On 1 Jun 2015, at 22:21, Mark Tinka wrote:
The difference is that there are standardized (global) guidelines for those infrastructures within their own industry, where lack of compliance can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured risk they have, and working with them to develop the *verifiable* checklists they should be going through before they write 'cyber-' policies.

2. Working with ISO to develop relevant outcome-based standards (e.g., not what you type into your config, but rather the desired result, such as source address validation, detection/classification/traceback/mitigation capabilities, et al.).

3. Working with regulatory bodies in various regulated verticals to require aforementioned ISOs, same with insurance companies serving those industries (this will have an ink-blot effect reaching down into their supply/service chains).

4. Working with governmental bodies to require aforementioned ISOs in the regulated industries.

5. Working with PCI/DSS to add an availability component, as well as all relevant integrity BCPs.

6. Adding outcome-based requirements surrounding all the relevant BCPs to peering/transit agreements, getting regulators and governments to require same.

I really think the insurance industry is going to be the best/easiest route to take (pardon the pun); this has the advantage of not requiring further governmental regulation, and does offer a market-based solution.

I know Bill Woodcock has some experience in this general arena.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>