Last weekend I came across this gem of guidance: a taxonomy of operational risks for cyber-security, published by the CERT Division of the Software Engineering Institute at Carnegie Mellon University. How I missed this taxonomy until now, I don’t know, but since your board of directors is likely to resolve at its January meeting not to become the next Sony (or Target, or Home Depot, or JP Morgan), it is worth a fresh look.

CERT also posted a podcast about the taxonomy, featuring an interview with its principal developer. That podcast is worth your time too (30 minutes), and the crucial insight comes at the 5:30 mark, when a CERT staffer asks this question: