Blog, GRC, In the News

Risk Based Compliance Management

  1. By seconize

Risk Based Compliance Management

Compliance means conforming to a rule, such as a specification, policy, standard or law. Some compliances are generic in nature catering to all kinds of organizations and sizes, example ISO 27001:2013, NIST-CSF whereas few are more industry specific like PCI-DSS which caters to the payment gateway providers. Adhering to a Compliance ensures best practices are adopted. 

Organizations adopt compliances to improve their information security practices or as it is mandated by regulations or both. In many cases, organizations adopt more than one compliance depending upon nature of business and geography. 

Process

Typically, the process of adhering to a compliance includes the following steps.

  • Identifying the scope
  • Gap assessment
  • Implementation
  • Readiness review
  • Internal Audit
  • External Audit followed by certification*.
  • Subsequent Yearly Audits.

*Certification is not mandatory for certain compliances.

The compliance efforts are usually done manually, led by qualified subject matter experts (either internal audit teams or external consultants). Depending on the size of the company and their current cybersecurity practices, the whole process may take up to several months to a year. Compliance is an ongoing process, even post certification, one must follow the standard and needs to be audited on a regular basis.

Each compliance has well defined set of information security controls broadly categorized into three aspects

  • People related controls cater to onboarding, training, and empowering human resources in an organization while carrying out their roles and responsibilities.
  • Process related controls cater to establishing, adopting, and implementing a well-defined standard operating procedure while conducting business activities.
  • Technology related controls cater to identifying relevant technical tools (both purchased or built in house) and operating, maintaining them with relevant secure configurations and measures in order to deliver business value to the stake holders.

Crux of any compliance is to adopt tried and tested controls to ensure a good cyber hygiene. And to do this optimally, by following a risk-based approach.

Compliance management should not be just gap assessment against the controls.

Compliance Management

An ideal compliance management would involve

  • Continuous Risk assessment across all the assets and processes that are in scope.
  • Prioritize mitigations based on the risk identified
  • Identify the gaps against the standard
  • Apply the controls advocated by the standard where applicable

Iterate over the above process. By doing so, you are de-risking the organization and at the same time achieving compliance.

Once compliance/certification is achieved, it is important to continue the practices established and be compliant all the time.

For regulations like GDPR, there is no certification, but the organization needs to self-regulate and be able to demonstrate their preparedness at any given time.

Seconize – DeRisk Center

Seconize DeRisk Center is a Risk and Compliance Management product which automates the Risk Assessment across assets and applications in the cloud and on-premise.

Given a specific standard and scope

  • It identifies all the risks across assets and applications – continuously
  • Automatically maps the issues identified to the technology controls in the standard
    • Extensible connector framework for additional mappings with existing IT Systems
  • Simplified workflows to enter the status of people and process related controls
  • Overall audit report
  • Assign tasks and track the progress

Seconize Generic Compliance Framework (GCF)

Typically, organizations comply to more than one regulation or standard. Auditing each one, is resource intensive and not very productive.

Seconize Generic Compliance Framework maps one standard to another.  Once a standard like ISO 27001:2013 is audited the controls can be mapped to another standard like PCI-DSS.  Saving enormous amount of time and effort.

Seconize DeRisk Center supports the following regulations/compliances/standards.

  • ISO27001_2013
  • MAS_2013
  • GDPR
  • CIS_CSC_7_1
  • COBIT_5
  • PCI_DSS_3_2_1
  • OWASP_ASVS_4_0_1
  • NIST_CSF_1_1
  • NIST_SP_800_53_Rev_4
  • OWASP_TOP_TEN_2017
  • RBI_BANKING_2016
  • IRDAI
  • CISCO_PSB_1_0
  • CIS_AWS_1_3_0
  • CIS_Azure_1_1_0
  • CIS_GCP_1_0_0
  • CCM_3_0_1
  • SOC_2
  • OWASP_MOBILE_2016

Related

23 Oct

The Securities and Exchange Board of India
Understanding SEBI’s Guidelines on Outsourci

11 Jul

RBI Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices
RBI Master Direction on Information Technology Gov

25 May

How to Design a Vulnerability Management Program?

31 Mar

Seconize featured in the news as one of the key st

15 Jun

Seconize DeRisk Centre – Part 2

22 Jul

Reduce your cyber risk exposure from months -> min

15 Jan

Seconize position validated again as being in the

07 Oct

Risk Based Vulnerability Management (RBVM)

05 Jul

Whitepaper – Seconize Risk Intelligence
Secure Migration of Java Applications

15 Jan

Seconize position validated yet again! Top 5 Cybe

Categories

GRC

RBVM

In the News

Meetings

Recent Posts

Understanding Information Security Management Systems ISMS

Understanding ISMS: Information Security Management Systems

IRDAI Cyber Security Guidelines

Navigating IRDAI Cyber Security Guidelines: A Guide for Insurers and Intermediaries

Cyber GRC Automation Paradox

The Cyber GRC Automation Paradox and the Audit Manager: A Modern-Day Kalidasa’s T

The Securities and Exchange Board of India

Understanding SEBI’s Guidelines on Outsourcing for Intermediaries

Third-Party Risk Management

Third-Party Risk Management: A Key Pillar for de-risking your business

Schedule a Demo​
Book a session with one of our senior Customer Success Specialists.​
GET IN TOUCH

About Us

Company

Career

Our Team

Partner

Contact

Use Cases

Risk-Based Vulnerability Management

Compliance Management

Vendor Risk Management

Application Security Testing​

Linkedin Facebook-f Twitter Youtube Rss
Ofofo Cyber Security Marketplace

Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.