The discussion this week in class covers Information Security Policy. As has been mentioned both this week and in past lessons, for any policy to be effective it must come from the top down. The Information Systems Audit and Control Association (ISACA) knowledge center has a link to an article (marketing may prevent the deep link) in InformationWeek online magazine from August 19, 2014 that asks "CyberSecurity: How Involved Should Boards of Directors Be?". The author quotes statistics on the interest board members express in cybersecurity: 58% of them feel they should be involved in cybersecurity, while 65% say they have become more aware in the last 1 to 2 years of the risk their organizations face from potential breaches. As the article correctly points out, the role of a Board of Directors is not to configure firewalls but to guide the company so that management puts the proper policies in place to ensure the firewall does get configured. ISACA and the Institute of Internal Auditors (IIA) have collaborated on a list of questions board members should be asking a company's executive leaders:
(1) Is there a security framework in use? - There are a number of security frameworks available and depending on the company's business there may be a required framework or even multiple required frameworks issued by regulatory bodies of the company's industry.
(2) What are the top 5 cybersecurity risks the organization faces? - This may include areas such as new technology, or legacy technology that is being used beyond its capabilities, such as the Windows XP POS devices mentioned in a previous post.
(3) Do employees understand their role in cybersecurity and protecting company assets? - Awareness training is the focus here and many companies are making this an annual requirement.
(4) Does cybersecurity planning cover both external and internal threats? - Breaches from external sources get plenty of attention in the news, but internal threats are still a reality.
(5) How does the company manage security governance? - Ensure that the three lines of defense (controls, governance, and audit) are being correctly managed so that everyone involved understands their role.
(6) Has the response to a serious breach been planned? - This plays nicely into last week's subject in class: incident response, disaster recovery, and contingency planning.
As one of the goals of this blog is to relate information security matters to the electronic payments industry, there is a discussion in the referenced article that fits this area. Where a Board of Directors does not involve itself in cybersecurity, it is possible the directors will face calls for their replacement. This has happened following the breach of payment card data at Target stores last year: an adviser to institutional investors recommended that 70% of Target's board be replaced over this incident during the annual shareholder vote for the board.