An Internal Auditor’s Guide to Cybersecurity

An Internal Auditor’s Guide to Cybersecurity Part 2: Penetration Testing

Emily Swindle Senior Consultant Risk Advisory

Donel Martinez Director Risk Advisory

Jeremy Archer Managing Director Cyber Defense

Skylar Slotter Senior Manager Cyber Defense

Vulnerability Management vs. Vulnerability Assessment

Elements of Vulnerability Management

6

Team Involvement

Blue Team Purple Team Red Team

The defense team. This team may include SOC personnel, incident response teams, analysts, and security engineers.

Created when the red team and the blue team work together to test an organization’s defenses

and identify opportunities for improvement.

A dedicated attack team who emulates enemy

tactics to achieve objectives outlined by an

organization’s leaders.

What value do vulnerability assessments provide to an organization?

How do red and blue teams intersect with internal audit?

Anti-virus Deployment Use Cases

Anti-virus Configuration Example

Anti-virus Tool

Threat Modeling Series of Increasingly Difficult Tests

Wireless Example

How can internal audit help strengthen the security perimeter?

12

What are best practices for vulnerability scanning?

What is the difference between a pen test and a vulnerability

assessment?

People TechnologyProcesses

Penetration Testing Focus Areas

Why would an auditor look at a pen testing report?

Report Excerpt

Severity vs. Risk

Questions?

Focal Point Data Risk

@[email protected]

focal-point.com

Gary McIntyre Managing Director Cyber Defense

Episode 3: Internal Audit & the SOC

August 12, 2020 | 1 PM ET