On 1 Jun 2015, at 22:21, Mark Tinka wrote:
The difference is that there are standardized (global) guidelines for
those infrastructures within their own industry, that lack of
compliance
can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured
risk they have, and working with them to develop the *verifiable*
checklists they should be going through before they write 'cyber-'
policies.
2. Working with ISO to develop relevant outcome-based standards (e.g.,
not what you type into your config, but rather the desired result, such
as source address validation,
detection/classification/traceback/mitigation capabilities, et. al.).
3. Working with regulatory bodies in various regulated verticals to
require aforementioned ISOs, same with insurance companies serving those
industries (this will have an ink-blot effect reaching down into their
supply/service chains).
4. Working with governmental bodies to require aforementioned ISOs in
the regulated industries.
5. Working with PCI/DSS to add an availability component, as well as all
relevant integrity BCPs.
6. Adding outcome-based requirements surrounding all the relevant BCPs
to peering/transit agreements, getting regulators and governments to
require same.
I really think the insurance industry is going to be the best/easiest
route to take (pardon the pun); this has the advantage of not requiring
further governmental regulation, and does offer a market-based solution.
I know Bill Woodcock has some experience in this general arena.
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
