Hi Team,
This is my first blog in the GRC community, hence I wanted to start by introducing myself.
My name is Harinder Sandal, and I am an IT advisory consultant focusing on technologies like Cloud, Enterprise Security, IT Infrastructure and Migrations/Integrations (Data Center - On-Premises/Cloud).
Security/Technology (Infrastructure, Application & Operations) Risk Management is one of the skills I practice in the enterprise. As we have a great audience in this community with diverse areas of focus, I thought I would gather viewpoints from different experts on the following:
1. If talking about IT risk assessment (infrastructure, applications, operations), what risk management framework would you pick to identify inherent risk? Normally, I would customize based on the organization. The frameworks I use are COSO, COBIT, ITIL, FAIR, OCTAVE, TARA (recently added), NIST RMF and BASEL. For Cloud, CSA CCM is my pick. What are your thoughts?
2. What safeguards (or controls) do you go with? Normally I pick the SANS Top 20, CIS and NIST and customize them likewise.
3. How do you manage residual risk?
4. Do you use a 3-layer defense approach?
5. We have some great GRC tools like Bitglass, Archer, MetricStream, etc. Which GRC tools do you like? Do you prefer a hybrid approach (manual/automatic)?
6. What criteria would you use to evaluate GRC tool vendors?
7. What is your take on cloud risk assessment with the same set of questions mentioned above?
8. How do you map the framework to Risk, Controls and Compliance?
Always good to hear from the experts!
Best Regards,
Harinder
Comments
Great discussion Harinder!
As a service provider, we help customers address these questions all the time.
Here’s our take on question #1: we can provide clients with PCI (card industry), FFIEC or NIST-level assessments.
https://ncontracts.com/solutions/ncyber/
Our solution manages the client's regulatory needs and answers the questions in your post (#2 thru #8 above).
Thanks, Barrie, for your thoughts. You answered from a more strategic point of view. But in order to achieve your strategic initiative, you have to go with a "tactical goal". My question was more towards the tactical end!!! I have designed and run both strategic initiatives, and achieved them tactically. As we have a great audience here, I just wanted to understand their tactical methodology on the questions I put forward.
Great topic. In my view the actual framework used does not matter so long as it is a workable product for the environment. The actual risks that I see all the time are:
1- No existing workflows or process maps to understand the existing environment; the problems that need to be addressed cannot be correctly defined.
2- Lack of due diligence to establish the "as-is state"; the processes that don't work or are redundant cannot be defined.
3- Too eager to build without establishing the "future state"; no understanding of the business rules, performance, usability.
In a snapshot, the lack of planning and the overuse of Agile only inflame the risk profile. Without the basics being in place, no risk management framework, register or treatment plan will resolve the inherent failure points that ICT projects are renowned for.