One Article Review

Home - The article:
Source NoticeBored
Identifier 4496047
Publication date 2022-04-23 11:09:24 (viewed: 2022-04-23 00:05:31)
Title EU to standardise on ISO 31000 and ISO/IEC 27005?
Text
"Risk management procedures are fundamental processes to prepare organisations for a future cybersecurity attack, to evaluate products and services for their resistance to potential attacks before placing them on the market, and to prevent supply chain fraud" says ENISA in the report "RISK MANAGEMENT STANDARDS - Analysis of standardisation requirements in support of cybersecurity policy" published in March 2022.

Not to be left behind, ENISA - originally the European Network and Information Security Agency (an official agency of the EU) - leapt aboard the cyber bandwagon, rebranding itself "The European Union Agency for Cybersecurity" when it became a permanent EU agency under the European Cybersecurity Act, regulation (EU) 2019/881.

Despite the vague title, RISK MANAGEMENT STANDARDS in fact primarily concerns "risk management [and] security of ICT products, ICT services and ICT processes", where 'risk' means "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems." Apparently, "The main goal of risk management is (in general) to protect ICT products (software, hardware, systems, components, services) and business assets, and minimise costs in cases of failures. Thus it represents a core duty for successful business or IT management." In other words, the ENISA document revolves primarily around IT risks, although it does casually mention 'enterprise risk management', which takes in operational, market, supply chain, project, strategic and other risks.

Unfortunately, I haven't dug deep enough yet to reveal actual definitions of key terms such as "cybersecurity" or "sector". Evidently, we are supposed to just know what they mean. It doesn't help that the cited "Methodology for Sectoral Cybersecurity Assessments 2021" official download appears to be broken, but consulting another source I see that it doesn't even define those terms anyway.

Furthermore, an embedded diagram suggests an unconventional interpretation of 'risk' and 'exposure', while 'threat' seemingly disregards unintentional and untargeted threats such as generic malware, accidents and storms:
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.