Posts by mhs1973

8 publicly visible posts • joined 23 Oct 2015

Here's a NIS2 compliance checklist since no one cares about deadlines anymore

mhs1973

Determine whether your organization is in NIS2's scope. How?

There are enough rather hard-to-pin-down phrases within this 'regulation' that make it almost impossible to determine if you are indeed in scope, or not.

And if you are in scope, for some (smaller) companies it is (or will be) rather hard to meet the requirements, simply because the effort is very expensive.

Additionally, to comply, certain processes will slow down and require employing more people who have to be qualified and certified to perform their duties.

Where will they come from? How will they be paid?

Example: A small company (let's say 10 staff) is an integral part of several corporations, each with >50 million Euro total revenue globally. Total revenue, not profit. The corporations are in the transport sector. The small company provides, let's say, a logistics scheduling tool without which the large corporations cannot easily function. Under long-term contracts.

Thanks to NIS2 and its requirements, the small company is in scope and now has to employ 5 additional people with certifications in various professions, one of them being a person who is only there to monitor compliance.

Changes to the product now take 6 months where before they took 1 week. Said changes might be for optimization of the scheduling because of, e.g., certain waterways being blocked.

The cost of doing business has increased for no real reason and there is no sensible way to increase the price of the product short term.

Result: (best case scenario) the owner sells off the product to a larger corporation and the other 14 people have to look for new jobs.

(worst case scenario) the company closes its doors, the product is not usable anymore and the transport corporations which used it are in chaos. It spreads to the population because one of them is a major participant in transporting perishable goods, and nothing arrives anymore in the shops. Looting and burning ensues and soon people are reduced to trying to eat the politicians. It turns out they are not even useful for that purpose because it's either hot air inside them, or excrement. Everyone (else) dies of dysentery.

Techie called out to customer ASAP, then: Do nothing

mhs1973

contract language

Sounds to me like someone took what the contract says quite literally.

e.g. reaction time 4 hours = 3 hours 57 minutes after opening a ticket, this message arrives: "We have received your complaint and will work on a resolution in due time."

BOFH: Don't be nervous, Mr Consultant. Come right this way …

mhs1973

the other side

Believe it or not, yes, there is the other side of that equation.

Imagine a sales team, if you will, that promises the customer an all inclusive solution.

And they then sign a contract to that effect.

And then you, the DevOps people, sometimes a few, sometimes just one, have to make it happen.

You say that does not exist? Search for "real unicorns have curves", I dare you.

Yes, the grey one. That's it.

The eyes are the sales team.

The body is the look of the code of your software.

And you, you are the soles of those dainty feet.

FBI, CISA: Don't get caught in Karakurt's extortion web

mhs1973

Re: Another bunch of Russian miscreants

Never is not exactly right. One invasion was rather successful. Ask the Mongols.

But what records of this successful event also show is that you can only be successful with a type of action that would be, well, not palatable to our own current values.

So the decision is just that hard: Either lose some or many of the values you fight for, or lose the war.

Navigating without GPS is one thing – so let's jam it and see what happens to our warship

mhs1973

jamming isn't the point

but gradually changing the offset well enough to put the training ship from the North Sea to Lake Geneva.

Sysadmins: Why not simply verify there's no backdoor in every program you install, and thus avoid any cyber-drama?

mhs1973

the fine line...

... is what you walk, as a sysadmin. Not that I should have to tell that to anyone reading here.

That fine line makes the difference between a usable system, and a 99.999% safe system.

Even if you have proper change control, even if everything that you can think of testing checks out, there will be something you missed; developers, testers and sysadmins alike.

That is why bug bounties need to be there in commercial software (and be paid out, not reneged on), and that is why you, as a developer of free software, can never act like there is nothing wrong with your code when someone asks a (hopefully polite) question.

Finally the penalties for publishing exploits and the use of them need to be so draconian that nobody will even dare to think about it. And that goes for anyone, no exceptions.

BOFH: Where there is darkness, let there be a light

mhs1973

a) doing inventory is FUN, it helps find 'broken' equipment

b) June 31st? That should have been the hint that this particular beancounter is, well, shall we say, 'creative'.

Caption this: WIN a 6TB Western Digital Black hard drive with El Reg

mhs1973

The "Honey, I Shrunk the Kids" franchise is actually a bit older than most would expect