Dhia Hachicha

⚠ Areas of Overlap and Gaps between AICPA SOC2 Trust Services Criteria (TSC) and ISO 42001 - PART 1⚠ 🔄 Areas of Overlap 1. Risk Management: ◾AICPA TSC: Emphasizes risk assessment and risk management, focusing on identifying and mitigating risks to the achievement of service commitments and system requirements. ◾ISO 42001: Requires organizations to identify, assess, and address risks and opportunities related to AI systems (Clauses 6.1, 6.1.2, 6.1.3). 2. Security: ◾AICPA TSC: Includes criteria for protecting the system against unauthorized access, both logical and physical. ◾ISO 42001: Includes controls for ensuring the security of AI systems, including data and system integrity (Annex A controls). 3. Integrity and Confidentiality: ◾AICPA TSC: Addresses the need for integrity and confidentiality of information processed by the system. ◾ISO 42001: Requires the organization to maintain the confidentiality, integrity, and availability of information (Annex A controls). 4. Monitoring and Evaluation: ◾AICPA TSC: Stipulates the need for monitoring system performance and conducting regular evaluations. ◾ISO 42001: Requires monitoring, measurement, analysis, and evaluation of the AI management system’s performance (Clause 9.1). 5. Governance and Accountability: ◾AICPA TSC: Emphasizes governance and oversight mechanisms to ensure accountability. ◾ISO 42001: Requires defined roles and responsibilities, and top management commitment (Clauses 5.1, 5.3). ⤴ Gaps 1. Specific AI Controls: ◾AICPA TSC: General control criteria applicable to all IT systems but does not provide specific guidance for AI systems. ◾ISO 42001: Provides specific requirements and controls for AI systems, considering unique aspects such as continuous learning, transparency, and explainability. 2. Impact Assessment: ◾AICPA TSC: Focuses broadly on risk and impact assessments but not specifically tailored for AI impacts. ◾ISO 42001: Requires detailed AI system impact assessments, including societal and individual impacts (Clause 6.1.4). 3. Ethics and Bias: ◾AICPA TSC: Does not explicitly address ethical considerations or bias in AI systems. ◾ISO 42001: Emphasizes ethical considerations, fairness, and bias mitigation in AI systems (Annex A controls, Annex B guidance). 4. AI-specific Documentation: ◾AICPA TSC: Requires documentation of controls and policies but does not specify AI documentation requirements. ◾ISO 42001: Requires detailed documentation for AI systems, including policies, procedures, impact assessments, and risk management (Clauses 7.5.1, 7.5.3). For more information on questions you should be asking yourself if you are pursuing SOC2 attestation in parallel to ISO42001 certification. As always, for help getting started, please reach out! A-LIGN #AICPA #SOC2 #iso42001 #TheBusinessofCompliance #ComplianceAlignedtoYou

١٤

٢ تعليق

In this new article of mine on ISACA Journal, I want to present the common points between the ISO/IEC 27001:2022 security standard, the NIST CSF 2.0 cybersecurity framework and the Risk Treatment Plan (RTP), to allow us to highlight the possible synergies. Integrating compliance activities is a creation of value for the business because it optimizes the use of resources employed in assessment activities and obtains consistent results in the different perspectives adopted. The ISO standard requires the evaluation of the effectiveness of the controls included in the Statement of Applicability, the NIST framework requires the evaluation of the level of implementation of the subcategories of the cybersecurity profile, while the RTP must evaluate the effectiveness of the risk containment measures. Technically, each of those activities is called a control, and in turn these controls are composed of further elementary activities, that is, simpler tasks that the company implements for its own functioning. These latter activities we could call control tasks. There are two aspects to consider to obtain synergies. The first concerns the possibility of recombining these control tasks to respond to the evaluation of each element of the control checklists. The second aspect is the evaluation metric necessary to determine the level of implementation of the controls to aggregate the results. For this purpose, the best candidate is the Capability Maturity Model (CMM) as it is a simple and general model for researching the level of implementation maturity of an action, with respect to the objectives set for that action. The advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold. A first benefit is in the very nature of the control task which corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has already built for its own needs, that it knows well, and therefore can process without wasting resources. This is also an indicator of the quality of the assessment. A second benefit is in the management method of the various frameworks. Instead of building specific detection mechanisms, with new costs to be sustained for their management, for each control of the chosen framework the control tasks that have been identified are appropriately combined and the relative evaluations are automatically aggregated. The only burden is in defining the relationship between the company's control tasks and the framework controls. All the details are in my article.

٢٦

١ تعليق واحد

Between mid-2021 and mid-2022, Saudi Arabia experienced a significant number of ransomware attacks. Here are some key points: 📌 Ransomware Attacks in Saudi Arabia and the UAE: 📎 Organizations in Saudi Arabia and the United Arab Emirates (UAE) were the most affected in the Gulf Cooperation Council (GCC) region during this period. 📎 A report by cybersecurity company Group-IB revealed that 33% of the targeted companies were UAE-based, while 29% were from Saudi Arabia1. 📎 The energy, telecoms, IT, and manufacturing sectors were frequently targeted. 📌 Double Extortion Technique: 📎 Ransomware gangs used a technique called double extortion. In addition to encrypting networks, they also stole sensitive data and threatened to publish it online if the victim didn’t pay the demanded ransom. 📎 Dedicated leak sites (DLS) were used by these gangs to upload stolen data and files from victims’ networks1. 📌 Global Impact: 📎 Globally, 2,886 companies had their information, files, and data published on such sites during the same period, representing a 22% increase compared to the previous year1. 📎 Ransomware remains a major threat for businesses and governments worldwide in 2023, with ransom demands rising rapidly1. 📌 Iran’s Cybersecurity Threat: 📎 Experts have warned that Iran poses a real cybersecurity threat to Saudi Arabia and other Gulf countries. 📎 Key industries such as telecoms, oil, and gas could be targeted by Iranian groups for potential cyberespionage or attacks1. Additionally, in the past, Saudi Aramco, the world’s most valuable oil producer, faced a data leak from one of its contractors. Hackers reportedly demanded $50 million from the company in an extortion attempt. To protect against any cyber attacks, it is important to understand the motives. The cyberattacks that impacted Saudi Arabia and the United Arab Emirates (UAE) between mid-2021 and mid-2022 were driven by several key motivational aspects: 📌 Geopolitical Tensions and Cyberwarfare 📌 Hacktivism 📌 Critical Infrastructure Vulnerability 📌 Government Agencies as Prime Targets 📌 Increased Digitization and Economic Impact 📌 DDoS Attacks on the Rise Remember that cybersecurity is an ongoing process. Stay informed about emerging threats and adapt your defenses accordingly. If you have any specific concerns or need further guidance, feel free to ask!

١١

١ تعليق واحد

Vulnerability Details : CVE-2024-38872 Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module. CVSS 8.3

١

#ISACA #Audit #Auditor #ITAuditor The increasing importance of IT Audits to the #BoD The BoD is responsible for ensuring that the IT audit is effective by asking the right questions before the audit, confirming adequate due diligence has been completed, understanding the scope and objectives of the IT audit, and ensuring appropriate actions are taken related to the audit by requiring management responses for any exceptions noted or recommendations made.....

٥

#SIEM_SOR_XDR #SIEM (Security Information and Event Management): #Core_function: Gathers, analyzes, and correlates security events from various sources within an organization. #Focus: Provides a centralized view of security activities, enabling detection of anomalies and potential threats. #Key_features: Centralized logging, correlation rules, real-time monitoring, #reporting, and compliance management. #SOR (Security Orchestration, Automation, and Response): #Core function: Automates and orchestrates security workflows and responses to incidents. #Focus: Improves efficiency and reduces response time by automating repetitive tasks and integrating with existing security tools. #Key_features: Incident response playbooks, automation of tasks like threat hunting and remediation, integration with SIEM and other tools. #XDR (Extended Detection and Response): #Core function: Combines threat detection, investigation, and response capabilities across multiple security domains. #Focus: Provides a more comprehensive and unified view of threats, enabling faster and more effective response. #Key_features: Integration of endpoint detection and response (EDR), network detection and response (NDR), cloud workload protection platform (CWPP), and other security technologies. #In_essence: #SIEM provides the foundation for security visibility and analysis. #SOR enhances the efficiency and effectiveness of security operations. #XDR offers a more comprehensive and integrated approach to threat detection and response. Many organizations today are combining #SIEM, #SOR, and #XDR solutions to create a more robust and effective security posture. #cybersecurity #InformationSecurity #Monitoring_solutions #SIEM #SOR #XDR

٢

#Cybersecurity #RiskManagement "...technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers " #security #securityriskmanagement #securitymanagement #securityrisks #enterprisesecurity #cybersecurity #physicalsecurity #informationsecurity #digitalsecurity #securityoperations #enterprisesecurityriskmanagement #securityassessment #intelligence #threatlintelligence #risk #riskmanagement #safety #safetyfirst #safetymanagement #safetyassessment #safetyrisks #safetyculture #safetyanalysis #personalsafety #workplacesafety #healthandsafety #hazard #danger #peril #threat #PPE #protectivesafety #workplacesafety #risk #risks #enterpriserisk #enterprisesecurityriskmanagement #intelligence #threatlintelligence #riskmanagement #riskanalysis #riskassessment #riskmanagementframework #operationalriskmanagement #projectriskmanagement #projectrisk #operationalresilience #resilience #operationalrisk #riskintelligence #governance #crisis #crisismanagement #complexity #chaos #crisisleadership #crisisplan #crisismanagementplan #stress #governance #decisionmaking #riskmanagement #riskinformed #securitymanagement #securityriskmanagement #resilience #humanfactors #emergency #disaster #emergencyresponse

١١

٢ تعليق

Information Security Basics, Part 16 : Digital signatures A digital signature is a mathematical technique used to validate the authenticity and integrity of digital messages, documents, or software. It functions similarly to a handwritten signature or a stamped seal but in a digital form. 1. Signing: When a sender wants to sign a document or message digitally, they use a cryptographic algorithm to generate a unique digital fingerprint of the content, known as a hash. Then, they use their private key to encrypt this hash, creating the digital signature. 2. Verification: The recipient of the digitally signed content can use the sender's public key to decrypt the digital signature and obtain the hash. They then generate their own hash of the received content. If the two hashes match, it proves that the content has not been altered since it was signed and that the signature was generated using the sender's private key, thus confirming its authenticity and integrity. Digital signatures are commonly used in electronic transactions, contracts, software distribution, and other scenarios where verifying the origin and integrity of digital content is essential. They provide a high level of security and assurance in the digital realm, helping to prevent tampering, forgery, and unauthorized modifications. #information #security #cybersecurityawareness #audit #Infosec #basics

٧

١ تعليق واحد

📚 Normes ISO pour les professionnels de la GRC, Mindmap. 📖 Resources for GRC professionals: -Frameworks and standards: -Guidelines for Boards: -Books: #Gouvernance #Compliance #Confirmité #GRC https://lnkd.in/eJFKePue

١

❌️ CrowdStrike : The Cybersecurity Ally More Dangerous Than Malicious Hackers!☠️💀☠️ Today's global outage of Microsoft Windows systems due to a botched CrowdStrike update raises serious questions about the reliability of our cybersecurity solutions. When the protectors become the disruptors, the stakes are higher than ever. Are we putting too much trust in these 'allies'? How did our risk management and internal audit systems fail to detect such systemic risks? What steps can we take to ensure better oversight and resilience in the future? #CyberSecurity #IT #Microsoft #CrowdStrike #RiskManagement #InternalAudit #SystemicRisks

٢

١ تعليق واحد

#Cybersecurity #RiskManagement "...the strategic environment was characterized by complexity, interconnectivity, and competition. Continued progress in digital communications, advanced computing, quantum information science, data storage and processing, and other critical and emerging technologies are rapidly increasing the complexity of our economy and society. These technologies also connect people around the world, enable the proliferation of cyber-physical systems, and create new dependencies between critical infrastructure and essential services across every sector. As this landscape evolves, malicious state and non-state actors are exploiting its seams with growing capability and strategic purpose, making clear that cyberspace is closely aligned with other domains of international conflict and competition." "Five trends, in addition to enduring cybersecurity challenges, drove change in the strategic environment in 2023. 1. Evolving Risks to Critical Infrastructure: Nation-state adversaries demonstrated a growing willingness to use cyber capabilities to compromise and hold at risk critical infrastructure systems and assets with no inherent espionage value, in order to further their broader strategic objectives. 2. Ransomware: Ransomware remained a persistent threat to national security, public safety, and economic prosperity, and ransomware groups continued to develop sophisticated strategies to evade or circumvent defensive and disruptive measures designed to frustrate their activities. 3. Supply Chain Exploitation: Complex and interconnected supply chains for software and other information technology and services enabled malicious actors to compromise victims at scale. 4. Commercial Spyware: There was a growing market for sophisticated and invasive cyber-surveillance tools sold to nation-state actors by private vendors to access electronic devices remotely, monitor and extract their content, and manipulate their components without the knowledge or consent of the devices’ users. 5. Artificial Intelligence: Artificial intelligence (AI) is one of the most powerful, publicly accessible technologies of our time, and its continued evolution in 2023 presented opportunities and challenges for cyber risk management at scale. " #security #securityriskmanagement #securitymanagement #securityrisks #enterprisesecurity #cybersecurity #physicalsecurity #informationsecurity #digitalsecurity #securityoperations #enterprisesecurityriskmanagement #securityassessment #intelligence #threatlintelligence #risk #riskmanagement #risk #risks #enterpriserisk #enterprisesecurityriskmanagement #intelligence #threatlintelligence #riskmanagement #riskanalysis #riskassessment #riskmanagementframework #operationalriskmanagement #projectriskmanagement #projectrisk #operationalresilience #resilience #operationalrisk #riskintelligence #governance #crisis #crisismanagement #complexity #chaos #crisisleadership #crisisplan #crisismanagementplan #stress #governance

٣٩

٤ تعليق

A guide to #bcp

١٩

#𝐊𝐞𝐲_𝐁𝐞𝐧𝐞𝐟𝐢𝐭𝐬 𝐨𝐟 𝐍𝐞𝐭𝐰𝐨𝐫𝐤 𝐏𝐞𝐧𝐞𝐭𝐫𝐚𝐭𝐢𝐨𝐧 𝐓𝐞𝐬𝐭𝐢𝐧𝐠: #𝐈𝐝𝐞𝐧𝐭𝐢𝐟𝐲_𝐕𝐮𝐥𝐧𝐞𝐫𝐚𝐛𝐢𝐥𝐢𝐭𝐢𝐞𝐬: Detect and address network weaknesses before exploitation, reducing security risks effectively. #𝐄𝐧𝐡𝐚𝐧𝐜𝐞_𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲_𝐏𝐨𝐬𝐭𝐮𝐫𝐞: Gain insights to improve defenses and optimize security investments. #𝐄𝐧𝐬𝐮𝐫𝐞_𝐂𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞: Meet regulatory standards (e.g., HIPAA, PCI DSS) and avoid penalties or reputational harm. #𝐒𝐚𝐟𝐞𝐠𝐮𝐚𝐫𝐝_𝐃𝐚𝐭𝐚: Prevent breaches by addressing risks to sensitive information, maintaining trust and compliance. #𝐌𝐢𝐧𝐢𝐦𝐢𝐳𝐞_𝐅𝐢𝐧𝐚𝐧𝐜𝐢𝐚𝐥_𝐋𝐨𝐬𝐬: Reduce potential financial damage from cyberattacks by strengthening defenses. #𝐏𝐫𝐨𝐭𝐞𝐜𝐭_𝐑𝐞𝐩𝐮𝐭𝐚𝐭𝐢𝐨𝐧: Maintain trust and credibility by demonstrating commitment to robust security practices. #𝐍𝐞𝐭𝐰𝐨𝐫𝐤_𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲_𝐓𝐞𝐬𝐭𝐢𝐧𝐠_𝐏𝐫𝐨𝐜𝐞𝐬𝐬: #𝐏𝐥𝐚𝐧𝐧𝐢𝐧𝐠_𝐚𝐧𝐝_𝐒𝐜𝐨𝐩𝐢𝐧𝐠: Define objectives, scope, and rules of engagement. Gather information about the target network (IP ranges, domains, etc.). #𝐑𝐞𝐜𝐨𝐧𝐧𝐚𝐢𝐬𝐬𝐚𝐧𝐜𝐞: Collect intelligence through active and passive methods. Identify open ports, services, and potential vulnerabilities. #𝐒𝐜𝐚𝐧𝐧𝐢𝐧𝐠_𝐚𝐧𝐝_𝐄𝐧𝐮𝐦𝐞𝐫𝐚𝐭𝐢𝐨𝐧: Perform network scans to identify live hosts, services, and systems. Enumerate systems to gather user accounts, shares, or configurations. #𝐕𝐮𝐥𝐧𝐞𝐫𝐚𝐛𝐢𝐥𝐢𝐭𝐲_𝐀𝐧𝐚𝐥𝐲𝐬𝐢𝐬: Analyze scan results to identify security flaws and potential exploits. Assess risks based on the vulnerabilities discovered. #𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐚𝐭𝐢𝐨𝐧: Attempt to exploit identified vulnerabilities to gain unauthorized access. Simulate attacks to understand the network's weaknesses. #𝐏𝐨𝐬𝐭_𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐚𝐭𝐢𝐨𝐧: Maintain access to compromised systems for further exploration. Extract sensitive data or escalate privileges to simulate real-world threats. #𝐑𝐞𝐩𝐨𝐫𝐭𝐢𝐧𝐠: Document findings, including vulnerabilities, exploits, and recommendations. Provide actionable insights for remediation and improving security posture. #𝐑𝐞𝐦𝐞𝐝𝐢𝐚𝐭𝐢𝐨𝐧_𝐚𝐧𝐝_𝐑𝐞_𝐓𝐞𝐬𝐭𝐢𝐧𝐠: Collaborate with the target organization to address vulnerabilities. Re-test to confirm the effectiveness of the implemented fixes.

٧

Finally obtained the CISM certification from ISACA 🎉 Thank you to PwC France and Raphael Roth for your investment in my personal development. The opportunities provided by the company have been instrumental in my growth and progress. #PwCProud This journey required a lot of dedication and hard work. Here are some key tips that are crucial to pass the exam: 1. Complete all questions from the study plan: As a manager already familiar with most information security concepts, I found it more beneficial to focus on thoroughly working through the study plan questions rather than reading the manual. 2. Practice tests are crucial: Taking at least two full practice tests after completing the study plan helped confirm my understanding and identify areas for improvement. 3. Aim high on practice tests: Striving to achieve at least 90% on practice tests ensured I was well-prepared and confident in my knowledge. 4. Take notes and revise them: Diligently taking notes and revising them regularly helped me reinforce key concepts and details. 5. Understand, don’t memorize: Focusing on understanding key concepts rather than note memorization made the material more intuitive and easier to apply. 6. Set a deadline for yourself and book the test: Setting a clear deadline to finish studying and booking the test accordingly kept me on track and motivated. 7. Maintain a positive mindset: Approaching the exam with confidence and a positive attitude was crucial. Believing in my preparation and knowledge helped me stay focused and calm. Here’s to many more milestones together! #CISM #ISACA #Dedication #PersonalDevelopment

١٣٧

٢٢ تعليق

The 20th Control under Technology Controls in ISO 27001:2022 A.8.20 - Networks Security #ISMS #ISO27001 #ISO27002

٣١

#Cybersecurity "Cloud computing can provide significant agility, resiliency, security, and economic benefits. However, these benefits are only materialized if cloud models are properly understood and adopted, and cloud architectures and practices are aligned with the features and capabilities of cloud platforms. A cloud service customer (CSC ) migrating an existing application or asset by simply moving it to a CSP without any changes (known as rehosting or "lift-and-shift”) will often not provide the expected agility, resiliency, and security, all while increasing costs. In short, the benefits of cloud computing are closely tied to understanding the proper use of cloud computing models, cloud-native capabilities, and services. " #security #securityriskmanagement #securitymanagement #securityrisks #enterprisesecurity #cybersecurity #physicalsecurity #informationsecurity #digitalsecurity #securityoperations #enterprisesecurityriskmanagement #securityassessment #intelligence #threatlintelligence #risk #riskmanagement #safety #safetyfirst #safetymanagement #safetyassessment #safetyrisks #safetyculture #safetyanalysis #personalsafety #workplacesafety #healthandsafety #hazard #danger #peril #threat #PPE #protectivesafety #workplacesafety #risk #risks #enterpriserisk #enterprisesecurityriskmanagement #intelligence #threatlintelligence #riskmanagement #riskanalysis #riskassessment #riskmanagementframework #operationalriskmanagement #projectriskmanagement #projectrisk #operationalresilience #resilience #operationalrisk #riskintelligence #governance #crisis #crisismanagement #complexity #chaos #crisisleadership #crisisplan #crisismanagementplan #stress #governance #decisionmaking #riskmanagement #riskinformed #securitymanagement #securityriskmanagement #resilience #humanfactors #emergency #disaster #emergencyresponse #travelsecurity #travelsafety #travel #businesstravel #tourism #travelrisks #travelriskmanagement

٢٧

١ تعليق واحد

𝐏𝐮𝐛𝐥𝐢𝐜 𝐀𝐰𝐚𝐫𝐞𝐧𝐞𝐬𝐬: 𝐄𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 𝐢𝐧 𝐀𝐈 𝐯𝐬. 𝐓𝐫𝐚𝐝𝐢𝐭𝐢𝐨𝐧𝐚𝐥 𝐃𝐚𝐭𝐚 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 “Encryption algorithms designed for deep neural networks and AI safeguard model weights and training data, ensuring privacy and robustness against adversarial attacks, while traditional data encryption primarily secures static information in transit or storage.” It should be one if the points that nedd to focused on while we are checking data theft and data poisoning in our AI applications. Stay informed and stay secure! #AI #Encryption #CyberSecurity #DataProtection

٣