Any members in the Risk & Compliance space here?

Forum: Information Assurance, Governance, Risk and Compliance

This topic contains 22 replies, has 19 voices, and was last updated by  mizazga 2 years, 8 months ago.



    Hello All!
    Just trying to reach out to other Risk & Compliance professionals learning their way through!


    Franck KAMGAING




    Exposure to risk and compliance as I’m a blueteam leader. Welcome to Cybrary!






    Such things have now been taken over by automated solutions, like GRC software etc.



    Yes… been working in the GRC field for two years now (have several years of security experience…)



    Last one year



    I have a couple clients who are heavily compliance oriented. I do their GRC management and lead their Security Committees.

    Work in the financial sector, as well as PCI, ISO27001, and SSAE-16.



    Working in Cloud Computing & GRC



    Dear All

    Just joined the Club and would be interested to read any hints / tips on keeping records secure. I am particularly interested in the risks surrounding the acquisition of information relating to sensitive documentation on storage devices that do not have up-to-date security software.



    @mightyhash SharePoint has some Data Loss Prevention features that might be worth looking into. Any solution which stores the information centrally and doesn’t require downloading to the client machine will be a big asset in containing information loss.



    Hi rafaelh

    Already working with SharePoint and unfortunately it doesn’t appear to have the same features that you mention. Either it is set up incorrectly or we have a bad copy. Basically, after two years personnel just do not appear to use it.

    Therefore we have three risks: one, the data is stored elsewhere such as the hard drives of personnel; two, the information is not seen at all except by a select few; and thirdly, the IT department do not …

    However I need to look into the issue further. Thanks for reminding me



    Doing C&A/ISSE type stuff around Common Criteria, FIPS 140, FedRAMP and UC APL. I live in an alphabet soup land of compliance…



    @mightyhash If you have sensitive files across various file storage, I’d say a decent start is to first identify all your records, classify them according to sensitivity, and also note who would need access to them. Then, build groups in Active Directory (and give good descriptions to those groups), and use those groups to control access to the places where the files are. Assign memberships to the groups based on roles/need-to-know.

    For added security and auditing of privileges, have a mechanism to request membership of those groups, so that if someone wants access to a file, they must first be approved by ISOs, business owners, and get access by the sysadmins as a final sanity check.

    If you have SANs that have massive amounts of shares and don’t know what security groups you already have controlling access, or where those are applied, consider using PowerShell to script out a solution (or use an existing one from the internet) with the Get-Acl cmdlet.
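An added example of the Get-Acl inventory idea from the post above (not code from the poster or from Cybrary): it walks each share root and its first-level folders, records every explicit (non-inherited) ACE, and flags entries granted to broad built-in principals rather than to a purpose-built AD group. The share paths in $SharePaths are constructed placeholders; the output file name is an assumption.

```powershell
# Added example. $SharePaths is a constructed list of UNC paths: replace with your own.
$SharePaths = @('\\fileserver01\Finance', '\\fileserver01\HR', '\\fileserver01\Projects')

# Principals that are too broad for need-to-know access control; any ACE granting
# them rights is worth reviewing against the classification of what the folder holds.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

function Get-ShareAclInventory {
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Unreachable share, skipping: $root"
            continue
        }
        # Root folder plus its immediate subfolders: the level at which share ACLs usually diverge.
        $folders = @(Get-Item -LiteralPath $root)
        $folders += Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue
        foreach ($folder in $folders) {
            try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; continue }
            # Explicit ACEs are the ones someone set deliberately; inherited ones restate a parent.
            foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
                [pscustomobject]@{
                    Path        = $folder.FullName
                    Owner       = $acl.Owner
                    Identity    = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights.ToString()
                    Type        = $ace.AccessControlType.ToString()
                    BroadAccess = ($ace.AccessControlType -eq 'Allow') -and ($BroadPrincipals -contains $ace.IdentityReference.Value)
                }
            }
        }
    }
}

$inventory = Get-ShareAclInventory -Paths $SharePaths
$inventory | Sort-Object Identity, Path | Export-Csv -Path .\share-acl-inventory.csv -NoTypeInformation

# Which identities control access, and on how many folders each appears
$inventory | Group-Object Identity | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Folders where a broad principal is allowed in: the first list to reconcile with the record classification
$inventory | Where-Object BroadAccess | Format-Table Path, Identity, Rights -AutoSize
```

Run it from an account that can read ACLs on the shares; the CSV gives a baseline to compare against the groups actually defined in Active Directory.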



    I have about 2 years of experience with GRC. My last job was focused on PCI and building a security program. My new role is centered around FISMA/NIST while trying to build a security program at a low cost.



    I’m just getting started in the GRC field (3 months) but I have been working Policy & Compliance for other roles for over the last 7 years. It’s nice to see everything under one roof so to speak. Currently, I’m in the lead position for a small team of contractors that supports a LARGER client. One thing I can say for sure is that having the major areas of IT Security in one part of the organization can help focus and drive compliance.



    The ISO 27000 series and CISSP have risk controls… you must take a look



    Nice to see others who are in the GRC field.
    The main issue in my opinion is to have the right combination of GRC knowledge AND technical understanding.



    Hi guys, I’m working at a Risk Assurance Services dept of one of the Big 4.



    Hi all, I am just now trying to get into the GRC field. I’ve been working as a business process improvement guy for the past 3 years, and just got out of school a few months ago with a degree in information security. I am working to get a position now within my organization as the cyber specialist in Risk and Compliance. I recently passed my CISSP exam, and am working on getting my PMP. Down the road I’d like to go for the CCSP and the CISM… and maybe the CRISC too. Any advice for a noob in this field?
