Compliance and Governance
Risk Management
Risk Assessment Process
- Asset Identification: Catalog the systems, data and services that need protection, and who owns them
- Threat Identification: Enumerate the threat actors and attack vectors that could target those assets
- Vulnerability Assessment: Identify the weaknesses in systems and processes that those threats could exploit
- Risk Analysis: Evaluate the impact and likelihood of each threat/vulnerability pair and prioritize
- Risk Treatment: Accept, mitigate, transfer (e.g., insurance or outsourcing), or avoid each risk, and record the decision and its owner
Risk Rating (OWASP Risk Rating Methodology)
- Each factor is scored 0-9; likelihood and impact are each the average of their factors
- Likelihood Factors:
  - Threat agent factors (skill level, motive, opportunity, size)
  - Vulnerability factors (ease of discovery, ease of exploit, awareness, intrusion detection)
- Impact Factors:
  - Technical impact (loss of confidentiality, integrity, availability, accountability)
  - Business impact (financial damage, reputation damage, non-compliance, privacy violation)
- Bands: average below 3 is LOW, 3 to below 6 is MEDIUM, 6 and above is HIGH
- Overall severity: combine the likelihood band and impact band in a 3x3 matrix (LOW x LOW is NOTE, HIGH x HIGH is CRITICAL)
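The OWASP rating steps above, carried through in code. This is an added example, not part of the original page or of OWASP's own tooling; the factor names, the finding being scored and its 0-9 values are constructed for illustration.

```python
from statistics import mean

# OWASP Risk Rating Methodology: every factor is scored 0-9, likelihood and
# impact are each the average of their eight factors, and the two averages are
# banded and combined through a 3x3 severity matrix.
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Outer key: impact band, inner key: likelihood band.
SEVERITY_MATRIX = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}


def band(score: float) -> str:
    """Map a 0-9 average onto the OWASP bands: <3 LOW, 3 to <6 MEDIUM, >=6 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: dict, factors: tuple) -> float:
    """Validate that every factor is present and an integer 0-9, then average them."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for f in factors:
        v = scores[f]
        if not isinstance(v, int) or not 0 <= v <= 9:
            raise ValueError(f"{f} must be an integer 0-9, got {v!r}")
    return mean(scores[f] for f in factors)


def rate_risk(likelihood_scores: dict, impact_scores: dict) -> dict:
    """Return the averaged scores, their bands and the matrix severity."""
    likelihood = _average(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = _average(impact_scores, IMPACT_FACTORS)
    l_band, i_band = band(likelihood), band(impact)
    return {
        "likelihood": likelihood, "likelihood_band": l_band,
        "impact": impact, "impact_band": i_band,
        "severity": SEVERITY_MATRIX[i_band][l_band],
    }


# Constructed scoring for a hypothetical SQL injection in an internet-facing
# customer search form (illustrative values, not a real assessment).
SQLI_LIKELIHOOD = {
    "skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 8,
}
SQLI_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    print(rate_risk(SQLI_LIKELIHOOD, SQLI_IMPACT))
```

The validation in `_average` matters in practice: a factor silently left at 0 drags the average down a band, so an assessment sheet with a blank cell should fail loudly rather than rate a finding as lower risk.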
Compliance Frameworks
SOX (Sarbanes-Oxley Act)
- Scope: US publicly traded companies (and their auditors)
- Requirements: Internal controls over financial reporting (Section 404) and executive certification of financial reports (Section 302)
- IT Impact: Access control, change management and logging for systems that feed financial reporting
PCI DSS (Payment Card Industry Data Security Standard)
- Scope: Any organization that stores, processes or transmits cardholder data, plus systems connected to that environment
- Requirements (six control goals):
  - Build and maintain a secure network and systems
  - Protect cardholder data
  - Maintain a vulnerability management program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy
SOC 2 (System and Organization Controls 2, an AICPA attestation)
- Trust Services Criteria: Security (required), availability, processing integrity, confidentiality, privacy
- Report Types: Type I (control design at a point in time), Type II (operating effectiveness over a period, commonly 6 to 12 months)
- Audience: Service providers and their customers' auditors, shared under NDA
Audit and Assessment
Security Audit Process
- Planning: Define scope, applicable controls, evidence requests and resource allocation
- Fieldwork: Collect evidence, interview control owners and test controls (design and operation)
- Reporting: Document findings with severity, root cause and recommendations
- Follow-up: Track remediation to closure and re-test to verify the fix
Continuous Monitoring
- Automated Compliance Checking: Encode policy as rules and evaluate them against inventory and configuration data to detect violations
- Security Metrics: Key performance indicators such as control pass rates, patch latency and open findings by severity
- Dashboard Reporting: Executive visibility into current posture and overdue remediation
- Trend Analysis: Track how the metrics move over time to show whether posture is improving
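A minimal policy-as-code checker of the kind described above, written as an added example rather than taken from any tool. The inventory is constructed, the rule set is an assumed internal policy loosely modelled on the PCI DSS goals listed earlier (not the standard's own test procedures), and the 90-day scan window is an assumed "at least quarterly" requirement.

```python
from datetime import date, timedelta

# Assumed policy: in-scope systems must be vulnerability-scanned at least quarterly.
SCAN_MAX_AGE = timedelta(days=90)
AS_OF = date(2024, 6, 1)  # evaluation date for the constructed data below


def in_cde(system):
    """Scope predicate: the system is in the cardholder data environment."""
    return system["handles_card_data"]


# Each rule: (id, description, applies(system) -> bool, passes(system, today) -> bool).
RULES = [
    ("CDE-ENC", "Systems storing cardholder data encrypt it at rest",
     in_cde, lambda s, today: s["encryption_at_rest"]),
    ("CDE-MFA", "Administrative access to the CDE requires MFA",
     in_cde, lambda s, today: s["mfa_required"]),
    ("CDE-SCAN", "CDE systems were vulnerability-scanned within the last 90 days",
     in_cde, lambda s, today: today - s["last_vuln_scan"] <= SCAN_MAX_AGE),
    ("ALL-LOG", "Every system forwards security logs",
     lambda s: True, lambda s, today: s["logging_enabled"]),
]

# Constructed asset inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"host": "pay-api-01", "handles_card_data": True, "encryption_at_rest": True,
     "mfa_required": True, "logging_enabled": True, "last_vuln_scan": date(2024, 5, 10)},
    {"host": "pay-db-01", "handles_card_data": True, "encryption_at_rest": False,
     "mfa_required": True, "logging_enabled": True, "last_vuln_scan": date(2024, 1, 3)},
    {"host": "wiki-01", "handles_card_data": False, "encryption_at_rest": False,
     "mfa_required": False, "logging_enabled": False, "last_vuln_scan": date(2024, 2, 1)},
]


def check_compliance(inventory, rules, today):
    """Return sorted (host, rule_id) pairs for every applicable rule a system fails."""
    violations = []
    for system in inventory:
        for rule_id, _desc, applies, passes in rules:
            if applies(system) and not passes(system, today):
                violations.append((system["host"], rule_id))
    return sorted(violations)


def pass_rates(inventory, rules, today):
    """Per-rule KPI: fraction of applicable systems that pass (None if none apply)."""
    rates = {}
    for rule_id, _desc, applies, passes in rules:
        scope = [s for s in inventory if applies(s)]
        if not scope:
            rates[rule_id] = None
            continue
        passed = sum(1 for s in scope if passes(s, today))
        rates[rule_id] = passed / len(scope)
    return rates


if __name__ == "__main__":
    for host, rule_id in check_compliance(INVENTORY, RULES, AS_OF):
        print(f"VIOLATION {host}: {rule_id}")
    for rule_id, rate in pass_rates(INVENTORY, RULES, AS_OF).items():
        print(f"KPI {rule_id}: {rate}")
```

Separating the scope predicate from the pass condition is what keeps the check honest: an out-of-scope wiki failing the encryption rule is noise, but the same host failing the logging rule is a real finding, and the per-rule pass rate is the number that belongs on the dashboard and in the trend line.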