Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Numerous risks are inherent in the technologies that all organizations use. These risks have especially become apparent with recent ransomware attacks, which have crippled major infrastructure such as the Colonial Pipeline in the Eastern United States1. This discussion will focus on how GRC, or governance, risk, and compliance can help organizations face and manage the risks that they face.

A cybersecurity baseline is an invaluable set of standards for your organization. It helps you understand your security posture, identify security gaps, and meet cybersecurity regulations. The most widely adopted cybersecurity baselines are those recommended by the NIST Cybersecurity Framework, the SANS Top 20 Critical Security Controls, and Shared Assessments (designed for third-party risk management). We covered the specifics of these frameworks in a previous blog.

With the new year upon us, now is the ideal time to re-evaluate your cybersecurity controls and your cybersecurity risk remediation strategy. Do you have a plan for cybersecurity risk remediation? Has this plan outlined who needs to be involved? How are you being notified of risks? Is there a process in place to identify and prioritize the riskiest threats for rapid remediation? This year, plan ahead for evolving cybersecurity threats and follow these five tips for crafting a risk remediation plan.

Though very helpful in representing the efficacy of a service provider’s third-party risk management program, SOC reports aren’t always available. Some service providers either don’t have the budget for a SOC report or are unwilling to undergo the laborious process of an SSAE-18 audit. While a lack of a SOC report should raise alarm bells during the due diligence process, it shouldn’t necessarily result in the disqualification of a prospective vendor.