Hi Team,

This is my first blog in the GRC community, hence I wanted to start by introducing myself.

My name is Harinder Sandal, and I am an IT Advisory consultant focusing on technologies like Cloud, Enterprise Security, IT Infrastructure and Migrations/Integrations (Data Center - On-Premises/Cloud).

Security/Technology (Infrastructure, Application & Operations) Risk Management is one of the skills I practice in the Enterprise. As we have a great audience in this community with diverse areas of focus, I thought to grab viewpoints from different experts on the following:

1. If talking about IT Risk assessment (Infrastructure, applications, operations), what Risk Management framework would you like to pick to identify inherent risk? Normally, I would customize frameworks based on the organization. The frameworks which I use are COSO, COBIT, ITIL, FAIR, OCTAVE, TARA (recently added), NIST RMF, Basel. For Cloud, CSA CCM is my pick. What are your thoughts?

2. What safeguards (or controls) do you go with? Normally I pick SANS Top 20, CIS, NIST and customize likewise.

3. How do you manage residual risk?

4. Do you use a 3-layer defense approach?

5. We have some great GRC tools like Bitglass, Archer, MetricStream etc. Which GRC tools do you like? Do you like to go with a hybrid approach - Manual/Automatic?

6. What is your take on cloud risk assessment with the same set of questions mentioned above?

7. What criteria would you use to evaluate GRC tool vendors?

8. How do you map the framework with Risk, Controls and Compliance?

Always good to know from the experts!

Best Regards,

Comment by Matthew R Hollenbeck on July 23, 2018 at 6:16pm

Great discussion Harinder!

As a service provider, we help customers address these questions all the time.

Here's our take on question #1 - we can provide clients PCI (card industry), FFIEC or NIST-level assessments.

Our solution manages the client's regulatory needs and answers the questions in your post (#2 thru #8 above).

Comment by Harinder Pal Singh Sandal on July 14, 2018 at 4:17am

Thanks, Barrie, for your thoughts. You answered from a more Strategic point of view. But in order to achieve your Strategic initiative, you have to go with a "tactical goal". My question was more towards the tactical end!!! I have designed and run both Strategic initiatives, and achieved them tactically. As we have a great audience here, I just wanted to understand their tactical methodology on the questions I put forward.

Comment by Barrie on June 28, 2018 at 1:33am

Great topic. In my view the actual framework used does not matter so long as it is a workable product for the environment. The actual risks that I see all the time are:

1- no existing workflows or process maps to understand the existing environment; cannot correctly define the problems that need to be addressed

2- lack of due diligence to establish the "as is state"; cannot define the processes that don't work or are redundant

3- too eager to build without establishing the "future state"; no understanding of the business rules, performance, usability.

In a snapshot, the lack of planning and the overuse of Agile only inflames the risk profile. Without the basics being in place, no risk management framework, register, or treatment plans will resolve the inherent failure points that ICT projects are renowned for.

© 2020 Created by Boris Agranovich.