formal risk assessment workshop
Post on 16-Apr-2017
189 Views
Preview:
TRANSCRIPT
Created by Praveen Joseph Vackayil
Information Security Risk Assessment Workshop
Praveen Joseph VackayilDeepak Umapathy
Created by Praveen Joseph Vackayil
Created by Praveen Joseph Vackayil
DISCLAIMER
Created by Praveen Joseph Vackayil
• Explore perspectives and incite thoughts
on the risk assessment process
• Re-visit the basic concepts of risk
• Perform a risk assessment based on a formal methodology
Workshop Objectives
Created by Praveen Joseph Vackayil
• Questions are welcome
• Share your knowledge
• Mobile phones – you know what to do
Ground Rules
Created by Praveen Joseph Vackayil
• I. An Introduction to Risk Assessment
• II. Basic Concepts
• III. Lunch
• IV. Case Study: Implementing an NIST SP 800-30 Risk Assessment
Agenda
Created by Praveen Joseph Vackayil
So Let’s Go
Created by Praveen Joseph Vackayil
I. An Introduction to Risk Assessment
Created by Praveen Joseph Vackayil
What is Risk?
Created by Praveen Joseph Vackayil
The Concept of Risk
Risk exists in daily life
Risk may be a part of a profession or sport
Created by Praveen Joseph Vackayil
The Concept of Risk• We can’t always predict the future. At least
not accurately.• Risk is a consideration of how something we
value (asset) can be affected • by a negative entity (threat) • and lead to a less than ideal outcome
(impact)• since it is not protected enough
(vulnerability)
Created by Praveen Joseph Vackayil
Threat SourceThreat Outcome
Players in a Risk Assessment
Asset Vulnerability
Created by Praveen Joseph Vackayil
Asset
Textbook DefinitionInterpreted Definition:Risk is the probability that a threat, exploiting a vulnerability that exists in an asset of certain value, will cause an undesired impact.
Threat Undesired ImpactVulnerability
RISK ECOSYSTEM
Created by Praveen Joseph Vackayil
What is Risk Assessment?
Created by Praveen Joseph Vackayil
What is Risk Assessment?• Risk Assessment is nothing but people
being people• It is an extension of human nature and a
satiation of a basic human need:
CONTROL
TOBE
IN
Created by Praveen Joseph Vackayil
Some Perspectives on RA in the Outside World
The jaguar hides its prey atop trees
Created by Praveen Joseph Vackayil
Some Perspectives on RA in the Outside World
Name some things you see in this picture which remind you of risk assessment
Created by Praveen Joseph Vackayil
Formalizing Risk Assessment
• Formalizing a Risk Assessment is a way of providing it with a systematic mechanism of– Measurement (defining metrics)–Repetition (process-specific and not person-
specific)–Comparison (between different business
verticals, for instance)Note: We will be visiting formal methodologies in the later slides
Created by Praveen Joseph Vackayil
Why do we need Risk Assessment?
Or do we need it at all?
Created by Praveen Joseph Vackayil
Murphy’s Law
If anything can go wrong, it will
Created by Praveen Joseph Vackayil
Do We Really Need Risk Assessment?
Case i: I am trying to check all the boxes in my compliance checklist. I don’t need a separate risk assessment as such.–A compliance standard is a universal set of
instructions–Risk Assessment is the tool through which
the standard is tailored to the unique circumstances of your environment
Note: Risk assessment is mandated by most compliance standards today – eg. PCI, ISO 27001, HIPAA, etc.
Created by Praveen Joseph Vackayil
Do We Really Need Risk Assessment?
Case ii: We have annual third party audits. We don’t need risk assessment.–Risk assessment Audit–An audit is a discovery of what HAS
already gone wrong–Risk Assessment is the discovery of
what CAN go wrong in the near or distant future
Created by Praveen Joseph Vackayil
Do We Really Need Risk Assessment?
Case iii: I don’t see the point. We did a risk assessment last year and no one followed through with remediation.–Risk Assessment: • ‘If you can’t measure it, you can’t manage
it.’–Risk Management:• ‘Knowing is not enough, we must apply.’
Created by Praveen Joseph Vackayil
Do We Really Need Risk Assessment?
Case iv: Everything eventually boils down to the numbers. There is a cost involved in an RA. How do I justify this investment?
RA Cost RA Benefit
• Time and effort• Productivity is hit when
business team is facing risk assessors
• RA Training Costs• RA Consultant• RA Tool
?
• Not having a security incident is the ROI of any security investment.
• A key objective of RA is to ensure the security budget is not exceeded.
Created by Praveen Joseph Vackayil
II. Basic Concepts
Created by Praveen Joseph Vackayil
A Sample Risk Assessment Workflow
Risk Frame Threat Source and Threat Event
Impact Likelihood of Occurrence Vulnerability
Risk Score Risk Response
Created by Praveen Joseph Vackayil
Risk Frame• Identification of the
– Organizational priorities. Eg. Purpose of the RA– Scope – Assets (e.g., organizational entities covered, business functions
affected by the RA)– Team Structure within the organization– Assumptions and Constraints– Information sources – Risk management guidance on the Risk Model, Analysis
Approach, Assessment Approach, Qualitative Scale to be used for Risk Score, etc.
– Risk response guidance including, for example, risk tolerance– Risk monitoring guidance
Created by Praveen Joseph Vackayil
Role of Organizational Structure on Risk Perception
Nature of risks varies with the level of hierarchy being assessed.
Organization
TierBusiness Process
Tier
Information System Tier
Created by Praveen Joseph Vackayil
Analysis Approach
Asset/Impact-oriented
Threat-oriented
Threat SourceThreat Event
caused by the Threat Source
Vulnerability Impact
Vulnerability-oriented
Critical AssetImpact that can compromise the
Asset
Threat Event that can cause
the impact
Threat Source that leads to this
Threat Event
Vulnerabilities and Pre-disposing Conditions
Threat Event that exploits the
VulnerabilityThreat Source Impact
Created by Praveen Joseph Vackayil
Assessment Approach: Qualitative vs Quantitative Measurement
Created by Praveen Joseph Vackayil
Qualitative Quantitative
• High Medium Low• Red, Green, Yellow
Numeric
Easy to calculate May include complex formulae
Less accurate, but gets the job done Precise. Useful in $ estimations
Difficult to convince stakeholders, since it is based on subjective judgement
Easier to convince stakeholders
Risk = f (Asset Value, Threat probability, Level of Vulnerability)
Basic concepts to be noted:SLE=Asset Value x Exposure FactorALE= SLE x ARO
Assessment Approach: Qualitative vs Quantitative Measurement
Created by Praveen Joseph Vackayil
A Word on Assets• Anything of value to the organization• Perception of value is tied to the purpose of
the risk assessment– Eg. If in a compliance RA, the value of the asset depends on
the compliance requirement. In PCI, card data is the most important asset, and hence gets highest Asset Value.
– If the RA aims at capturing process inefficiencies and optimizing cost, money is the most important asset.
– For the purpose of ISRA, information is usually the most important asset.
Created by Praveen Joseph Vackayil
Characterizing AssetsAsset Name: DB ServerAsset Category: Supporting AssetAsset Type: HardwareAsset Owner: Head of IT DeptAsset Custodian: Database AdministratorAsset Value: • Impact if C is compromised:
VH• Impact if I is compromised: VH• Impact if A is compromised: MTotal Asset Value: VH
Created by Praveen Joseph Vackayil
Malicious outsider defaces the corporate website
Threat Source and Threat Event
Employee loses company confidential data in a laptop
Non-adversarial Threat Source
Adversarial Threat Source
Intent: To take control of the web server and deface the website
Targeting: Web server
Capability: Proficiency in hacking tools like MetasploitKnowledge of the systems architecture
Range of Effects: Loss of confidential data if the laptop falls into the wrong and capable hands
Threat Event
Threat Event
Website is defaced by a malicious outsider
Company data is misused by an unknown third party
Created by Praveen Joseph Vackayil
Threat Shifting• Change in attack approach based on
controls perception.Time
domain
Target domain
Resource Domain
Attack method
Influencers:• Path of least resistance• Path with quicker and
more benefit
Created by Praveen Joseph Vackayil
• A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
Vulnerabilities
Created by Praveen Joseph Vackayil
Vulnerabilities
• Controls are absent• Controls are not efficient• Controls are no longer relevantThe ever-changing threat landscape can render the current control eco-system obsolete. Eg. Shellshock bash vulnerability.
Created by Praveen Joseph Vackayil
Pre-disposing ConditionsAn existing condition within an environment that can increase or decrease the likelihood of a threat.Eg. • Indonesia is prone to earthquakes.• We use Windows XP on all our desktops. Risk increases• We operate out of a city with low crime rate
Created by Praveen Joseph Vackayil
Likelihood of OccurrenceQuestions to Ask:• Will the threat event occur/be initiated by a threat
source successfully? • Will the threat event cause an adverse impact
successfully?
Likelihood of Occurrence=f (Likelihood of Threat Event Initiation/Occurrence, Likelihood of Threat Event causing Adverse Impact)
Created by Praveen Joseph Vackayil
Impact• Magnitude of harm caused due to the
disclosure, modification, destruction/loss of sensitive data.
• Impact may cascade to entities even external to the scoped environment.
Eg. Financial loss,reputational loss, productivity loss, loss of existing clients.
Created by Praveen Joseph Vackayil
Risk Model
Risk Model• Threat• Likelihood• Vulnerability• Pre-disposing Condition• Impact
Risk Factors Risk
Risk models define the risk factors to be assessed and the relationships among those factors.
Created by Praveen Joseph Vackayil
Sample Risk Model
Recall the earlier slide
Created by Praveen Joseph Vackayil
NIST SP 800-30 Risk Model
• Risk is the
Likelihood
• that a Threat Source
will exploit• a
Vulnerability with Severity
And/or
• A Pre-disposing Condition with Pervasiveness
And initiate a• Threat Event
Leading to
An adverse Impact
Created by Praveen Joseph Vackayil
Timing your Risk Assessment
• Just before acquiring a new company• Just before an audit• Just after deploying new laptops • Before starting operations in a new facility• Every month for all assets• Never.
You be the Judge
Created by Praveen Joseph Vackayil
Continuous Risk Assessment
• Annual Risk Assessment• Real-time updates to the Risk
Assessment via a Feedback LoopScope
Identify
AssessManage
Document
Created by Praveen Joseph Vackayil
Continuous Risk Assessment
Created by Praveen Joseph Vackayil
Continuous Risk AssessmentThoughts• Does it really work?– No tracker/reminder on the RA– Job rotations/staff leave the team– Disconnect between the risk assessor and the asset
custodians
• Is everyone that committed to security?– Top management commitment to security may not
drill down to the grass-root levels
Created by Praveen Joseph Vackayil
Formal Risk AssessmentA Formal Risk Assessment is one that is:
• Measurable• Comparable• Repeatable
A Formal approach:• Is tried and tested• Reduces re-work in devising new methodologies every
year• Leads to consistency which in turn allows integration of
RA with audit and other activities• Establishes a process and reduces people-dependency
Created by Praveen Joseph Vackayil
Formal Risk Assessment
Do we really need to use a formal risk assessment methodology?
• Yes• No
Created by Praveen Joseph Vackayil
Formal Risk AssessmentDevelop a new RA methodology Adopt an existing formal RA methodology
RA METHODOLOGY:• A new methodology must be developed, tried and
revised. This is in some ways re-invention of the wheel
• A tried and tested methodology already exists. It needs to be shortlisted and adopted.
• Corresponding RA template may be available
RISK ASSESSORS:• Develop an in-house talent pool that is well versed with
the methodology. Training costs extra.• Hire RA personnel with relevant
experience/certification. Resource costs extra.
COMPATIBILITY :• It will be created as per the organization’s unique
environment.• The existing methodology may need to be tweaked to
suit the organization’s environment, structure and culture.
Eg. Primary and supporting assets may be selected according to the org-structure.
ASSET OWNERS/CUSTODIANS:• Factors that encourage user adoption may be built-in
while developing the methodology.Eg. Qualitative risk calculation is used, since it is easier for all to understand.
• Ways to enable user adoption of the methodology must be developed.
Eg. The survey-based approach of OCTAVE may not work in an organization where people don’t respond to emails.
PREVIOUS REFERENCES:• Not sure if it will succeed/fail since there is no prior user
experience/reviews to refer to
• Tried and tested. Known to have succeeded.• Common pitfalls will be readily available based on other
users’ experiences. These can be addressed accordingly.
Created by Praveen Joseph Vackayil
Formal RA Methodologies
3 popular RA methodologies:
• ISO 27005• OCTAVE• NIST SP 800-30
Created by Praveen Joseph Vackayil
ISO 27005• Developed by International Organization for
Standardization (ISO)• Suitable for technology as well as process RA• Concept of primary and supporting asset can
be adapted to most organizational scenarios• ISRA=Risk Identification->Risk Estimation-
>Risk Evaluation• It’s USP: Asset Characterization
Created by Praveen Joseph Vackayil
ISO 27005 Workflow
Description of ISRA• Scope and
Boundaries• Org structure• Risk
Acceptance Criteria
• RA Team
Risk Analysis: Risk Identification• Scope• Assets• Threats• Existing
Controls• Vulnerabilities• Impact
Risk Analysis: Risk Estimation• Qualitative• Quantitative
Risk Evaluation• Risk Value vs
Risk Acceptance Criteria
• Accept• Mitigate• Transfer• Avoid
Created by Praveen Joseph Vackayil
OCTAVE• Developed by SEI-CMU• Most suited for assessing risks within organizational
processes• Emphasizes a workshop-based approach over a tool
approach• Built for large organizations, so interviews are broken
across hierarchies and disciplines• Pareto’s Principle: 80% of the effects come from 20%
of the causes• It’s USP: Threat Profiling• OMIG is available for free from CERT.org
Created by Praveen Joseph Vackayil
OCTAVE Risk Assessment Flow
Organizational View• P1: Senior
Management Knowledge
• P2: Operational Management Knowledge
• P3: Staff Knowledge
• P4: Threat Profiling
Technological View• P5: Identify Key
Technoology Components within a System of Interest
• P6: Evaluate Selected Components (Run a VA, Nipper Scan, run a DB review tool, etc.)
Risk Analysis• Conduct Risk
Analysis• Develop
Protection Strategy
Key Outputs:Assets, Security Requirements, Areas of Concern, Vulnerabilities, Threats
Key Outputs:Key Technological Assets and their vulnerabilities
Key Outputs:Risks and Protection strategy
PHASE I PHASE II PHASE III
Created by Praveen Joseph Vackayil
III. Case Study: Implementing an NIST SP 800-30 RA
Created by Praveen Joseph Vackayil
NIST SP 800-30: A Little Background• The Federal Information Security Management Act (FISMA) is an
information security act for all federal bodies in the US
• FISMA requires NIST to develop and issue mandatory standards for all US federal agencies called FIPS – Federal Information Processing Standards– Eg. FIPS 140 talks about Cryptography requirements, FIPS 199
talks about classification of information
• Special Publications (SPs) are guidance documents developed by NIST to support FIPS.
Created by Praveen Joseph Vackayil
NIST SP 800-30: Concept of Risk
RiskLikelihood
of Occurrenc
e
Level of
Impact
Created by Praveen Joseph Vackayil
NIST SP 800-30: RA Milestones
I. Risk Framing
II. Conduct the RA
III. Maintain
the RA
I. Identify:• Purpose of RA• Scope and
Assets• Assumptions
and Constraints
• Information Sources
• Risk Model• Analysis
Approach
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk LevelIII. Communicate
I. Monitor Risk FactorsII. Update the RA
Created by Praveen Joseph Vackayil
Case Study
• Read aloud the case study in the hand-outs issued to you.
Created by Praveen Joseph Vackayil
A Look at RPRT’s Key Personnel
CEOJeff Antony
COO and CTOAnup Kumar
Sonia Arora– Head, Project
Delivery
Rohit Kumar–Manager, IT Operations
Manoj Krishna– Head,
Physical Security
Administration
Priya Thomas– AVP, HR
CISOPhilip
Williams
Created by Praveen Joseph Vackayil
A Look at RPRT’s Key Technology Infra
ServersAD, AV, SCCM, DHCP
Network DevicesFirewall, L3 Switch
Desktops and Laptops
Created by Praveen Joseph Vackayil
A Look at RPRT’s Key Process Environments
Support Processes
Server and desktop
administration
Network device administration
Physical Security Management
processes
Personnel security
processes
Client-facing Processes
SDLC:Dev, Testing
Production Support process
Created by Praveen Joseph Vackayil
Revisit the RA Milestones
I. Risk Framing
II. Conduct the RA
III. Maintain
the RA
I. Identify:• Purpose of RA• Scope and
Assets• Assumptions
and Constraints
• Information Sources
• Risk Model• Analysis
Approach
II. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
III. Calculate• Likelihood• Impact• Risk LevelIV. Communicate
V. Monitor Risk FactorsVI. Update the RA
Created by Praveen Joseph Vackayil
Milestone # I – Risk FramingI.
Risk Framin
g I. Identify:• Purpose of RA• Scope• Assumptions
and Constraints• Information
Sources• Risk Model• Analysis
Approach
V. Monitor Risk FactorsVI. Update the RA
Factors to Consider:
i. Initial RA:• Purpose can be to identify current
security posture• Purpose can be to capture the
starting point (baseline) of risks in the current setup/new setup.
ii. Re-assessment• Purpose can be to monitor risks as
part of continuous RA• Purpose can be to evaluate risk• Purpose can be to perform controls
testing• Purpose can be to capture new risks
as the environment has undergone a significant change and update an existing RA report.
Created by Praveen Joseph Vackayil
Milestone # I – Risk FramingI.
Risk Framin
g I. Identify:• Purpose of RA• Scope and
Assets• Assumptions
and Constraints• Information
Sources• Risk Model• Analysis
Approach
V. Monitor Risk FactorsVI. Update the RA
Factors to Consider:
i. Organizational Applicability:• Business processes within the
organization that are affectedii. Effectiveness Time-frame
• Time-duration for which the RA findings are going to be relevant and can assist in risk based decisions
iii. Technological Considerations• With segmentation (VLANs,
firewalls, etc.), the in-scope network can be reduced.
• In a flat network, the entire network is in scope.
Created by Praveen Joseph Vackayil
Milestone # I – Risk FramingI.
Risk Framin
g I. Identify:• Purpose of RA• Scope and
Assets• Assumptions
and Constraints• Information
Sources• Risk Model• Analysis
Approach
V. Monitor Risk FactorsVI. Update the RA
Factors to Consider:
i. Consider all the stages of the risk assessment
ii. Clarify on the following:• The uncertainty surrounding the
risk assessment findings• The constraints faced with
regard to resources – time, team, etc.
• Assumptions made with the sampling approach deployed (if any)
• Assumptions made and limitations of a qualitative computation of risk
Created by Praveen Joseph Vackayil
Milestone # I – Risk FramingI.
Risk Framin
g I. Identify:• Purpose of RA• Scope and
Assets• Assumptions
and Constraints• Information
Sources• Risk Model• Analysis
Approach
Factors to Consider:
Consider the methods to be used in risk identificationi. People Risks
• Interviews with relevant personnel• Review of records ( eg. BGV records)• External Source: Previous employers
ii. Process Risks• Walkthrough of the process • Interviews with relevant personnel
iii. Technology Risks• Review of desktop hardening• Review of server config• Nipper scan of firewall configs• Vulnerability Assessments• External Source: Security advisories
from CERT, SANS, etc.
Created by Praveen Joseph Vackayil
Milestone # I – Risk FramingI.
Risk Framin
g I. Identify:• Purpose of RA• Scope• Assumptions
and Constraints• Information
Sources• Risk Model• Analysis
Approach
Factors to Consider:Recall the earlier slides:
Documentation of a risk model includes: i. Identification of risk factors – ie threats,
vulnerabilities and pre-disposing conditions, likelihood and impact
ii. Identification of the relationships between the above risk factors
Created by Praveen Joseph Vackayil
Milestone # I – Risk FramingI.
Risk Framin
g I. Identify:• Purpose of RA• Scope and
Assets• Assumptions
and Constraints• Information
Sources• Risk Model• Analysis
Approach
Factors to Consider:
Recall the earlier slide:
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
Capture the following aspects:
i. Type of Threat Source• Adversarial• Non-adversarial
ii. Characteristics of Threat Source• Adversarial -> Capability, Intent,
Targeting• Non-Adversarial -> Range of
Effects (Sweeping, Extensive, Limited, Minimal, etc.)
iii. Overall Criticality Rating of Threat Source• Very High, High, Moderate, Low,
Very Low
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk LevelIII. Communicate
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
Factors to Consider:
i. Envision various ways through which the Threat Source can compromise the Asset and cause a Threat Event
ii. Study the entire lifecycle of the Asset to do so
iii. Think of internal and external links /physical and logical links from threat source to the asset
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk LevelIII. Communicate
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
Factors to Consider:i. Take existing controls into
account when determining level of vulnerability.
ii. Think of internal and external entities that are a direct or indirect characteristic of the asset.
Eg. Glass is breakable, AC ducts can serve as escape tunnels, strong lights can glare out images on CCTV cameras, etc.
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk LevelIII. Communicate
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk levelIII. Communicate
Factors to Consider:i. Be clear on the concept. A Threat Event
occurring is not the same as a Threat Event causing an adverse impact.
ii. Likelihood of Occurrence implies the Likelihood that Threat Event occurs/is initiated AND causes an adverse Impact
iii. Likelihood that a Threat Event occurs/is initiated depends on the Threat Source which causes the Threat Event
iv. Likelihood that a Threat Event causes an adverse Impact depends on the Level of Vulnerability that affects the exposure to the Threat Event
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk levelIII. Communicate
Factors to Consider:i. Consider the most valuable
asset (in this case customer information) that will get compromised if the threat source will exploit the vulnerability
ii. Impact = f(Asset Value, Level of Vulnerability)
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk levelIII. Communicate
Factors to Consider:i. Risk = f (Likelihood of Occurrence, Level of Impact)
ii. Recall the Risk Response definitions to decide whether to accept, mitigate, transfer, avoid a risk.
Created by Praveen Joseph Vackayil
Milestone # II – Conduct the RA
V. Monitor Risk FactorsVI. Update the RA
II. Conduct the RA
I. Identify:• Threat Source• Threat Event• Vulnerability &
Pre-disposing Condition
II. Calculate• Likelihood• Impact• Risk levelIII. Communicate
Factors to Consider:i. Discuss with senior
managementii. Ensure the message percolates
down to the grass-root level
Created by Praveen Joseph Vackayil
Milestone # III – Maintain the RA
V. Monitor Risk FactorsVI. Update the RA
III. Maintain
the RA
V. Monitor Risk FactorsVI. Update the RA
Factors to Consider:
i. Concept of continuous risk assessment
ii. Link RA with multiple sources– eg. Threat advisories from SANS, NIST, CERT, Microsoft patch updates, Quarterly VA scans, data discovery scans, end-point compliance reports, external audit findings
iii. Update the RA Report
Created by Praveen Joseph Vackayil
Stay in TouchEmail: praveen.jvc@gmail.comdeepakumapathy@gmail.com
Thank You
top related