1. Addressing Cyber Fundamentals
How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?
Enabling the Software Defined Data Center
Centrally define security policy
Security policies move with VMs
Reduce security as a choke point; accelerate business agility and responsiveness by...
We'd have to drive conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis...
1. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing.
2. Change enterprise email policy to only allow plain text, preventing unintentional click-through threats.
3. Similar to the “Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.
• Cyber-attackers have no fear of retaliation, risk or viable legal proceedings.
• There is no U.S. Government legal doctrine to counter cyber-attacks on U.S. industries, governments and citizens.
• The U.S. Government does not have the cyber capacity to protect U.S. industries.
The U.S. Congress should create a newly crafted Cyber-Castle Doctrine legislation for a legal framework for U.S. industries...
Perhaps an alternative is providing prioritization for allocation of existing funds (This mandate is #1, then this exec order etc etc).
With the "public" availability of such a list, audit should become more effective,...
Use Cyber Investment Management Boards (DOD example) where cyber projects are presented, defended, and measured against outcome based performance measures for funding. Helps get cybersecurity accountability as a shared responsibility across senior leadership of the organization and to understand costs and risk benefits.
Cyber Tips of the Day – the first thing to pop up on the intranet logon screen would be a cyber awareness question (with the ability to quickly check against the answer). These would be focused on knowledge leveling, increasing awareness of vulnerabilities created by spam/phishing attacks, etc.
Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be risk profile based for each agency. Addresses the problem of just having this done by auditors (GAO/IG) or consultants. Keeps attention and resource needed to close weaknesses and vulnerabilities.
Note: FCC is example.
1) How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?
Leverage the self audit capability of the SEC as a guidance for other agencies.