Lessons Learned - Crash Course in Information Security Management System Implementation

BSides SATX · 2021 · 47:46 · 26 views · Published 2021-06
Style: Talk

About this talk
Title: Lessons Learned - Crash Course in Information Security Management System Implementation
Presenters: Rose Songer
Track: In The Clouds
Time: 1100
Event: Virtual BSides San Antonio 2021, June 12th, San Antonio, Texas

Abstract: Implementation of an Information Security Management System can seem like a daunting task. Often companies attempt to implement programs with a lack of resources and availability, limited tooling, aggressive timelines, etc. The implementation of an ISMS does not need to be overly complicated or difficult, but security professionals do have to be creative with their solutioning. With proper planning, companies can successfully implement their ISMS to support their security objectives. Additionally, companies must consider the implications of implementing a program and how to maintain it afterwards. As we all know, these programs are not once and done. They require ongoing upkeep to remain in compliance. This presentation will cover my own lessons learned on multiple ISO 27001:2013 implementations and ongoing management of the ISMS. We will discuss ISMS 101, the must-haves of your program, not skimping where it counts, less is more, and how to put a bow on your program. Take my challenges and turn them into your successes.

Speaker Bio: Rose Songer. Rose is a GRC Consultant with Seiso, LLC. Prior to joining the Seiso team, she worked as a Third-Party Management Lead at a major retailer. Within this program, she developed a comprehensive framework and evaluation process to assess vendors, as well as integrated automation with a cloud platform. Rose has a diverse IT and Security background spanning over 13 years in network security/administration, enterprise vendor risk management, and security awareness program development and implementation. She brings over 8 years of experience from her time spent in the Navy as an Information System Technician. Rose also has her M.S. in Cyber Security and Information Assurance and a B.S. in Advanced Networking. Her industry experience spans health care, federal government, and retail.
Transcript [en]

Everybody, welcome to BSides San Antonio. This is "Lessons Learned: Crash Course in Information Security Management System Implementation." It's my honor to introduce Rose Songer. She's a GRC consultant with Seiso, LLC, and prior to joining the Seiso team she worked as a third-party management lead at a major retailer. Within that program she developed the comprehensive framework and evaluation process to assess vendors, as well as integrated automation with the cloud platform. Rose has a diverse IT and security background spanning over 13 years in network security and administration, enterprise vendor risk management, and security awareness program development and implementation. She brings over eight years of experience from her time spent in the Navy as an Information System Technician. She also has an M.S. in Cyber Security and Information Assurance and a B.S. in Advanced Networking. Her industry experience spans health care, federal government, and retail. So with that, we'll go ahead and jump into the talk. Here's Rose.

Hi everyone, thank you for coming to my talk on lessons learned, a crash course in ISMS implementation. I decided to submit this talk for a presentation because over the past couple of years I have gotten a super crash course in all things ISMS, and in particular ISO 27001, which we'll dig into as part of this presentation. So I decided to take all those things I learned, the good, the bad, the ugly, and figure out how I could better enable others to not be in a position where they're learning all these things while they're doing an implementation. So we're going to dig into what these lessons learned are, how you can learn from them, and what you should consider as part of your own implementation.

First things first, a little bit about me. My name is Rose. I am a governance, risk and compliance manager for Seiso, and we're based in Pittsburgh. As part of what I do at my company, actually what my company does as a whole, we work with companies that are looking to improve their security posture through various mechanisms. They could be looking to improve cloud security, enterprise security, their governance, risk and compliance programs, and all sorts of things like that. Our company works with small to mid-size companies that are looking to improve those security postures, and they may be looking to do it for a variety of reasons. It may be compliance or regulatory driven, or they've had incidents after which they decided that they're going to try to put better security measures in.

So what I do at Seiso is I'm a governance, risk and compliance manager, and I oversee all of our GRC services, including development of those services and innovating in those services, as well as the execution teams. So I provide all oversight to the GRC functionality at Seiso. I have a master's in cyber security and a bachelor's in advanced networking. I've been in IT for 15 years. I joined the Navy right out of high school at 18 and ended up spending a lot of time in IT, which resulted in spending about a year as a network engineer implementing STIGs on routers and switches. I started really getting a taste of security when I did that role in the Navy, and so when I transitioned out of the Navy I decided to pursue security. The last nine years have been just security focused, and primarily governance, risk and compliance. I have tons of industry experience just based on the different jobs that I've had, being in the military and now being a consultant.

And then also, I always like to call him out because he likes to make himself known in all of my presentations or any virtual meetings I do: I have a co-presenter with me today. His name is Dexter. He may clean himself during this presentation; I promise you guys I will make sure that he keeps it to a minimum. What I also like to do as part of my presentations is what I call show and tell, just so you guys get to know a little bit about me. I'm not talking at you; you're getting to put some of the qualities of me towards what I'm actually talking about. So like I said, I'm in Pittsburgh. I've been in Pittsburgh for a couple of years now, since around 2017. I have two kids, one's eleven and one's nine. My 11-year-old is going into middle school, and it just makes me feel much, much, much older than I actually am. And I'm married. So that's a little bit about me and my little life out here in Pittsburgh.

So let's jump into this presentation. I'm sure you guys love learning all about me, but that's not why you're here today; you're here to learn about my lessons learned, right? Before we can jump into the lessons learned, we are going to do what I call an ultra crash course in ISMS. I want you guys to understand all the different things I'm about to talk about, so we're going to do an ultra crash course, which is a super teeny tiny version of all the things I've been experiencing recently. As an item of note, I recently used these same materials as part of a capstone that I was teaching at Duquesne University here in Pittsburgh. I taught some students how they would go about implementing an ISMS, so some of these materials were pulled directly from that class that I taught. So we're going to talk about what exactly an ISMS is, whether it is even worth implementing, ongoing program maintenance, and an ISO 27001 breakdown. ISO is a big component of what we're going to talk about today, so when I say ISMS, keep ISO 27001 in mind.

Now, what exactly is the ISMS? I've referred to it multiple times now, but what does that mean? It stands for information security management system, and it's essentially a cycle of continuous improvement leveraging the Plan-Do-Check-Act cycle. The graph there on the right, you can leverage that to develop your ISMS, and what it's going to do is take all these processes and this governance and policies and things like that and put them into place with the security controls. The whole idea behind this is not only are you improving via the continuous improvement cycle, but you're hitting that really important aspect that we always hit on in security, the confidentiality, integrity and availability of any of that data or information in your control. So the ISMS is going to take those fundamentals and put them into a standardized way so that you can have that ongoing management of your program.

So, return on investment: is it even worth doing? Absolutely. I think it is 150% worth doing if you do it right. If you don't do it right and you miss the things that you need to do, it may result in rework, extra budget, and things like that. So it's really important to do your due diligence before you even implement, to make sure that you know what you're getting into. But I promise you it's well worth the investment, as long as you make sure you do your due diligence ahead of time to understand what you're doing. So for return on investment: you're going to have better communication, you're going to have better transparency. Your ISMS really is all about the communication, all about making sure the workforce understands, all about making sure management understands, and so naturally you're going to build communication and transparency.

Look at him. Told you, he always pleases himself. Let's see, competitive advantage: whenever you are providing services to another party, obviously you want to have a competitive advantage over other people that may be delivering those same services, so this will give you a leg up on your competition. Additionally, clients are going to start requesting proof that you have security controls in place, so your ISO certification is going to allow you to say, here, third party, we have all the controls in place; you can look at our certification, you can look at our statement of applicability, and you can see all these things. It improves your resilience to cyber attacks. We've seen it over and over again recently; cyber attacks are becoming more known throughout the world, and the media is definitely playing a big part in highlighting these things happening. So this will allow your organization to be better prepared when those things happen. When, not if, because likely a lot of organizations are going to have a breach or are going to experience a cyber attack in some way, and so this allows you to be better prepared. You're going to improve your change management, so no pushes to prod, no changes in the infrastructure, anything like that, without making sure that security was involved in the discussions and that security is good with the change.

This is probably my favorite aspect of return on investment for ISMS: it's building blocks to other frameworks. Short story time. I have two different clients that recently did an ISO implementation. One client actually implemented ISO a couple of years ago, and we've been doing their surveillance audits. They decided to build HITRUST on top of their framework, and so they built all the HITRUST controls, there were about 293, into their framework, and they were able to leverage their ISMS to ensure they have compliance against those controls. Then I had another client that had an aggressive timeline being forced by a client. The client said, hey, you have to get the certification within the timeline that they're saying, and so they did an ISO implementation with SOC 2. So it truly is a building block to other frameworks, to other things that you're trying to achieve. Just keep that in mind as a good return on investment: if your organization has big dreams of wanting to get tons of different frameworks implemented, this is definitely your starting point and will set you up for future success. And then it enforces that continuous improvement lifecycle; we talked about that on the previous slide.

Program management: your ISMS is wonderful at building that organizational culture. My one client that has ISMS and HITRUST, or ISO and HITRUST, their organization is very security focused, and that is because of all the curating of understanding non-conformities, understanding opportunities for improvement, enabling the workforce to know when to come to security and when to report, having risk management meetings, and doing all these things. Not only that, the senior leadership understands this as well. So you'll have really good program management. You'll have auditable artifacts; we'll get into prepping for audit at the tail end of this presentation. And then it requires top management support. You absolutely cannot do this without leadership buy-in, and we're going to touch on that in a little bit. So make sure you have that buy-in, and have it be continuous buy-in; you can't just have it once at implementation, it needs to be there during the ongoing maintenance of this program. And then you're going to need to have an internal audit. You have to have internal audit, just to ensure that your program is operating right.

So let's talk about ISO a little bit now. We talked about what exactly the ISMS is and things like that. ISO 27001 is built off of the information security management system, ISMS, and ISO 27001 is broken into two different areas: you have clauses 4 through 10 and you have Annex A. Clauses 4 through 10 are mandatory; you must do every single thing listed in those clauses, and keep in mind that each of the clauses has sub-bullets and you have to make sure that you're hitting all of them. Now Annex A is a little bit different. Annex A is a catalog of information security controls that are only mandatory as a result of a risk assessment. What I mean is, you did a risk assessment, you have unacceptable risk, you create a risk treatment plan, and that risk treatment plan results in remediation of the unacceptable risk through Annex A. When you look at Annex A there are roughly 114 controls, and you can see on the graph on the right, the bottom graph, it breaks it down into the different areas that encompass those 114 controls. So when you select the controls to remediate your unacceptable risk, those are going to be the mandatory controls that you have to implement. Now, most organizations end up implementing all of Annex A, so that way whenever they do get audited and you have your statement of applicability, you're not going to have any exclusions to your program. But just keep in mind that the only things that are mandatory are the things that result from the risk assessment and clauses 4 through 10. So that's your high-level overview. Like I said, that was going to be a super crash course in ISMS and ISO; it's not meant to give you the full breakdown, it's just meant to level-set you guys and kind of take you along with these other lessons learned that I have here.

So what are the must-do items? What are the things that are expected of you as you go through ISO certification, as you implement an ISMS? The first thing that I want to call out is mandatory documents. While we talk about the ISMS, a large component of it is going to be governance, risk and compliance in some capacity, and the very first item here is definitely hitting on that. But in addition to governance, risk and compliance, keep in mind there's a very technical part of this. If you recall the one graph that I pointed out about Annex A, over half of those controls are IT related, and IT is vague in this sense. So just keep in mind that while GRC will largely govern the program, there's going to be a technical component that will need to contribute to things like the mandatory documents and other things going on. We'll jump into the mandatory documents in more depth here in a second. We'll also talk about the anatomy of a scope statement and what that means. We'll talk about the statement of applicability. We're not going to deal with clauses 4 through 10 because, quite frankly, they're quite extensive; if you are going to go down the path of pursuing ISO 27001, I highly recommend that you become very familiar with the expectations of clauses 4 through 10. They are must-do items. Implementation of Annex A controls based on unacceptable risk, we talked about that on the last slide. And then internal audit. You have to have internal audit, and it has to be done before your audits, your stage one and your stage two. So make sure that you have implemented your program fully and scheduled your internal audit. If you don't have an internal audit function, pick an internal auditor that's reputable, that understands how to audit ISO, and have them come in maybe a month before you decide to do your stage one. This will allow you time to take the findings, get them into a repository, and take additional actions on them.

Mandatory documents, let's talk about those real quick. As you guys can see, that's a really long list, very long. Not all of these things are mandatory, so it's kind of deceiving, but kind of not. The mandatory documents that come from the clauses are mandatory; you have to do those. The items noted as A.7.1.2, A-dot-something, those come from Annex A, and those items are only mandatory as a result of the risk assessment. So, common theme going on here: Annex A items are only applicable as a result of the risk assessment, for remediation of those unacceptable risks. If you end up implementing all of Annex A, then you'll have all of these mandatory documents. And like I said, it's not just going to be governance, risk and compliance. You have to have an inventory of assets, you need to have secure system engineering principles, you need to have incident management, and all of those components stretch across different groups. So it's definitely not only governance, risk and compliance; our group is just largely going to be responsible for ensuring that we hit these things, but not necessarily being the SMEs for this data.

Anatomy of a scope statement. This was also something that I stole from my capstone, but I stole it because I thought it was really good information to give you guys. For your ISO certification you have to identify the scope of your ISMS: what are you protecting, what are you implementing this for? The anatomy of a scope statement is really meant to highlight what exactly you're trying to do, what you're trying to illustrate via your scope statement. "The ISMS which protects the confidentiality, integrity and availability": that's the very first part of your anatomy, the CIA triad. Then you're going to address the business processes, so "information and information processing facilities supporting outpatient services specializing in mental et cetera services," healthcare related. Those are your business processes; that's your second component. Then you're going to state where you are doing these things, and then what the applicable controls are, and in this case you can just point to your statement of applicability. So essentially you have four parts of the anatomy of a scope statement. Additionally, you may have an ISMS scope document that's much larger and a little more detailed than just the scope statement. Your ISO scope document may have who your interested parties are, it may discuss the processes in a little more detail. So just keep that in mind as you build this document. You definitely have to have your scope statement, and it definitely needs to explain what your ISMS is at a high level and what you're trying to achieve with it.

Statement of applicability: highly, highly, highly important document. This document could potentially be client facing if you are allowing your certification to leave your control, maybe because you're trying to prove that you have security controls in place. Your statement of applicability is built in a way that highlights all of the 114 controls from Annex A, and it says: here's the Annex A control, here is the statement of the control, and here's a description. Now you're going to say whether that control is applicable or not, and then you're going to provide a justification, and the justification is going to be the result of a risk assessment, or maybe a legal or regulatory requirement driving you to get that particular control in place. You're going to see the control status, so whether it's fully implemented, partially implemented, et cetera, and then any other comments. While this document, I think, has about four controls on here, it's going to be much longer, it's going to have more detail. And just keep in mind that I do have it shown on here as a spreadsheet. One of the things that I want to call out, maybe as my first lesson learned: it doesn't need to be a spreadsheet, it doesn't need to be a Word document, it can be whatever you want it to be. These processes should highlight the good things that you're already doing and not burden everybody with the new things that you want to do. So if you have a way to track these things in a different way that you want to leverage, absolutely do it. There's no hard and fast requirement stating that you have to do it in a spreadsheet or you have to do it in a Word document. In fact, I have a client who leveraged monday.com, which is a project management tool, to have their statement of applicability, their governance inventory, their access control reviews, and their interested parties all in this tool that they're already using. So keep that in mind as you build this out: it doesn't need to be overly complex, and it can absolutely leverage the things that you have in place to date.

This is one of my favorite sections: don't skimp where it counts. We talked about the mandatory things, and some of these things probably could be considered mandatory; however, I would call these out as places where you don't skimp, or you will definitely regret it. My first words of wisdom here: buy and use the standard. Don't try to use online sources to implement an ISMS. Buy the ISO 27001 standard. Make sure you have it available, because when the external auditors come they are going to want to know that you bought that standard and you implemented everything in accordance with that standard. If you did not buy it, then they're going to question how you went about implementing it, and so you're just going to be in a pickle. Buy and use that standard. It has all the information in it that you need. Obviously you'll want to research and do other things, but it has all the things that you need to do to implement your ISO program successfully. Now, if you want to take it a step further, there is an additional standard that you can buy to support ISO 27001, and that is called ISO 27002. It is a hulked-up version of ISO 27001, for lack of better words. You can use 27002 to better understand the controls in 27001; it is meant to be more informative, to break it down a little bit better for you so you understand what you are doing. Definitely buy ISO 27001; ISO 27002 is optional, if you feel like you need that additional support.

My next item here is communication, exclamation point, exclamation point, exclamation point, all in the cell. It is highly, highly, highly important. We're going to talk about this a little bit more here in a second; I think it's so important that it deserves its own sub-bullet area. Risk assessments: we call it out as something that you need to do for determining your Annex A items, and that probably should be listed as a mandatory activity. Please, please, please do a risk assessment, and do it as well as you can. What I want you to do is know your environment. Don't let anybody tell you, don't let asset owners, system owners, process owners tell you that they don't have risk, that there's no risk associated with their assets or systems or applications, whatever it is, because I'm here to tell you today: everything has risk. So push back when you need to push back. Don't allow them to tell you that there's no risk, because I guarantee you there are risks; it's just a matter of getting it down. And know your environment. Spend the time doing the risk assessment. I promise you it will pay off. You will get to know the environment better, you'll be able to secure it better, and you'll be able to go back to the triad, the confidentiality, integrity and availability. If you know what risks are in your environment, you can anticipate, you can remediate, you can do all these things, but if you don't know your environment you're not going to be able to do that. So make sure you're doing that. And this is another component that is not just GRC; it is highly technical, so keep that in mind. Make sure you pull your tech resources in to be involved in the conversation. If you maybe aren't in a place to have the conversation yourself, pull on your resources.

Budget. For budget, I'm not just talking about your money or your resources; I'm absolutely talking about your capacity, how you'll go about implementation of this program, and then, tying into the bullet that I have lower down, knowing how you're going to manage this program on an ongoing basis. Your ISMS implementation is not a once and done. This is something that's highly important to communicate ahead of time. If people believe it's a once and done, then you have a lot of communication ahead of you, and you need to budget appropriately, which also includes considering how much time you're going to need to spend on governance, how many resource hours you're going to spend on that, figuring out if you need to outsource internal audit, and items like that. So don't skimp here. Make sure you dedicate some time to it, and if you're not the right person, find the right person to help you figure out what your budget should be. Leadership buy-in, this is an important one; we're going to have its own slide for it because this is a foundational item of your ISMS. Same with the corrective action process; we're going to talk about that one in a little more detail here in a couple of slides, so we're just going to skip that one for now.

The next one, I'm going to tell you guys a short story. I have been in two audits where I have witnessed someone getting in trouble for this item, and it is: do not use the ISO logo unless you are authorized. I can't even make this up. I have seen people get in trouble for using that logo during an audit. Do not use the ISO logo; do not use an ISO logo that you have Googled or pulled from a website. Just don't do it. Don't do it internally, don't do it externally, don't use that logo. It is a big no-no; bad juju comes with it. I've seen it two different times. Just don't do it. After you pass your certification, there are approved logos that you can use; make sure you work with your external auditor to have the right logo. If you use the wrong logo, you are at risk of receiving a major non-conformity during your audit. They may pull it, they will do whatever; I've seen it happen twice where they almost lost it. It was very close, y'all. So please make sure you're using the right logos.

Now, your interested parties. Interested parties, it's kind of a vague term, right? Interested parties are your internal parties, so who's invested in your program: it could be the SLT, it could be software engineering, whoever. It's just who internally is invested in your program. Now, on the other side of that, you have internal and now you need external. External may be outside legal counsel, maybe clients, it may be family members associated with your employees, maybe patients, things like that. Those are your external parties. And then, to take it a step further, as part of your interested parties you also want to consider legal, regulatory and contractual obligations, and you want to make sure you're tracking those things, because your auditor is going to want to know that you know what is applicable to your environment, that you are checking those items, and that you have them implemented. Say, for example, the anatomy of a scope statement that is a health care facility: they have the Security Rule and the Privacy Rule applicable to them, and auditors are going to want to understand that you know that that is something you have to adhere to as part of the services you're delivering. So make sure you know your interested parties and have them in some sort of repository.

Maintain your program after implementation. I have personally experienced a case where an ISMS was implemented that I was not present for. Six months later I was brought in to provide ongoing maintenance of their program, meaning I was providing oversight and doing the day-to-day activities, and for six months their program did not operate. Essentially, what happened when I got my hands on the program is that it resulted in months of rework to re-establish their program. So if you're not planning to maintain your program after implementation, this is what I was talking about during return on investment, or is it worth it: you could risk losing a lot of the money and work that you put in by having to do rework because you did not manage it continuously. So keep that in mind; make sure you're planning for it. Understand your ISMS is not just governance, risk and compliance. I've hit on this so many times: please make sure that it is not siloed to GRC. This program is so important that all components of your org should be involved; they should know. I'm going to tell you guys, I spend a lot of time talking with my tech teams that are involved in these projects to get to understand their environment, to make sure that we have everything implemented that's applicable, and things like that. There is a high tech component here, so understand it's not just GRC. We largely govern it, yes, but we are definitely not the implementers of all the things. So just keep that in mind.

And now the last item of don't skimp where it counts: that is an achievable time frame. Work with all the people that need to be involved, understand their capacity, understand what the tech teams can take on, understand what legal and HR can take on, and build a timeline that is actually achievable. If you build an aggressive timeline you could decrease morale, you can set yourself up for unrealistic expectations, you can do all these things. So make it achievable for your org, along with business objectives. I have definitely witnessed times where there were things that needed to happen but the business did not have the capacity to implement, and you don't want to be in that position. So make sure that you're building this timeline. I can tell you that I have personally led a very aggressive timeline: we did the ISO implementation, and by the time we were doing their stage one audit it was six months. It's very doable, it's very miserable, it's not fun, and we knew that going into it. So if you choose to do an aggressive timeline, everybody should be bought in, everybody should understand this is aggressive, you need to be on board for it. So keep that in mind.

All right, communication gets its own area. Not everybody's going to be bought in; we all know this. Know your audience. Speak the language of management, speak the language of the implementers, and speak the language of the workforce: three distinct types of people that you need to talk to, that you need to win over. It's not good enough just to have one of these groups bought in; you need to make sure that everybody gets communicated to and everybody's bought in, because these are the foundational pieces of your program. Your program is not going to be optimal unless these people are bought in and they're doing the things that they need to. So speak all the languages. One thing I like to tap on here, a little nugget that I applied to security awareness, and I got this from a SANS white paper a couple of years ago: their approach to security awareness, which I love, is to take it from a marketing aspect. What are you trying to get people to buy or invest in? Market to them in that way. We want these people to be invested, so what's in it for them, and how can we get them invested in it? If we can get them invested in it, the communication is going to be better; they're going to absorb the things we want them to do better. So keep that in mind: think of it as marketing, know your audience, know how to market to your audience, and you will be highly successful.

Leadership buy-in. Assemble your best infosec team to make sure that you are building a business case and that you are selling to leadership, and this ties into knowing your audience. Grab those return on investment items I had at the beginning of this presentation, build your business case, and make sure leadership is bought in, because I promise you external auditors are going to want to talk to them, and your program needs to operate with leadership buy-in. So be like the Anchorman here: assemble your best infosec team, your best implementation team, and make sure that you're doing all this to get their buy-in.

Now the last area that we're going to dig into a little bit deeper, as far as don't skimp where it counts: corrective action plans. Please use clause 10.1, for non-conformity and corrective action. This clause tells you verbatim what is expected within a corrective action plan. It is very important that you have this process defined and in place before you go through any audit. This is a foundational component of the ISMS, as well as a couple of the other things that I mentioned. The repository, it could be a GRC tool, it could be a spreadsheet, it can be whatever you want; again, going back to that example, I have seen someone use monday.com not just for the statement of applicability and governance inventory, they used it for their corrective action plans too, they used it like a ticketing system. So make sure that you have that in place, and don't forget your root cause analysis. If you do not hit the root cause analysis, the non-conformity is never really going to be resolved in the eyes

of the auditor they're going to want to see that you identified the root cause and as part of your corrective actions you remediated the root cause therefore stopping any other future occurrences of that same non-conformity so just make sure you have that addressed as part of your production plans um i just do a 5y root cause analysis for non-conformities it's simple just y all the way down the thread until you get to the bottom um and relatively simple to implement you just have to make sure that you're hitting all those components okay so that's a lot a lot we've discussed so far we have a couple more areas to go and then we'll wrap this up

Actually, we have one area to go and then we'll wrap this up. So you've done all this work, you listened to all of Rose's lessons learned, and you took those back and you did all the hard work. Don't let your hard work be in vain; make sure that you put a bow on all your hard work. So what I mean by that is create this nice package of things for your auditor, for your program, and take and tie them and make them beautiful, whatever you want to call it, beautiful. Just put a bow on it, make it this nice package, make it something worth presenting. Don't let all that hard work go to waste, so make sure that you've taken time.

So what I mean by here is: have your audit artifacts for your nonconformities, know your risks, have all the components that you needed for your risk assessment, have all these things tied together and know how they work together. So take and tie the things. Build a manual: your ISMS manual is going to be essentially your one stop shop for all of your things. I'm going to show you an example of that in the manual area. Then we have continuous improvement. Don't let your hard work be in vain by not ensuring your continuous improvement is happening. If you implement your ISO 27001 program appropriately, or in accordance with clauses four through ten, you have no choice but to continuously improve, so make sure that you do that and that you are constantly seeking that next maturity level. And then audit prep. So I got you this part, got you the lessons learned, got you all these things that make sure you don't forget, and there's tons more that I didn't include here. Audit prep is super important; don't forget this part.

So, manual. This is your repository of all of your things you did through the year that pulled together your ISMS, and you use your manual to tie in your evidence. Now, a huge disclaimer here: it does not need to be folders like this, I'm just showing you a structure. It can be in any repository that you want. So a common theme here is leverage what you have available to you while not creating unnecessary processes. So leverage whatever repository that you want, just have this stuff together. It's going to make your life so much easier when you're trying to go through audits and things like that.

All right, audit prep. I went through my very first audit, I was so nervous, I didn't know what to expect, and I got out the other side of it and it was like a huge weight was lifted off my shoulder, and I thought to myself, man, what would have made my life easier? You know what would have made my life easier? All these prep things that I'm about to give you guys; I wish I would have known. So first things first, select your auditor. Make sure that you are selecting a reputable auditor, you do some research on it, because this is going to be the team that's auditing you, so make sure you do your due diligence here and figure out who you want to be doing it. Know the technology that's going to be used for the audit. With the pandemic, a lot of things have been virtual or, you know, hybrid, so just make sure that you understand the technology, that you have the kinks worked out in advance. It seems like such a small thing, but the technology really can stress people out the day of the audit, and we want to reduce stress to our counterparts the best that we can when we're going into this audit. So just make sure you understand that.

Create a checklist. So this is probably the thing that I use the most. When I start getting ready for an audit, I understand all the different things that we have to do: what are the mandatory things, what are, you know, the not-mandatory things that are used to support other items. Have your list together, because what you're going to do with that list is you're going to get all of your things together, you're going to assign it to people and do all those activities, but then you're going to have a prep session with your main stakeholders. And what I mean by main stakeholders is people that own processes that are critical to your ISMS, so maybe your CISO, or maybe your GRC lead, or the person that runs vulnerability, any of those types of people that you consider the main stakeholder. And what you're going to do, you're going to sit down and go through that checklist that you just spent months getting together, taking and tying and doing all that work, and as a group you're going to review all the evidence and get everybody on the same page, because what you don't want to happen is you go into your audit, everybody's on different pages, you don't know what's going on. So make sure you have that prep session. I generally do it for eight hours. I promise you people are not miserable: I keep the time up, we build in breaks, but everybody gets on the same page. And we do it about three weeks ahead of the audit, and it allows us time to go back and, like, "hey, that's a gap, you have a misspelling, you have this." It's like a mini QA session, so keep that in mind.

Now, taking it a step further, prep the auditees. So anybody that is on the hook to get interviewed, please make sure that you sit down with these people. You tell them what to expect, what to not say, what to say, how much is too much, wordings and things like that, and give them the confidence that they need to go into these audits. I promise you, you will be very happy that you did that, because not only are you going to reduce their stress and their anxiety, they're going to be more willing to do it in the future, and your audits are generally going to go better. So make sure that you talk with them and you get them ready for their audit. And then the last piece of advice I have here is set up a private chat during your audit and leverage it to have offline communications regarding things that need to be displayed to the auditor, or things that you need to tell the auditor, or things that you don't want to tell the auditor. This allows you to have private dialogue going on during your audit, so that not everything's happening in a black hole. So just some tips there, and that's audit prep.

So that's it, that is my crash course and all the things that I learned. I definitely think I'm missing some things here, because it's a very large program to implement; there's a lot of ins and outs to it. So I have my wrap-up here, because there's just so much to cover and I didn't have it all in here. If you have any questions about what I covered today, or things that you want to pick my brain on, or you just want to get advice, please feel free to reach out to me. You can reach me on Twitter, email, or LinkedIn. Or if you are interested in hearing what Seiso could do for you as a company, please feel free to reach out; we can work remotely, we can work with all sorts of clients, so feel free to reach out if you need assistance in that area, or just reach out if you'd like to chat. I did include a bunch of references in this presentation. The very first reference is actually the ISO 27001 handbook that I used to teach my capstone a few weeks ago; the rest of them are just a lot of different online sources that I've used in the past couple of years that I thought were very interesting, that I thought you guys would benefit from. So that is it, that is my presentation. I want to thank all of you guys for coming today, and I truly hope that you guys learned something and that you'll be able to take these things back and apply it in your environment. So with that, have a great day.

In pursuit of their mission, the CompTIA student chapter at UTSA aims

to transition all members from college students to qualified entry-level cybersecurity professionals through providing a cybersmart community, hosting professional guest speaker events, facilitating collegiate cybersecurity competitions, company spotlight events, and providing support for acquiring professional cybersecurity certifications prior to graduating. The chapter serves as a growing community resource for over 300 active student members, alumni, and professionals, and has just been awarded the 2021 Most Outstanding New Student Organization at UTSA by the University Life Awards. We continue to extend all of our support to new talent breaking into cybersecurity. Are you interested? The chapter is always looking for ways you can gain support to be able to expand this amazing community. If you would like to help, we are always open to discussing possibilities for future events, and we are looking for enthusiastic speakers and companies who would like to connect with UTSA cyber students. We are also open to collaborating with others to put on competitions such as capture the flag or other engaging events to help bring our chapter members resourceful opportunities to develop. If any of this grabbed your attention, feel free to reach out to one of our members in this event's official Discord server under our channel, the CompTIA student chapter at UTSA, for any questions you may have. We're looking forward to hearing from you and possibly working with you. Thank you for listening, and we hope you enjoy the event.
