From YouTube: Handling Security Audits
Description
Devin Harris, Senior Security Analyst with the Field Security Team, shares information about how to handle security audits and introduces some new improvements to the process.
A: What's up, party people, thank you for joining us for another exciting installment of the CES skills exchange. We have the honor today to have Devin Harris with us, and a supporting cast is Todd Swinehart, so they are here to talk to us about security audits and how to handle them. They've got some really exciting updates. I've got the agenda in the chat, so please ask your questions. This is a friendly audience. I think they've got some really great updates. So Devin, the floor is yours.

B: All right, cool, let me go ahead and share my screen right now. First off, I see a bunch of familiar faces in the chat. A couple people I haven't worked with yet, but this has been an area that has been very painful for us in transition and scaling, as many of you know, so we decided we wanted to come and, you know, talk to you and try to figure out how we can be better partners.

B: So, first off, this is our team. We have three of us. Rob is our manager; he's also in charge of three other teams, so he's not really our manager, but he provides some management functions, and then it's Todd and I. I'm in the Central time zone, Todd's over in the Eastern time zone, and we just created a new Slack channel. You can see that here on the slide. It's sec field security, and that's public. It's a place you can come and engage us anytime you need anything, and oftentimes it's a quick way to just reach out to us. So, like, there have been times that things have been assigned to our board that we weren't notified of, and just a quick reach out to say, like, hey, this has been here for a couple days, can really make a big difference there. All right, cool, so we're going to talk about productivity and workflow.

B: Most of you know this and not much has changed, but the first thing you want to do is refer customers to public statements on security via the Security Trust Center, and Compliance put together a really great security compliance controls page. In fact, I think I forgot to load the security compliance controls page. Oh, all right, so the Trust Center. Most of you are already familiar with it; it's just high level.

B: So, for instance, one that I know that we're not doing good on is inventory management. We're looking at "mature" here, and it will straight up say right here we are not currently tracking; backend inventories are not maintained, so I mean we're pretty bare. And on the table at the bottom you'll see we have framework mappings to all the different frameworks that they've mapped the control statement to, so that's extremely helpful in helping customers self-serve. See, so we're coming up with some industry accepted questionnaires; more about that in the near future, like in future slides.

B: You guys always take a first pass on it. Then you look at the SA triage board, and this is an area where we've had some sticking: until it's tagged "security ready for review", we don't get a notification on it, so make sure that you're tagging it "security ready for review" once you've done your first pass and it's ready for us to look at it. We try to turn these around in ten days.

B: I know that has not been the experience that some of you have had, and we are really trying to kill down our backlog right now, but we have such a huge backlog, and your team has been so great at working with us getting through that. If there was not a first pass done, we'll return the questionnaire to you and unlabel it "security ready for review". Went the wrong way here. All right, so demand has been so great. You guys are killing it with sales.

B: Right now, and in recent conversations, we decided there's gonna be a floor of $20,000 on any questionnaires that we're going to touch as Field Security. If you have something on the board already, that doesn't apply, but moving forward, if it's less than $20,000, Field Security's not gonna answer the questionnaire, but we are going to provide some self-service options.

B: There have been changes to the SA template to reflect that, and here, so on the SA template, now everything requires having a completion date. If you don't put in a completion date, it should default to January of 2021, which I don't think anybody's trying to have their questionnaire done that late. And then there is a tier level. Where is the tier level?

B: For summary, oh, here we go, the tiers. So if you look here, the tiers are based off of ACV. So if it's under five hundred thousand dollars, it's not a Tier 1. If it's between 100 and 500 thousand dollars, it's a Tier 2, and then if it's between 20 and 100 thousand dollars it's a Tier 3, and competing issues will be based off of tiers.

B: All right, so this is what I mentioned a couple slides ago that I said is coming, so we're working on a security deflection package. It's something we're really excited about. Once we get it out, I think it'll help a ton. When I was at Duo before this we had one; we've talked to several people in the industry, and this is what they're doing to scale their programs. These are some things that will be in the package, so our SOC 2 Type 1 letter of attestation should help a lot.

B: That way, we don't have to necessarily point people to links in the handbook for those customers that want a point-in-time snapshot, with an updated network flow and data flow diagram for GitLab.com. We're already providing the penetration test report and remediation status, but all that's going to be rolled into a single package, and you can track the status of that here in this tracking issue that's linked.

B: So, you know, you can see the SIG is on hold right now until we have that license. See, keep going the wrong way here. All right, once we roll this out, it's pretty important that we understand how effective this is, and, you know, we'd like your help with that, to understand who's taking it and saying, like, hey, this is great, I don't need anything else. I think the majority will be customers that take it and say, like, hey, can you answer these extra couple questions, or can you provide clarification, which would be great. And then, of course, we're gonna have some customers who probably say no, you've got to do it our way, because this is the way we do it, and, you know, we'd like to measure what that's looking like right now.

B: We understand that our results are less than optimal as a team, and we are truly sorry that we're kind of letting you guys down, but we're working very hard to scale. The deflection pack is gonna help with that a lot. You guys have been fantastic, fantastic partners. You know, the SAs that I've worked with have been very positive.

B: You know, we're trying to get out of your way as much as possible. We want to not be a friction point in your sales cycle, so we're a team of two, and this is where first passes are really important. The better the first pass comes in, the quicker we can turn it around. So some of our early metrics are showing that without a first pass, or where the first pass has to be redone, we're taking about two and a half minutes a question.

B: Please, I ask you: don't put us in direct contact with customers, especially for first meetings. We're happy to meet with them and we're happy to talk to customers. It's something we love doing, but we don't understand the account background of customers and the individual dynamics there, and the last thing we want to do is tank a relationship that the sales team has worked really hard to build. Follow-up questionnaires we treat as new questionnaires. So the other day we got a questionnaire, and I'm like, Friday, that was a hundred and ten new questions that the customer wanted Monday, and that just can't happen. And, you know, we would love to be able to scale to that, but right now that's not possible for us to do. So, first passes: we're trying to help here a lot with good resources. I know that the resources stink. Historically we've had this completed questionnaires folder, which I hate using; it is not much fun. Some of these are really dated.

B: So, like, you know, you can select this folder and search for specific items, but it's terrible. So we're doing a beta program in the interim to try to help with this. We started a Q&A pair board where everything is a question in the title, and then the issue goes over the answer, and everything's tagged either verified or unverified. Unverified doesn't mean it's not good to send. It just means there's not a definitive link to it or a definitive source. So we've got our answers here.

B: One day, hopefully soon, we'll have a full featured knowledge management RFP system and not something homegrown, like an RFPIO, RFP360, Loopio. Some of those systems are pretty advanced, where you, like, load a spreadsheet in, it'll auto-populate it and say, like, hey, we weren't able to find answers for these four things, and it can be super helpful, but they're very costly and obviously it's onboarding a new vendor. So, you know, we wanted to put a stopgap in place for the time being.

B: Oh, that is actually a really fantastic idea. We will definitely take that on board because there are some differences. Thank you. Thank you, Tim. All right, so there's multiple teams that go into a lot of these questionnaires. There's one team that you have to engage with outside of us, and that's Legal. Legal has their very own way that they want customer questions answered, and I've linked it here. If I've worked with you recently on a ticket, I've tried to pull out, like, hey, these are the ones that have to go to Legal early.

B: So that way, it's not like our review is done, now you got to go to Legal, but there's a customer related contracts and questions, and it's in Salesforce, and we can't even get to that area in Salesforce; like, we're gated access there, but that's how Legal wants to answer questions for their metrics. And then a lot of times...

B: I'm sure that many of you have had the experience where, like, Cindy Blake has to come on to talk about Secure, or, you know, just the other day I had to bring an application security engineer on to talk about something very deep in the weeds on application security. Security will engage those teams and get the answers, and that's a lot of what we're doing; we're building relationships to try to minimize those single point of failure areas, but, you know, a lot of times...

B: Basically just come in and put who's requesting it, date and time. The medium is, you know, you can leave that blank if you're actually submitting the issue, but it's for us, like, if we're saying, like, hey, we were asked in Slack. Two business days would be super helpful, so that way we can prep for it and make sure we're not messed up. Once again, any topics that you can get ahead of time will be super helpful. So, like, I've seen vague statements like "customer wants to talk about securing GitLab.com."

B: So yeah, once again, if the account executive or the Solutions Architect aren't able to be on the call, or both, please, for a first call, don't put us on a call by ourselves. For follow-up conversations that's fine, but we really don't want to tank that relationship and do damage to the sales cycle here.

B: No, I'm talking about me too. I would actually probably be a little bit freaked out if I had to be on a call by myself with a customer for the first time and didn't know anything about them. I mean, I've made the mistake once or twice about filling out, like, for .com when it's really a self-managed product, and that is painful.

B: But we hear you, things are painful. We're working super hard to scale, and we're not purposefully letting your tasks drop. We're working very hard, but we need your help, and we're in this together. Those of you who are doing really great first passes, please keep that up. It makes a huge difference for us. We're open to feedback and suggestions. We've got the new Slack channel opened up. You guys have been great partners, and the last thing that I'm gonna leave you with: I pinned this as the discussion topic in our Slack channel.

B: Actually, now that I say that, I don't know if I have yet, but I will, as a handout for Field Security. We'll keep this up to date, just like on the job. If you want something quick to reference: who we are, how to reach us, a link to the security questionnaire process. That doesn't mean you can't come in and ask questions about things that are under 20 grand if you're engaging in a questionnaire. That's just, we're not going to take a pass on that questionnaire.

B: Customer call issue request template, scaling, and then links to two of the big projects that we're working on, and Tim, I've got your feedback there on creating a .com and a self-managed; I think I might implement those as labels. But if you have specific feedback on that, it'd be cool to be able to talk on your specific pod.