From the course: Leveraging AI for Security Testing

What is a security controls assessment?

- [Instructor] The goal of a security controls assessment is to identify the security controls that you already have in place and to identify the potential gaps you may have in those controls. But how do you determine which controls are right for your organization? Personally, I'm a huge fan of security control frameworks. These frameworks include categories and collections of specific security controls that are recommended by the governing bodies who wrote the frameworks in the first place. The NIST Cybersecurity Framework and the ISO/IEC 27000 series are two of the most popular frameworks in the industry today. When conducting a security controls assessment, you pick a framework and document whether or not each control is in place. If you want to take it one step further, you can also document a control score that speaks to the perceived effectiveness of each control. I say perceived effectiveness because security control assessments are often conducted through interviews with technical staff and analysis of reports and config files from in-scope systems and applications. The report that results from your security controls assessment will include a prioritized list of control gaps, which draws a clear picture of where your security program doesn't meet the expectations outlined in those security control frameworks. If you do a little online research around information security frameworks, you'll quickly learn that there are entirely too many of them. People who've worked with these frameworks over the years have realized that at the end of the day, most of these frameworks are essentially just saying the same things in different ways. While ChatGPT won't divulge which frameworks it was trained on, Bard will provide a bullet-point list of frameworks that were included in its training data set. So let's see how we can leverage generative AI tools to help us with a security controls assessment.
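The assessment workflow described above (record whether each framework control is in place, score its perceived effectiveness, then produce a prioritized gap list) is easy to get wrong when it lives in an unstructured spreadsheet, so here is an added Python example, written for this page and not taken from the course, that models one assessment record per control and derives the prioritized gap report from it. The control identifiers, names, scores and criticality weights are constructed placeholders; the framework grouping uses the NIST CSF function names as labels, but nothing here is copied from a framework document, and the `criticality` weighting is an assumed assessor input rather than something either framework prescribes.

```python
"""Prioritized control-gap report for a security controls assessment.

Added example, not course material. Each ControlFinding is the assessor's
record for one framework control: is it in place, how effective does it
appear to be (perceived effectiveness, since evidence comes from interviews
and config review), and how critical is the control to the organization.
The report ranks gaps so the largest, most important shortfalls come first.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_SCORE = 3  # perceived-effectiveness scale: 0 (absent) .. 3 (fully effective)


@dataclass(frozen=True)
class ControlFinding:
    control_id: str    # placeholder identifier, not a real framework control ID
    name: str
    function: str      # framework grouping (NIST CSF function names used as labels)
    in_place: bool
    score: int         # perceived effectiveness, 0..MAX_SCORE
    criticality: int   # assessor's weighting, 1 (low) .. 3 (high); an assumption

    def __post_init__(self) -> None:
        # Reject inconsistent records early: a missing control cannot be "effective".
        if not 0 <= self.score <= MAX_SCORE:
            raise ValueError(f"{self.control_id}: score must be 0..{MAX_SCORE}")
        if not 1 <= self.criticality <= 3:
            raise ValueError(f"{self.control_id}: criticality must be 1..3")
        if not self.in_place and self.score != 0:
            raise ValueError(f"{self.control_id}: a control not in place must score 0")


def gap_priority(finding: ControlFinding) -> int:
    """Shortfall from full effectiveness, weighted by criticality. 0 means no gap."""
    return finding.criticality * (MAX_SCORE - finding.score)


def prioritised_gaps(findings: List[ControlFinding]) -> List[ControlFinding]:
    """Controls with a non-zero gap, highest priority first.

    Ties are broken so that controls that are entirely absent outrank weak
    ones, then by control ID for a stable, reviewable ordering.
    """
    gaps = [f for f in findings if gap_priority(f) > 0]
    return sorted(gaps, key=lambda f: (-gap_priority(f), f.in_place, f.control_id))


def coverage_by_function(findings: List[ControlFinding]) -> Dict[str, Tuple[int, int]]:
    """Per framework function: (controls in place, controls assessed)."""
    coverage: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        in_place, total = coverage.get(f.function, (0, 0))
        coverage[f.function] = (in_place + int(f.in_place), total + 1)
    return coverage


def render_report(findings: List[ControlFinding]) -> str:
    """Plain-text report: coverage summary followed by the prioritized gap list."""
    lines = ["Coverage by function (in place / assessed):"]
    for function, (in_place, total) in sorted(coverage_by_function(findings).items()):
        lines.append(f"  {function:<10} {in_place}/{total}")
    lines.append("")
    lines.append("Prioritized control gaps:")
    for f in prioritised_gaps(findings):
        status = "MISSING" if not f.in_place else f"weak (score {f.score}/{MAX_SCORE})"
        lines.append(f"  [priority {gap_priority(f)}] {f.control_id} {f.name}: {status}")
    return "\n".join(lines)


# Constructed sample assessment; IDs and values are illustrative only.
SAMPLE_FINDINGS = [
    ControlFinding("CTRL-01", "Asset inventory maintained", "Identify", True, 2, 3),
    ControlFinding("CTRL-02", "MFA enforced for remote access", "Protect", False, 0, 3),
    ControlFinding("CTRL-03", "Centralized log collection", "Detect", True, 1, 2),
    ControlFinding("CTRL-04", "Incident response plan tested annually", "Respond", True, 3, 2),
    ControlFinding("CTRL-05", "Backups restore-tested", "Recover", False, 0, 2),
    ControlFinding("CTRL-06", "Security awareness training delivered", "Protect", True, 3, 1),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

The validation in `__post_init__` is the part worth keeping when adapting this: assessments assembled from interview notes routinely contain records that claim a control is absent yet scored, and catching that at data-entry time is cheaper than explaining it in the final report. Because the priority is derived rather than typed in, two assessors working from the same evidence produce the same ranking.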