Today’s security soapbox item:
The materiality of a security incident is a legal determination.
CISOs, you should not be making this call. You do not want to make this call. Loop in your lawyer.
Also make sure your company (if public) has a process for determining materiality and reporting.
Comments
E.g. incident vs. alert vs. event of interest.
Had some regulators who thought every unauthorized incoming connection *attempt* was a "reportable incident".
If it's questionable, ask legal. But at the same time, they're going to get really annoyed if you keep coming to them for "background noise of the internet" stuff.
Getting scanned by Shodan is not a "security incident", let alone thousands of them.