GRC on Sinetris's viewpoints

Frameworks

Mon, 17 Mar 2025 10:39:53 GMT

Requirements and Regulations

GDPR: General Data Protection Regulation
BaFin: Bundesanstalt für Finanzdienstleistungsaufsicht

English translation: Federal Financial Supervisory Authority
MaRisk: Mindestanforderungen an das Risikomanagement

English translation: Minimum Requirements for Risk Management
BAIT: Bankaufsichtliche Anforderungen an die IT

English translation: Supervisory Requirements for IT in Financial Institutions
ISO/IEC 27001: Information security management systems - Requirements
ISO/IEC 24760: IT Security and Privacy - A framework for identity management
KRITIS: Kritische Infrastrukturen

English translation: Critical Infrastructures
MiCA: Markets in Crypto-Assets Regulation
DORA: Digital Operational Resilience Act

Good reads and presentations

BAIT: Clearer Guidelines as a Basis for More Effective Implementation

Compliance as Code

Mon, 17 Mar 2025 10:45:42 GMT

Standards

SCAP: Security Content Automation Protocol
OSCAL: Open Security Controls Assessment Language
BPMN: Business Process Model and Notation
DMN: Decision Model and Notation

Guidelines

ComplianceAsCode: The ComplianceAsCode project

Previously known as SCAP Security Guide (SSG)

Tools

OpenSCAP: open source security compliance toolkit

NIST certified for SCAP 1.2
Trestle: Manage compliance as code using NIST’s OSCAL standard
Open Policy Agent (OPA): Declarative Policies

Context-aware, Expressive, Fast, Portable
OPAL: Open Policy Administration Layer

Good reads and presentations

OSCAL Mini Workshop Series

GRC

Mon, 17 Mar 2025 10:37:00 GMT

Governance, Risk management and Compliance

Disaster Recovery

Mon, 17 Mar 2025 10:53:28 GMT

Have a Plan B for disaster recovery

During a disaster recovery you want to be fast to respect your RTO.

It is possible, for example, to restore the operation of a service using snapshots (both volumes and instances).

Restoring snapshots may fail for unforeseen reasons (e.g., you need to restore the service on a different cloud provider), so you should make sure that you can restore from scratch (ability to recreate the service, use database dump, etc.).

[Truncated]

Accessibility

Mon, 17 Mar 2025 10:43:09 GMT

Accessibility Directives and Guidelines

European Commission - Web Accessibility: Overview of the European Commission Web Accessibility Directive
- EN 301 549: Accessibility requirements for ICT products and services
WAI: W3C Web Accessibility Initiative
- WCAG: Web Content Accessibility Guidelines
- ARIA: Accessible Rich Internet Applications suite of web standards
- ACT: Accessibility Conformance Testing
- EARL: Evaluation and Report Language
- policies: Web Accessibility Laws & Policies