The Register on NIST issuing “don’t be stupid” cyber security guidelines for contractors:

The guidance will look familiar to those that have studied the Australian Signals Directorate’s to-do list (which El Reg calls the “don’t be stupid” list).

The NIST publication covers access control, awareness and training, audit and accountability, configuration management, ID and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

And yes, the kind of advice it gives would have helped the DBP – for example, agencies should “separate the duties of individuals to reduce the risk of malevolent activity without collusion”, and should “employ the principle of least privilege, including for specific security functions and privileged accounts”.

Most cyber security guidelines could be filed under the heading of “don’t be stupid”. The problem is that so many organizations are simply lazy: they take the easy way out and choose not to implement best practices.