Accountability

Running a business always involves business risk; the question is how much risk the owner is comfortable accepting. For example, shoplifting causes revenue loss for a supermarket, so the protection decision targets high-value goods, e.g. adding RFID anti-theft tags. Even with CCTV and guards deployed, there is still a chance that goods not protected by an anti-theft tag occasionally slip through. This is risk acceptance. The business owner is fully accountable for managing these risks. That said, parties with different knowledge domains should help the business owner understand the inherent risks, but the ultimate risk acceptance rests with the business owner. Risks involving regulatory compliance must be addressed, or else the organization is exposed to civil or criminal offence and to temporary or even permanent suspension of its business license. An example is the taxi business, which needs a vehicle license for carrying passengers, compulsory vehicle inspection, public liability insurance, emission control of exhaust...

Visibility

In the physical world, a lack of visibility creates uncertainty about how to move forward. In the cyber world, it means even more. From a business perspective, vast amounts of information need data analytics to derive management insight into customer profile, product popularity, performance etc., so as to align with business planning. From a cybersecurity perspective, visibility can be considered in various use cases:

- Asset inventory: provides the components of the information-processing infrastructure, so that prompt reaction to incidents and new threats, as well as proper management of technology obsolescence, is possible
- System events: feed into the SIEM to locate potential threats that have been persistent
- Network traffic: detects traffic flows in order to detect or block potential malicious activities
- Vulnerability: itemizes known technical vulnerabilities to develop countermeasures
- Performance dashboard: provides cybersecurity KPIs to drive improvement ...

Access Control #3

Controlling cyber (or network) access is always a main concern, in order to limit the threat vectors available for lateral movement once an attacker has gained a stepping stone within the infrastructure. The physical access aspect must not be forgotten. No matter how sophisticated the controls implemented and in place, if the core equipment is exposed to access at will, this defeats all of those cyber controls. Bear in mind that all controls serve to delay access as much as possible. There is no bullet-proof solution. A comprehensive risk assessment against the target of evaluation is very important for developing effective compensating controls. ...