Tag: Identify

GRC is the typical jargon when we talk about the cybersecurity posture in an organization. Risks, no matter in terms of cyber, technology, operational, financial or political domains always exist and they are all co-related. There is no zero risk business operation except how to reduce the likelihood effectively and optimally. Then, the compliance part plays. This refers following the organization written policy to run the business reasonably in the risk reduction manner. Finally, the governance is the capability in the organization to adminster and enforce that all the business activities will follow the written policy, or else the policy is just a document in the bookshelf. The entire GRC framework is dynamce. Written policies will need refresh To adopt new way of doing business (e.g. use of social media for point of presence or customer relation in the cyber space)Facilitate changing business environment (say, work from home due to pandemic situation, provide guest Wi-Fi for visitors)And most importantly, address the emerging cyber threat landscape. ...

We face many "policies" (directives) everyday - whether in real world or in the cyber space. And we are told to comply with these policies for keeping ourselves safe or secure in both domains. Sometimes, don't blindly follow the policy because policy makers could make mistake: lack of field experience, don't understand the subject matter well, having implicit assumption causing incorrect interpretation or putting something that is even not practically achievable. As an user, you need to think, contribute or challenge policy makers. There isn't perfectness in this world. Things always need continuous improvement. Policy makers are expected Solicit opinions objectivelyListen feedbacksResolve ambiguityAddress incorrectness If they don't, they simply fail. ...

Enforcement Having policy as written document isn't enough. If there is violation, it must be enforced thru correctional approach. In real world, this is done by disciplinary action, imposing fine or even imprisonment depending on severity of violation. This will reinforce the attitude for policy compliance. An example is jumping the light detected by traffic camera. At best if there is no traffic accident, impose fine and deduct marks to remind this act will hurt other road users. At worst this misbehavior has triggered traffic accident, it might be resulted in criminal offence for imprisonment. In cyber world, the situation is similar. Stipulate the cybersecurity directive (policy) and indicate what is the protection objectiveEstablish policy exception processDefine the levels of correctional action per violation natureAnd most importantly, raise awareness to educate all levels why the policy must be complied for what purpose and consequence of violation ...

DO NOT ACROOS - implicitly applied to vehicles only When we develop written directive, there might be chance that certain elements are assumed and be implicit. It is essential to engage stakeholders, listen to feedbacks and address opinions rather than dictate what should be done. If you do, you deem to be failed to develop a good policy. ...

I have seen cybersecurity directive regarding applicability is to protect OT (Operational Technology) system so as to minimize cyber attacks to energy production. Renewable energy like solar panel or consumer grade wind turbine at household are producing energy with certain OT systems for control. Unfortunately, that organization also markets these equipment. Confusion arises if these OT systems should be under the same set of protection principles unless a precise specific taxonomy is specified in the directive. ...

In policy development, it is essential the coverage of the rule is sufficient and precise to avoid ambiguity. A living creature could be animals, birds, fishes, reptiles and human beings for full coverage. A targeted group might be stipulated as non-human living creatures, or even specific as reptiles when certain situations need more precision. Policy maker needs to understand clearly the scenario when formulating the directive just right in meeting practical implementation. ...

The illustrated directive is unclear. Drone, also known as unmanned aerial vehicle, has different form factors. If the sign comes without the icon, then it's pretty clear. With the icon there, it becomes only this type of drone is not allowed. This happens exactly in typical policy statement for network connection where cybersecurity practitioners have implicit assumptions. The issue has been elaborated in earlier blog for network connection. In nutshell, the precise directive is to secure the network with the appropriate controls of layer 3 to layer 7 data flow. ...