Comments on Tom Alrich's Blog: Here's the Real Problem…

Comment by Unknown (https://www.blogger.com/profile/00349066095541195870), 2017-09-16 10:11 (UTC-05:00):

Tom,

I agree with what you are saying, and a risk-based approach to security is kind of the industry norm in general. It seems you are pitching a general risk-assessment-based review, gapped to current NERC-CIP mandates, with the addition of a running list of risk elements that can be added quickly. Risk assessments take into account something that NERC-CIP does not: business-impact-based prioritization due to risk (which includes cost).

Security is a constantly evolving landscape, and to document specific elements each time something new is developed seems to run contrary to a general risk-based approach to security. In other industries, they follow a baseline compliance requirement (sometimes prescriptive, sometimes more general), yet most of the current compliance mandates do not touch elements such as phishing or ransomware. See below as examples:

PCI DSS v3.2 (no mention of phishing or ransomware)
ISO 27002:2013 (no mention of phishing or ransomware)
NIST SP 800-184, Guide for Cybersecurity Event Recovery (discusses ransomware, but only in the context of data recovery efforts)

I don't think we can bullet-proof an approach that accounts for unknown new threats and is prescriptive as well, unless we require a general risk assessment that catches those new threats and identifies remediation actions (based on the risk assessment findings).

Compliance with a standard should be the baseline for all organizations, but not the only measure of how to secure an organization. Due diligence and constant risk and compliance assessment are the best way to keep people on their toes. Just my very long two cents. :)