[BreachExchange] Risk Based Security, NIST and University of Maryland Team Up To Tackle Security Effectiveness

Inga Goddijn inga at riskbasedsecurity.com
Fri Feb 17 11:34:39 EST 2017


https://www.riskbasedsecurity.com/2017/02/risk-based-security-nist-and-university-of-maryland-team-up-to-tackle-security-effectiveness/

The research team at Risk Based Security analyzes and catalogs thousands of
data breaches every year. From that work, a few central themes arise time
and again. One such theme is that breaches can happen at even the most
security-conscious organizations. Another is that attackers are unrelenting
in their tenacity and skill when it comes to searching out weaknesses in
organizational practices and processes. Watching these themes repeatedly
play out to their unfortunate consequences – a data compromise event – has
led us to the conclusion that there is no substitute for a methodical and
risk-based approach to security management that addresses both the
organization’s own security practices and the downstream risk posed by
vendors, suppliers and other third parties that can be a gateway to a
security incident.

Risk Based Security has long been a staunch supporter of leveraging the
value of cyber security frameworks like ISO 27001/2 and NIST’s
Cybersecurity Framework to create robust security programs based on
security best practice. Management systems such as these bring much needed
structure to the day-to-day work of risk assessment, defining security
objectives, and selecting and implementing security controls. Until now,
however, what has been missing from the picture are formal tools for
assessing how well the organization is performing against these frameworks,
measuring the effectiveness of the security controls, and a common platform
for sharing that benchmarking data with peers.

So we were very excited to learn about a new joint research project
launched by NIST’s Computer Security Resource Center and the University of
Maryland, known as the Predictive Analytics Modeling Project.
<http://csrc.nist.gov/scrm/pamp-assessment-faqs.html> The aim of the
project is to conduct the primary research needed in order to build tools
that can measure the effectiveness of security controls. In short, the
project is taking a deep, data-driven dive into the relationship between
security controls, supply chain capabilities and actual data breach results.

Project organizers have an open call out to federal agencies, IT vendors
and publicly traded companies in the U.S., looking for organizations
interested in participating in the study. In addition to furthering
academic research, participation comes with some very real, near-term
benefits. The data gathering mechanism is a risk assessment questionnaire
which can be completed online in less than an hour. In addition to
providing researchers with much needed data, participants are able to
benchmark their current security practices against NIST’s Cybersecurity
Framework, providing valuable feedback on how their program stacks up and
highlighting areas for improvement. Participants will also be able to
anonymously compare their results against their peers for a better
understanding of how their practices compare to others within their
industry.

A website outlining the project can be found here:
https://cyberchain.rhsmith.umd.edu/

The window for participation is only open until March 15th, so be sure to
register and start participating soon.