Having worked in the healthcare industry for almost a year now, I feel compelled to simplify the requirements of HIPAA compliance. I hope this and the upcoming articles in the series will help you to better understand these requirements. The purpose of this series is to give an introduction to the HIPAA (Health Insurance Portability…
Author: Shobhit Mehta
All AWS Concepts and Services for AWS Cloud Practitioner Exam (Simplified)
Cloud Computing – storing your data at someone else’s computer / using someone else’s CPU to perform processing / both
Infrastructure as a Service (IaaS) – Hardware, bare-metal
Platform as a Service (PaaS) – Infrastructure + Operating System
Software as a Service (SaaS) – Infrastructure + Operating System + Software
Scalability – Easily grow based on demand
Elasticity – Easily shrink…
How I passed CGEIT in the first attempt and you can too!
ISACA’s CGEIT certification is aimed at IT professionals responsible for directing, managing, and supporting the governance of IT. I passed ISACA’s CGEIT exam on Apr 26, 2020. Here’s a brief of my preparation strategy and the resources I used. Strategy: Like previous ISACA and (ISC)2 certifications, I started with the CGEIT Review Manual from ISACA…
Microsegmentation & Machine Learning
What is Microsegmentation? The idea behind Microsegmentation is to split a single corporate network into many smaller application/workflow networks that are separated by a firewall to achieve better speed and security. Having a dedicated microsegment also helps reduce the attack surface on a network and makes the trust regions smaller. Though…
Vulnerability Management, Vulnerability Management v/s Penetration Testing, Vulnerability Management Lifecycle
Vulnerability Management (VM) is one of the most important exercises for keeping a system secure. In this post, I will sum up the different phases of Vulnerability Management. But before that, I would like to clarify the distinction between Vulnerability Management and Penetration Testing (PT).
Difference between VM and PT
VM is the practice of…
Difference between Accreditation and Certification
Many people use ‘Accreditation’ and ‘Certification’ interchangeably, but they are not the same. Certification is a technical review that assesses the security mechanisms and evaluates their effectiveness. Accreditation is management’s official acceptance of the findings of the certification process. For example, suppose a company is planning to undergo an ISO 27001 certification. The company…
[Before] Third-Party Risk Management
I was going through ISO 27001 and COBIT to understand the Third-Party (or vendor) Risk Management process in detail. And though both frameworks provide enough guidance on ensuring proper due diligence on the vendors, I could not find any material on what happens before the vendors are onboarded – how does the Information…
What, when, how – Scalability v/s Elasticity v/s Availability
Even if you’re remotely associated with the Cloud, I am sure you must have heard about the Availability and Scalability of instances. Even though this is one of the fundamentals of the Cloud, I have seen many people use both terms interchangeably. Please be mindful – they are NOT the same. Here is…
3 Lines of Defense for Cyber Security professionals
In the wake of the financial crisis, the IIA came up with a model for better Risk Management and called it the ‘3 Lines of Defense’ model. This model allows regulators to better assess the risks in the financial industry. Though the model was mainly written for financial services, it is widely accepted in the…
What, why, when – ISO 27001 vs SOX 404
I recently met with a group who wanted to get started in IT Audit. Although the members of the group had some experience in IT Audit, I noticed a common theme in their misunderstanding of ISO 27001 and SOX 404: they used the two terms interchangeably. In this post, I will distinguish the…