10. Defining GRC Roles Exercise

Question 1.

QUESTION:

During our lesson, we talked briefly about a breach that involved an unsecured AWS S3 bucket. If you are unfamiliar, an S3 bucket is used in AWS cloud infrastructure to store data. S3 buckets have garnered a good deal of attention because it was possible to create them and expose them to the internet without having any security protections in place. As a result, many breaches occurred because an S3 bucket was created and used without proper security controls in place, making the data publicly accessible.

Thinking about each GRC role, can you come up with at least one way each that a governance professional, a risk professional, and a compliance professional might help solve the problem of open S3 buckets?

ANSWER:

Governance professionals may write a policy restricting the use of unsecured S3 buckets or write a procedure detailing how to secure them. They may have also assessed existing controls for creating S3 buckets to ensure they are working properly.

Risk management professionals might identify the risk and work with stakeholders to develop technical controls to prevent the issue from occurring.

Compliance professionals might have assessed this control as part of a compliance initiative and identified whether controls for S3 buckets existed at all.
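As an added illustration of the kind of technical control the risk and compliance roles above would develop or assess, the Python below checks a bucket's configuration for the three ways an S3 bucket becomes public: a bucket policy open to any principal, an ACL grant to the public groups, and Block Public Access left off. This is example code written for this page, not part of the original exercise. The policy, ACL and Block Public Access documents are constructed samples shaped like the real S3 API responses (the group URIs and setting names are the real ones); the function names are assumptions, and a live audit would feed the same checks from the S3 API instead of the inline samples.

```python
# Real S3 ACL group URIs that grant access to everyone / any AWS account holder
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 Block Public Access settings; all must be True to fully block public access
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _principal_is_public(principal):
    """True if a policy statement's Principal allows anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_doc):
    """Return the Sids (or indexes) of Allow statements open to any principal with no Condition."""
    findings = []
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear as a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        # A Condition block (e.g. aws:SourceVpce) narrows access; do not flag it as unconditionally public
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs that grant to the public ACL groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def block_public_access_gaps(config):
    """Return the Block Public Access settings that are missing or False."""
    return [k for k in BLOCK_PUBLIC_ACCESS_KEYS if not config.get(k, False)]


def assess_bucket(name, policy_doc, acl, bpa_config):
    """Combine the three checks into one list of human-readable findings for a bucket."""
    findings = []
    for sid in public_policy_statements(policy_doc):
        findings.append(f"{name}: bucket policy statement '{sid}' allows any principal")
    for uri, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {uri}")
    gaps = block_public_access_gaps(bpa_config)
    if gaps:
        findings.append(f"{name}: Block Public Access not fully enabled ({', '.join(gaps)})")
    return findings


# --- constructed sample input (hypothetical bucket, not real data) ---
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
}
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-EXAMPLE"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}
SAMPLE_BPA_OPEN = {k: False for k in BLOCK_PUBLIC_ACCESS_KEYS}
SAMPLE_BPA_LOCKED = {k: True for k in BLOCK_PUBLIC_ACCESS_KEYS}

if __name__ == "__main__":
    for line in assess_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_BPA_OPEN):
        print(line)
```

Run against the sample, the check reports the unconditional `PublicRead` statement, the `AllUsers` READ grant, and all four Block Public Access settings being off, while leaving the VPC-endpoint-conditioned statement alone. The three functions map onto the roles in the answer: the governance policy says buckets must pass all three checks, the risk team deploys the check as a preventive or detective control, and the compliance team samples the findings to confirm the control exists and works.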