by ShittyKickflips
589 days ago
I think if Siemens was breached they have to publish, as it is stock market listed, subject to NIS2, and also a founder of the Charter of Trust. The question is what you consider a breach. Is it a malware incident? Some cryptolocker? Or is it exfiltration of IP?
Lots of companies did it the same way. SAP, Salesforce, Fortinet, Sophos, heck, even the SolarWinds RCE was disputed - AFTER the White House made a public statement about it.
I'd argue that NIS2 doesn't enforce much, because the "reasonably modern" lingo is used everywhere, which is a legal grey area that lazy lobbyists inserted for a good reason.
Legally speaking, base64 is a reasonably modern encryption, which says something about this, and about the lack of technical correctness in the whole sector.
TISAX requires 24-hour response times, and the response is "We have received it", because it doesn't say that companies have to disclose or report any incident. Nor does it set any mandatory time frames for bugfixes.
Same for all ISO norms: you can fulfill ISO 27001 et al. with a single part-time student job that has 20+ role descriptions. Will the student get the job done? Probably not, but it's still passing the audit, because auditors don't control the outcome, only the management policies.
We need to rethink how audits are done, because systematically paying auditors for implied successful audits is what got us here.