Friday, March 1, 2024

Cybersecurity and Compliance Frameworks

Starting with my work as a consultant and continuing through my time at Jackson National Life Insurance and Zoom Video Communications, I've used multiple security frameworks to help dozens of organizations (commercial and government) meet compliance obligations. I started working with NIST SP800-53 to construct audit plans for financial services clients. In some instances this was to help internal audit teams identify areas of concern; in other instances I assisted IT teams in maturing their implementation processes and aligning them with business needs. Other clients had a preference for aligning to ISO 27001, which I've used in writing information security policies that gave these organizations a basis for building their security programs.

As a consultant, I helped electrical utility clients operating critical national infrastructure assets to assess readiness for audits by their regional authorities and to recommend architectural changes, using the NERC CIP standards.

Within Jackson National Life Insurance and Zoom Video Communications, my work with security and compliance frameworks required much more collaboration with internal teams of risk managers, IT, and Security, aligning multiple frameworks to internal standards and regulatory mandates. In the case of Jackson National, I largely created all the documentation of framework alignments to drive internal compliance and assessment efforts. These were later adapted to fit the needs of different subsidiaries and, globally, of parent company Prudential PLC in business units spanning from the UK to Hong Kong, Korea, and everything in between, to help mature organizational governance and compliance. When I identify security risks in the course of an assessment, tying the issues back to the related control statements we have in the alignment documentation helps me better communicate the compliance risks to stakeholders with widely ranging concerns. Some of the security and compliance frameworks I've mapped out and used for this include:

  • Center for Internet Security (CIS) / SANS Critical Controls
  • NIST Cybersecurity Framework and SP800-53
  • ISO 27001 & 27002
  • COBIT
  • BSIMM (Building Security In Maturity Model)
  • HITRUST
  • Information Security Forum Standard of Good Practice
