Showing posts with label ISF. Show all posts
Showing posts with label ISF. Show all posts

Thursday, September 24, 2020

Risk Management for Vendor Ecosystem

Many orgs focus too long on assessing the risk before deciding to onboard a vendor.

Multiple control frameworks (COBIT, ISF, ISO, NIST, HITRUST) include hundreds of questions that are often redundant.

Furthermore, these assessments couple the vendor governance witht the actual solution.  Hence, orgs spending weeks on evaluating each vendor.

The solution here is a laser-focused framework that includes a base for the vendor, along with specific questions for the solution.  I would also advocate for a vulnerability scan of the solution by the specific org doing the assessment. 

Posted by at No comments:
Labels: , , , , , , ,

Saturday, October 29, 2016

Best Control Framework for HIPAA / HITECH Audits / Reviews

While many are adamant about using NIST SP 800-53a Rev 4~ for HIPAA / HITECH there is precedent for using alternatives.

Preference should be given to hybrid frameworks that use HITRUST CSF and / or ISF SOGP as they use a combination of 800-53, COBIT, and / or ISO.

The genesis for building on controls are the new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.
Posted by at No comments:
Labels: , , , , , , , , , , ,
Subscribe to: Posts (Atom)