[Editor's Note (Paller): As organizations discover there is economic liability for lax cybersecurity, and lawyers smell blood in the water, the recognition will dawn on policymakers that their reliance on high level "guidance" was a really bad idea and made government cybersecurity a terrible model for protecting the critical infrastructure and businesses. This week the Australian Attorney General established a legal requirement that all agencies implement a small number of critical security controls. No company can pretend they don't know the basic controls they must implement. The U.S. government will do that, too, but, as Winston Churchill said so long ago, "Americans will always do the right thing - after exhausting all the alternatives." You can get a head start on doing the right thing if you can get to London on May 1-2 (http://www.sans.org/event/
I found this comment somewhat ironic, given the recent Twitter conversation with @joshcorman:
@cindyv for 1); stop dogmatically clinging to outdated "Best Practices", Dogma, and static compliance checklists.[cont]
— Joshua Corman (@joshcorman) April 2, 2013
Maybe "Best Practices" really aren't the absolute "Best" that we can do in every individual situation. And can they really be called "Practices" if they aren't actually practiced (i.e. repeated performance or systematic exercise for the purpose of acquiring skill or proficiency)? Having cursory familiarity with an established checklist of known good security measures, such as the SANS Critical Security Controls, does not qualify as either practicing or best. ;)
@sudosec @cindyv hasn't SANS migrated away from "the 20" ? Also, all controls need to subordinate to context of Risk Program
— Joshua Corman (@joshcorman) April 11, 2013
@cindyv @sudosec I need to look at their newest list; but my main point was the context/program is king
— Joshua Corman (@joshcorman) April 11, 2013
Also, check out Cindy's article about being Consumers of Security Intelligence here.