Alexander Del Toro

If you’re interested in cybersecurity governance, risk, and compliance (GRC), there are some great free resources you can start with: Alison – Fundamentals of GRC A simple, free introduction to governance, risk, and compliance. https://lnkd.in/enAFazS4 BreakInCyber – Free GRC Training Videos https://lnkd.in/eFZmtnNF (ISC)² – Certified in Cybersecurity (CC) (includes free training + exam This one is a gem: free training and a free exam voucher for a globally recognized entry-level cert.voucher) https://lnkd.in/ebUkPQq5 Cybrary – Risk & Compliance Courses Short, practical lessons covering frameworks like NIST, ISO, PCI DSS, and SOC 2. https://www.cybrary.it/ CISA – Cybersecurity & Risk Training Free lessons on risk management frameworks, compliance requirements, and cyber hygiene. https://lnkd.in/e8SngKmJ These cover the fundamentals of risk management, compliance, and frameworks like NIST, ISO, and PCI DSS. A good place to start is the (ISC)² Certified in Cybersecurity to get a recognized credential, then expand with GRC-focused courses. #Cybersecurity #GRC #RiskManagement #Compliance #FreeLearning #Infosec

188

10 Comments

Dear Cybersecurity Auditors, The Five (5) Critical Layers Every Cybersecurity Audit Must Cover Many organizations believe a cybersecurity audit simply reviews IT controls. In reality, effective audits require examining multiple layers of protection. Attackers don’t care about compliance boundaries; they exploit whatever layer is weakest. Here are five layers that every meaningful cybersecurity audit must cover: 📌 Identity and Access Management Overprivileged accounts, weak passwords, and poor role design remain among the top risks. A good audit tests whether least privilege is enforced, multi-factor authentication is mandatory, and orphaned accounts are removed promptly. 📌 Infrastructure Security Servers, endpoints, and networks form the foundation. Weak segmentation, outdated systems, and poor monitoring create easy entry points. Auditors should test patch management, vulnerability scans, and network defenses to see if they actually work in practice. 📌 Application Security Web applications, mobile apps, and APIs often contain coding flaws. Attackers exploit them to steal data or bypass authentication. A proper audit should review secure development practices, penetration test results, and patch timelines for known vulnerabilities. 📌 Data Security Data is the most valuable asset. Encryption, access controls, and retention policies are critical. An audit should verify not only that policies exist, but also that sensitive data is encrypted in transit and at rest, that access is tightly restricted, and that data disposal procedures are followed. 📌 Third-Party and Vendor Security Even if your own defenses are strong, a vendor with poor security can compromise your entire organization. A thorough audit evaluates vendor assessments, contract clauses, and whether ongoing monitoring of third parties is in place. When any of these five layers is neglected, the security posture collapses. One gap at the identity layer, for example, can give attackers a pathway past strong infrastructure and data protections. Executives should push their auditors to go beyond compliance checklists and ensure layered coverage. A single control review is not enough. Audits must demonstrate whether protections across all layers work together in practice. #CybersecurityAudit #CyberRisk #ITAudit #BoardOversight #InformationSecurity #ThirdPartyRisk #CyberResilience #RiskManagement #Compliance #BusinessContinuity #CyberYard #CyberVerge

318

32 Comments

5 Skills You Need to Thrive in Cyber GRC  Post 6 Here are the 5 skills that matter most — and why they anre often what interviewers look for. Many freshers and professionals ask: ‘Do I really have what it takes for GRC?’ Here’s the truth: GRC is not about being the best coder or the best lawyer. It’s about a mix of skills that help you see risk, connect dots, and build trust. Here are the 5 that matter most 👇 1. Security Fundamentals – know the tech, don’t fear it You don’t need to configure firewalls or write malware detection code. But you do need to understand the basic functioning of core technologies, their role, and how they should be secured. Take cloud storage as an example: it’s great for collaboration, but do you know who has access, how it’s encrypted, and what controls (like backups or logging) protect it? GRC isn’t about building the cloud. It’s about knowing what could go wrong, what risks that creates, and which controls reduce those risks. 2. Analytical Thinking – connect cause and effect Controls fail in small ways that lead to big problems. Example: MFA wasn’t enforced → dormant accounts stayed open → ex-employee logged in six months later. A GRC professional asks: What’s the risk? What’s the likelihood? What’s the business impact? You don’t just see the event. You connect it to its ripple effects. 3. Communication – translate tech into business I once saw a brilliant security engineer explain a patching delay in pure technical terms. The leadership team didn’t act. A GRC analyst reframed it as: “This means customer data may be at risk, and non-compliance with regulator timelines could mean fines.” Action was taken immediately. That’s the difference clear communication makes. 4. Attention to Detail – spot the gap others miss Audit evidence says “control is compliant.” But the screenshot is 18 months old. A casual glance says ✅. A GRC eye says ❌. That one stale proof can cause an audit finding, regulator escalation, even reputational damage. Details matter — they’re the difference between passing and failing. 5. Ethics and Integrity – doing the right thing when no one is watching GRC deals with uncomfortable truths: unpatched systems, missed processes, risky exceptions. It’s tempting to gloss over them. But the best GRC professionals don’t. They raise the issue, even if it’s unpopular — because trust is built on honesty. ⸻ Bottom Line: You may already have some of these skills. The rest you can build. What matters is curiosity — because frameworks and controls change, but the mindset stays. If you’re starting in GRC, which of these skills do you already see in yourself? 👇 #CyberSecurity #GRC #DigitalTrust #WhatsInIt4Me #UmaRamani

143

12 Comments

Understanding Job Roles in a GRC Framework Are you curious about where you fit into the world of Governance, Risk, and Compliance (GRC)? I've designed a PDF that breaks down key job roles within a GRC framework — perfect for anyone looking to enter or grow in this high-demand field! Featured Roles Include: ✅ Cybersecurity GRC Analyst ✅ Information Security Analyst ✅ GRC Architect ✅ Cybersecurity Advisor ✅ Cybersecurity Consultant Whether you're starting fresh or transitioning from a different role, understanding these profiles can give your career a strategic direction. Make sure to save this PDF and share it with your friends who are also looking to build a career in GRC. Let’s help each other grow! #GRC #CyberSecurityCareers #InformationSecurity #RiskAndCompliance #CareerInCyberSecurity #CyberJobs #GRCAnalyst #ComplianceJobs #GovernanceRiskCompliance #CybersecurityAwareness #InfosecCareers #Thinkcloudly #NonITtoIT #CareerTransition #JobSearchTips #ITCareers #TechJobs #SecurityCompliance #CyberCareerPath #BreakingIntoCyber

171

16 Comments

💠Database Security💠Aligned with #ISO27001:2022 This Roadmap organizes essential database security practices within the Plan-Do-Check-Act (#PDCA) cycle of an ISMS and maps them to specific controls in ISO 27001:2022 Annex A and Clauses. ✅#Plan: Establishing the ISMS Context & Leadership ✅#Do: Implementing & Operating Controls ✅#Check:Monitoring & Reviewing Performance ✅#Act:Maintaining and Improving the ISMS Key Annex A Controls for Database Security: 👉🏻A.8.2 Information Classification: The foundation. You cannot protect data if you don't know its sensitivity. 👉🏻A.8.3 Acceptable Use of Information & Assets: Policies governing how databases are accessed and used. 👉🏻A.8.4 Access Control: The core of database security (user accounts, privileges, roles). 👉🏻A.8.24 #Cryptography: Essential for protecting data at rest and in transit. 👉🏻A.8.15 Logging: Critical for detective controls and forensic analysis. 👉🏻A.8.6 Technical #Vulnerability Management: The process for patching database software. 👉🏻A.8.16 Monitoring Activities: The proactive review of logs and use of monitoring tools. 👉🏻A.8.23 Secure Authentication: Enforcing strong passwords and #MFA for database access. 👉🏻A.8.31 Separation of Development, Test, and Production Environments: Prevents accidental data leaks or changes. #isms #iso27000 #iso27001 #iso27002 #informationsecurity #database #sql #oracle #standard

75

3 Comments

Stop Putting GRC in a Box..!!! We need to stop pretending that Governance, Risk, and Compliance (GRC) neatly fits under one technology pillar. For years, orgs have buried GRC under Security or Audit. Feels logical on paper, right? Security teams know the controls, the frameworks, the regulations. But here’s the truth: Modern GRC isn’t checklists and binders anymore --> It’s engineering. It’s automation. It’s integration. If you don’t understand CI/CD pipelines, Infrastructure-as-Code, and cross-platform automation, your governance model is already outdated. Policies that can’t adapt to the way infra is actually built today? Shelf-ware overnight. Risk that Actually Matters and risk isn’t just about security alerts or dashboards. Real risk management connects dots: What does this risk mean for the business outcome? How does it line up with regulatory appetite? How does it play out across Dev, Infra, Ops, Security, and beyond? If you shove all that under one pillar, you’ve already limited its impact. Different Muscles, Different Jobs Think of it like this: Security = enforces controls GRC = adjudicates risk One executes, the other calibrates. They’re complementary, but not interchangeable. The Big Shift The most mature orgs I’ve seen don’t hide GRC inside Security or IT. They put it next to Security, Dev, Infra, and Program Management. And when that happens, something cool shows up: Governance becomes adaptable Risk becomes actionable Compliance actually accelerates delivery instead of slowing it down Final Thought If you’re still treating GRC as a sub-function, you’re not just behind — you’re creating friction at every scale point. GRC is no longer a back-office checkbox. It’s a cross-cutting capability that should guide how we build, ship, and scale. So let me throw this out: Where does GRC live in your org today — under Security, or alongside everything else?

186

24 Comments

PBC vs. IPE. What's the difference? PBC and IPE often get used interchangeably... But they’re not the same. If you're in IT/Cybersecurity Audit or GRC, or trying to get into the field, you should know the difference. Here's a simple explanation of the two concepts.  → PBC (Provided By Client) - Documents and reports generated in response to an audit request. - They are also IPEs because they are produced by the entity (company/client). → IPE (Information Produced by Entity) - Documents and reports created by the company for internal use (not just for audits). - Used by company employees to perform controls, run reports, or support business processes. Key point: Both PBCs and IPEs need to be validated for completeness and accuracy. If you’re planning a career transition into IT Audit and GRC, focus on acquiring practical skills. That real-world understanding is what hiring managers are really looking for. It’s how you prove you're ready to do the work - not just talk about it.

92

11 Comments

Over the years, whether implementing a security standard or auditing a company, I’ve seen too many organizations treat Governance, Risk & Compliance (GRC) as nothing more than paperwork. It usually gets attention only when: 📌 A regulator demands it, 📌 A major client asks for proof of compliance, or 📌 An RFP requires evidence of security and privacy controls. As a result, implementations are often rushed, assigned to already stretched teams, and treated as a short-term project — just enough to “get the certificate.” The reality is that GRC isn’t about ticking boxes. It’s about: ✅ Building trust with customers ✅ Safeguarding sensitive data ✅ Enabling employees to make the right decisions ✅ Supporting long-term business growth In the months ahead, I’ll be sharing weekly insights on: ✔ Implementing security & privacy standards (ISO 27001, PCI DSS, SOC 2, ISO 27701, GDPR, NDPA, GAID) ✔ IT & privacy audits ✔ Practical GRC strategies for leaders, business owners, and early-career professionals Compliance doesn’t have to be red tape. It can be a driver of confidence and a real business advantage. Follow along, and let’s make compliance work for the business, not against it. #GRC #CyberSecurity #Privacy #Audits #ISO27001 #Leadership  #TrustComplianceByOpe

79

1 Comment

“(2) Security requirement re-evaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 2 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist: (i) Additional evidence is available to demonstrate the security requirement has been MET; (ii) Cannot change or limit the effectiveness of other requirements that have been scored MET; and (iii) The CMMC Assessment Findings Report has not been delivered. #cmmc #dod #cybersecurity”

56

Good morning! Here is this week's ICS Advisory, Other CERT, & Vendor vulnerability advisories weekly summary for 28 July – 1 August 2025. Attached are this week's CISA ICS Advisory summary slides. Link to Weekly Summary Slides: https://lnkd.in/ee2HbYMw This past week, CISA released Five new CISA ICS Advisories for the following vendors: Rockwell Automation, Guralp Systems, Delta Electronics, Samsung, and National Instruments Corp (NI). Two updated CISA ICS Advisories were released for Fuji Electric and Johnson Controls. Based on the new CISA advisories, Critical Manufacturing and Commercial Facilities are the potentially affected critical infrastructure (CI) sectors. The ICS Advisory Project identified 21 new ICS Advisories for Ashlar-Vellum [2D and 3D CAD file viewer software], MedDream [Picture Archiving and Communication System (PACS) SERVER], Tesla [Home EV Charging Station], MB connect line GmbH [Industrial Router], and Helmholz [Industrial Router]. The Weekly Summary of Other Vendor & CERT Advisories identified the following critical infrastructure sectors as potentially impacted: Critical Manufacturing, Healthcare and Public Health, and Transportation Systems. For a more comprehensive understanding, you can view the summary details of other CERT & Vendor product advisories identified last week (28 July – 1 August 2025) and read the vendor advisory using the links provided at: https://lnkd.in/eACRyFF4 This past week, CISA added Three new Known Exploited Vulnerability (KEV) Catalogs. None correlated to CISA ICS Advisories CVE. Visit the ICS[AP] CISA KEV Catalog Dashboards: https://lnkd.in/emzXBbBw View previous ICS Advisory Project weekly summaries: https://lnkd.in/eQKxhAEi To view the updated ICS Advisory Project Dashboards, visit: icsadvisoryproject.com Sign up to receive ICS[AP] Weekly Summary Slides and Other CERT and Vendor Advisory Summaries via email every Monday https://lnkd.in/eUwQrrj4 I appreciate everyone's comments & support. Have a great week! #CISA #ot #ics #otcybersecurity #otsecurity #icscybersecurity  #cybersecurity #cybersecuritythreats #cybersecurityawareness #industrialautomation #IoT #IIoT #Internetofthings #buildingautomation #healthcare #publichealth #medicalsecurity #BMS #DCS #emergencyservices #manufacturing #criticalmanufacturing #chemical #energy #foodproduction #agriculture #dams #hydroelectric #hydro #Nuclear #oilandgas #oilgas #oilandgasindustry #physicalaccesscontrolsystem #accesscontrolsystems #solar #renewables #SCADA #transportationsystems #waterandwastewater #waterinfrastructure #rail #maritime   Disclaimer: The views expressed in my LinkedIn posts and profiles are my own, not those of my employers or LinkedIn.

31

🚨 NEW STANDARD ALERT 🚨 ISO - International Organization for Standardization 📘 “ISO/IEC 27031:2025” is officially published! The newly released Edition 2 (2025) of ISO/IEC 27031 provides updated guidance for ICT readiness to support business continuity — a critical topic in today’s digital and cloud-driven world. 🔍 What is it about? ISO/IEC 27031:2025 helps organizations ensure that their information and communication technologies (ICT) are resilient enough to support operations during and after disruptions — from cyberattacks and outages to third-party failures. 🔗 Why does it matter? Modern business continuity depends on the reliability and recoverability of ICT systems. This standard bridges the gap between information security (ISO/IEC 27001) and business continuity (ISO 22301) by offering a structured framework for: ✔️ ICT risk preparedness ✔️ Recovery planning ✔️ Resilience engineering ✔️ Integration with cloud and third-party services ✨ Key Benefits: ✅ Maintain business operations during ICT disruptions ✅ Align ICT, cybersecurity, and continuity strategies ✅ Reduce downtime and data loss ✅ Strengthen resilience and stakeholder trust ✅ Seamlessly integrate with ISO/IEC 27001 & ISO 22301 🌐 Whether you’re managing IT infrastructure, building disaster recovery strategies, or leading enterprise resilience programs — ISO/IEC 27031:2025 is an essential reference for your toolkit. 🔄 How ISO/IEC 27031:2025 Supports DRP: • Focus on ICT Readiness → It ensures that all critical ICT systems (on-prem, cloud, hybrid) are assessed, prioritized, and prepared for restoration after a disruption. • Recovery Objectives → It helps define and validate RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) as part of your disaster recovery strategy. • Technology-Specific Measures → Unlike general BCM guidance, 27031 zooms in on technical capabilities such as: • Backup strategies • Failover mechanisms • Alternate site readiness • Cloud recovery procedures • Alignment with ISO 22301 → It provides the ICT-specific layer that feeds into the broader business continuity plan (BCP) and DRP. • Testing and Exercising → It mandates testing of recovery mechanisms (e.g., DR drills), ensuring that your DRP is not just a document, but a validated operational capability. 🗓️ This new version replaces the 2011 edition and is now officially Stage 60.60 – Published. 📥 If you’re building cyber-resilient organizations, it’s time to review and align with the latest edition. #ISO27031 #BusinessContinuity #CyberResilience #ISOStandards #ICT #ISO22301 #ISO27001 #DisasterRecovery #CloudSecurity #Cybersecurity #InformationSecurity #GRC #RiskManagement #Resilience #Continuity #ISO #BCM #BCMS #DRP #IRP #InfoSec #InformationSecurity

31

1 Comment