<aside> 💡 Summary
</aside>
Compliance & audit framework and
What is GRC, Compliance is here because standards
An audit validates compliance with standards
<aside> <img src="/icons/keyboard-alternate_gray.svg" alt="/icons/keyboard-alternate_gray.svg" width="40px" /> To digitise
Sketch - Cybersecurity Frameworks
</aside>
Best practices are well known and implemented regularly, so there is no point in reinventing the wheel; that is why we use security frameworks. Security frameworks are optimized, proven methods to secure things.
All the frameworks have similar controls. Gerald Auger recommends the NIST Cybersecurity Framework and NIST SP 800-53, but presents CIS18 and CIS20 as beginner-friendly frameworks.
The NIST Cybersecurity Framework is presented in five stages, from “identify” to “recover”. We’ll focus on the GRC analyst part, which is the part “left of boom” (the bad event), made up of “identify” and “protect”: we check what is done badly before it can be exploited.
Identify
Good identification means knowing the environment well enough to respond quickly. It includes identifying:
Having a list of those lets you easily spot unusual software installed somewhere. We can’t list every phone and computer, especially with BYOD policies and remote work, so the list should contain the sensible, logical elements rather than being a pointless exhaustive inventory.
<aside> 📖 Dwell time: how long a threat actor has been in the environment since it was compromised.
</aside>