- White House Presidential Memo on Cybersecurity
- NIST Cybersecurity Framework
- CIS Benchmarks
- CIS Controls
- SANS 2021 Top New Attacks and Threat Report
- CISA Tips on Staying Safe Online
- New York’s Fiduciary Access to Digital Assets Act
- Verizon DBIR
Topics from the Presidential Memo:
"...the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever."
Online Learning for the Cybersecurity Framework
Among the many links on the page, there was one to the Japanese cross-sector forum, which made this interesting point.
"There are three differences between Japanese and U.S. companies in terms of cybersecurity professionals. First, Japanese companies still keep lifetime employment and rotate their employees every two to three years. Thus, industry finds it challenging to keep up with fast-developing cybersecurity changes. Second, while 62.7 percent of Japanese companies have CISOs in 2017, they are mostly dual-hatted and they lack a firm cybersecurity background. That makes it especially crucial to assign experienced cybersecurity professionals to the CISO team. Third, Japanese end-user companies tend to outsource most IT and cybersecurity work to system integrators. Only 24.8% of IT professionals work in-house in Japan, whereas 71.5% do so in the U.S."