19 July 2022

The First Cyber Safety Review Board Report is Out

Paul Rosenzweig

Last year, President Biden created the Cyber Safety Review Board, with the intention that (akin to the National Transportation Safety Board) the new organization would review cyber incidents, examine root causes and, where necessary, make recommendations.

This is fundamentally a good thing. For too long, cyber incident response has been uncoordinated, with a lack of systematic review at the Federal level.

Earlier this month the CSRB released its first report, an account of the Log4J event. I will likely have more to say about the report in some detail later. For now, however, it is enough to welcome the initiative and call the report to the readers’ attention. Here’s a short taste from the Executive Summary:

“Generally, the Cyber Safety Review Board (CSRB, or the Board) found that organizations that responded most effectively to the Log4j event understood their use of Log4j and had technical resources and mature processes to manage assets, assess risk, and mobilize their organization and key partners to action. Most modern security frameworks call out these capabilities as best practices. However, few organizations were able to execute this kind of response, or the speed required during this incident, causing delays in both their assessment of the risk and in their management of it. When ASF made upgrades for Log4j available, deploying them was itself a risk decision, forcing a tradeoff between possible operational disruption and timeliness, completeness, and compensating controls.”

The entire report is worthy of your attention.

No comments: