Newcomer II

Looking For Audit Framework Resources

Hello all - happy Thursday.

 

I've been looking for a generic audit framework that is flexible enough to support CIS (i.e. energy field sites) down to small businesses (i.e. medical, mom and pop stores, etc).  Everything I've found (or know about) is either gargantuan and wonderful for a Fortune 500 company, or is a basic checklist that doesn't really provide value as it's meant for checkbox security.

 

Has anyone come across anything, know of any books or resources that I should dig into?  I'm hesitant to build something from scratch if there's already something close to what I need, but figured the smart folks in here probably have some great suggestions for me.

 

Cheers!

8 Replies
Community Champion

Re: Looking For Audit Framework Resources

Try using the CSA tool "CAIQ Lite" and port it to Google Forms or Microsoft
Forms and get the job done that way. I have always found that to be a happy
medium. Good luck!

@Lamont29
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Newcomer III

Re: Looking For Audit Framework Resources

The more complex and resource-hungry the resource/framework, the finer the
level of detail, so to some extent an organisation's size and risk appetite
define what will work best for it. That said, the UK National Cyber
Security Centre's Cyber Essentials framework isn't a bad starting point.
It's aimed at SMEs, but answering the questions with the implications for
larger organisations in mind can be educational. Sometimes great attention
to detail in one area is paired with missing out the basics in another.
See https://www.cyberessentials.ncsc.gov.uk/. NCSC's other advice to
businesses is generally pretty good and pragmatic, too.
Best of luck 🙂
Newcomer II

Re: Looking For Audit Framework Resources

Those both look like wonderful resources at first glance.  I'll have a better read later, but you might have nailed it for me.

 

Thank you both!

Community Champion

Re: Looking For Audit Framework Resources

Yes. Hopefully it works out for you. With that GRC spreadsheet, you can
port the relevant questions to your form choice and send that out to your
customers or business units and customize your reports. Unless you require
an enterprise solution, that will work great!

Lamont
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Newcomer I

Re: Looking For Audit Framework Resources

https://www.cisecurity.org/controls/cis-controls-list/

Is this what you meant by CIS in your post? This is a good place to start.
Newcomer III

Re: Looking For Audit Framework Resources

One thing to think about if using cloud service forms - they're a popular
phishing vector these days and many organisations tag forms links in emails
as potentially malicious. If you're going to ask correspondents to use a
form tell them beforehand so that they have a degree of confidence in them
and you can be alerted if their technical measures block the links...
Newcomer II

Re: Looking For Audit Framework Resources

@Troy CIS - Critical Infrastructure Systems, but your link looks very good as well.  Thank you!

 

@TimG Yea, I wouldn't use a cloud form.  I leverage a secure file sharing service when absolutely necessary to transfer files, however, I try to avoid forms.  There's an incredible amount of information missed out by not having conversations (in person or on the phone).

 

Cheers again everyone - really appreciate the info!

Newcomer I

Re: Looking For Audit Framework Resources

Well, it's a manual process, but here's how I would approach it; this is of course if you don't have software to do it.

 

1. Check all of the groups his admin account is a member of, it may give you a clue where he has access

2. Find a script that will query all of the servers and write the names of everyone in the local admins groups to a csv file and verify they are valid active accounts

3. Verify all of the accounts in the Enterprise Admins, Schema Admins, Domain Admins, and AD Admins groups are actual users (or service accounts)

 

Again, manual process, you're gonna have to do some detective work 🙂
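The three steps above as one PowerShell script. This is an added example, not code posted in the thread, and it is not a script the thread links to. It assumes the RSAT ActiveDirectory module on the workstation, WinRM reachable on the servers, an account with rights to read AD and the servers' local groups, and that "AD Admins" in step 3 means the domain's built-in Administrators group. The account name `jdoe-admin` and the output paths are placeholders.

```powershell
# Added example: manual privileged-access review in three steps.
# Assumes RSAT ActiveDirectory module, WinRM to the servers, and read rights.
Import-Module ActiveDirectory

$Target = 'jdoe-admin'   # assumption: the admin account under review

# --- Step 1: every group the account is a member of, directly and via nesting.
# Get-ADPrincipalGroupMembership only returns direct memberships, so the nested
# set is pulled with the LDAP_MATCHING_RULE_IN_CHAIN filter (OID ...1941).
$targetDn     = (Get-ADUser -Identity $Target).DistinguishedName
$directGroups = Get-ADPrincipalGroupMembership -Identity $Target | Select-Object -ExpandProperty Name
$allGroups    = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$targetDn)" |
                Select-Object -ExpandProperty Name
Write-Host "Direct memberships for ${Target}: $($directGroups -join ', ')"
Write-Host "Nested-only memberships: $((Compare-Object $allGroups $directGroups | Select-Object -ExpandProperty InputObject) -join ', ')"

# --- Step 2: local Administrators on every enabled server, checked against AD.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' -Properties OperatingSystem |
           Select-Object -ExpandProperty DNSHostName

# Unreachable hosts are skipped silently here; in a real review, log them too.
$localAdmins = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$localReport = foreach ($m in $localAdmins) {
    $status = 'local'   # local accounts/groups are not checked against AD
    if ($m.PrincipalSource -eq 'ActiveDirectory') {
        $sam = ($m.Name -split '\\')[-1]     # strip the DOMAIN\ prefix
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties userAccountControl
        if (-not $obj) {
            $status = 'NOT FOUND'            # orphaned SID or deleted object
        } elseif ($obj.ObjectClass -eq 'user') {
            # userAccountControl bit 0x2 = ACCOUNTDISABLE
            $status = if ($obj.userAccountControl -band 2) { 'DISABLED' } else { 'active' }
        } else {
            $status = 'group'                # expand separately if needed
        }
    }
    [pscustomobject]@{
        Server = $m.PSComputerName; Member = $m.Name; Type = $m.ObjectClass
        Source = $m.PrincipalSource; Status = $status
    }
}
$localReport | Export-Csv -Path .\local-admins.csv -NoTypeInformation
$localReport | Where-Object { $_.Status -in 'NOT FOUND', 'DISABLED' } | Format-Table -AutoSize

# --- Step 3: privileged AD groups should contain only real users or service accounts.
# -Recursive flattens nested groups to their leaf members. Enterprise Admins and
# Schema Admins exist only in the forest root domain; run from there or add -Server.
$privGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'
$privReport = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        $enabled = if ($_.objectClass -eq 'user') { (Get-ADUser -Identity $_.distinguishedName).Enabled } else { $null }
        [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass; Enabled = $enabled }
    }
}
$privReport | Export-Csv -Path .\privileged-groups.csv -NoTypeInformation
# Anything that is not an enabled user (computers, gMSAs, disabled users) needs an owner to explain it.
$privReport | Where-Object { $_.Class -ne 'user' -or $_.Enabled -ne $true } | Format-Table -AutoSize
```

Two things to keep in mind when reading the CSVs: `Get-LocalGroupMember` throws on members whose SID no longer resolves, so a server whose output is missing entirely may be the most interesting one; and the step 3 check flags group-managed service accounts as "not a user", which is usually expected but still worth confirming against the list of approved service accounts.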