The exiting Obama administration has embraced a risk-based approach to data breach preparation and mitigation for federal agencies in an Office of Management and Budget memorandum, cybersecurity professionals told Bloomberg BNA.
Lisa M. Ropple, a cybersecurity partner at Jones Day in Boston, told Bloomberg BNA that “this risk-based framework, which is consistent with National Institute of Science and Technology standards and cybersecurity industry best practices, reflects an appreciation of the reality that not all incidents warrant the same response.”
Although aimed at agencies, official OMB guidance carries weight in the private sector. The endorsement of a risk-based approach is an acknowledgment that breaches are inevitable and that resources should be directed to where breaches are more likely, the cybersecurity pros said. In addition, the report supports efforts to limit breach notices, they said.