Author: vCSO
-
Defining Third-parties or Vendors from an IT GRC perspective
The focus is on a risk-based approach to managing third-party vendors in IT governance, risk, and compliance. Rather than trying to cover every vendor, a vendor portfolio holding the essential information about each vendor is recommended. Keeping that information current and applying litmus tests to identify critical vendors is crucial, especially for vendors that handle proprietary information.
-
Establishing a Third-party or Vendor Management program
The approach to integrating cyber security into the procurement process varies based on organization size and complexity. Companies with business experience typically have a Procurement and Contract Management (ProCam) program in place. Cyber security should assess vendor risk and advise on legal contracts. Stakeholders must be identified and a roadmap devised for future vendor management…
-
The role of Cyber security within Vendor Management
Cyber security has a key role in the Vendor management process.
-
Creation of IT Asset Portfolio
An organization’s choice between using a spreadsheet, a purpose-built CMDB, or another GRC tool depends on present and future needs, asset information volume, and user/stakeholder access. A spreadsheet may suffice for initial asset management, but a purpose-built GRC tool is essential for long-term governance, offering robust information capture, user access control, and workflow automation.
-
Criticality of an IT Asset Portfolio
An IT Asset portfolio is crucial for IT governance, providing a clear understanding of an organization’s assets. Key information includes business owner, technology owner, location, platform, and business impact assessment results. Regular review and metadata inclusion enhance reliability. Commercial CMDB software caters to this, but it can be created with minimal resources if budget is…
-
Handling Policy exceptions
Instances of policy non-compliance can be categorized as policy exceptions only when approved by the policy or control owner. These exceptions are temporary and must prompt a search for alternative ways to achieve compliance. Non-compliance that has not been reviewed and approved should be treated as an issue. Exceptions should be rare and justified, to avoid them becoming chronic organizational problems.
-
What are Policy exceptions?
The objective of the Information Security policy is to articulate the Organization’s aspirations and goals at a strategic level. Under each policy, a set of controls may outline the means to achieve these objectives. A recommended approach in publishing the Information Security policy is to ensure that every user within the Organization acknowledges, reads, understands,…
-
Third-Party ChatGPT Plugins could lead to Account Takeovers
Cybersecurity researchers discovered vulnerabilities in third-party plugins for OpenAI ChatGPT, posing a threat of unauthorized access to sensitive data. The flaws enable attackers to install malicious plugins and hijack accounts. OpenAI has taken action by discontinuing new plugin installations. New tactics may lead to AI being exploited by malicious actors for data theft, putting unaware…
-
Components of Cyber security Policy
A cybersecurity policy is crucial for protecting an organization’s information systems and data from cyberattacks. It helps in risk management, compliance with regulations, protecting assets, incident response, employee awareness, vendor management, and continuous improvement. Such a policy is essential for maintaining security posture and minimizing the impact of security breaches.
-
COBIT 2019 for beginners
This content advocates for the use of frameworks in cybersecurity implementation and governance, particularly focusing on the COBIT 2019 Framework. It highlights the intricate nature of COBIT, the importance of executive sponsorship and continuous support, the need for simplification for beginners, and how COBIT aligns with industry standards like ISO 27001, ITIL, and NIST SP…