GRC

IoTSi public library


Cyber Security Governance Principles

“Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed.” — Hon Clare O’Neil MP Minister for Home Affairs and Minister for Cyber Security


Securing Cloud Computing Through IT Governance

This paper presents a study on implementing information technology (IT) governance policies and processes to cloud computing information security. IT governance is defined as a set of mechanisms designed to encourage behaviors that are consistent with the mission, strategy, and culture of the organization.

Learning from Cyber Incidents - Adapting Aviation Safety Models to Cybersecurity

Report on the Interdisciplinary Workshop on the Development of a National Capacity for the Investigation of Cyber Incidents. Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute.

IT RISK FRAMEWORK

This document forms part of ISACA’s Risk IT initiative, which is dedicated to helping enterprises manage IT-related risk. The collective experience of a global team of practitioners and experts, and existing and emerging practices and methodologies for effective IT risk management, have been consulted in the development of the Risk IT framework. Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that conform to these principles.

The Continuous Audit Metrics Catalog

With DevOps and fast-paced technological evolutions, many cloud customers think that a third-party audit conducted once a year is no longer sufficient; they want their cloud service providers (CSPs) to offer continuous assurance of ongoing effectiveness regarding security processes and practices.

INDUSTRIAL CYBER RISK MANAGEMENT

Critical infrastructure owners and operators have managed industrial risk for hundreds of years. This risk is usually measured in impact to health, safety, and reliability. As these industrial systems become increasingly digitized, so does the risk. What were once seen as isolated, manual processes have become reliant on communication networks and digital devices. As a result, a new category of industrial risk was created: industrial cyber risk.

Financial Cybersecurity Risk Management

A major deterrent to achieving a strong cybersecurity posture in the financial services industry is the inability to understand and manage the risk to critical systems and sensitive information. IT security leaders in financial services are keenly aware that recent well-publicized mega breaches and new cybersecurity regulations such as the New York State Department of Financial Services 23 NYCRR 500 are creating a sense of urgency among CEOs and boards of directors to address the threats facing their organizations.

Enterprise Cyber Risk Management

Cyber risk represents an ever-growing threat to public and private institutions alike due to its potentially disastrous effects on organizational information systems, reputational risk, and potential loss of consumer and stakeholder confidence. With the advent of the internet and the corresponding proliferation of information technology, firms, non-profits, and governmental entities were generally unprepared for identifying and addressing this risk, but the threat has increased in both frequency and severity over time, and the nature of attacks has also changed.

Step-by-step guidance on how to establish, implement and operate a cybersecurity management system (ISMS)

It is generally not recommended to start developing an IT security management system (ISMS) without first having an understanding of how to establish and implement the ISMS. This document, the step-by-step guide, is intended to (1) mitigate the risks of establishing a flawed system, and (2) describe the steps to establish and implement an ISMS that, if required, would be in full compliance with ISO/IEC 27001:2013 (which the current ISO/IEC 27003:2010 guidance does not provide).