Creating a RACI matrix (Responsible, Accountable, Consulted, Informed) for NIST 800-171 controls can help clarify roles and responsibilities when implementing these security requirements for the protection of Controlled Unclassified Information (CUI). Below is a high-level overview of how you can assign RACI roles to some of the control families outlined in NIST 800-171. This is …
What is compliant is not secure, for the simple reason that what is marked as compliant as of today actually represents past activities and does not necessarily mean that the same set of practices is being performed as of today.
We all talk about enhancements in cyber security and the various new tools and technologies to protect the environment. All tools and technologies provide us with features; however, there are some basics that apply to them as well. But how frequently do we work on the basics of security and hygiene in the environment? Let’s discuss a few …
Many times we encounter situations where certain Information Security Policy requirements and considerations are not in line with global security best practices, and are in fact not in line with the global standards in that area. But the major mistake that we make at such a point is to take into …
PCI-DSS and the requirement for risk assessment have a very close relationship. In effect, PCI-DSS specifies the requirement for an annual risk assessment in control 12.2, and also mentions the requirement in the guidance for requirement 10.6.2 and in the testing procedures for requirement 11.5. PCI-DSS requirement 12.2 establishes the requirement for implementing a risk assessment …
After my previous post, I received a mail from one of my friends about SSAE 16 / ISAE 3402. I provided a reply to the friend and then thought, why not share the explanation with the wider audience for the good. Maybe if somewhere I made a mistake, I would also get to …
Pretty recently I indulged in a discussion around the need for certification versus the need for assurance. It was a pretty interesting discussion that led me to evaluate the conceptions and misconceptions that prevail in the industry. I thought, why not share it with the rest of the folks who would like to participate in …
When I wrote the previous post – BYOD Program & Controls Requirement – I received a comment on WFH, but I am certainly not covering that in this article, as that is a separate topic of discussion. What is more interesting is the point that broke out as a discussion with a colleague over a cup of coffee. The discussion …
BYOD, or Bring Your Own Device, is the way organizations are planning to go. The talk is abuzz in the corporate world, as it would help organizations reduce their IT budget and increase operational efficiency. In my view it is not that bad an idea, but it would require looking a bit deeper at the …
Organizations have done a lot to secure their infrastructure, put compliance efforts in place and get going with the emerging requirements that are pressing them hard to move toward excellence on the security front. But how much security is secure enough? It should not be the case that security, which is supposed to be the …