My thoughts, observations, and readings on different facets of GRC.
Even if you’re remotely associated with the Cloud, I am sure you must have heard about the Availability and Scalability of the instances. Even though this is one of the fundamentals of the Cloud, I have seen many people using both the services interchangeable. Please be mindful – they are NOT the same. Here is…
In the wake of the financial crisis, the IIA came up with a model for better Risk Management and called it the ‘3 Lines of Defense’ model. This model allows regulators to better assess the risks in the financial industry. Though the model was mainly written for financial services, it is widely accepted in the…
I recently met with a group who wanted to get started in the IT Audit. The members of the group had some experience in the IT Audit, I realized a common theme in their misunderstanding of ISO 27001 and SOX 404 as they used both the terms interchangeably. In this post, I will distinguish the…
Article 32: Security of processing The controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk by: a) Pseudonymisation and encryption of personal data b) ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services c) restoring the availability and access to personal data…
Article 25 – Data protection by design and by default A controller must: implement technical and organizational measures to protect the rights of the data subject, protect personal data at the time of implementation and design, protect personal data throughout its lifecycle, control access to that personal data. Article 47 – Binding corporate rules Any…
General Data Protection Regulation (GDPR) has come into effect on May 25, 2018. It will apply to all companies with operations in the EU region and to companies based anywhere in the world but stores and processes EU citizen data (even if the processing is done outside the EU). The failure to comply with the…
How does the cloud affect an organization’s Disaster Recovery (DR) and Business Continuity Plan (BCP)? I recently worked on a SaaS platform and there was a lot of discussion around the fact that since the product is entirely developed in the cloud, we need not have to worry about the BC or DR plans. This…
Contrary to the 9 principles of ITIL V3, ITIL V4 has only 7 principles. Following is the gist of the 7 principles of ITIL V4: Focus on value Everything we do must add value from the stakeholders’ perspective [or remove everything that doesn’t add value]. Collaborate and promote visibility Work together across boundaries for more…
As we discussed in an earlier post, the primary requirement for a SOC 2 audit is when a company provides services to a third party. As per the AICPA, the SOC 2 consists of the following Trust Services Principles (TSPs): Security (also known as Common Criteria) Availability Processing Integrity Confidentiality Privacy The scope for each…
According to an IDG report, 73% of all the companies use Cloud to run at least a portion of their application, and of the rest, 17% plan to move to the cloud in some form or the other in the next 12 months. But why there’s such a surge to move in the cloud? From…