Ten Essential Cyber Security Questions to Ask Your CISO

Ten essen ssenttial ial cyb cyber er secu securi rity ty ques questtions ions to ask ask your your CISO CISO

http http:/ ://w /www ww.i .ittgove goverrnanc nance. e.co co.u .uk k/bl /blog/ og/tenen-ess essent entialial-cy cybe berr-sec -secur uriity-qu y-queesti stion.. on....

About Us Visit our Webshop

IT Governance Blog  3enu

4lo" ome

4usiness Continuity

T 4est ratie

T overnane

Cyber &eurity C D&&

Data rotetion

ther 4lo"s

June 17, 2015 by Julia Dutton — 6 Comments The ever-present threat of yber atta!s, hi"hli"hte# hi"hli"hte# by the host of massive #ata breahes affetin" most setors an# ountries, is forin" business of all si$es to ta!e ation%

&ome reports tell reports tell us that yber seurity is a hot topi in the boar#room, 'hile other reports imply that the boar# isn(t plain" enou"h emphasis on this thorny matter%

)evertheless, yber rime an# its assoiate# onse*uenes are here to stay, an# if the boar# is not yet as!in" the tou"h *uestions, it is time that it #i#%

+hile some mi"ht ar"ue that the boar# is ill-e*uippe# to hallen"e the C& about yber seurity ris!s an# their ounter measures, several or"anisations have alrea#y embar!e# on #iretor trainin" in yber seurity%

.lthou"h boar#s of #iretors an# C/s may not nee# to !no' 'hy a ertain type of mal'are an penetrate a fire'all, they 'ill nee# to !no' 'hat their or"anisation is #oin" to a##ress threats !no'n to penetrate fire'alls%

Disussions of yber ris! at boar# level shoul# inlu#e i#entifyin" 'hih ris!s to avoi#, aept, miti"ate or transfer throu"h yber insurane, as 'ell as revie'in" speifi plans assoiate# 'ith eah approah%

Ten essential cyber security questions to ask your CISO

http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...

The boar# must ensure that the C& is reportin" at the a ppropriate levels 'ithin the or"anisation% .lthou"h many C&s report to the C, it is important to be a'are that there may be onflitin" a"en#as bet'een the C an# the C&%

The nstitute of nternal .u#itors reommen#s as!in" the C& the follo'in" *uestions8

1% Does the organisation comply with leading information security framewors or standards!

/9amples inlu#e the international information seurity mana"ement stan#ar#, & 27001, the ayment Car# n#ustry Data &eurity &tan#ar# C D&& an# C4T, as 'ell as .. for or"anisations in the :& healthare in#ustry%

2% What are the top riss the organisation faces!

/9amples oul# inlu#e ;brin" your o'n #evie(, Clou# omputin", internal threats employee errors or maliious ats or supply hain ris!s%

<% Do we have an effective information security awareness programme!

3ost ompanies realise the benefits of effetive staff a'areness trainin"% /nsure that the trainin" provi#es suffiient a'areness about the !ey threats an# employee behaviours that an result in a #ata breah% &taff shoul# also be a'are of the inreasin"ly sophistiate# tatis use# by phishin" atta!s%

=% Are we considering the internal threat!

. startlin"ly lar"e number of breahes are ause# by employee error often on#ute# by mana"ers> or maliious behaviour%

5% In the event of a data breach" what is our response plan!

3any yber seurity e9perts no' believe that it is no lon"er a matter of ;if( but ;'hen( you 'ill be breahe#% The ritial #ifferene bet'een or"anisations that 'ill survive a #ata breah an# those that 'on(t is the implementation of a yber resiliene strate"y, 'hih ta!es into aount ini#ent response plannin" an# #isaster reovery strate"ies to boune ba! from a yber atta! 'ith minimal #isruption to the business% The boar# shoul# also be a'are of the la's "overnin" its #uties to #islose a #ata breah%

ther important *uestions inlu#e8



6% Are we conducting comprehensive and regular information security ris assessments!

The ris! assessment shoul# provi#e the boar# 'ith an assurane that all relevant ris!s have been ta!en into aount, an# that there is a ommonly #efine# an# un#erstoo# means of ommuniatin" an# atin" on the results of the ris! assessment% +orryin"ly, <2? of respon#ents to a reent 'C information seurity breahes survey &4& ha# not un#erta!en any form of ris! assessment% roven soft'are tools an help spee# up an# streamline the ris! assessment proess%

7% Are we ade#uately insured!

@eent reports reveal that yber insurane is not a#e*uate to protet ompanies from a full-sale yber atta!% .lthou"h it is #iffiult to *uantify ho' e9pensive a #ata breah an be, information about other #ata breahes in your in#ustry shoul# provi#e an in#iation of the potential #ama"es your or"anisation mi"ht fae% Aatest statistis reveal that breahes ost lar"e or"anisations bet'een B1%=6m an# B<%1=m in 201=% 3any or"anisations #on(t realise that they are liable for a #ata breah even if the #ata is store# in the Clou#, or if a thir# party 'ith 'hih they share information is breahe#%

% Are we testing our systems before there$s a problem!

There are many tests that an be un#erta!en to assess the vulnerability of systems, net'or!s an# appliations% .n important element of any seurity re"ime shoul# be re"ular penetration tests% en tests are simulate# atta!s on a omputer system 'ith the intent of fin#in" seurity 'ea!nesses that oul# be e9ploite#% They help establish 'hether ritial proesses suh as pathin" an# onfi"uration mana"ement have been follo'e# orretly% 3any ompanies fail to on#ut re"ular penetration tests, falsely assumin" the ompany is safe, but ne' vulnerabilities an# threats arise on a #aily basis, re*uirin" the ompany to ontinually test its #efenes a"ainst emer"in" threats%

% %ave our internal cyber security controls been audited!

f the or"anisation has hosen to omply 'ith an information seurity stan#ar# suh as & 270018201<, an in#epen#ent revie' of an or"anisation(s information seurity ontrols an be on#ute# by a ertifiation bo#y, an# an be use# to provi#e evi#ene of the or"anisation(s ommitment to information seurity% This an in turn be use# as a ompetitive a#vanta"e 'hen bi##in" for ne' business, as in#ee# is the ase 'ith ompanies ertifie# to & 27001%

10% Is our information security budget being spent appropriately!

26? of respon#ents to the 'C &4& sai# they #on(t evaluate ho' effetive their seurity



e9pen#iture is%

The boar# an play a !ey role in preventin" problems before they arise by playin" a more ative role in yber ris! #isussions% 4y beomin" e#uate# an# informe#, yber ris! in the boar#room nee# not be a topi that "ets #isusse# only 'hen there is an ini#ent% Don(t ris! it, yber seure it% Contat T overnane for tailor-ma#e boar#room yber seurity trainin" on E== =5 070 1750%

=6

&hares

27

12<

&elated

File# :n#er8 Cyber &eurity, & 27001

2

<17

0



Aa'rene Char# says July 6, 2015 at 10811 am

+TF is a C&, or a CG  'on(t even mention C4T or ..> @eply

&atish says July 6, 2015 at 857 am

.s the topi mentions 'e are loo!in" at the or"ani$ation 'i#e seurity measures by the or"ani$ation% ene 'e have to see all internal as 'ell as outsi#e threats%nternal threats from employee li!in" a fishin" lin! is also nee# to be seen as a ris!%  'oul# li!e to a## another aspet of supply hain ris!s 'herein your business is also vulnerable to the supplier ris!s also so same also nee# to assesse# an# re"istere# 'ith your ris! re"ister% @eply

nioatri#"e says June 22, 2015 at 821 am

 'oul# a## the *uestion H+hen #i# 'e last test our reovery proe#uresGI% Clearly this 'oul# inlu#e D@, but also reoverin" #ata from a ba!up soure or manual alternatives to automate# proe#ures% .##itionally some of the H'hat ifI thin!in" shoul# be establishin" ho' vulnerable fallba! options themselves are to yber atta!s% For e9ample a maliious assault on your #ata may not be #etete# for some time an# ba!up #ata may have also been ompromise#%



@eply

Julia Dutton says June 22, 2015 at 825 am

i )io reat point, than!s% @eply

Julia Dutton says June 22, 2015 at 85< am

i Dir!, than!s for your omment% From our perspetive, an# ertainly the point of vie' that is bein" ta!en by many other seurity firms, is that yber seurity is an element of a broa#er information seurity strate"y, 'hih enompasses people, proesses an# tehnolo"y% f you aren(t pratisin" en#-user e#uation, ho' 'ill you ensure that your employees #o not li! on maliious lin!s from phishin" sams that an #ama"e your entire net'or!G Cyber seurity may have ori"inate# from the ;outsi#e( as you all it, but 'ithout a omprehensive approah, your best lai# plans 'ill fall short of protetin" your #ata% @eply

Dir! &ha#t says June 22, 2015 at 78= am



(m missin" your #efinition of yber seurity an# #ifferentiation to information seurity% n my #efinition first is a t hreat from outsi#e, the C4/@, the other is about seurite from insi#e an# outsi#e% Therefore thin"s li!e seurity a'areness or internal threats are not subKet of yber seurity% ther'ise yber seurity is Kust a bu$$'or# for bullshit bin"o% @eply



T overnane is loo!in" to publish relevant, 'ell-'ritten, informative an# ori"inal artiles% f you have an artile that meets these riteria, then please sen# it in%

."ile 4reahes an# a!s

4usiness Continuity 4D

C.& C&. C&3

C&& Clou#

Computin" C4T CompT. C@/&T yber atta!

Cyber essentials

Cyber @esiliene

Cyber

&eurity #ata breah Data rotetion

Data rotetion

.t CL eneral #ata protetion re"ulation a!in"

4TL nformation seurity

&3& &001 &20000 & 22<01 &27001 &



27001 T overnane TA T&3 C C ompliane penetration test

phishin"

C D&&

enetration Testin"

roKet

3ana"ement L&. @is! 3ana"ement @C &taff .'areness Trainin"

.rhives

'('U)A&

)AT*+T TD. 3)T

+//P .AA

6 truly sho!in" yber seurity statistis 3ore than 70? of yber atta!s e9ploit pathable vulnerabilities Ten essential yber seurity *uestions to as! your C& Aist of #ata breahes an# yber atta!s in June 4usinesses #an"erously slo' to reat to vulnerabilities

M 200<-2015 T overnane At# N .!no'le#"ement of Copyri"hts N T overnane Tra#emar! 'nership )otifiation N eCommere by Oanthos

Ten Essential Cyber Security Questions to Ask Your CISO

Recommend Documents