Peer-Driven Insights

Security Frameworks (NIST, CIS, CSF)

Active Ambassadors in This Topic

Sven Vermeulen

Sven Vermeulen

KBC Group

Finance (non-banking), 10k+

BE
Chris Oehlerking

Chris Oehlerking

Honeywell

Manufacturing, 1k - 5k

United States
Faheem Siddiqui

Faheem Siddiqui

MAF

Banking, 10k+

AE
View All Community Ambassadors

Community Posts

What is the top data governance issue?

Limited resources13%

Siloed data40%

Lack of leadership21%

Poor data quality & context18%

Lack of data control5%

Other (please explain in the comments)

View Results

What is the most important role of corporate culture in addressing the psychological impact of digital security?

Corporate culture has no influence on digital security.15%

Prioritizing digital security above other aspects in corporate culture.51%

Creating a work environment that supports mental well-being.18%

All of the above.14%

Your own perspective (Comment).1%

View Results

What frameworks are you using for AI risk management?

We have a new GRC tool and we're selecting frameworks like NYDFS, SOC2, NIST CSF, COSO, etc.   We have financial, IT, and operational controls. What frameworks are other companies implementing with their GRC tools to map operational controls?

Our organization is embarking on ISO certification for security and privacy in the cloud. We are looking for best practices to implement ISO whilst being mindful of the rigor needed to manage with multiple standards. From our initial review we were informed of BSI's PAS 99 and wanted to understand: 1. Pros and Cons 2. Adoption i.e. has it been widely adopted across business landscape, specifically in the insurance sector embarking on ISO certifications? 3. Are there alternatives or best practice recommendations when embarking on cloud ISO security and privacy certifications? Also, we understood that the current certification I.e. ISO/IEC 27017:2015 looks to be replaced by ISO/IEC DIS 27017 - Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for cloud services. Do you recommend waiting for the revision in its current stage or progress with the incumbent certification and have a subsequent review once the new version is published?

Is the NIST indicator of one company comparable to the NIST indicator of another company in a different industry?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

Read More Comments

We are in the process of building a secure network reference architecture for member firms as guidance. Are there any good examples I can use?

Read More Comments

Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?

Read More Comments

How do you implement cryptography for top secret information exchange foreseeing a post quantum scenario soon and what types of algorithms do you use? What about network security, are VPN keys are more secure?

Read More Comments

If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Read More Comments

If you’ve used the NIST incident response plan as a template, what elements required the most customization to suit your org?

What platform are you using for GRC?

Drata5%

Vanta20%

Secureframe17%

KnowBe415%

Ostendio8%

AuditBoard4%

Something else -- I'll tell you in the comments6%

We’re not using a GRC platform22%

View Results

NIST cybersecurity framework 2.0 was just released – what do you think of the update so far?

Read More Comments

We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Read More Comments

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms.  Is this something many companies do?

Read More Comments