To Risk, or Not to Risk
Risk-based regulation introduces potential for differences of opinion when the risk rating of a particular asset is determined by the individual responsible for that asset, said Sumner Blount, director of product marketing, security and compliance at CA Technologies. Still, a one-size-fits-all approach, where the risk of a given asset is not considered, is even worse. "A balance is clearly needed," he said. "Organizations need to evaluate asset importance based on clearly documented criteria, and the decision should be made by cross-functional, compliance-savvy teams rather than individual asset owners. Similarly, the definition and treatment of critical information or PII should not be up to one person...There are generally accepted definitions for this type of information for regulatory purposes, and where none exists, definitions should be developed by the team so as to avoid conflicts later on."In addition, the complexity and redundancy of controls should be to some extent related to the impact and likelihood of a situation that would cause the control to fail, Blount said. Some compliance controls, such as making sure administrators only have the rights they need, are essential due both to the likelihood and the potential impact of a violation. Others are much less likely and therefore don't require the same type of strong controls, he added."In short, risk-based compliance is like Churchill's description of democracy - it's one of the worst ways to approach compliance.....except for all the other ways that have been tried," he said. While to Blount risk-based regulations have their place, Stiennon argued regulations need to move beyond such methodologies. "They have not worked in IT security; they will not work in CIP," he said. "Laws and regulations must supply real financial incentives. Instead of mandating password policies they should assign liability. Make a power generating utility liable for the damage caused by an outage from a cyber incident and they will find the resources to devote to IT security. They, along with their insurers, and bond raters, will quickly determine their risks." A vulnerability on an expose machine is a higher priority than one on a machine that is not exposed for example, he noted, just as a vulnerability that is being exploited by a worm or virus is of higher priority than one that requires a targeted attack to exploit. "Imagine a military commander using risk based management," he said. "During a battle he would deploy his forces to protect the most valuable assets instead of where the enemy was penetrating his line."