GRC: Audit and Assessment
Gaurav Kumar Gupta
CISSP | CISM | RHCA | ISO LA | Cyber Security and Privacy Consulting for E2E Mobile Network, IaaS, PaaS, CaaS, SaaS, Data Centre, PNF/VNF/CNF, 2G-5G, AI/ML
DigitialWorld newsletter Edition 15 aims to demystify audit and assessment, starting from Enterprise Architecture and its associated risk management framework: how to select the applicable audit or assessment, how compliance audits are linked to the industry vertical, how to carry out an audit or assessment, and what an outcome-focused audit or assessment looks like.
Contents
Enterprise Architecture, Goal and Purpose
Enterprise Architecture Key Functional Components
Enterprise Architecture and Risk Management
Risk Management, Role of Audit/Assessment and associated use cases
Focus/Purpose of an Audit/Assessment
Audit/Assessment Methodology (How to Audit/Assess)
Outcome focused Audit/Assessment
References
Enterprise Architecture, Goal and Purpose
- Alignment with Business Strategy: aligning IT capabilities to business strategy. This ensures that IT investments and initiatives support and enable the overall objectives of the organization. EA helps bridge the gap between business needs and IT capabilities by providing a structured approach to designing, planning, and implementing IT solutions that contribute to business success.
- Holistic View of the Organization: EA provides a comprehensive view of an organization's structure, processes, information flows, and technology infrastructure. It captures how different parts of the organization interact and operate together as a unified system. This holistic view allows stakeholders to understand dependencies, identify opportunities for integration and optimization, and make informed decisions about investments in IT and business processes.
- Standardization and Consistency: EA promotes standardization of processes, technologies, and data across the organization. By defining and enforcing standards and guidelines, EA helps reduce complexity, duplication, and inconsistency within IT systems and infrastructure. This standardization improves efficiency, enhances interoperability between different systems, and facilitates easier management and maintenance of IT assets.
- Enablement of Change and Innovation: A well-defined EA enables organizations to adapt to changes in the business environment and technology landscape. It provides a framework for evaluating new technologies, assessing their impact on existing systems, and implementing changes in a controlled and systematic manner. EA fosters innovation by enabling the exploration and adoption of emerging technologies that can drive business growth and competitive advantage.
- Risk Management and Compliance: EA incorporates risk management practices to identify, assess, and mitigate risks associated with IT investments and initiatives. By integrating risk management into EA processes, organizations can proactively address security threats, regulatory compliance requirements, and operational risks. This approach helps minimize disruptions to business operations and ensures that IT investments deliver expected value while managing associated risks effectively.
- Cost Optimization: EA helps optimize IT costs by rationalizing IT investments, eliminating redundant systems and processes, and improving resource utilization. By providing visibility into IT assets and their interdependencies, EA enables organizations to identify cost-saving opportunities, streamline operations, and allocate resources more effectively.
In essence, the goal of enterprise architecture is to enable organizations to achieve their strategic objectives by leveraging IT capabilities effectively, managing complexity, and driving business transformation in a structured and coherent manner. It serves as a foundational framework that aligns business and IT, promotes standardization and innovation, mitigates risks, and optimizes costs to support long-term organizational success and competitiveness.
Enterprise Architecture Key Functional Components
The key components of Enterprise Architecture (EA) typically include the aspects that collectively define and govern an organization's structure, processes, systems, and technology infrastructure. These components ensure alignment with business goals and facilitate effective management of IT resources.
1. Business Architecture
Key Components Of Business Architecture
I. Business Processes
II. Organizational Structure
III. Business Capabilities
2. Information Architecture
- Describes the structure of an organization's logical and physical data assets and data management resources.
Key Components Of Information Architecture
3. Application Architecture
- Specifies the organization's major application systems and their interactions. It includes software applications, their interfaces, and their relationships to the business processes.
Key Components Of Application Architecture
I. Applications Inventory
II. Application Interfaces
III. Application Dependencies
4. Technology Architecture
Key Components Of Technology Architecture
This list outlines the main components typically found in enterprise architecture frameworks such as TOGAF or the Zachman Framework.
This structure provides a clear overview of the main components of enterprise architecture, illustrating how each layer (Business, Information, Application, and Technology), together with risk management, contributes to the overall architecture of the organization.
Enterprise Architecture and Risk Management
Enterprise Architecture (EA) does not come with a single, specific risk management framework as a built-in component. Since there is no standardized framework for risk-aware EA, organizations typically adopt an existing risk management framework (such as COSO ERM or ISO 31000) and integrate it with their EA practice.
Here is how EA and risk management intertwine. Integrating the two allows an organization to achieve:
I. Risk Informed Decision Making
II. Identifying and Mitigating Risks
III. Aligning Risk Management with Business Objectives
IV. Standardization and Compliance
V. Resilience and Business Continuity
In fact, risk management encompasses the application architecture, technology architecture, information architecture and the business/operational processes.
Further, the application, technology and information architectures can be simplified as cyber-physical assets and the traffic/data flows they carry. The picture below illustrates this.
Depending on the risk management strategy adopted to protect the confidentiality, integrity and availability (CIA) of information belonging to individuals, enterprises or governments, safeguards or countermeasures need to be implemented. These safeguards/countermeasures are known as security controls.
These security controls help protect information/data and reduce the likelihood of data loss, theft, data breaches or other cyber security incidents. Security controls shall be implemented on the assets, i.e. the cyber-physical systems, and on the people and workflows that use them. They shall also meet the applicable compliance and regulatory requirements.
Security controls broadly fall into three types: physical, administrative and technical.
Administrative controls (often called managerial controls; labelled "logical" in some frameworks) cover security policies, the security programme, and security awareness and training that lead to individual awareness.
Technical (logical) controls are implemented in the cyber-physical systems themselves, for example IAM/PAM including multi-factor authentication, firewalls (at the relevant OSI layers), IPS, IDS, DLP, PKI/digital certificates, SIEM/SOAR, and EDR/XDR.
Together, physical, administrative and technical controls ensure that the cyber security posture remains consistent, that insider and external threats are minimized, and that organizational assets, including people, remain protected.
In essence, enterprise architecture and risk management are intertwined because EA provides the foundational framework and context within which risks can be identified, assessed, and managed effectively to support the organization's strategic objectives and operational resilience. By integrating risk management practices into EA processes, organizations can enhance their ability to adapt to changes, exploit opportunities, and minimize potential threats.
Risk Management, Role of Audit/Assessment and associated use cases
Based on the risk management strategy adopted (risk acceptance or risk mitigation), an audit or assessment should be supported in the following use cases:
- New technology/solution/cyber-physical asset introduction, or changes to existing cyber-physical assets
- Merger and acquisition
- Changing regulatory compliance requirements
- New business/operational process introduction, or changes to an existing business/operational process
- New enterprise user onboarding, or changes to an existing user's role
- New supplier/vendor introduction, or changes to an existing vendor/supplier
- Predefined frequency of audit/assessment (periodic review)
Focus/Purpose of an Audit/Assessment
Considering the key components of Enterprise Architecture, an audit/assessment may cover all of the EA components or only some of them, i.e. Business Architecture, Information Architecture, Application Architecture and Technology Architecture.
In a more simplified view, the business/operational process entails the interaction of enterprise users, third-party vendor users and end customers with the information, application and technology architectures.
The technology, information and application architectures and the business/operational processes can be further broken down into:
- Organization-known and managed cyber-physical assets, the operational/traffic/data flows they support, enterprise-known users, and enterprise user endpoint devices.
- Organization-known and managed cyber-physical assets, the operational/traffic/data flows they support, and known third-party users.
Audit/Assessment can also be categorized as good-to-have versus must-have:
I. Enterprise Architecture best practices and industry-specific best practices (good to have; focus on efficiency/optimization)
II. Business process/operational process best practices (good to have; focus on efficiency/optimization)
III. Regulatory compliance audit/assessment (must have)
Audit/Assessment can also be categorized by focus:
I. IT system focus
II. IT controls focus
III. Enterprise user focus
IV. Enterprise IS policies/process focus
V. Privacy focus
VI. Third-party focus
VII. End customer focus
Framework for Selecting Applicable Audit/Assessment
Depending on the industry segment (BFSI, automobile, telecommunication, healthcare) and the organization's sales segment (B2B or B2C), industry-segment-specific audits/assessments come into the picture, as described below.
B2B example:
I. A telecommunication service provider purchasing hardware and software systems from an OEM.
B2C examples:
I. An automotive vendor selling products (two-wheelers, four-wheelers) to end customers who buy and use them.
II. A telecommunication service provider providing mobile/broadband services to end users (this becomes B2C).
Audit/Assessment Methodology (How to Audit/Assess)
- Stages in an audit/assessment
- Depending on the methodology, an audit/assessment can rely on questionnaires, interviews and report analysis,
versus
technical testing of IT systems such as penetration testing, vulnerability assessment (VA) scanning and configuration audit.
Outcome focused Audit/Assessment
Findings can be classified by their effect on the security posture:
I. Direct and immediate impact on the security posture
II. Indirect and non-immediate impact on the security posture of the organization
Findings from VA scanning, penetration testing and configuration audit shall result in a mitigation action: either a change request is triggered or a new control is selected.
A robust change request and patch management strategy, both in principle and in practice, remains a key area of an enterprise's InfoSec programme strategy.
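The following is an added example, not code from the original newsletter, showing how a configuration audit (one of the technical methods listed above) can produce outcome-focused findings: each deviation from a baseline is classified as direct or indirect impact and turned into a change-request item. The sshd_config-style sample, the baseline values and the impact ratings are assumptions chosen for illustration.

```python
"""Configuration audit with outcome classification (added example).

The sample configuration below is constructed, not taken from any real host,
and the baseline values are an assumed hardening standard for illustration.
"""
from dataclasses import dataclass

# Constructed sample: an sshd_config-style file with a mix of good and bad settings.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
LogLevel VERBOSE
MaxAuthTries 10
"""


@dataclass(frozen=True)
class Check:
    key: str        # configuration directive to verify
    expected: str   # baseline value
    impact: str     # "direct" (immediate posture impact) or "indirect"
    rationale: str  # why the auditor cares


# Assumed baseline: each entry is one control the audit verifies.
BASELINE = [
    Check("PermitRootLogin", "no", "direct",
          "Remote root login removes per-user accountability."),
    Check("PasswordAuthentication", "no", "direct",
          "Password authentication exposes the host to credential guessing."),
    Check("MaxAuthTries", "4", "direct",
          "A high retry limit makes brute force cheaper."),
    Check("X11Forwarding", "no", "indirect",
          "An unneeded feature widens the attack surface."),
    Check("LogLevel", "VERBOSE", "indirect",
          "Less log detail slows down incident investigation."),
]


def parse_config(text):
    """Parse 'Directive value' lines; comments and blanks are ignored,
    directive names are matched case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit(text, baseline=BASELINE):
    """Compare a configuration against the baseline and return the findings.

    A directive that is missing entirely is reported as '<unset>' so that a
    silently defaulted setting is not mistaken for a compliant one."""
    settings = parse_config(text)
    findings = []
    for check in baseline:
        observed = settings.get(check.key.lower(), "<unset>")
        if observed.lower() != check.expected.lower():
            findings.append({
                "key": check.key, "observed": observed,
                "expected": check.expected, "impact": check.impact,
                "rationale": check.rationale,
            })
    return findings


def change_request(findings):
    """Turn findings into change-request lines, direct-impact items first,
    so the items with immediate posture impact are remediated first."""
    ordered = sorted(findings, key=lambda f: 0 if f["impact"] == "direct" else 1)
    return [
        f"Set {f['key']} {f['expected']} (was {f['observed']}; "
        f"{f['impact']} impact: {f['rationale']})"
        for f in ordered
    ]


if __name__ == "__main__":
    for item in change_request(audit(SAMPLE_SSHD_CONFIG)):
        print(item)
```

Running the block against the constructed sample yields four findings, three of them direct (root login, password authentication, retry limit) and one indirect (X11 forwarding); LogLevel already meets the baseline and is not reported. In a real engagement the baseline would come from the organization's hardening standard or the applicable regulatory requirement, and the change-request output would feed the change and patch management process described above.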
References
- COSO ERM Integrated Framework: https://www.iasplus.com/en/othernews/global/coso-framework
- ISO 31000 Risk Management: https://www.iso.org/iso-31000-risk-management.html
- NIST Risk Management Framework (RMF): https://csrc.nist.gov/projects/risk-management/about-rmf