Case study: Compliance Framework for a Microfinance Company

Problem Statement

Customer was required to adhere to RBI Master Directions IT Framework for NBFCs before 30th June 2018.

Services Delivered

Value Provided

Case study: GDPR Compliance Framework for an Analytics Company

Problem Statement

Customer pursued CSA STAR certification and a review of the Information Security program to address Investor and customer requirements on information security and cloud security.

Services Delivered

Value Provided

Case study: Compliance Framework for an NBFC

Problem Statement

Customer was required to adhere to RBI Master Directions IT Framework for NBFCs before 30th June 2018.

Services Delivered

Value Provided

Case study: GDPR Compliance Framework

Problem Statement

Customer was required to conduct a Gap Assessment against GDPR requirements as a Data Processor for a leading European FMCG company. This was to be completed before the deadline of 25th May 2018.

Services Delivered

Value Provided

Case study: Maturity Model Assessment for an Indian Logistics Company

Problem Statement

Customer wanted an independent and objective assessment of Information Security against ISO 27001:2013 ISMS, to understand the gaps and opportunities for enhancing the security posture.

Services Delivered

Value Provided

Case study: Compliance Framework for an NBFC Peer to Peer Lending Company

Problem Statement

Customer was required to adhere to RBI Master Directions IT Framework for NBFC Peer to Peer Lending Companies as part of their license application to RBI.

Services Delivered

Value Provided

Fifteen years ago, cloud infrastructure was a new and untested concept. Today it is the dominant form of data storage and computing services. With this shift, cybercriminals have also adapted their attacks, and smaller organizations are now targeted as readily as large ones. To prepare for the coming year, we have compiled 5 benefits of cloud infrastructure security in 2022.

 

Top 5 Benefits of Cloud Infrastructure Security 2022

  

Comprehensive Security for All Devices

It is important for all internet-connected devices to be protected by current cybersecurity controls. The rise in smart home and IoT devices has created more potential entry points for security breaches. The cloud moves data from a centralized data center to a decentralized storage service, which changes the network security picture considerably. Cloud infrastructure security providers must be able to protect not only corporate networks but individual users as well, with a focus on privacy and control.

  

Easier to Scale

Companies are realizing the benefits of cloud infrastructure: it is quicker to scale, cheaper to maintain, and more flexible, and many organizations are considering adoption for these reasons. One thing to keep in mind is that every company faces new security threats as it moves operations into the cloud. If you don't already have a robust cybersecurity strategy in place, now is the time to make sure you are covered before you migrate.

  

Cost-Efficient

Cloud infrastructure security in 2022 may be the best option for companies looking to cut costs while simultaneously improving their existing security measures. Public cloud computing has become an increasingly popular alternative to on-premises and private cloud deployments, offering lower upfront costs and the elasticity to scale capacity up and down as needed.

  

Improved Disaster Recovery Processes

Disaster recovery processes have improved dramatically in recent years with the advent of cloud infrastructure security services. These services are cost-effective for businesses that are looking to grow, improve their customer retention rates, or want to reduce their capital expenses. These services affect all levels of the cloud infrastructure from firewalls and network security to data storage and encryption. In particular, the availability and affordability of cloud infrastructure security services have allowed companies to focus on their core business.  

  

Increased Innovation and Collaboration

Economic growth has seen many benefits since the introduction of cloud infrastructure. One of the most prominent advantages is that it has helped to create jobs in the technology sector, which in turn has created more competition in an industry with high barriers to entry. Cloud data storage has allowed organizations to save money on hardware and operating expenses, while also allowing them to access their information anywhere they need it.  

 

Conclusion

Cloud infrastructure security is a complex and diverse field. The number of IT professionals who specialize in cloud infrastructure security is growing at an exponential rate, but the demand for qualified talent outpaces supply. It's important for organizations to make sure they have a comprehensive understanding of what cloud infrastructure security entails and how it can add value to their company.  

Cloud security services are very important for businesses that want to keep their data safe. There are many cloud security companies in Bangalore that can help you with this. Cloud computing allows you to store your data in the cloud and access it from anywhere. This is very convenient, but it also comes with some risks. It’s important to make sure that you choose a reputable cloud security company that will keep your data safe.

Executive leaders and board members are ultimately responsible for ensuring the long-term security of their organization, and their involvement helps in mitigating cyber risks. As board members realize how critical risk and security management is, they ask leaders more nuanced and complex questions. Interest in security and risk management (SRM) is at an all-time high at the board level. In Gartner's 2019 security and risk survey, four out of five respondents noted that security risk influences decisions at the board level.

The Gartner research helps security and risk management leaders prepare for five categories of questions that they should be ready to answer at any executive or board-level meeting. Here are those questions.

Let’s discuss each of these in detail. 

The Trade-Off Question - Are we 100% Secure?

The trade-off question is one that security and risk management leaders struggle with. The question "Are we secure?" needs reframing and is generally asked by board members who are unaware of how security risks affect the business. It is impossible to prevent 100% of incidents. The CISO's responsibility is to help identify and evaluate the potential risks for the organization and to allocate resources to manage them.

According to Gartner's report, a security and risk management leader in response to this question might say, 

"It is impossible to remove all sources of information risk considering the evolving nature of the cyber threat landscape. My responsibility is to work with other aspects of the business to execute controls for managing security risks that can prevent us from improving operational efficiency and brand image. There is no such thing as 'perfect protection' in security. We have to reassess continually how much risk is appropriate as the business grows. We aim to develop a sustainable program to balance the requirements to protect against the needs to run a business."

The Landscape Question - How bad is it out there? 

Most board members want to know how their security compares with that of peer organizations. They read threat reports and blogs, listen to broadcasts, and in some cases are required by regulation to understand the landscape. Gartner recognizes the need to discuss it. Leaders should avoid over-quantifying risk and attaching budget figures to mitigation costs on the basis of external events. Benchmarks give some material for conversation, but they should be a minor factor in the decision-making process.

Here are some responses that security and risk management leaders can give while discussing the wider security landscape. 

External events and responses

External event: Our primary competitor experienced a public, successful attack.
Response: We have a similar vulnerability that could facilitate such an attack, and we are addressing that weakness. Enhanced monitoring capabilities have been implemented.

External event: There is an increased number of attacks against the electricity grids in three of our national points of presence.
Response: We do not expect to become a direct target. Business continuity plans are being tested and updated to withstand a prolonged outage.

External event: We fall under the scope of the new EU General Data Protection requirements.
Response: We have conservative and cautious privacy practices in place.

The Risk Question - Do we know what our risks are? 

A risk outside tolerance needs treatment to bring it within tolerance. This does not require dramatic changes in a short time, so beware of overreacting. The Gartner report presents a way to defend risk management decisions, which you can adapt to your organization's risk tolerance.

One of the most common issues noted in the report is that risk evaluations are subjective and rest on flawed methodology. Security leaders must have evidence to support the evaluation, even when they are not called upon to present it. Another aspect to consider is whether to depict the typical outcome or the worst one. Most incidents have mild outcomes that are within the ability of most companies to absorb. However, an infrequent incident can result in a catastrophic outcome.

The Performance Question - Are we appropriately allocating resources? 

Security is always a moving target. The security team needs to demonstrate how it is performing to ensure the organization stays safe. It is particularly important to show whether resources are allocated appropriately and where the money is spent. The original strategy proposal should have margins for error on both deadline and budget. As long as overruns stay within these margins, they should be noncontroversial.

There may be valid reasons even when overruns fall outside the margins. The balanced scorecard approach is one way to show how security contributes to business performance. In this approach, the top layer defines the business aspirations, and the organization's performance against those aspirations is expressed using a traffic-light mechanism. It is not the only way; some organizations use other types of dashboards to discuss business performance.

The Incident Question - How did this happen? 

Incidents are unavoidable, and handling one well can be a blessing in disguise. Security and risk management leaders should be aware that in some scenarios incident details may have been tightly controlled (for example, because of sensitivities associated with the incident). Using a fact-based approach and explaining what you know will remove the mystery and give the board confidence that you have control over the incident. Acknowledge the incident, provide details on the business impact, outline the flaws or gaps that need to be worked on, and offer a mitigation plan.

Decipher Complex Board Question 

There are usually no deterministic answers to board questions, and responses are generally more about presenting options for sponsorship than a definitive course of action. The options vary with the context of the discussion, the maturity of the board, the communication skills of the SRM leader, and the frequency of reporting. Understanding and answering board questions requires everyone to understand their roles. The SRM leader should remember that the board is interested in facilitating the business goals: any query that may seem immature, ignorant, or complicated has a purpose behind it.

We wish you all a very happy 2021, and may it be a year filled with success, good health, and happiness for you and your loved ones. With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats looming in front of us. Here are a few thoughts and considerations for the unenviable role of the CISO, for a great start to 2021!

Make the management part of your problem

Senior management does not know the technicalities of how a breach occurs, nor should they need to. However, they should be clearly aware of the risks involved. Ensure that senior management and the board are completely up to date on all risks. Increase the frequency of your meetings and provide a crisp update on the open risks and how you are working to mitigate them, with clearly established timelines and dependencies. Costs and budget overruns should be highlighted ahead of time. Bring in business-friendly and business-relevant cyber security metrics and report them periodically. This way, management is more forthcoming in providing the necessary authority and helps prioritize your initiatives.


Get the Appropriate Budget

Budget definition and allocation as a percentage of IT spend, a percentage of the cost of a breach, a percentage of year-on-year business growth: various models exist. While each has its benefits and pitfalls, the budget should be commensurate with your risk appetite. Continuing from the point above, having management on board with cyber security initiatives will go a long way in ensuring that an appropriate budget is allocated. Let us be clear about one thing: the world expects 'more' with 'less'.


Clearly Identify your Security Partners

Cyber security is one of the fields where the gap between available skills and market needs is widening fastest. With a CAGR of 17% in cyber security products and services, this gap can quickly become the CISO's nightmare. Relying on experts to do the job is essential, and the problem can be solved by engaging the right ecosystem partners. Security technologies, security governance, and security operations are niche areas; picking the right partner ensures that they stay with you, provide the much-needed assurance, and help address your problem by bringing in the right skills. Remember, it is not necessary to boil the ocean.


Evolve Your Security to Protect Your Remote Infrastructure

Secure your remote workforce by proactively protecting against zero-day malware and phishing, and consider both human and technological factors to avoid falling victim to phishing attacks. In response to the coronavirus pandemic, Gartner analysts observed a more than 400% increase in client inquiries related to remote access technologies for March, April, and May 2020 compared with the previous three months. Furthermore, a recent Gartner survey reveals that 41% of employees are likely to work remotely after the pandemic.


Continuous Monitoring for all Critical Assets 

90% of breaches in cloud-based infrastructure were due to configuration-related issues. Periodic assessment (once a year, once a quarter) may not be sufficient in today's scenario. The new buzzword is continuous monitoring. Continuous monitoring of critical assets enables rapid detection of compliance issues and security risks within the IT infrastructure that could otherwise lead to compliance violations. It gives real-time visibility into changes to the infrastructure, and combined with a good threat intelligence feed it makes it possible to respond to zero-day attacks far more robustly.
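The following is an added example, not CyRAACS code, of the continuous monitoring idea described above: every configuration snapshot is evaluated against a small rule set, and two consecutive snapshots are compared so that newly introduced misconfigurations (drift) are reported as soon as they appear rather than at the next quarterly review. The resource schema, the rule identifiers and the two snapshots are all constructed for illustration and do not correspond to any real cloud provider's API.

```python
"""Added example: rule-based continuous monitoring of cloud configuration.

Evaluates each snapshot of resource configuration against a rule set and
reports the violations that are NEW since the previous snapshot.  The
resource format, rule IDs and sample snapshots are constructed for this
example (assumptions, not a real provider's data model).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A snapshot maps a resource id to a flat dict of its configuration attributes.
Snapshot = Dict[str, Dict[str, object]]


@dataclass(frozen=True)  # frozen -> hashable, so findings can be set-compared
class Finding:
    resource_id: str
    rule_id: str
    detail: str


# A rule returns a human-readable detail when the resource violates it, else None.
Rule = Callable[[Dict[str, object]], Optional[str]]


def rule_public_storage(cfg: Dict[str, object]) -> Optional[str]:
    if cfg.get("type") == "storage" and cfg.get("public_access"):
        return "storage bucket allows public access"
    return None


def rule_encryption_at_rest(cfg: Dict[str, object]) -> Optional[str]:
    if cfg.get("type") in ("storage", "database") and not cfg.get("encrypted"):
        return "data at rest is not encrypted"
    return None


def rule_admin_mfa(cfg: Dict[str, object]) -> Optional[str]:
    if cfg.get("type") == "user" and cfg.get("admin") and not cfg.get("mfa_enabled"):
        return "administrative user has no MFA"
    return None


def rule_open_ssh(cfg: Dict[str, object]) -> Optional[str]:
    if cfg.get("type") == "firewall":
        for r in cfg.get("ingress", []):
            if r.get("port") == 22 and r.get("source") == "0.0.0.0/0":
                return "SSH (22/tcp) open to the whole internet"
    return None


# Hypothetical rule identifiers; a real program would map these to a standard.
RULES: Dict[str, Rule] = {
    "STORAGE-PUBLIC": rule_public_storage,
    "ENCRYPT-AT-REST": rule_encryption_at_rest,
    "ADMIN-MFA": rule_admin_mfa,
    "FW-OPEN-SSH": rule_open_ssh,
}


def evaluate(snapshot: Snapshot) -> List[Finding]:
    """Run every rule over every resource and return all current violations."""
    findings: List[Finding] = []
    for rid, cfg in sorted(snapshot.items()):
        for rule_id, rule in RULES.items():
            detail = rule(cfg)
            if detail:
                findings.append(Finding(rid, rule_id, detail))
    return findings


def drift(previous: Snapshot, current: Snapshot) -> Tuple[List[Finding], List[Finding]]:
    """Compare two snapshots and return (new violations, resolved violations)."""
    before, after = set(evaluate(previous)), set(evaluate(current))
    key = lambda f: (f.resource_id, f.rule_id)
    return sorted(after - before, key=key), sorted(before - after, key=key)


# Constructed sample snapshots: a clean baseline and a later, drifted state.
BASELINE: Snapshot = {
    "bucket-reports": {"type": "storage", "public_access": False, "encrypted": True},
    "db-customers": {"type": "database", "encrypted": True},
    "user-alice": {"type": "user", "admin": True, "mfa_enabled": True},
    "fw-web": {"type": "firewall", "ingress": [{"port": 443, "source": "0.0.0.0/0"}]},
}

CURRENT: Snapshot = {
    "bucket-reports": {"type": "storage", "public_access": True, "encrypted": True},  # flipped public
    "db-customers": {"type": "database", "encrypted": True},
    "user-alice": {"type": "user", "admin": True, "mfa_enabled": True},
    "user-bob": {"type": "user", "admin": True, "mfa_enabled": False},  # new admin, no MFA
    "fw-web": {"type": "firewall", "ingress": [
        {"port": 443, "source": "0.0.0.0/0"},
        {"port": 22, "source": "0.0.0.0/0"},  # SSH rule added
    ]},
}

if __name__ == "__main__":
    new, resolved = drift(BASELINE, CURRENT)
    for f in new:
        print(f"NEW      {f.resource_id:16} {f.rule_id:16} {f.detail}")
    for f in resolved:
        print(f"RESOLVED {f.resource_id:16} {f.rule_id:16} {f.detail}")
```

In practice the snapshots would come from the provider's configuration inventory on a schedule or from change events, and the "new" list would be routed to a ticketing or SIEM pipeline; the point of diffing against the previous snapshot is that reviewers see only what changed, which is what makes continuous review sustainable.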

Please reach out to us to know more about this to [email protected] or personally to me at [email protected].


Providing insights in the changed risk and opportunity landscape

The global situation arising from the COVID-19 pandemic has impacted businesses and has also impacted the work of auditors. The current situation challenges the conventional methods adopted for an audit, and the current uncertainty and unpredictability may create risks of material misstatement in audits.


"Predicting the unpredictable: Adapting to the changing needs" has always been a key mantra, and this holds true today with the emergence of COVID-19.

Considering the recent situation and the paradigm shift in business operations, CyRAACS would advise audit teams to adopt the methods below for a precise, fact-based audit.

1. Re-evaluate the audit scope


With the change in the mode of business operations and the technology implemented, auditors may have to revisit the scope of the audit to include the technology and architecture deployed to support remote working. Auditors may also have to re-evaluate effort estimates and timelines based on the changes in scope.

2. Utilize Collaboration tools and communicate


Conference and video call facilities and collaboration tools such as Skype, Teams, and Slack allow for regular communication with clients and team members. Use them extensively to communicate what you need and what you have been working on. When implementing these communication and collaboration technologies, keep an eye on the advisories issued for vulnerabilities identified in them, and evaluate any open-source tools adopted for security flaws before implementation.

3. Use cloud services for storing evidence


Utilize cloud storage services to collect audit evidence. Cloud services such as OneDrive and SharePoint enable gathering adequate, appropriate audit evidence remotely. Ensure that all security controls are implemented in the cloud service being used so that data leakage is prevented, and ensure that the chosen platform is accessible to all stakeholders required to provide data for the audit.

4. Technology controls to be stringently implemented by the IT Team


In the wake of the recent crisis and the work-from-home model adopted globally, the IT team may be evaluating stricter controls on the environment, such as digital certificates and multi-factor authentication. Auditors may integrate these additional security controls into their methodology to adapt to the changing environment.

5. Check for regulatory/contractual requirements for evidence sharing


All regulatory requirements for data hosting and data sharing should be validated before sharing data with the auditors. Where organizational policies on data sharing are strict, the organization may create a segregated environment or "white room" in which the auditors can securely review the evidence.

6. Centralize work performed by other auditors


Centralize the audit engagement and its documentation on the cloud platform. This enables the audit team to coordinate and review the work of other auditors in line with the requirements of the auditing and reporting standards.

7. Flexibility in reporting audit findings


As audit teams respond to the crisis and to changing business risks in differing ways, there may arise a need for more adaptable and flexible auditing techniques. During this period, auditors need not be restricted to traditional reporting methods and may consider different reporting templates such as unrated reporting, e-mail reporting, and mid-review reporting.

8. Reassess key risks in a real-time environment


Risk changes rapidly with the slightest change in the environment. Reassess the current environment to identify the new threat landscape and the associated risks. The exercise gives insight into the changing risk landscape and aids in developing a robust risk mitigation strategy.

Additional Articles for a good read and understanding of global security controls and audits:

1. NBS Special Publication 500-153: Guide to Auditing for Controls and Security: A System Development Life Cycle Approach

2. NIST Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations.

Conclusion

Conducting a cybersecurity audit in the midst of a crisis is essential to ensure that an organization's data and systems remain secure. Organizations should be aware of best practices for such audits in order to mitigate risks and vulnerabilities during times of uncertainty. Preparing for potential cyber threats by strengthening security controls should be part of any crisis plan. Organizations must also remain vigilant and monitor their systems on an ongoing basis, so as to detect possible threats before they become a problem.

Transform your business and manage risk with your trusted cyber security partner
Business Enquiry
[email protected]
+91 8553004777
Career Opportunities
[email protected]
+91 9606019227
CYRAAC Services Private Limited
3rd floor, 22, Gopalan Innovation Mall, Bannerghatta Main Road, JP Nagar Phase 3, Bengaluru, Karnataka-560076
Company CIN: U74999KA2017PTC104449
In Case Of Any Grievances Or Queries Please Contact -
Murari Shanker (MS) Co-Founder and CTO
Email ID: [email protected]
Contact number: +918553004777
© COPYRIGHT 2024, ALL RIGHTS RESERVED