Risk frameworks are useful for organizations that require a clear roadmap for managing risk in their environments. What an organization determines is acceptable risk, its risk profile or appetite, is related to internal mission commitments and external drivers such as laws, regulations, and consumer expectations. This section will consider frameworks that can serve as tools…
Category: compliance
Data Privacy: Regulatory Transparency Requirements
Previous article in series – Data Privacy: Difference Between Data Owner/Controller and Data Custodian/Processor There are various regulatory requirements regarding data transparency and requirements that stem from data breaches. The definition of what entails a breach is as varied as the regulations and includes but is not limited to impermissible use, disclosure, probability of compromise,…
Data Privacy: Difference Between Data Owner/Controller and Data Custodian/Processor
Previous article in series – Data Privacy: Maturity Model By far the most comprehensive data protection framework that currently affects 28 nations directly and all interconnected (business trade) nations secondarily is the injunctions of the GDPR. These materials draw upon the definitions used by the European Commission to distinguish the roles related to data privacy…
North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)
NERC/CIP is committed to protecting the bulk power system against cybersecurity compromises that could lead to maloperation or instability. On November 22, 2013, Federal Energy Regulatory Commission (FERC) approved Version 5 of the critical infrastructure protection cybersecurity standards (CIP Version 5), which represent significant progress in mitigating cyber risks to the bulk power system. The…
Audit: Internal Information Security Management System
Previous article in series – Audit: Types of Audit Reports ISO/IEC 27001:2013 Domains Upon passing the audit process, an organization can have its information security management system (ISMS) certified to ISO/IEC 27001:2013. An ISMS will typically ensure that a structured, measured, and ongoing view of security is taken across an organization, allowing security impacts and…
Audit: Types of Audit Reports
Previous article in series – Audit: Assurance Challenges of Virtualization and Cloud The Service Organization Control audits framework is designed for consumers to have confidence in the provider they’ve selected and for the provider to give assurance of the design and effectiveness of controls. Consumers are provided a means to assess and address risk with…
Audit: Assurance Challenges of Virtualization and Cloud
Previous article in series – Audit: Planning Traditional methods of assurance of services and controls management in an on-premises data center or even with colocation services are no longer sufficient given the complexity of virtualization and cloud services. To gain greater assurance of expected services, we can review information available from publicly accessible registries. Cloud…
Audit: Planning
Previous article in series – Audit: Internal and External Audit Controls In line with financial, compliance, regulatory, and other risk-related audits, the requirement for scoping and ensuring the appropriate focus and emphasis on components most relevant to cloud computing (and associated outsourcing) should include the following phases: Define Audit Objectives The high-level objectives should…
Audit: Internal and External Audit Controls
As organizations begin to transition services to the cloud, there is a need for ongoing assurances from both cloud customers and cloud service providers that controls are put in place and are operating as intended. An organization’s internal audit can provide visibility into: The cloud program’s effectiveness Assurance to the board and risk management team…
Data Privacy: Maturity Model
Previous article in series – Data Privacy: Standard Requirements Maturity models are a recognized means by which organizations can measure their progress against established benchmarks. As such, they recognize that: Becoming compliant is a journey and progress along the way strengthens the organization, whether the organization has achieved all of the requirements or not In…