Sinetris's viewpoints

Frameworks

Mon, 17 Mar 2025 10:39:53 GMT

Requirements and Regulations

GDPR: General Data Protection Regulation
BaFin: Bundesanstalt für Finanzdienstleistungsaufsicht

English translation: Federal Financial Supervisory Authority
MaRisk: Mindestanforderungen an das Risikomanagement

English translation: Minimum Requirements for Risk Management
BAIT: Bankaufsichtliche Anforderungen an die IT

English translation: Supervisory Requirements for IT in Financial Institutions
ISO/IEC 27001: Information security management systems - Requirements
ISO/IEC 24760: IT Security and Privacy - A framework for identity management
KRITIS: Kritische Infrastrukturen

English translation: Critical Infrastructures
MiCA: Markets in Crypto-Assets Regulation
DORA: Digital Operational Resilience Act

Good reads and presentations

BAIT: Clearer Guidelines as a Basis for More Effective Implementation

Compliance as Code

Mon, 17 Mar 2025 10:45:42 GMT

Standards

SCAP: Security Content Automation Protocol
OSCAL: Open Security Controls Assessment Language
BPMN: Business Process Model and Notation
DMN: Decision Model and Notation

Guidelines

ComplianceAsCode: The ComplianceAsCode project

Previously known as SCAP Security Guide (SSG)

Tools

OpenSCAP: open source security compliance toolkit

NIST certified for SCAP 1.2
Trestle: Manage compliance as code using NIST’s OSCAL standard
Open Policy Agent (OPA): Declarative Policies

Context-aware, Expressive, Fast, Portable
OPAL: Open Policy Administration Layer

Good reads and presentations

OSCAL Mini Workshop Series

Disaster Recovery

Mon, 17 Mar 2025 10:53:28 GMT

Have a Plan B for disaster recovery

During a disaster recovery you want to be fast to respect your RTO.

It is possible, for example, to restore the operation of a service using snapshots (both volumes and instances).

Restoring snapshots may fail for unforeseen reasons (e.g., you need to restore the service on a different cloud provider), so you should make sure that you can restore from scratch (ability to recreate the service, use database dump, etc.).

[Truncated]

Accessibility

Mon, 17 Mar 2025 10:43:09 GMT

Accessibility Directives and Guidelines

European Commission - Web Accessibility: Overview of the European Commission Web Accessibility Directive
- EN 301 549: Accessibility requirements for ICT products and services
WAI: W3C Web Accessibility Initiative
- WCAG: Web Content Accessibility Guidelines
- ARIA: Accessible Rich Internet Applications suite of web standards
- ACT: Accessibility Conformance Testing
- EARL: Evaluation and Report Language
- policies: Web Accessibility Laws & Policies

Risk Owner

Sun, 07 Dec 2025 23:58:31 GMT

Person directly responsible for identifying, assessing, monitoring, reporting, responding to, and defining intervention strategies in relation to risks associated with an IT asset.

Information Technology Asset

Sun, 07 Dec 2025 23:19:32 GMT

Hardware and software (e.g., applications, systems, virtual resources, data) that an organization uses to support its business objectives.

Responsive Controls

Sun, 07 Dec 2025 21:35:56 GMT

Measures designed to respond to and rectify security violations or incidents after they have been identified.

Detective Controls

Sun, 07 Dec 2025 21:23:57 GMT

Measures designed to identify, record, and report a security incident after it has occurred.

General Data Protection Regulation

Sun, 07 Dec 2025 21:22:17 GMT

Regulation that governs how the personal data of individuals in the EU may be processed and transferred.

Entitlements

Mon, 01 Dec 2025 11:17:25 GMT

The access rights an account has on an asset.

Access Recertification Campaigns

Mon, 01 Dec 2025 10:25:02 GMT

Periodic review of user entitlements to enforce the Principle of Least Privilege, ensure orphaned accounts are removed, and reduce internal threats and compliance violations.

Access Request

Mon, 01 Dec 2025 10:22:15 GMT

A user-initiated process to gain permission to access an IT asset within an organization’s infrastructure.

Birthright Access

Sat, 29 Nov 2025 15:32:02 GMT

Entitlements automatically granted to a user when they join an organization or change roles within it.

Orphaned Account

Sat, 29 Nov 2025 15:24:33 GMT

Account that retains access to an asset without an active owner.

Data Breach

Thu, 27 Nov 2025 22:08:23 GMT

Incident involving copying, transmitting, viewing, or processing sensitive, protected, or confidential information by unauthorized individuals or for unauthorized purposes.

Data Anonymization

Mon, 24 Nov 2025 14:47:49 GMT

The process of removing Personally Identifiable Information from a dataset in an irreversible and permanent manner. This can serve as a mechanism of privacy protection. In the context of data governance, anonymized data is no longer considered Personally Identifiable Information according to the current regulatory interpretation.

Proactive Controls

Mon, 24 Nov 2025 12:56:03 GMT

Proactive Controls are a strategy designed to prevent attacks and identify vulnerabilities before they are exploited, focusing on prediction and prevention rather than simply reacting, anticipating potential problems or targets and taking action to prepare in advance, rather than waiting for them to occur.

Preventative Controls

Mon, 24 Nov 2025 11:42:20 GMT

Designed to prevent an event or an unauthorized action from occurring.

Security Controls

Mon, 24 Nov 2025 11:36:55 GMT

Safeguards and countermeasures that help protect an organization’s assets, systems, and data from potential risks and threats.

Subject Matter Expert

Mon, 24 Nov 2025 07:28:53 GMT

A professional with in-depth, specialized knowledge in a particular field, process, or technology who acts as a trusted advisor, guiding teams, validating information, and solving complex problems to ensure accuracy, efficiency, and successful project outcomes.

Asset Administrator

Mon, 24 Nov 2025 01:27:13 GMT

Manages user roles, account assignments, and performs access reviews and audits for an IT asset.

Brute-Force Attack

Sat, 22 Nov 2025 09:03:19 GMT

Often used to guess authentication credentials or discover hidden content/pages within a web application using a trial-and-error method.

Zero Trust

Sat, 22 Nov 2025 08:11:15 GMT

Security framework that requires all users, devices, and systems, whether inside or outside the organization’s network, to be continuously authenticated, authorized, and validated before gaining access to applications and data.

Authentication Assurance Level

Sat, 22 Nov 2025 08:02:00 GMT

NIST standard to assess the degree of confidence and reliability of an authentication process.

Asset Owner

Sat, 22 Nov 2025 08:01:09 GMT

Person or group responsible for an IT asset.

Account Lockout

Sat, 22 Nov 2025 08:00:36 GMT

A security feature typically used to prevent a Brute-Force Attack by temporarily disabling a user account after a set number of failed login attempts.

Single Source of Truth

Thu, 20 Nov 2025 09:01:34 GMT

Practice of centralizing all of an organization’s data related to a given subject in a single, reliable location, ensuring that every person and every system operates with the same up-to-date information.

Web Authentication

Mon, 10 Nov 2025 15:34:37 GMT

Specification that defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

Client-to-Authenticator Protocols

Mon, 10 Nov 2025 15:29:40 GMT

Protocol developed by the FIDO Alliance and complementary to the W3C's WebAuthn specification that allows a client (for example, an operating system, browser, or application) to communicate with a device designed to authenticate the user.

FIDO Specifications

Mon, 10 Nov 2025 15:10:26 GMT

A set of open standards published by the FIDO Alliance for stronger, simpler, and phishing-resistant user authentication.

Information Technology Asset Management

Mon, 10 Nov 2025 14:55:30 GMT

Systems to manage the lifecycle of IT assets, including tracking, maintaining and disposing of hardware and software.

Anomaly Detection

Mon, 10 Nov 2025 14:26:54 GMT

A fundamental process in cybersecurity, used to identify events or patterns that deviate from expected behavior within systems, networks, or datasets and that could indicate a security threat, such as a network intrusion, malware, or unauthorized access.

Drift

Mon, 10 Nov 2025 13:50:07 GMT

Drift is the difference between the Desired State of a system and its Actual State.

Detecting and resolving this drift is essential to prevent security vulnerabilities, compliance violations, and operational failures.

Actual State

Mon, 10 Nov 2025 13:47:54 GMT

Current and factual condition of a system or its data as opposed to the Desired State.

Desired State

Mon, 10 Nov 2025 13:47:45 GMT

The planned state of a system, usually defined as data or code in a SSOT.

Segregation of Duties

Thu, 04 Sep 2025 12:33:22 GMT

Description

Segregation of Duties (SoD) is a mechanism designed to prevent the risks of errors and fraudulent behavior by dividing the actions required to complete a task among different employees.

Examples

To prevent financial fraud: the person approving an invoice cannot be the same person who issued it.

Reason: they could potentially approve and pay fraudulent invoices to themselves or a fictitious supplier.
To prevent both fraud and errors: the software engineer that approve code changes to critical assets cannot be the same person who submitted the changes.

Reason: they could miss mistakes made by them (prevent errors) or abuse the system to their own advantage (prevent fraud).

[Truncated]

Non-Human Identity

Sat, 26 Jul 2025 10:27:48 GMT

Identity belonging to a machine, service account, containerized workload, or autonomous agent.

Identity and Access Management

Wed, 16 Jul 2025 15:07:33 GMT

Identity and access management is a framework of policies, technologies, and business processes aimed at facilitating the management of digital identities and their access.

Identity Threat Detection & Response

Wed, 16 Jul 2025 11:30:52 GMT

Cybersecurity discipline that includes tools and best practices for protecting user identities and identity systems from cyber threats.

SSL-Bridging

Wed, 02 Jul 2025 07:50:28 GMT

The load balancer decrypts the incoming encrypted traffic (same as in SSL-Termination) and re-encrypts it when sending to the destination (e.g. backend instances).

SSL-Passthrough

Wed, 02 Jul 2025 07:50:28 GMT

The load balancer passes the encrypted traffic to the destination (e.g. backend instances) without decrypting it.

Because the load balancer only sees encrypted traffic, it is not possible to perform layer 7 (OSI model) actions.

SSL-Termination

Wed, 02 Jul 2025 07:50:28 GMT

The load balancer decrypts the incoming encrypted traffic and sends it to the destination (e.g. backend instances) unencrypted.

Account Takeover

Wed, 25 Jun 2025 11:55:55 GMT

Gaining unauthorized access to a user account.

Color Wheel

Fri, 30 May 2025 06:55:18 GMT

A circular diagram used to show the relationships between colors.

Color Theory

Tue, 27 May 2025 15:46:33 GMT

The study of how colors interact with each other and how they can influence people’s emotions and perceptions.

Color Harmonies

Tue, 27 May 2025 14:18:00 GMT

Definition

The term “color harmonies” refers to the creation of balanced and aesthetically pleasing color combinations based on the principles and concepts outlined in Color Theory.

Color combinations

Analogous

Complementary

Split-Complementary

Triadic

The triadic color harmony uses three colors equally spaced on the color wheel, forming a triangle, to create vibrant, balanced, and visually appealing color palette.

Information Assurance

Mon, 17 Mar 2025 10:43:09 GMT

Information Assurance (IA) is the practice of assuring information quality and managing risks related to the use, processing, storage, and transmission of information.

The 5 pillars of information assurance includes protection of the Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation of information.

In IT systems, when possible, assets should be tagged/labeled with proper Information Assurance level.

Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

[Truncated]

Access Management

Mon, 15 Jul 2024 16:27:00 GMT

Why you need access management

Some important points are:

It allows to properly document granted access history for auditing and security purposes
- Who had access to a specific system, what kind of access, why, at any point in time
- What did they access, when, and why (via integration with SIEM systems)
- When they are doing operations on a system, this allow to check if they are allowed
Monitor drifting between desired state and actual state and what caused it
Keeping track of users accesses allow to better refine them
- Did they had granted more access than needed for their work?
  
  Grant them access based on principle of least privilege

[Truncated]

Information and Communication Technology

Sun, 06 Aug 2023 10:15:25 GMT

An umbrella term that encompasses all technical means used to handle information and facilitate communication through the use of computing devices (e.g., desktops, laptops, servers, mainframes, smartphones, tablet, or any other CPU-equipped device), network equipment (e.g., routers, switches, modems, cables), other peripherals (e.g., printers, scanners, external hard drives), and any related software.

Out of the box

Sun, 06 Aug 2023 10:15:25 GMT

Native or built-in feature or functionality of a product, included by default and that works immediately after first setup.

Best Effort

Sun, 06 Aug 2023 10:10:15 GMT

Reasonable effort to satisfy a request but without guaranteeing success.

Information Technology

Sun, 06 Aug 2023 10:10:15 GMT

The study or use of hardware and software to manage, store, retrieve, and deliver data.

A subset of ICT.

Principle of Least Privilege

Sun, 06 Aug 2023 10:10:15 GMT

Security concept whereby a user or service is granted the minimum levels of access and authorization necessary to perform the requested task.

Real Time

Sun, 06 Aug 2023 10:10:15 GMT

Reported at the same time something takes place or delivered in a short time.

What we consider real-time is a matter of expectations, for example a postal package delivered in few minutes would still be considered as delivered in real-time.

Real-Time Computing

Sun, 06 Aug 2023 10:10:15 GMT

Description

Real-time computing, also known as reactive computing, is used to describe a computer system that guarantees the processing of inputs and the execution of tasks within specified time limits, often referred to as “deadlines”.

We can divide real-time systems into three categories based on expectations:

soft real-time

The system continues to operate even if it’s unable to perform operations within the allotted time.

firm real-time

Deadlines are crucial, but occasional non-compliance is tolerable.

[Truncated]

Real-Time Operating System

Sun, 06 Aug 2023 10:10:15 GMT

Recovery Point Objective

Sun, 06 Aug 2023 10:10:15 GMT

Targeted duration of time between the event of failure and the point where operations resume.

Recovery Time Objective

Sun, 06 Aug 2023 10:10:15 GMT

Agreed maximum time, based on risk analysis, between the failure event and the restoration of operations.

Software Bill of Materials

Sun, 06 Aug 2023 10:10:15 GMT

A Software Bill of Materials (SBOM) is a comprehensive inventory of all the components, including dependencies and related installed tools, used in a software.

Advices

Sun, 16 Jul 2023 18:20:00 GMT

Assets and people

Ensure to have proper Orphan Account Monitoring (for example, people leaving the company) and delegation (for example, people in sick or parental leave) for people assigned to managing assets (Asset Owners, Application Administrators, Infrastructure Administrators, etc). Take into consideration that people might be out of office because in vacation, out sick, at a conference, etc.

Identity Lifecicle Management

Sun, 16 Jul 2023 18:20:00 GMT

HR-Driven Identity Lifecycle

The HR department is the one that knows who is joining, who is leaving, who is moving to another job within the company, who is on vacation, sick leave, parental leave, etc. Their system should expose for each employee at least the name that should be used for them within the company (might be diﬀerent from their legal name, which is only required by HR to sign contracts), the start and end dates (if applicable) of the contract, department, role, line manager, and absences.

[Truncated]

Identity Security

Sun, 16 Jul 2023 18:20:00 GMT

Orphan Account Monitoring

It’s important to find missing identity associations or assets assigned to wrong identities (for example off-boarded employees).

Examples:

An account is associated to an asset but is not assigned to any identity
- All accounts should be associated with one (and only one ) identity.
- If the system allow only one account (for example only one admin), access to that account should happen trough a system that keep track of all actions (see PAM and Just-in-time credentials).
- If credentials to the account are shared it will be hard to know who performed an action.
Asset role (for example Owner or Admistrator) assigned to an Identity that left the company
Employee assigned to a line manager that transferred to a different department

Adaptive Authentication

Varying authentication methods based on runtime evaluation of risk factors.

[Truncated]