[Before] Third-Party Risk Management

I was going through ISO 27001 and COBIT to understand the Third-Party (or vendor) Risk Management process in detail. Though both frameworks provide enough guidance on ensuring proper due diligence on vendors, I could not find any material on what happens before the vendors are onboarded – how does the Information…

What, when, how – Scalability vs Elasticity vs Availability

Even if you’re only remotely associated with the Cloud, I am sure you have heard about the Availability and Scalability of instances. Even though this is one of the fundamentals of the Cloud, I have seen many people using the two interchangeably. Please be mindful – they are NOT the same. Here is…

3 Lines of Defense for Cyber Security professionals

In the wake of the financial crisis, the IIA came up with a model for better Risk Management and called it the ‘3 Lines of Defense’ model. This model allows regulators to better assess the risks in the financial industry. Though the model was written mainly for financial services, it is widely accepted in the…

What, why, when – ISO 27001 vs SOX 404

I recently met with a group who wanted to get started in IT Audit. Although the members of the group had some experience in IT Audit, I noticed a common theme in their misunderstanding of ISO 27001 and SOX 404: they used the two terms interchangeably. In this post, I will distinguish the…

GDPR Articles Simplified – Part 2 – ‘Notification and communication’

Article 32: Security of processing. The controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk by: a) pseudonymisation and encryption of personal data; b) ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services; c) restoring the availability and access to personal data…

GDPR Articles Simplified – Part 1 – ‘Data protection by design and by default’

Article 25 – Data protection by design and by default. A controller must: implement technical and organizational measures to protect the rights of the data subject; protect personal data at the time of implementation and design; protect personal data throughout its lifecycle; and control access to that personal data. Article 47 – Binding corporate rules. Any…

GDPR, GDPR compliance and 11 steps for a successful project plan

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It applies to all companies with operations in the EU region and to companies based anywhere in the world that store and process EU citizen data (even if the processing is done outside the EU). Failure to comply with the…

Cloud Security, Backup & Resilience

How does the cloud affect an organization’s Disaster Recovery (DR) and Business Continuity Plan (BCP)? I recently worked on a SaaS platform, and there was a lot of discussion around the idea that, since the product is entirely developed in the cloud, we need not worry about BC or DR plans. This…

Guiding Principles of ITIL V4 (Simplified)

In contrast to the 9 principles of ITIL V3, ITIL V4 has only 7 principles. Following is the gist of the 7 principles of ITIL V4: Focus on value: everything we do must add value from the stakeholders’ perspective [or remove everything that doesn’t add value]. Collaborate and promote visibility: work together across boundaries for more…

12 must-have policies and procedures for ISO 27001 & SOC 2 audit

As we discussed in an earlier post, the primary trigger for a SOC 2 audit is a company providing services to a third party. As per the AICPA, SOC 2 consists of the following Trust Services Principles (TSPs): Security (also known as Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. The scope for each…