One Article Review

Source: NoticeBored
Identifier: 5915454
Publication date: 2022-07-24 16:21:47 (viewed: 2022-07-24 05:07:05)
Title: Risk management trumps checklist security
Text: While arguably better than nothing at all, an unstructured approach to the management of information security results in organisations adopting a jumble, a mixed bag of controls with no clear focus or priorities and – often – glaring holes in the arrangements. The lack of structure indicates the absence of the genuine management understanding, commitment and support that is necessary to give information risk and security due attention - and sufficient resourcing - throughout the business. It's hard to imagine anyone considering such a crude, messy approach adequate, even those who coyly admit to using it! I'm not even sure it qualifies as 'an approach'.

Anyway, the next rung up the ladder sees the adoption of a checklist approach: essentially, someone says 'Just adopt these N controls and you'll be secure'! It may be true that some information security controls are more-or-less universal, so any organisation that does not have them all might be missing out. Maybe it is a step up from the previous approach, and yet there are significant issues with checklists, which tend to be:

- Basic, severely over-simplifying a complex and dynamic problem, ignoring numerous aspects while focusing attention on the N (meaning a handful);
- Generic but not necessarily as universal as implied, given the wide diversity of organisations out there in terms of size, maturity, industry, culture, history, business objectives, resources and so on;
- The 'lowest common denominator', setting a (very) low bar;
- Sequenced linearly in a way that implies priorities for implementation and generally disregards dependencies and linkages between items on the list, yet another over-simplification;
- Just someone's arbitrary selection, generally without any sound basis for selecting the listed controls and not others, other than the originator's alleged expertise;
- Tricky to interpret and apply in a given situation, given the immaturity of the organisations attracted to checklist approaches;
- Not sufficient in most cases, and often biased towards particular types of control, e.g. 'cyber' or 'compliance';
- Unrealistic in the presumption that simply because someone recommends the N controls, managers will therefore naively accept that they are both required and valuable;
- Belittling, clearly implying that they are deliberately dumbed-down because the intended audience is, well, dumb.

If N controls are inadequate or even barely sufficient, it is tempting