Managing vulnerabilities in an organisation is a never-ending task. There are various challenges involved.
I've written and deployed a vulnerability management process that included scanning, treatment, senior management review and an action plan for discovered vulnerabilities. This was all based on NIST best practice and NCSC guidance.
One of my passions is risk management, and clearing up confusion about how to do it. Using the ISO27001 standard and controls, and the NIST risk management framework, I have previously improved risk management in information and cyber security.
One of my ambitions is to be formally certified by ISACA as a CRISC (Certified in Risk and Information Systems Control).
I embrace risk management as a business requirement that ensures IT, information security and privacy are central to an organisation's technical and information operations, using the NIST control family as 'main risks' to ensure that all areas of compliance are covered.
Policies, processes and procedures are the 'how to' part of any organisation. Without a security policy, it's not clear what the organisation expects in terms of acceptable use of its assets, minimum security requirements such as password policies, and how to safely serve the objectives and interests of the business with the minimum of disruption to its operations.
I have twelve years' experience of policy writing and assessment. Based on the objectives of your organisation, policies are written in accordance with what management want. Some consultants, and even security managers working directly for some organisations, introduce generic policies and associated processes and procedures as a 'one size fits all' solution, which ultimately isn't a solution at all.
All policies and associated procedures are done in collaboration with teams working to meet the needs of the organisation's mission, and agreement reached before placing the individual policy before the board of directors for approval. It's important to ensure everything is included in a policy, as it could be quite some time before another version of it is approved.
As a qualified Lead Auditor I have years of experience in conducting full audits on organisations I am a member of, but I don't have UKAS accreditation to audit external parties in order to certify them. I have developed ISO27001 compliance in 8 companies (7 from scratch), seeing them through to successful certification. As such I have conducted full audits as they were to be conducted by the certifying body, and followed up with annual control audits to ensure continued suitability for the ISO27001 certifications.
The 'Experience' page gives more detail on ISO27001 for your perusal.
I have extensive experience of responding to third-party risk management questionnaires, and supplying appropriate evidence of compliance where requested. This is performed using open and honest disclosure, taking into account organisational security considerations when doing so. Where the organisation is not compliant with a client requirement, planned actions to remediate are shared with the client.
Having years of experience of assessing third parties on their security posture, I'm aware of a large number of solutions that can be employed to manage third-party risk (SCRM or TPRM, as it's known). However, I have been involved in locally produced policies, processes and procedures, authoring much documentation to categorise third-party vendors into 'risk levels', and have produced much documentation including questions and scoring mechanisms to validate vendors' security posture. This has been developed to require various results, including ISO27001, PCI-DSS, SOC2 and other evidence, based on the requirements of the organisations I have worked for, commensurate with the type and level of service or product being provided (e.g. SaaS).