This is my first blog in GRC, hence I wanted to start by introducing myself.
My name is Harinder Sandal, and I am an IT advisory consultant focusing on technologies like Cloud, Enterprise Security, IT Infrastructure and Migrations/Integrations (Data Center - On-Premises/Cloud).
Security/Technology (Infrastructure, Application & Operations) Risk Management is one of the skills I practice in the enterprise. As we have a great audience in this community with diverse areas of focus, I thought to gather viewpoints from different experts on the following:
1. If talking about IT risk assessment (infrastructure, applications, operations), what Risk Management framework would you pick to identify inherent risk? Normally, I would customize frameworks based on the organization. The frameworks I use are COSO, COBIT, ITIL, FAIR, OCTAVE, TARA (recently added), NIST RMF and Basel. For cloud, CSA CCM is my pick. What are your thoughts?
2. What safeguards (or controls) do you go with? Normally I pick SANS Top 20, CIS and NIST and customize them likewise.
3. How do you manage residual risk?
4. Do you use a 3-layer defense approach?
5. We have some great GRC tools like Bitglass, Archer, MetricStream etc. Which GRC tools do you like? Do you like to go with a hybrid approach - manual/automatic?
6. What criteria would you use to evaluate GRC tool vendors?
7. What is your take on cloud risk assessment with the same set of questions mentioned above?
8. How do you map the framework with Risk, Controls and Compliance?
Always good to know from the experts!