration test to ensure compliance

96
00:04:26.340 --> 00:04:28.380
with the Health Insurance Portability

97
00:04:28.380 --> 00:04:30.810
and Accountability Act or HIPAA.

98
00:04:30.810 --> 00:04:34.556
External assessments can identify unseen weaknesses

99
00:04:34.556 --> 00:04:36.900
and provide strategies for improvement,

100
00:04:36.900 --> 00:04:40.560
ensuring the organization aligns with HIPAA's security

101
00:04:40.560 --> 00:04:42.510
and privacy requirements.

102
00:04:42.510 --> 00:04:45.870
Fifth and last, we have certifications.

103
00:04:45.870 --> 00:04:48.600
Certifications provide formal recognition

104
00:04:48.600 --> 00:04:51.115
that an organization meets a specific set

105
00:04:51.115 --> 00:04:53.490
of cybersecurity standards.

106
00:04:53.490 --> 00:04:56.580
They are typically granted after a rigorous audit

107
00:04:56.580 --> 00:05:00.420
or assessment conducted by an accredited certifying body.

108
00:05:00.420 --> 00:05:03.810
For example, all major cloud service providers,

109
00:05:03.810 --> 00:05:08.810
including Amazon Web Services, or AWS, Microsoft Azure,

110
00:05:09.000 --> 00:05:14.000
and Google Cloud hold ISO 27001 certifications.

111
00:05:14.700 --> 00:05:17.280
Customers can access these certifications

112
00:05:17.280 --> 00:05:20.970
to validate that the cloud infrastructure they are using

113
00:05:20.970 --> 00:05:24.450
meets stringent security and compliance requirements.

114
00:05:24.450 --> 00:05:29.160
AWS's ISO 27001 certification can be

115
00:05:29.160 --> 00:05:33.180
accessed via AWS Artifact, a self-service portal

116
00:05:33.180 --> 00:05:37.170
that provides access to AWS's compliance documentation,

117
00:05:37.170 --> 00:05:40.260
including certifications and audit reports.

118
00:05:40.260 --> 00:05:42.390
This is particularly important

119
00:05:42.390 --> 00:05:45.750
for organizations in regulated industries like healthcare

120
00:05:45.750 --> 00:05:48.330
or finance, where demonstrating compliance

121
00:05:48.330 --> 00:05:52.380
with standards such as HIPAA or the Payment Card Industry

122
00:05:52.380 --> 00:05:56.190
Data Security Standard, or PCI DSS, is critical.

123
00:05:56.190 --> 00:06:00.030
Access to certifications allows businesses to ensure

124
00:06:00.030 --> 00:06:03.240
that their cloud environments meet industry-specific

125
00:06:03.240 --> 00:06:05.850
security and privacy requirements.

126
00:06:05.850 --> 00:06:07.260
So remember,

127
00:06:07.260 --> 00:06:11.100
security reviews involve evaluating an organization's

128
00:06:11.100 --> 00:06:15.240
security policies and practices to ensure they're effective

129
00:06:15.240 --> 00:06:17.430
and compliant with regulations.

130
00:06:17.430 --> 00:06:19.503
These reviews can be internal,

131
00:06:19.503 --> 00:06:21.930
focusing on internal processes

132
00:06:21.930 --> 00:06:24.780
or external, conducted by third parties,

133
00:06:24.780 --> 00:06:26.640
to ensure objectivity.

134
00:06:26.640 --> 00:06:29.610
Internal audits aim to identify weaknesses

135
00:06:29.610 --> 00:06:32.400
in the company's own security procedures

136
00:06:32.400 --> 00:06:34.860
while external audits assess compliance

137
00:06:34.860 --> 00:06:38.040
with regulations such as PCI DSS.

138
00:06:38.040 --> 00:06:40.200
Internal assessments are broader

139
00:06:40.200 --> 00:06:43.560
and focus on understanding an organization's overall

140
00:06:43.560 --> 00:06:45.240
security posture,

141
00:06:45.240 --> 00:06:48.852
while external assessments offer an impartial review

142
00:06:48.852 --> 00:06:52.530
of an organization from outside experts.

143
00:06:52.530 --> 00:06:56.310
Finally, certifications provide formal recognition

144
00:06:56.310 --> 00:06:58.770
of compliance with industry standards,

145
00:06:58.770 --> 00:07:02.040
such as ISO 27001,

146
00:07:02.040 --> 00:07:05.820
and certifications are important for demonstrating adherence

147
00:07:05.820 --> 00:07:08.970
to regulations in industries like healthcare

148
00:07:08.970 --> 00:07:10.293
and finance.

