UIDAI does a U turn
UIDAI, under MEITY (Ministry of Electronics and IT) released a press notification on the 27th of May.
They said “Do not share a photocopy of your Aadhaar because it can be misused”.
The original message appears to have been removed. Here is a tweet referring to the same:
Expectedly, there was uproar. People were worried. Organisations relying on Aadhaar for identity verification were worried. Nobody knew what to do.
CISOs were bombarded with people seeking clarifications.
Can we continue to collect Aadhaar copies?
Do we need to mask what we collect?
Delete all Aadhaar data?
Then MEITY decided to add to the confusion.
Before the dust settled, they released a retraction.
Take Action:
Nothing is required to be done.
CIS released their updated Risk Assessment Methodology (RAM), V 2.1
The CIS RAM was initially released in 2018.
It has three different approaches for different complexities:
Control Based Assessment
Asset Based Assessment
Threat Based Assessment
In version 2.1 of the RAM, which can be downloaded from here, CIS tries to ‘quantify’ the risks. The approach they take is somewhat midway between qualitative and quantitative. In a qualitative assessment, risks fall into buckets (Low, Moderate, High, etc.); in a quantitative assessment, each risk is assigned a monetary value.
In the hybrid approach suggested by RAM 2.1, the qualitative buckets are given quantitative ranges:
It sort of reminds you of a traditional Business Impact Analysis (BIA).
As cybersecurity risk assessment moves from qualitative to quantitative, prepare to see such hybrid approaches before fully quantitative ones.
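To make the hybrid idea concrete, here is an added illustration (not from CIS RAM 2.1 and not using its actual tables): each qualitative bucket carries an assumed numeric range, and multiplying the likelihood and impact ranges gives an expected annual loss range per risk instead of a single bucket label. The bucket values, the `Risk` class and the `appetite` threshold are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed bucket ranges (assumptions for illustration only, not the CIS RAM 2.1 tables).
# Likelihood buckets map to expected occurrences per year;
# impact buckets map to a monetary loss range per occurrence.
LIKELIHOOD = {
    "Low": (0.05, 0.2),
    "Moderate": (0.2, 1.0),
    "High": (1.0, 5.0),
}
IMPACT = {
    "Low": (10_000, 100_000),
    "Moderate": (100_000, 1_000_000),
    "High": (1_000_000, 10_000_000),
}


@dataclass
class Risk:
    name: str
    likelihood: str  # one of the LIKELIHOOD bucket names
    impact: str      # one of the IMPACT bucket names


def annual_loss_range(risk):
    """Expected annual loss as a (min, max) range: multiply the two bucket ranges."""
    lo_l, hi_l = LIKELIHOOD[risk.likelihood]
    lo_i, hi_i = IMPACT[risk.impact]
    return (lo_l * lo_i, hi_l * hi_i)


def classify(risk, appetite):
    """Hybrid verdict against a monetary risk appetite (annual loss the organisation accepts).

    'accept' if even the worst case stays within appetite, 'treat' if even the best case
    exceeds it, and 'review' when the range straddles the threshold and needs a closer look.
    """
    lo, hi = annual_loss_range(risk)
    if hi <= appetite:
        return "accept"
    if lo > appetite:
        return "treat"
    return "review"


def portfolio_range(risks):
    """Aggregate the register: sum of minimums and sum of maximums across all risks."""
    ranges = [annual_loss_range(r) for r in risks]
    return (sum(lo for lo, _ in ranges), sum(hi for _, hi in ranges))
```

The "review" outcome is the practical payoff of the hybrid style: it exposes which risks a pure bucket label would have silently accepted or over-treated.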
Take Action:
If your Risk Assessment Methodology (RAM) is still qualitative, you can easily adapt it to this hybrid style. If your RAM is already hybrid, you can think of moving to the next level - fully quantitative.
Useful? CyberInsights is a weekly post about two new items in cybersecurity that help the cybersecurity professional think. Subscribe to it here.