How do you deal with multiple security audits all requiring different security credentialing?

Security & GRCGovernance, Risk & Compliance
3.1k viewscircle icon1 Upvotecircle icon2 Comments
Sort by:
Senior Security and Compliance Auditor in Software6 years ago

If you are asking how to efficiently manage overlapping audits for say GDPR, PCI, HIPAA etc then mapping is the key.  I go with a baseline of ISO27001 (I'm up to 118 infosec policies) and then map all applicable frameworks and regulations.  So when The HIPAA auditor asks for password policy you grab policy 9.3.1.  When you need the PW policy for PCI its also 9.3.1.  Ideally you enforce the strictest rule but if not practical the details of the policy will break it out in more detail (8 character 3 of 4 for email....MFA added for Finance...yubikey added for Prod...)   If you have a requirement that doesn't quite fit then you make a new policy.  This makes it very easy to absorb frameworks with decreasing effort.....If your question is more about the different rules for different applications the same example applies.  You start with your minimum standard and then make it tighter.  If making it tighter (48 character PW with yubikey and secret handshake) is too cumbersome, then you document and apply the supersized PW requirements to only those areas/tools/people/facilities that require it to meet you contractual and regulatory obligations.  

Lightbulb on1
Director of Information Security Operations in Consumer Goods6 years ago

Prepare general statement

Lightbulb on1

Content you might like

In your opinion, which function SHOULD own AI governance at your org?

IT19%

Data and analytics23%

Infosec9%

Privacy5%

GRC10%

Cross-functional working group/center of excellence33%

Something else (explain in a comment)1%

View Results

Have you read the White House’s "Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence"?

https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/

Yes, I’ve read the whole thing7%

Yes, but I haven’t finished reading it53%

I’ve skimmed it22%

No, but I’ve read news coverage about it13%

Haven’t had the chance yet2%

View Results

I am looking for insights on establishing an Architecture Review Board (ARB) within our organization. As we aim to enhance our architectural governance and ensure alignment with our strategic objectives, we recognize the importance of setting up an effective ARB. To this end, I would greatly appreciate your guidance on the following aspects:       1. Establishing a Charter: What key elements should be included in the ARB        charter to clearly define its purpose, scope, and authority?       2. Member Selection: What criteria should we consider when selecting members for the ARB to ensure a diverse and knowledgeable board?       3. Review Process: Could you share best practices for structuring the review process to ensure thorough and consistent evaluations of architectural proposals?       4. Decision-Making: What are effective methods for making decisions within the ARB, and how can we ensure transparency and accountability?       5. Documentation and Communication: What templates or tools would you recommend for documenting reviews and communicating decisions to stakeholders?      6. Measuring Success: How can we establish criteria for measuring the success and impact of the ARB on our architectural practices? Your expertise and experience in this area would be invaluable to us as we embark on this initiative. Any additional insights or resources you could provide would be greatly appreciated. 

Read More Comments

Has anyone gone through the UK's Cybersecurity Essentials Plus certification and if so, would you be willing to share with me your experience and what was involved? I just want to make sure I understand what is involved and what is in scope.

Procurement of bitcoin in ransomware situation.  What are folks doing to prepare for the need of a large purchase of bitcoin in the need to pay ransomware. Yes ideally we would take the "we'll never pay approach" however, I think it's important to be realistic and in certain circumstances you may need to cross that line. 
Are you tied into a retainer of some sort with an exchange or Bitcoin holding firm?

Read More Comments