One Article Review

Home - The article:
Source NoticeBored
Identifier 4497070
Publication date 2022-04-23 18:05:53 (viewed: 2022-04-23 07:05:35)
Title Topic-specific policy 10/11: management of technical vulnerabilities
Text With respect to whoever crafted the wording of the 10th topic-specific example policy for ISO/IEC 27002:2022, "management of technical vulnerabilities" is the kind of phrase that speaks volumes to [some, switched-on, security-aware] IT pros ... and leaves ord'nry folk perplexed, befuddled and nonplussed. In this case, that may be appropriate if it aligns with the intended audience for the policy, perhaps not if the policy needs to be read, understood and complied with by, say, workers in general, for whom "Patching" is arguably a more apt and widely-known term.

So, do you need to tell workers to keep their IT systems, smartphones and IoT things up to date with security patches? If so, before launching into the policy development process, think very carefully about the title, content and style of your policy - plus the associated procedures, guidelines, awareness and training materials, help-desk scripts or whatever you decide is necessary to achieve your information risk management objectives in this regard (more on that below).

Hinson tip: what are your information risk management objectives in this regard (concerning 'technical vulnerabilities' ... or whatever aspect/s you believe need addressing)? What information risks are you facing, how significant are they (relative to other things on your plate) and how do you intend to treat them? Seriously, think about it. Talk it through with your peers and professional colleagues. Draft a cunning treatment plan for this particular subset of information risks, discuss it with management and refine it. Lather, rinse, repeat until you achieve consensus (or wear down the blockers and negotiate a fragile settlement), and finally you are primed to craft your policy.

Once more, we have your starter-for-ten, a generic patching policy template designed to help get you smartly off the starting blocks:

While we don't presently offer a policy template on vulnerability disclosures (something worth adding to our to-do list, maybe?), we do have others that are to some extent relevant to this topic, for instance on change and configuration management and information systems security. I'll pick up on that point at the end of this blog series.

Aside f
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of a previous one.