Article 32: Security of processing. The controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk by: a) pseudonymisation and encryption of personal data; b) ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services; c) restoring the availability and access to personal data…
Author: Shobhit Mehta
GDPR Articles Simplified – Part 1 – ‘Data protection by design and by default’
Article 25 – Data protection by design and by default. A controller must: implement technical and organizational measures to protect the rights of the data subject; protect personal data at the time of implementation and design; protect personal data throughout its lifecycle; control access to that personal data. Article 47 – Binding corporate rules. Any…
GDPR, GDPR compliance and 11 steps for a successful project plan
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It applies to all companies with operations in the EU and to companies based anywhere in the world that store and process EU citizens’ data (even if the processing is done outside the EU). The failure to comply with the…
Cloud Security, Backup & Resilience
How does the cloud affect an organization’s Disaster Recovery (DR) and Business Continuity Plan (BCP)? I recently worked on a SaaS platform, and there was a lot of discussion around the fact that, since the product is entirely developed in the cloud, we need not worry about BC or DR plans. This…
Guiding Principles of ITIL V4 (Simplified)
Contrary to the 9 principles of ITIL V3, ITIL V4 has only 7 principles. Following is the gist of the 7 principles of ITIL V4: Focus on value: everything we do must add value from the stakeholders’ perspective [or remove everything that doesn’t add value]. Collaborate and promote visibility: work together across boundaries for more…
12 must-have policies and procedures for ISO 27001 & SOC 2 audit
As we discussed in an earlier post, the primary requirement for a SOC 2 audit arises when a company provides services to a third party. As per the AICPA, SOC 2 consists of the following Trust Services Principles (TSPs): Security (also known as Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. The scope for each…
The 48 assessment questions to ask before Cloud Migration
According to an IDG report, 73% of all companies use the cloud to run at least a portion of their applications, and of the rest, 17% plan to move to the cloud in some form or other in the next 12 months. But why is there such a surge to move to the cloud? From…
A layman’s guide to ISO 27001 vs SOC 1 vs SOC 2 vs SOC 3 compliance
If you have been following my previous posts (link 1, link 2), you must be aware that I have been reading and posting a lot of thoughts on different ISO frameworks. But reading about these frameworks reminds me of a quote by Socrates – The more I know, the more I realize I know nothing…
The Fallacy of ‘Zero-Trust’ model. Is that even a thing?
In 2010, John Kindervag of Forrester Research introduced a new concept, the ‘Zero Trust’ model. In the traditional information security model, there are essentially 2 zones – the trusted zone, regarded as ‘secure’, and the untrusted zone, regarded as ‘insecure’. The zero trust model essentially says not to trust anyone on the network –…
Difference between Backup and Archive
Backup and Archive are commonly used interchangeably and are considered the same, but that’s far from the case. The terms are entirely different and are best illustrated by the following definitions: A data backup is a copy of a data set currently in use that is made for the purpose of recovering from the loss…