classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn

Hi-Tech Security Solutions Business Directory

Senior executives information security survival kit
March 2006, Information Security

Specific information security risks for senior executives

The following examples show how senior executives can be exposed to information security risks:

* Lack of appreciation of what risks are most significant.

* Failure to mandate the right security culture and control framework and set the right security example.

* Failure to embed responsibilities for risk management into the management team.

* Failure to detect where the most critical security weaknesses exist within the organisation.

* Failure to monitor risk management investments and/or be able to measure benefits realised.

* Failure to direct risk management and be in a position to know what residual risk remains.

Questions to ask

* How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?

* Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk avoidance or risk taking?

* How much is being spent on information security? On what? How were the expenditures justified? What projects were undertaken to improve security last year? Have sufficient resources been allocated?

* How many staff had security training last year? How many of the management team received security training?

* How does the organisation detect security incidents? How are they escalated and what does management do about them? Is management prepared to recover from a major security incident?

* Is management confident that security is adequately addressed in the organisation? Has the organisation ever had its network security checked by a third party?

* Is management aware of the latest IT security issues and best practices?

* What is industry best practice and how does the enterprise compare?

* Are IT security issues considered when developing business and IT strategy?

* Can the entity continue to operate properly if critical information is unavailable, corrupted or lost? What would be the consequences of a security incident in terms of lost revenues, customers and investor confidence? What would be the consequences if the infrastructure became inoperable?

* Are the information assets subject to laws and regulations? What has management instituted to assure compliance with them?

* Does the information security policy address the concern of the board and management on information security ('tone at the top'), cover identified risks, establish an appropriate infrastructure to manage and control the risks, and establish appropriate monitoring and feedback procedures?

* Is there a security programme in place that covers all of the above questions? Is there clear accountability about who carries it out?

* Is management aware that serious security breaches could result in significant legal consequences for which management may be held responsible?

Action list

* Establish a security organisation and function that assists management in the development of policies and assists the enterprise in carrying them out.

* Establish responsibility, accountability and authority for all security-related functions to appropriate individuals in the organisation.

* Establish clear, pragmatic enterprise and technology continuity programmes, which are then continually tested and kept up to date.

* Conduct information security audits based on a clear process and accountabilities, with management tracking the closure of recommendations.

* Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.

* Develop and introduce clear and regular reporting on the organisation's information security status to the board of directors based on the established policies and guidelines and applicable standards. Report on compliance with these policies, important weaknesses and remedial actions, and important security projects.

This material is extracted from COBIT Security Baseline. Copyright (c) 2004 IT Governance Institute (ITGI). For additional information on COBIT and ITGI, visit

  Share via Twitter   Share via LinkedIn      

Further reading:

  • Passport to identity crisis
    September 2015, iFacts, This Week's Editor's Pick, Information Security, Identity Management, News
    Scores of South Africans woke up to a disturbing reality recently when the British High Commission contacted them to say that their UK Visa Applications, together with all supporting documentation, had ...
  • Cloud-based identity management solution
    September 2015, Access Control, Information Security, Identity Management, Enterprise Solutions
    Networks Unlimited has introduced Centrify Privilege Service (CPS), a cloud-based identity management solution that addresses today’s growing gap in security, visibility and control over privileged accounts, ...
  • Wireless the weakest security link
    September 2015, Information Security
    The wireless network is the weakest security link in enterprise IT infrastructure. Nine in 10 CIOs report concerns over insufficient wireless protection; over one-third of enterprises found lacking basic wireless security.
  • Protect your scada systems
    September 2015, Industrial (Industry), Information Security
    Check Point delivers scada security solutions to protect industrial control systems against cyber threats. New hardened security appliance with scada security for critical infrastructure.
  • Stopping the next cyber attack
    August 2015, Information Security, IT infrastructure in security
    Doros Hadjizenonos, country manager of Check Point South Africa, explains how organisations can mitigate threats and how SA compares to the rest of Africa when it comes to cyber crime.
  • 18% of South Africans lost ­backup copies
    August 2015, Information Security, IT infrastructure in security
    A joint survey by Kaspersky Lab and B2B International has found that 18% of South African users surveyed who kept backup copies of their data on physical media eventually lost these copies.
  • BlackBerry acquiring AtHoc
    August 2015, News, Information Security
    BlackBerry and AtHoc to connect communities, devices and organisations for real time communication.
  • Surveillance systems under attack
    July 2015, Information Security
    Security examination of a working city video surveillance system by Kaspersky Lab has revealed that networks designed to help protect people from criminals and terrorists could be misused by a third party exploiting system configuration flaws.
  • Hosted security services
    July 2015, CA Southern Africa, Information Security, Security Services & Risk Management
    Cloud services can be useful, cost effective and beneficial, but take care of your security first. Michael Horn, BU manager for security at CA Southern Africa elaborates on being secure out in the great wide Internet.
  • Complete solution for three KZN schools
    July 2015, Miro distribution, CCTV, Surveillance, Information Security, Case Studies
    Three KZN schools opt for wireless networks for Internet access and security surveillance.
  • The increasing pace of technology advancement
    June 2015, News, Information Security, This Week's Editor's Pick
    The trouble with thinking about technology advancements is that the rate of past progress does not predict the rate of future progress.
  • Layered approach to prevent watering hole attacks
    June 2015, Information Security
    A layered approach based on a combination of checks and balances, along with various key technologies, is the most comprehensive method of preventing so-called watering hole malware attacks.

Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Terms & conditions of use, including privacy policy
PAIA Manual
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.