Wanted to say thank you to everyone who was able to make it out to our talks. Given the topics, they were very well attended and, more importantly, the attendees were exactly the people we were hoping to reach. For the insurance talk, we had a lot of infosec people who were early in researching the subject and who shared that they learned a lot. Even more exciting, the medical device talk was attended by many heavy-hitting organizations, both device manufacturers and hospitals. We're very excited about the promised deliverables that we will be publishing as an output of these projects.
- For insurance, we're drafting a cyber breach insurance application that is based on a maturity model rather than the yes/no standard used in current applications. Additionally, our focus is on the elements of security that are interesting to insurers. Since most losses occur via lost or stolen devices, networks hacked through web applications, or weak perimeter defenses, we will focus our time on those control areas, and our maturity-style questions will take a hybrid progression and capability approach. The current standard is very much "do you have a firewall?" While some underwriters ask more advanced questions, we found for the most part, as our presentation shows, that the review models are mostly "from the 90s". Also very exciting, some of the people I think of when I say "maturity models" were in attendance and were interested in collaborating. More to come!
- For medical devices, we are very excited to publish an assessment framework tailored to medical devices, with questions and techniques selected dynamically based on the type of technologies and the security implications associated with a device. This will come primarily as a macro-enabled spreadsheet that includes the controls we highlighted in our talk. Our material is essentially a hacked-up version of other standards that are out there (NIST, ISO, CIS, OWASP, SANS, etc.), but spun with implementation guidance for hospitals. Very important is the dynamic of vendor-owned/supported devices, which makes implementing controls different from typical environments. Also included will be a document providing user guidance and our RSAC presentation describing the problem, why we should invest now to address it, and our recommended solutions.
The slides are up on the RSAC site here, but are posted here as well. Thanks to Jamie Gamble, my awesome co-presenter, and all the folks who provided a sounding board for the content. Cheers!