Cyber Security Audits and Risk Management 20160119
Restricting, Authenticating, Tracking User Access?
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
This paper is your guide to more efficient and effective audits and risk assessments. Consistency in managing your cyber security controls not only reduces the time required to prepare for audits and risk assessments, it also makes any organization more secure, especially in the event of a security breach.
Any regulatory agency that governs an organization provides it with guidance and a checklist of expectations for audits and risk management. HIPAA, for example, has the Audit Protocol; GLBA uses the FFIEC IT Examination Handbook; PCI provides the Report on Compliance template; and many of the regulations and standards use the NIST Cyber Security Framework. All of these are very similar in terms of what they expect you to have in place to demonstrate that your practices match what you have documented.
VIMRO helps clients prepare for these audits, and also conducts audits and assessments for HIPAA, GLBA, PCI (VIMRO is a PCI-QSA), and others. Based on the items commonly requested under these regulations, we include below two lists describing what we request for cybersecurity documentation and controls evidence.
One of the biggest challenges for our clients is gathering and maintaining both cybersecurity documentation and controls evidence. This is why a Governance, Risk, and Compliance (GRC) application is a must-have control in which successful organizations invest, and why the GRC is item #1 on List B.
“A guide to efficient and effective audits and risk assessments.”
Cyber Security Audits and Risk Management
Two interdependent lists everyone should have!
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
The table below explains how a GRC solution addresses some of the challenges.
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Authored by VIMRO’s Cybersecurity Leaders
VIMRO is vendor-agnostic, meaning that we do not sell any products, nor are we paid by any vendor to promote their products. We do, however, help and guide our customers in choosing the most effective products, such as GRC solutions, based on client requirements.
Whether you are just considering a GRC solution, or are in the middle of a GRC implementation project, ensure that you have the documents and evidence we list in this paper’s Lists A and B. Many of our clients conduct the GRC project in parallel with documentation and evidence collection projects. As the lists show, a lot of work is required from both a security-technology-mechanisms perspective and a documentation perspective.
Your goal is to have a GRC solution in place, along with the cybersecurity documentation and controls evidence required to demonstrate compliance and secure practices. With this goal met, your audit and risk management process is optimized, and your focus can shift to proactively maintaining an optimized process rather than reacting to audit requests.
Contact VIMRO to discuss how we can help you implement your policy
and procedures, evidence controls, and GRC initiatives.
Success depends on the documents and evidence identified in the two interdependent Lists A and B.
LIST A: Policy, Procedures and General Documentation Request List
LIST B: Cybersecurity Controls Evidence Request List