A list of initial questions to ask about your security program.
IT Governance Blog
June 17, 2015 by Julia Dutton 6 Comments
The ever-present threat of cyber attacks, highlighted by the host of massive data breaches affecting most sectors and countries, is forcing businesses of all sizes to take action. Some reports tell us that cyber security is a hot topic in the boardroom, while other reports imply that the board isn't placing enough emphasis on this thorny matter.
Nevertheless, cyber crime and its associated consequences are here to stay, and if the board is not yet asking the tough questions, it is time that it did.
While some might argue that the board is ill-equipped to challenge the CISO about cyber
security risks and their counter measures, several organisations have already embarked on
director training in cyber security.
Although boards of directors and CEOs may not need to know why a certain type
of malware can penetrate a firewall, they will need to know what their organisation is doing
to address threats known to penetrate firewalls.
Discussions of cyber risk at board level should include identifying which risks to avoid,
accept, mitigate or transfer (through cyber insurance), as well as reviewing specific plans
associated with each approach.
Ten essential cyber security questions to ask your CISO http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...
1 of 9 7/6/2015 9:17 AM
The board must ensure that the CISO is reporting at the appropriate levels within the
organisation. Although many CISOs report to the CIO, it is important to be aware that there
may be conflicting agendas between the CIO and the CISO.
The Institute of Internal Auditors recommends asking the CISO the following questions:
1. Does the organisation comply with leading information security frameworks or standards?
Examples include the international information security management standard, ISO 27001,
the Payment Card Industry Data Security Standard (PCI DSS) and COBIT, as well as HIPAA
for organisations in the US healthcare industry.
2. What are the top risks the organisation faces?
Examples could include bring your own device, Cloud computing, internal threats (employee
errors or malicious acts) or supply chain risks.
3. Do we have an effective information security awareness programme?
Most companies realise the benefits of effective staff awareness training. Ensure that the
training provides sufficient awareness about the key threats and employee behaviours that
can result in a data breach. Staff should also be aware of the increasingly sophisticated
tactics used by phishing attacks.
4. Are we considering the internal threat?
A startlingly large number of breaches are caused by employee error (often conducted by
managers!) or malicious behaviour.
5. In the event of a data breach, what is our response plan?
Many cyber security experts now believe that it is no longer a matter of 'if' but 'when' you will be breached. The critical difference between organisations that will survive a data breach and those that won't is the implementation of a cyber resilience strategy, which takes into account incident response planning and disaster recovery strategies to bounce back from a cyber attack with minimal disruption to the business. The board should also be aware of the laws governing its duties to disclose a data breach.
Other important questions include:
6. Are we conducting comprehensive and regular information security risk assessments?
The risk assessment should provide the board with an assurance that all relevant risks have
been taken into account, and that there is a commonly defined and understood means of
communicating and acting on the results of the risk assessment. Worryingly, 32% of
respondents to a recent PwC information security breaches survey (ISBS) had not
undertaken any form of risk assessment. Proven software tools can help speed up and
streamline the risk assessment process.
7. Are we adequately insured?
Recent reports reveal that cyber insurance alone is not adequate to protect companies from a full-scale cyber attack. Although it is difficult to quantify how expensive a data breach can be, information about other data breaches in your industry should provide an indication of the potential damages your organisation might face. The latest statistics reveal that breaches cost large organisations between £1.46m and £3.14m in 2014. Many organisations don't realise that they remain liable for a data breach even if the data is stored in the Cloud, or if a third party with which they share information is breached.
8. Are we testing our systems before there's a problem?
There are many tests that can be undertaken to assess the vulnerability of systems,
networks and applications. An important element of any security regime should be regular
penetration tests. Pen tests are simulated attacks on a computer system with the intent of
finding security weaknesses that could be exploited. They help establish whether critical
processes such as patching and configuration management have been followed correctly.
Many companies fail to conduct regular penetration tests, falsely assuming the company is
safe, but new vulnerabilities and threats arise on a daily basis, requiring the company to
continually test its defences against emerging threats.
9. Have our internal cyber security controls been audited?
If the organisation has chosen to comply with an information security standard such as ISO 27001:2013, an independent review of the organisation's information security controls can be conducted by a certification body, and can be used to provide evidence of the organisation's commitment to information security. This can in turn be used as a competitive advantage when bidding for new business, as is indeed the case with companies certified to ISO 27001.
10. Is our information security budget being spent appropriately?
26% of respondents to the PwC ISBS said they don't evaluate how effective their security expenditure is.
The board can play a key role in preventing problems before they arise by taking a more active part in cyber risk discussions. By becoming educated and informed, the board can make cyber risk a topic that is discussed before an incident rather than only after one. Don't risk it, cyber secure it. Contact IT Governance for tailor-made boardroom cyber security training on +44 845 070 1750.
Filed Under: Cyber Security, ISO 27001
Lawrence Chard says
July 6, 2015 at 10:11 am
WTF is a CISO, or a CIO?
I won't even mention COBIT or HIPAA!
Reply
Satish says
July 6, 2015 at 9:57 am
As the topic mentions, we are looking at the organisation-wide security measures taken by the organisation. Hence we have to see all internal as well as outside threats. Internal threats from an employee clicking a phishing link also need to be seen as a risk. I would like to add another aspect, supply chain risks, wherein your business is also vulnerable to your suppliers' risks, so these also need to be assessed and registered in your risk register.
Reply
nicoatridge says
June 22, 2015 at 9:21 am
I would add the question "When did we last test our recovery procedures?". Clearly this would include DR, but also recovering data from a backup source or manual alternatives to automated procedures. Additionally, some of the "what if" thinking should be establishing how vulnerable fallback options themselves are to cyber attacks. For example, a malicious assault on your data may not be detected for some time and backup data may have also been compromised.
Reply
Julia Dutton says
June 22, 2015 at 9:25 am
Hi Nico
Great point, thanks.
Reply
Julia Dutton says
June 22, 2015 at 8:53 am
Hi Dirk, thanks for your comment. From our perspective, and certainly the point of view that is being taken by many other security firms, cyber security is an element of a broader information security strategy, which encompasses people, processes and technology. If you aren't practising end-user education, how will you ensure that your employees do not click on malicious links from phishing scams that can damage your entire network? Cyber security may have originated from "the outside", as you call it, but without a comprehensive approach, your best-laid plans will fall short of protecting your data.
Reply
Dirk Schadt says
June 22, 2015 at 7:48 am
I'm missing your definition of cyber security and its differentiation from information security. In my definition the first is a threat from outside, the CYBER; the other is about security from inside and outside.
Therefore things like security awareness or internal threats are not the subject of cyber security.
Otherwise cyber security is just a buzzword for bullshit bingo.
Reply