
Security Audit Preparation Without Tears

Avatar for Tony Rice Tony Rice
October 03, 2025


Preparing for security audits often forces teams to chase the same evidence across multiple systems, wasting time and resources. This session details how leveraging overlapping requirements among SOC 2, ISO 27001, and FedRAMP can reduce effort, eliminate redundancy, and improve control coverage during audit preparation. Attendees will learn practical strategies for integrating automation and system workflows, plus cultural approaches that enable continuous compliance, making security audit prep less burdensome and compliance a natural outcome of secure operations.



Transcript

  1. © 2025 Cisco Systems, Inc. / Security Business Group / all rights reserved. So there! Cisco Public
     Audit preparation without tears. Tony Rice, Duo Security Risk & Compliance
  2. Agenda
     + Too many controls
     + If you've never done this before
     + Get organized
     + Automate
     + Continuous Audit
     + Iterate
  3. Cisco Secure Access products
  4. [Slide graphic: control counts per framework] 1100+ 325 300+ 100 ? 93 250 114 73 12 800+ 223. 3400 controls? 93 controls
  5. How did you do that? (nonsense courtesy: RCG Productions / FX Networks / Paddy's Pub LLC)
  6. Cloud Security Alliance Tools
  7. Where to start: CCM v4.0 Auditing Guidelines (nonsense courtesy: ZAZ / Paramount)
  8. Getting started: CCM v4.0 Auditing Guidelines
  9. Get Organized
     + A&A - Audit & Assurance
     + AIS - Application & Interface Security
     + BCR - Business Continuity Mgmt & Op Resilience
     + CCC - Change Control & Configuration Management
     + CEK - Cryptography, Encryption, & Key Management
     + DCS - Datacenter Security
     + DSP - Data Security & Privacy
     + GRC - Governance, Risk Management, & Compliance
     + HRS - Human Resources Security
     + IAM - Identity & Access Management
     + IPY - Interoperability & Portability
     + IVS - Infrastructure & Virtualization Security
     + LOG - Logging & Monitoring
     + SEF - Sec. Incident Mgmt, E-Disc & Cloud Forensics
     + STA - Supply Chain Mgmt, Transparency, & Accountability
     + TVM - Threat & Vulnerability Management
     + UEM - Universal Endpoint Management
  10. Evidence-collection script from the deck:

     ```bash
     #!/bin/bash
     # Gather a list of RDS snapshots as evidence of our nightly snapshots.
     # The two output files are supplied by the caller (the evidence-collection job).
     : "${COLLECTION_FILE_NAME:?set to the snapshot evidence file}"
     : "${AUTOMATED_BACKUP_FILE_NAME:?set to the automated-backup evidence file}"

     aws rds describe-db-snapshots \
       --query "DBSnapshots[*].{Identifier:DBSnapshotIdentifier,Encrypted:Encrypted,KmsKeyId:KmsKeyId}" \
       --region us-west-2 \
       --output table \
       >> "$COLLECTION_FILE_NAME"

     # Instance list and automated-backup configuration for the other regions.
     for region in eu-west-1 us-east-2; do
       echo "$region" >> "$AUTOMATED_BACKUP_FILE_NAME"
       aws rds describe-db-instances \
         --region "$region" \
         --query "DBInstances[*].[DBInstanceIdentifier]" \
         >> "$AUTOMATED_BACKUP_FILE_NAME"
       aws rds describe-db-instance-automated-backups \
         --region "$region" \
         >> "$AUTOMATED_BACKUP_FILE_NAME"
     done
     ```

     BCR-08: Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
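As an added example (not part of the deck), the following check turns the JSON form of the evidence the slide's script collects into pass/fail findings for the three BCR-08 properties (encrypted snapshot, retention enabled, recent backup). The snapshot and automated-backup records are constructed samples, and the 24-hour freshness window is an assumed threshold for "nightly".

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws rds describe-db-snapshots --output json`,
# trimmed to the fields the slide's --query selects plus those needed for freshness.
SNAPSHOTS_JSON = """{"DBSnapshots": [
 {"DBSnapshotIdentifier": "rds:orders-2025-10-02-07-00", "DBInstanceIdentifier": "orders",
  "Encrypted": true, "KmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-ID",
  "SnapshotCreateTime": "2025-10-02T07:00:00Z"},
 {"DBSnapshotIdentifier": "manual-legacy-2025-09-01", "DBInstanceIdentifier": "legacy",
  "Encrypted": false, "SnapshotCreateTime": "2025-09-01T01:00:00Z"}
]}"""

# Constructed sample in the shape of `aws rds describe-db-instance-automated-backups`.
AUTOMATED_BACKUPS_JSON = """{"DBInstanceAutomatedBackups": [
 {"DBInstanceIdentifier": "orders", "BackupRetentionPeriod": 7, "Encrypted": true},
 {"DBInstanceIdentifier": "legacy", "BackupRetentionPeriod": 0, "Encrypted": false}
]}"""


def evaluate_bcr08(snapshots_json, backups_json, now, max_age=timedelta(hours=24)):
    """Return BCR-08 findings keyed by check; an empty list means that check passed."""
    snaps = json.loads(snapshots_json)["DBSnapshots"]
    backups = json.loads(backups_json)["DBInstanceAutomatedBackups"]
    findings = {"unencrypted_snapshots": [], "retention_disabled": [], "stale_backup": []}
    latest = {}  # most recent snapshot time per instance
    for s in snaps:
        # Confidentiality: every snapshot must be encrypted under a KMS key.
        if not s.get("Encrypted") or not s.get("KmsKeyId"):
            findings["unencrypted_snapshots"].append(s["DBSnapshotIdentifier"])
        created = datetime.fromisoformat(s["SnapshotCreateTime"].replace("Z", "+00:00"))
        inst = s["DBInstanceIdentifier"]
        latest[inst] = max(latest.get(inst, created), created)
    for b in backups:
        inst = b["DBInstanceIdentifier"]
        # Availability: automated backups must be retained ...
        if b.get("BackupRetentionPeriod", 0) < 1:
            findings["retention_disabled"].append(inst)
        # ... and a snapshot newer than max_age must exist (assumed nightly window).
        if inst not in latest or now - latest[inst] > max_age:
            findings["stale_backup"].append(inst)
    return findings


def run_sample():
    """Evaluate the constructed samples as of a fixed audit time (2025-10-02 12:00 UTC)."""
    return evaluate_bcr08(SNAPSHOTS_JSON, AUTOMATED_BACKUPS_JSON,
                          datetime(2025, 10, 2, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    for check, ids in run_sample().items():
        print(f"{check}: {'PASS' if not ids else 'FAIL ' + ', '.join(ids)}")
```

Feeding it the real `--output json` files instead of the constructed strings gives the auditor a dated pass/fail record alongside the raw table the slide's script appends.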
  11. Runbooks for the rest
  12. Don't repeat yourself. Identify controls common across teams or products:
     • password management
     • user onboarding / access provisioning
     • data protection
     • privacy
     • contingent workers
     • PII and other HR data handling
  13. Continuous Audit: The Continuous Audit Metrics Catalog Version 1.0 (nonsense courtesy: Zoë Roth / Mebane Fire Department)
  14. Workflow & guardrail ideas and how to measure them: The Continuous Audit Metrics Catalog Version 1.0
  15. Questions? linkedin.com/in/tonyrrice/ speakerdeck.com/tonyrice
  16. CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.