
SANS ICS 5 Critical Controls goes to the board - Jemena's 5 Critical Controls journey.pdf

Uploaded by: 可*** ID: 991760 2025-12-07 33 pages 3.38MB

5 Critical Controls goes to the board

The energy transition is adding (consumer) tech to the Grid
More data centers to do important AI things that will change our lives
Threats
Regulation

32% of corporate directors are completely satisfied with the information they get on cybersecurity
19% of board members say their companies have recruited board members with specific cybersecurity and technology skills
46%: Less than half of board members report receiving consistent, decision-useful reporting from their Chief Information Security Officers (CISOs)
154 Minutes
Slides
Yet CISOs get limited time at the board
2021

The right people translating to the right language
9
NIST CSF
Cyber Threat Awareness (TTX)
Enhance Remote access
Secure Network
Network visibility

TTX 2021: Oct 2022:
Lessons Learned
Use threat scenarios/model to tie everything together
1. Scenarios are super important
Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.
2. It's an operational environment, plan for it to take longer
3. MFA needs to be phish-resistant and logged
Basic MFA is not enough in 2025
Aim for FIDO2 or similar
Logging and Monitoring to detect session hijacking and token stealing

Board reporting Part 1: Measuring and Reporting on 5 Critical Controls
Get your message across
Context is King
Tell the story
Motivate action

Context: During deployment vs Post deployment
During deployment: Mostly vibes with a little data. Completeness is the context. Highly manual. Motivation: improving delivery and removing blockers. Increased coverage = Reduced Risk
Post deployment: Mostly data with a few vibes. Control Effectiveness is the context. Highly automated. Motivation: improving effectiveness of controls and finding control gaps. Increased effectiveness = Reduced Risk

Tell the story through metrics
Deployment Metrics, i.e. controls are

Based on the report's content, the main points are summarized as follows: - **The board and cybersecurity**: 32% of board members are satisfied with the cybersecurity information they receive, but only 19% of companies have recruited board members with specific cybersecurity skills. - **Critical controls**: The 5 Critical Controls include enhanced remote access, a secure network, network visibility and monitoring. - **CISO reporting**: Less than half of board members report receiving consistent, decision-useful reporting from their CISOs. - **Threat awareness**: Cyber threat awareness (TTX) under the NIST CSF is key; threat scenarios/models should be used to tie all measures together. - **Deployment and effectiveness**: Deployment and effectiveness metrics are essential for measuring controls, including firewall deployment, remote-access MFA status, and vulnerability remediation. - **Board reporting**: Translate cybersecurity into the language of risk, report to the board using key risk indicators (KRIs), and keep it simple and understandable. - **Key risk indicators (KRIs)**: KRIs are used for dynamic risk and help the board understand the situation inside and outside the organization.