Ten essential cyber security questions to ask your CISO
http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...
June 17, 2015 by Julia Dutton — 6 Comments

The ever-present threat of cyber attacks, highlighted by the host of massive data breaches affecting most sectors and countries, is forcing businesses of all sizes to take action.
Some reports tell us that cyber security is a hot topic in the boardroom, while other reports imply that the board isn't placing enough emphasis on this thorny matter.
Nevertheless, cyber crime and its associated consequences are here to stay, and if the board is not yet asking the tough questions, it is time that it did.
While some might argue that the board is ill-equipped to challenge the CISO about cyber security risks and their countermeasures, several organisations have already embarked on director training in cyber security.
Although boards of directors and CEOs may not need to know why a certain type of malware can penetrate a firewall, they will need to know what their organisation is doing to address threats known to penetrate firewalls.
Discussions of cyber risk at board level should include identifying which risks to avoid, accept, mitigate or transfer through cyber insurance, as well as reviewing the specific plans associated with each approach.
The board must ensure that the CISO is reporting at the appropriate levels within the organisation. Although many CISOs report to the CIO, it is important to be aware that there may be conflicting agendas between the CIO and the CISO: the CIO is measured on delivering and running systems, the CISO on the risk those systems carry.
The Institute of Internal Auditors recommends asking the CISO the following questions:
1. Does the organisation comply with leading information security frameworks or standards?
Examples include the international information security management standard ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and COBIT, as well as HIPAA for organisations in the US healthcare industry.
2. What are the top risks the organisation faces?
Examples could include 'bring your own device', Cloud computing, internal threats (employee errors or malicious acts) or supply chain risks.
3. Do we have an effective information security awareness programme?
Most companies realise the benefits of effective staff awareness training. Ensure that the training provides sufficient awareness of the key threats and of the employee behaviours that can result in a data breach. Staff should also be aware of the increasingly sophisticated tactics used in phishing attacks.
4. Are we considering the internal threat?
A startlingly large number of breaches are caused by employee error (often on the part of managers) or malicious behaviour.
5. In the event of a data breach, what is our response plan?
Many cyber security experts now believe that it is no longer a matter of 'if' but 'when' you will be breached. The critical difference between organisations that will survive a data breach and those that won't is the implementation of a cyber resilience strategy, which takes into account incident response planning and disaster recovery strategies to bounce back from a cyber attack with minimal disruption to the business. A plan that has never been rehearsed is of limited value, so the board should ask when it was last exercised. The board should also be aware of the laws governing its duties to disclose a data breach.
Other important questions include:
6. Are we conducting comprehensive and regular information security risk assessments?
The risk assessment should provide the board with assurance that all relevant risks have been taken into account, and that there is a commonly defined and understood means of communicating and acting on its results. Worryingly, 32% of respondents to a recent PwC Information Security Breaches Survey (ISBS) had not undertaken any form of risk assessment. Proven software tools can help speed up and streamline the risk assessment process.
7. Are we adequately insured?
Recent reports reveal that cyber insurance alone is not adequate to protect companies from a full-scale cyber attack. Although it is difficult to quantify how expensive a data breach can be, information about other data breaches in your industry should give an indication of the potential damages your organisation might face. The latest statistics reveal that breaches cost large organisations between £1.46m and £3.14m in 2014. Many organisations don't realise that they remain liable for a data breach even if the data is stored in the Cloud, or if a third party with which they share information is breached.
8. Are we testing our systems before there's a problem?
There are many tests that can be undertaken to assess the vulnerability of systems, networks and applications. An important element of any security regime should be regular penetration tests. Pen tests are simulated attacks on a computer system with the intent of finding security weaknesses that could be exploited. They help establish whether critical processes such as patching and configuration management have been followed correctly. Many companies fail to conduct regular penetration tests, falsely assuming the company is safe, but new vulnerabilities and threats arise on a daily basis, requiring the company to continually test its defences against emerging threats. A pen test is only a snapshot of the systems in scope on the day, so the board should also ask what was tested, what was found, and whether the findings have since been fixed and re-tested.
9. Have our internal cyber security controls been audited?
If the organisation has chosen to comply with an information security standard such as ISO 27001:2013, an independent review of its information security controls can be conducted by a certification body and used to provide evidence of the organisation's commitment to information security. This can in turn be used as a competitive advantage when bidding for new business, as is indeed the case with companies certified to ISO 27001.
10. Is our information security budget being spent appropriately?
26% of respondents to the PwC ISBS said they don't evaluate how effective their security expenditure is.
The board can play a key role in preventing problems before they arise by taking a more active part in cyber risk discussions. By becoming educated and informed, cyber risk in the boardroom need not be a topic that gets discussed only when there is an incident. Don't risk it, cyber secure it. Contact IT Governance for tailor-made boardroom cyber security training on +44 (0)845 070 1750.
Filed Under: Cyber Security, ISO 27001
Lawrence Chard says July 6, 2015 at 10:11 am
WTF is a CISO, or a CIO? (I won't even mention COBIT or HIPAA.)
Satish says July 6, 2015
As the topic mentions, we are looking at the organisation-wide security measures taken by the organisation. Hence we have to see all internal as well as outside threats. Internal threats from an employee clicking a phishing link also need to be seen as a risk. I would like to add another aspect, supply chain risks, wherein your business is also vulnerable to the supplier's risks, so the same also need to be assessed and registered in your risk register.
nioatri#"e says June 22, 2015 at 821 am
'oul# a## the *uestion H+hen #i# 'e last test our reovery proe#uresGI% Clearly this 'oul# inlu#e D@, but also reoverin" #ata from a ba!up soure or manual alternatives to automate# proe#ures% .##itionally some of the H'hat ifI thin!in" shoul# be establishin" ho' vulnerable fallba! options themselves are to yber atta!s% For e9ample a maliious assault on your #ata may not be #etete# for some time an# ba!up #ata may have also been ompromise#%
Ten essential cyber security questions to ask your CISO
http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...
@eply
Julia Dutton says June 22, 2015
Hi Nico, great point, thanks.
Julia Dutton says June 22, 2015
Hi Dirk, thanks for your comment. From our perspective, and certainly the point of view that is being taken by many other security firms, cyber security is an element of a broader information security strategy, which encompasses people, processes and technology. If you aren't practising end-user education, how will you ensure that your employees do not click on malicious links from phishing scams that can damage your entire network? Cyber security may have originated from the 'outside', as you call it, but without a comprehensive approach, your best laid plans will fall short of protecting your data.
Dirk Schadt says June 22, 2015 at 7:34 am
I'm missing your definition of cyber security and its differentiation from information security. In my definition the first is a threat from outside, the CYBER; the other is about security from inside and outside. Therefore things like security awareness or internal threats are not a subject of cyber security. Otherwise cyber security is just a buzzword for bullshit bingo.