The threat cannot be overstated
- Acceptable use: What company equipment can and cannot be used for.
- Access control: Who can access what, and when and where they can access it.
- Change management: Procedures to ensure that the impact of IT software or hardware changes on security is monitored and communicated.
- Information security: The rules governing the sensitivity of data and the accountability of employees.
- Disaster recovery: How business continuity will be maintained in the event of a successful attack.
- Passwords: Rules covering the format and updating of passwords and their reuse.
- Incident response: How the company will respond to an incident and recover from it, and who will take responsibility for remedial actions.
- Remote access policy: How employees will connect to the organisation’s systems remotely.
- Bring your own device (BYOD): How employees should use, connect and encrypt personal devices they use for company business.
- Email/communication: Acceptable use of email, social media, blogs and phone.
Key governance questions
- Does the board understand the organisation’s exposure to cyberattacks from both inside and outside the business, and the extent of the digital connections it has with suppliers, customers and the outside world?
- What are the organisation’s vulnerabilities to cyberattacks, and what is the risk of those attacks occurring?
- What are the likely business impacts of cyberattacks, including revenue loss, business disruption, crisis management, regulatory and recovery costs?
- What is the planned response to a cyberattack, covering technical resolution, business disruption and impact, reputation management, regulatory response, and mitigation of knock-on effects outside the business?
- What capabilities and resources does the organisation have for managing cybersecurity risks and dealing with incidents?
- How can the organisation collaborate with regulators, law enforcement, suppliers, customers and other stakeholders?
- How often does the organisation’s cybersecurity preparedness undergo review and testing, and who does the testing?
- Who is responsible for reporting on cybersecurity, both after an incident and on a regular basis?
- How often should there be board discussion of cybersecurity?
Source: Cyber and the CFO. Article originally published by Acuity.partica.online. (2019). [online] Available at: https://acuity.partica.online/acuity/august-september-2019/insight/the-era-of-the-cyber-resilient-cfo