NIST has just released SP 1314 Risk Management Framework (RMF) Small Enterprise Quick Start Guide as a lightweight form/introduction to the full RMF.
... and, despite having said the steps are not necessarily sequential ...
As if on cue, along comes a golden opportunity to consider what the Adaptive SME security approach has to say regarding the Crowdstrike incident:
That's not 20/20 hindsight but foresight: I've picked out the most relevant rows from the security controls table published in the guide 24 hours before the incident. Although Crowdstrike primarily supplies much larger enterprises than SMEs, the incident could equally have afflicted other security software, or indeed operating systems such as Windows and assorted cloud apps commonly used by SMEs. Regardless of the details, it is a wake-up call, an opportunity to consider and respond to the information risks ... and to adapt, accordingly.
I am delighted to announce the release of Adaptive SME Security:
ISO/IEC 27403 "Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics" was published at the very end of last month.
Title: Permanent Record
Author: Edward Snowden
ISBN: 978-1-250-23723-1Price: US$18 from Amazon
Title: Thinking, Fast and Slow
Author: Daniel Kahneman
ISBN: 978-0-374-53355-7
Price: $18 from Amazon
KPMG's Soft Controls model caught my beady eye this week:
"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."
That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.
Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.
"I saw your pragmatic book but I was confused on the way criteria and no’s were assigned. If you could guide will really help. I’m doing a RBI Based compliance assessment where regulator has asked for such metrics. Help would be really appreciated."
Here's my reply.
For guidance on choosing which metrics to take a look at and maybe score, I recommend Lance Hayden's book "IT Security Metrics" which describes the Goal-Question-Metric approach.
.jpg)
A provocative piece on LinkeDin by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.
Oh boy.
Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.
⬚ Study
the standards, in depth: complete lead implementer training if possible.
⬚ Study
the business, in depth, to understand its objectives, strategies, culture, governance
arrangements, existing information risk and security management etc.
⬚ If
the organisation has a defined, structured approach for this phase, use it!
⬚ Build
a business case that identifies and promotes the business benefits of the ISMS.
⬚ Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.
"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."
That paragraph plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by cyclone Gabrielle here in Hawkes Bay caught my beady eye this morning.
The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.
Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:
