This Framework was released April 16, 2018 and focuses on using business drivers to guide cybersecurity activities and consider cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: Framework Core A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The…
ISO 31000:2018 Risk Framework
Risk frameworks are useful for organizations that require a clear roadmap for managing risk in their environments. What an organization determines is acceptable risk, its risk profile or appetite, is related to internal mission commitments and external drivers such as laws, regulations, and consumer expectations. This section will consider frameworks that can serve as tools…
Data Privacy: Regulatory Transparency Requirements
Previous article in series – Data Privacy: Difference Between Data Owner/Controller and Data Custodian/Processor There are various regulatory requirements regarding data transparency and requirements that stem from data breaches. The definition of what entails a breach is as varied as the regulations and includes but is not limited to impermissible use, disclosure, probability of compromise,…
Data Privacy: Difference Between Data Owner/Controller and Data Custodian/Processor
Previous article in series – Data Privacy: Maturity Model By far the most comprehensive data protection framework that currently affects 28 nations directly and all interconnected (business trade) nations secondarily is the injunctions of the GDPR. These materials draw upon the definitions used by the European Commission to distinguish the roles related to data privacy…
North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP)
NERC/CIP is committed to protecting the bulk power system against cybersecurity compromises that could lead to maloperation or instability. On November 22, 2013, Federal Energy Regulatory Commission (FERC) approved Version 5 of the critical infrastructure protection cybersecurity standards (CIP Version 5), which represent significant progress in mitigating cyber risks to the bulk power system. The…
Audit: Internal Information Security Management System
Previous article n series – Audit: Types of Audit Reports ISO/IEC 27001:2013 Domains Upon passing the audit process, an organization can have its information security management system (ISMS) certified by ISO/IEC 27001:2013. An ISMS will typically ensure that a structured, measured, and ongoing view of security is taken across an organization, allowing security impacts and…
Audit: Types of Audit Reports
Previous article in series – Audit: Assurance Challenges of Virtualization and Cloud The Service Organization Control audits framework is designed for consumers to have confidence in the provider they’ve selected and for the provider to give assurance of the design and effectiveness of controls. Consumers are provided a means to assess and address risk with…
Oracle Cloud Announcement June 2021
Are you an Oracle customer? If yes, it’s time to cash in with this awesome program Oracle just launched. For every dollar you spend on OCI, you get a discount of 25 cents on your Oracle Support bill! And the cherry on the top? Oracle will lift your workloads to OCI for free! Oh wait,…
Audit: Assurance Challenges of Virtualization and Cloud
Previous article in series – Audit: Planning Traditional methods of assurance of services and controls management in an on-premises data center or even with colocation services are no longer sufficient given the complexity of virtualization and cloud services. To gain greater assurance of expected services, we can review information available from publicly accessible registries. Cloud…
Audit: Planning
Previous article in series – Audit: Internal and External Audit Controls In line with financial, compliance, regulatory, and other risk-related audits, the requirement for scoping and ensuring the appropriate focus and emphasis on components most relevant to cloud computing (and associated outsourcing) should include the following phases: Define Audit Objectives The high-level objectives should…