One Article Review

Home - The article:
Source NoticeBored
Identifier 2985374
Publication date 2021-06-26 17:27:23 (viewed: 2021-06-26 06:05:28)
Title Are our infosec controls sufficient?
Text Although it's tempting to dismiss such questions as rhetorical, trivial or too difficult, there are reasons for taking them seriously*. Today I'm digging a little deeper into the basis for posing such tricky questions, explaining how we typically go about answering them in practice, using that specific question as an example. OK, here goes.

The accepted way of determining the sufficiency of controls is to evaluate them against the requirements. Adroitly sidestepping those requirements for now, I plan to blabber on about the evaluation aspect or, more accurately, assurance.

Reviewing, testing, auditing, monitoring etc. are assurance methods intended to increase our knowledge. We gather relevant data, facts, evidence or other information concerning a situation of concern, consider and assess/evaluate it in order to:

- Demonstrate, prove or engender confidence that things are going to plan, working well, sufficient and adequate in practice, as we hope; and
- Identify and ideally quantify any issues, i.e. aspects that are not, in reality, working quite so well, sufficiently and adequately.

Assurance activities qualify as controls to mitigate risks, such as information risks associated with information risk and security management, e.g.:

- Mistakes in our identification of other information risks (e.g. failing to appreciate critical information-related dependencies of various kinds);
- Biases and errors in our assessment/evaluation of identified information risks (e.g. today's obsessive focus on “cyber” implies down-playing, perhaps even ignoring, other aspects of information security, including non-cyber threats such as physical disasters and hum
Sent Yes
Tags Malware Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.