Year in review – 2023

I remember watching a TED talk long back. I don’t remember much of it, but I do remember a sentence from the talk – “The days you remember are the days you live”. Following are the few days that I’ll remember and cherish from 2023. 👉 Got promoted to Security & Compliance Director, Mar ’23 👉…

Book Notes – Built to Last, Jim Collins

After Good to Great, I had high expectations of this book, but it fell short. The research is good, but for some reason it seemed outdated, e.g. it compares the greatest companies of our generation but has no reference to Google / Apple / Microsoft, which seemed odd – no fault of the book though…

All AWS Concepts and Services for AWS Cloud Practitioner Exam (Simplified)

Cloud Computing – storing your data on someone else’s computer / using someone else’s CPU to perform processing / both
Infrastructure as a Service (IaaS) – Hardware, bare-metal
Platform as a Service (PaaS) – Infrastructure + Operating System
Software as a Service (SaaS) – Infrastructure + Operating System + Software
Scalability – Easily grow based on demand
Elasticity – Easily shrink…

How I passed CGEIT in the first attempt and you can too!

ISACA’s CGEIT certification is aimed at IT professionals responsible for directing, managing, and supporting the governance of IT. I passed ISACA’s CGEIT exam on Apr 26, 2020. Here’s a brief overview of my preparation strategy and the resources I used. Strategy: Like previous ISACA and (ISC)2 certifications, I started with the CGEIT Review Manual from ISACA…

Vulnerability Management, Vulnerability Management v/s Penetration Testing, Vulnerability Management Lifecycle

Vulnerability Management (VM) is one of the most important exercises for keeping a system secure. In this post, I will sum up the different phases of Vulnerability Management. But before that, I would like to clarify the distinction between Vulnerability Management and Penetration Testing (PT).
Difference between VM and PT
VM is the practice of…

Difference between Accreditation and Certification

Many people use ‘Accreditation’ and ‘Certification’ interchangeably, but they are not the same. Certification is a technical review that assesses the security mechanisms and evaluates their effectiveness. Accreditation is management’s official acceptance of the findings of the certification process. For example, if a company is planning to undergo ISO 27001 certification, the company…

What, when, how – Scalability v/s Elasticity v/s Availability

Even if you’re only remotely associated with the Cloud, I am sure you must have heard about the Availability and Scalability of instances. Even though this is one of the fundamentals of the Cloud, I have seen many people using the two terms interchangeably. Please be mindful – they are NOT the same. Here is…

3 Lines of Defense for Cyber Security professionals

In the wake of the financial crisis, the IIA came up with a model for better Risk Management and called it the ‘3 Lines of Defense’ model. This model allows regulators to better assess the risks in the financial industry. Though the model was mainly written for financial services, it is widely accepted in the…

GDPR, GDPR compliance and 11 steps for a successful project plan

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It applies to all companies with operations in the EU region and to companies based anywhere in the world that store and process EU citizens’ data (even if the processing is done outside the EU). Failure to comply with the…