To Risk, or Not to Risk
Risk-based regulation introduces potential for differences of
opinion when the risk rating of a particular asset is
determined by the individual responsible for that asset,
said Sumner Blount, director of product marketing, security and
compliance at CA Technologies. Still, a one-size-fits-all
approach, where the risk of a given asset is not considered, is even
worse.
"A balance is clearly needed,"
he said. "Organizations need to evaluate asset importance based on
clearly documented criteria, and the decision should be made by
cross-functional, compliance-savvy teams rather than individual asset
owners. Similarly, the definition and treatment of critical information
or PII should not be up to one person... There are generally accepted
definitions for this type of information for regulatory purposes, and
where none exists, definitions should be developed by the team so as to
avoid conflicts later on."
In addition, the complexity and redundancy of controls should be to
some extent related to the impact and likelihood of a situation that
would cause the control to fail, Blount said. Some compliance
controls, such as making sure administrators only have the rights they
need, are essential due both to the likelihood and the potential impact
of a violation. Others are much less likely and therefore don't require
the same type of strong controls, he added.
"In short, risk-based compliance is like Churchill's description of
democracy - it's one of the worst ways to approach compliance... except
for all the other ways that have been tried," he said.
While Blount sees a place for risk-based regulation,
Stiennon argued that regulations need to move beyond such methodologies.
"They have not worked in IT security; they will not work in CIP," he said. "Laws and regulations must supply
real financial incentives. Instead of mandating password policies
they should assign liability. Make a power generating utility liable
for the damage caused by an outage from a cyber incident and they will
find the resources to devote to IT security. They, along with
their insurers, and bond raters, will quickly determine their risks."
A vulnerability on an exposed machine, for example, is a higher priority than one
on a machine that is not exposed, he noted, just as a
vulnerability that is being exploited by a worm or virus is of higher
priority than one that requires a targeted attack to exploit.
"Imagine a military commander using risk based management," he said.
"During a battle he would deploy his forces to protect the most
valuable assets instead of where the enemy was penetrating his line."