Enterprise Risk Management
Lines of Defense
1. Process Owners
2. Risk Mgmt Group
3. Audit
SOC1/SOC2
Risk Treatment Actions
Risk Appetite
Cyber Insurance
BCP/DR
Crisis Management
Risk Acceptance Statement
Risk Register
Security Architecture
Network Design
DDoS Prevention
Security Engineering
Data Protection
Data Leakage Prevention
Access Control
Identity Management
Privileged Access Management
Identity & Access Management
Federated Identity
MFA & SSO
Cloud Security
Secure System Build
Baseline Configuration
Patch Management
Cryptography
Key and Secret Management
Vaulting
HSM
Encryption Standards
Certificate Management
Endpoint Hygiene
Container Security
Security Operations
Security Operation Centers
Incident Response
Breach Notification
Containment
Eradication
Investigation
Forensics
Blue Team
Red Team
Detection
SIEM
SOAR
Vulnerability Management
Active Defense
Threat Hunting
Physical Security
IoT Security
Threat Intelligence
Internal
IOCs
Intel. Sharing
External
Contextual
Risk Assessment
3rd Party Risk
4th Party Risk
Penetration Test
Infrastructure (Network and Systems)
Application Pen Tests
Social Engineering
DAST
Vulnerability Scan
Asset Inventory
Risk Monitoring Services (Risk score)
Application Security
S-SDLC
"Shift Left"
CI/CD integration
Source Code Scan
Open Source Scan
SAST
Data-Flow Diagram
API Security
Security UX
Security QA
User Education
Training (new skills)
Awareness (reinforcement)
Cybersecurity Table-Top Exercise
Career Development
Training
Certifications
Conferences
Peer Groups
Self Study
Coaches and Role Models
Frameworks and Standards
NIST Cybersecurity Framework
ISO 27001 / 27017 / 27018
OWASP Top 10 (WebApp & API)
CIS Top 20 Controls / CIS Benchmarks
MITRE ATT&CK Framework
Governance
Laws and Regulations
Regional
CCPA
NYS-DFS 23 NYCRR 500
Central Government
GDPR
GLBA
Industry Specific
PCI
HIPAA
Company's Written Policies
Policy
Procedure
Standard
Guideline
Compliance & Enforcement
Executive Management Involvement
Reports and Scorecards
KPIs/KRIs
Risk Informed