Released Jan 10, 2017 https://www.nist.gov/cyberframework/draft-version-11 NEW REVISION: Cyber Supply Chain Risk Management – The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (e.g. agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.
NIST released the draft NICE Cybersecurity Workforce Framework (NCWF) to more effectively identify, recruit, develop and retain the nation's cybersecurity talent. The framework provides a common language to categorize and describe cybersecurity work, which will help organizations build a strong workforce to protect systems and data.
As the threats to cybersecurity and the protections implemented against them grow and evolve, a cybersecurity workforce must be prepared to adapt, design, develop, implement, maintain, measure, and understand all aspects of cybersecurity. A cybersecurity workforce includes not only technically focused staff but also those who apply knowledge of cybersecurity and its inherent challenges when preparing their organization to successfully carry out its mission. A knowledgeable and skilled cybersecurity workforce can implement and maintain protections and take actions to meet the nation's needs.
Security awareness: a very big buzzword. We all know, and often say, that awareness is the key to security. An organization that is aware is far more likely to be secure than its counterparts. But to what extent do we make our audiences aware? When we address them, we generally talk about what information is, what its security means, which aspects of information we secure, which general controls we have, and which common or grave mistakes one could make and what their possible impact could be.
Well, if we say awareness is directly related to the perception of information security risks, then awareness in itself might become another risk: you are telling the audience what could go wrong, sometimes without realizing that, had you not told them, they might never have learned about it, and thus giving them the chance to say, "Ah, I didn't know that this kind of breach was that simple?"
Vulnerabilities in web applications are a major cause of security breaches and are treated as a pain point by enterprises. Continuous monitoring of web applications is a demanding process, as organizations adopt agile delivery to meet business challenges. Traditional DAST and SAST are widely known technologies that make it easier to perform web application security assessments.
Regardless of your role with respect to cyber-space, when you engage in any discussion of cyber-security, make sure everyone in the dialogue is working with the same definition. Doing so will help avoid confusion, conflict, and missed expectations.
If you browse the Web for the definition of cyber-security, you will find a wide variety of definitions. Some encompass the whole spectrum of IT and data security. All exclude the broader field of "information security", which would include information in non-electronic form. Some limit the scope to cyber-space: the realm of connected computers, their transactional activities and data exchanges. Further, some limit the scope to malicious attacks, while others expand it to include all threats to networks, systems, applications, and data.