Tags
Blog Post
Created by
Marc Leprince
Created time
Aug 9, 2023 3:24 PM
Last edited time
Aug 13, 2023 7:29 PM
Hello Everyone!
This will be the first of many posts where I take a handful of articles/media I have read/consumed and write brief summaries of them, with links where available. Follow along in these summaries as I continue the CI/CD pipeline of my own growth!
July’s summaries were on risk & compliance:
- Risk & Controls Webinar (no link)
  - Learned about a risk & control framework that performs annual, quarterly and regular monitoring of controls and risks
  - They define risks and controls for each activity, and then a monitoring methodology for each
  - They review the inherent risks (the full downside problems that can arise as part of doing business) as a way to identify/prioritize which risks to focus on
  - These are evaluated against controls & their effectiveness to calculate residual risk (the downside problems that remain now that controls have been implemented)
  - These are organized into hierarchical groupings for aggregation, so management can identify business parallels or orgs with more/less risk and focus their attention appropriately
- Automating GRC - a white paper from a GRC software vendor
  - Proposes reasons to change:
    - GRC (especially as it relates to cyber security) needs to move from a manual (often reactive) stance to an automated one that can identify, detect & respond to risks.
    - Periodic box checking is not good enough; you need a comprehensive plan with continuous monitoring that is aligned to business objectives
      - Appears to hint that these controls are aligned with the business and NOT contrary to business objectives, as it can often feel like they are
  - They view risk as a continuum, and compliance as a binary result
  - Neat feature: evidence collection templates - a predefined framework for how to gather and hold evidence artifacts. These can be scrubbed programmatically and evaluated against existing controls.