It is important to understand the capabilities and policies of your supporting vendors. Emergency communication paths should be established and tested with all vendors. Categorizing, or ranking, a vendor/supplier on some sort of scale is critical when managing the relationship with that vendor/supplier appropriately. Strategic suppliers are deemed to be mission critical and cannot be…
Risk Treatment: 4 Responses & Common Criteria
Before ISO/IEC 27005:2018: Information technology — Security techniques — Information security risk management, the typical four responses to risk or risk treatment were avoid, mitigate, transfer, and accept. ISO/IEC 27005:2018 rebrands the definitions in risk treatment to modification, retention, avoidance, and sharing. Modification: Course of action that implements controls that are technical, environmental, or cultural…
Risk Assessment: Key Metrics
Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. Metrics for Risk Management: Quantitative assessments typically employ a set of methods, principles, or rules for assessing risk based on…
NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations
NIST SP 800-37 is subtitled, “A System Lifecycle Approach for Security and Privacy.” There are seven steps in the Risk Management Framework (RMF), a preparatory step to ensure that organizations are ready to execute the process and six main steps. All seven steps are essential for the successful execution of the RMF. The steps are:…
NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
This Framework was released April 16, 2018 and focuses on using business drivers to guide cybersecurity activities and consider cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: Framework Core: A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The…
North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)
NERC/CIP is committed to protecting the bulk power system against cybersecurity compromises that could lead to maloperation or instability. On November 22, 2013, Federal Energy Regulatory Commission (FERC) approved Version 5 of the critical infrastructure protection cybersecurity standards (CIP Version 5), which represent significant progress in mitigating cyber risks to the bulk power system. The…
Audit: Internal Information Security Management System
Previous article in series – Audit: Types of Audit Reports. ISO/IEC 27001:2013 Domains: Upon passing the audit process, an organization can have its information security management system (ISMS) certified by ISO/IEC 27001:2013. An ISMS will typically ensure that a structured, measured, and ongoing view of security is taken across an organization, allowing security impacts and…
Audit: Types of Audit Reports
Previous article in series – Audit: Assurance Challenges of Virtualization and Cloud. The Service Organization Control audits framework is designed for consumers to have confidence in the provider they’ve selected and for the provider to give assurance of the design and effectiveness of controls. Consumers are provided a means to assess and address risk with…
Audit: Assurance Challenges of Virtualization and Cloud
Previous article in series – Audit: Planning. Traditional methods of assurance of services and controls management in an on-premises data center or even with colocation services are no longer sufficient given the complexity of virtualization and cloud services. To gain greater assurance of expected services, we can review information available from publicly accessible registries. Cloud…
Audit: Planning
Previous article in series – Audit: Internal and External Audit Controls. In line with financial, compliance, regulatory, and other risk-related audits, the requirement for scoping and ensuring the appropriate focus and emphasis on components most relevant to cloud computing (and associated outsourcing) should include the following phases: Define Audit Objectives: The high-level objectives should…