GRC on Sinetris's viewpoints

Frameworks

2025-03-17T10:39:53+00:00

2025-03-17T10:39:53+00:002025-03-17T10:39:53Zhttps://sinetris.info/topics/iam/grc/frameworks/#atom

Requirements and Regulations

GDPR: General Data Protection Regulation
BaFin: Bundesanstalt für Finanzdienstleistungsaufsicht

English translation: Federal Financial Supervisory Authority
MaRisk: Mindestanforderungen an das Risikomanagement

English translation: Minimum Requirements for Risk Management
BAIT: Bankaufsichtliche Anforderungen an die IT

English translation: Supervisory Requirements for IT in Financial Institutions
ISO/IEC 27001: Information security management systems - Requirements
ISO/IEC 24760: IT Security and Privacy - A framework for identity management
KRITIS: Kritische Infrastrukturen

English translation: Critical Infrastructures
MiCA: Markets in Crypto-Assets Regulation
DORA: Digital Operational Resilience Act

Good reads and presentations

BAIT: Clearer Guidelines as a Basis for More Effective Implementation

Compliance as Code

2025-03-17T10:45:42+00:00

2025-03-17T10:45:42+00:002025-03-17T10:45:42Zhttps://sinetris.info/topics/iam/grc/compliance-as-code/#atom

Standards

SCAP: Security Content Automation Protocol
OSCAL: Open Security Controls Assessment Language
BPMN: Business Process Model and Notation
DMN: Decision Model and Notation

Guidelines

ComplianceAsCode: The ComplianceAsCode project

Previously known as SCAP Security Guide (SSG)

Tools

OpenSCAP: open source security compliance toolkit

NIST certified for SCAP 1.2
Trestle: Manage compliance as code using NIST’s OSCAL standard
Open Policy Agent (OPA): Declarative Policies

Context-aware, Expressive, Fast, Portable
OPAL: Open Policy Administration Layer

Good reads and presentations

OSCAL Mini Workshop Series

Disaster Recovery

2025-03-17T10:53:28+00:00

2025-03-17T10:53:28+00:002025-03-17T10:53:28Zhttps://sinetris.info/topics/iam/grc/disaster-recovery/#atom

Have a Plan B for disaster recovery

During a disaster recovery you want to be fast to respect your RTO.

It is possible, for example, to restore the operation of a service using snapshots (both volumes and instances).

Restoring snapshots may fail for unforeseen reasons (e.g., you need to restore the service on a different cloud provider), so you should make sure that you can restore from scratch (ability to recreate the service, use database dump, etc.).

Accessibility

2025-03-17T10:43:09+00:00

2025-03-17T10:43:09+00:002025-03-17T10:43:09Zhttps://sinetris.info/topics/iam/grc/accessibility/#atom

Accessibility Directives and Guidelines

European Commission - Web Accessibility: Overview of the European Commission Web Accessibility Directive
- EN 301 549: Accessibility requirements for ICT products and services
WAI: W3C Web Accessibility Initiative
- WCAG: Web Content Accessibility Guidelines
- ARIA: Accessible Rich Internet Applications suite of web standards
- ACT: Accessibility Conformance Testing
- EARL: Evaluation and Report Language
- policies: Web Accessibility Laws & Policies