Skip to main content

Back to (new) Basics

To maintain secure computer systems, in the past the basics have been tasks like keep systems updated, run anti-virus software, use a properly configured firewall,use a filtering proxy for access to the internet.

The advice on basics has been mechanistic in the past - make the machinery protect itself was the ideal and most hoped-for outcome.

The new Basics include the old things and add:

  • Establish a Security Culture
  • Maintain Good Computer Habits 
  • Plan for the Unexpected
  • Control Access to Protected Health Information

(from Top 10 Tips for Cybersecurity in Health Care)

What's interesting about the new Basics is the additional items all have something in common: People. Each item focuses on how people interact with the systems, what they should expect and look for in terms of benefits, risks and dangers, and the fact the use of computers and computerized machinery must always remember the human elements for mistake, misuse and out-right abuse.

Why Is Cybersecurity So Hard? puts it succinctly, attributing it to three reasons. The first reason is that which is being recognized more broadly now: It's not just a technical problem.  Harvard Business Review's The Best Cybersecurity Investment You Can Make Is Better Training documents the problem. The Small Business Administration is gearing up to help in the effort to train small and medium sized businesses and  the AHA is making efforts at training from the top-down and this includes training on and in governance efforts.

It's people that are trying to defeat security, it will come down to people promoting security - as the new Best Practices warrant.

Labels:

Comments

Post a Comment

Popular posts from this blog

Let's Not Mess Around with Security on our Personal Systems Either!

Essential Security Practices for Your Personal Systems Ensuring a minimal level of cybersecurity, privacy, and availability on your personal systems means you need to manage the following essential practices. This is a brief overview of recommendations from sources like CISA, NSA, etc., focused on personal laptop, phone, and other systems' security. Anti-virus  I've found you'll get the best anti-virus protection and usability from a paid product - I've always had good luck with Norton labeled products. If you are looking for current vendor offerings see:  https://www.pcmag.com/picks/the-best-antivirus-protection Regardless of whether you choose to use a commercial product or open-source anti-virus tool, it is absolutely something you need to use. This is the minimally needed level of system security. Once installed, ideally, it should be invisible until there's a security problem it can't prevent or solve.   Backups You need to have at least a minimal level of ...
Post a Comment
Read more

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view The NICE framework ( NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation.  Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs. A  RACI chart  is   a project management tool used to define and clarify roles and responsibilities within a project team.   It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be c...
Post a Comment
Read more

Typescript - It might not be easier, but but it's surely different

Typescript is a statically typed language, that is a superset of JavaScript. I've had the discussions and debates about that aspect of the language. I am all for static typing. Any way my tools can help me be better is alright by me. So I avoid the ' any ' type designation and make sure I have guards on ' unknown ' types, as much as I can.  Any  does not carry any useful type information, while unknown does, and allows it to enforce type checking.  Anything can be assigned to a variable of type unknown , but an unknown value cannot be assigned to variables of other types without explicit type assertion or narrowing. Similarly, no operations are permitted on an unknown value until its type is refined. This behavior ensures type safety and prevents runtime errors. (Refined with help from google). I bring this up because I was arguing with the compiler recently because I'd assumed both made no use on any type information in any circumstance - because I haven't ...
Post a Comment
Read more