Hi-Tech Security Solutions Hi-Tech Security Solutions
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn


Senior executives information security survival kit
1 March 2006, Information Security

Specific information security risks for senior executives

The following examples show how senior executives can be exposed to information security risks:

* Lack of appreciation of what risks are most significant.

* Failure to mandate the right security culture and control framework and set the right security example.

* Failure to embed responsibilities for risk management into the management team.

* Failure to detect where the most critical security weaknesses exist within the organisation.

* Failure to monitor risk management investments and/or be able to measure benefits realised.

* Failure to direct risk management and be in a position to know what residual risk remains.

Questions to ask

* How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?

* Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk avoidance or risk taking?

* How much is being spent on information security? On what? How were the expenditures justified? What projects were undertaken to improve security last year? Have sufficient resources been allocated?

* How many staff had security training last year? How many of the management team received security training?

* How does the organisation detect security incidents? How are they escalated and what does management do about them? Is management prepared to recover from a major security incident?

* Is management confident that security is adequately addressed in the organisation? Has the organisation ever had its network security checked by a third party?

* Is management aware of the latest IT security issues and best practices?

* What is industry best practice and how does the enterprise compare?

* Are IT security issues considered when developing business and IT strategy?

* Can the entity continue to operate properly if critical information is unavailable, corrupted or lost? What would be the consequences of a security incident in terms of lost revenues, customers and investor confidence? What would be the consequences if the infrastructure became inoperable?

* Are the information assets subject to laws and regulations? What has management instituted to assure compliance with them?

* Does the information security policy address the concern of the board and management on information security ('tone at the top'), cover identified risks, establish an appropriate infrastructure to manage and control the risks, and establish appropriate monitoring and feedback procedures?

* Is there a security programme in place that covers all of the above questions? Is there clear accountability about who carries it out?

* Is management aware that serious security breaches could result in significant legal consequences for which management may be held responsible?

Action list

* Establish a security organisation and function that assists management in the development of policies and assists the enterprise in carrying them out.

* Establish responsibility, accountability and authority for all security-related functions to appropriate individuals in the organisation.

* Establish clear, pragmatic enterprise and technology continuity programmes, which are then continually tested and kept up to date.

* Conduct information security audits based on a clear process and accountabilities, with management tracking the closure of recommendations.

* Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.

* Develop and introduce clear and regular reporting on the organisation's information security status to the board of directors based on the established policies and guidelines and applicable standards. Report on compliance with these policies, important weaknesses and remedial actions, and important security projects.

This material is extracted from COBIT Security Baseline. Copyright (c) 2004 IT Governance Institute (ITGI). For additional information on COBIT and ITGI, visit www.itgi.org

  Share via Twitter   Share via LinkedIn      

Further reading:

  • Keeping data secure
    April 2014, Securicom IT Solutions, Information Security
    With the ongoing trend to move data offsite on mobile devices, can we truly find ways of ensuring that this data is secure from prying hands and eyes? And is data security for mobile devices different from that for supposedly office- or home-bound data?
  • Mobile security from the cloud
    April 2014, Information Security
    Despite the widely publicised losses resulting from targeted attacks, many SMBs have not taken action to address mobile device security. Research Now found that fewer than half of the enterprises surveyed had implemented a security solution.
  • Cybersecurity in The Surveillance Age
    April 2014, Information Security
    Strong encryption guards against data integrity compromises, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy.
  • New Titanium Backup Appliance
    April 2014, Information Security
    Attix5, a data protection software and cloud solution provider, has announced the release of the Titanium Appliance, a complete onsite backup and recovery solution preinstalled with Attix5 software.
  • Protecting critical data
    April 2014, Information Security
    Quartile Capital ensures sensitive client information is encrypted and secured, by unifying data protection and backup across physical and virtual environments.
  • POPI is here: start getting compliant
    April 2014, Securicom IT Solutions, Information Security
    E-mail security, archiving, and data loss prevention should be high on the agenda for South African companies in 2014 with PoPI around the corner.
  • Over the NSA spying hype? Don’t be
    April 2014, Information Security
    Hybrid cloud solutions – a mix of the best services provided by an outside environment and an internal infrastructure – are the latest buzzword. But even as they are touted as a ‘best of both worlds’ solution, they come with their own concerns.
  • What’s inside Pandora’s box?
    April 2014, iFacts, Information Security
    Cybercrime doesn’t just happen to large corporations. Small businesses are increasingly becoming prey for hackers, espionage, online fraud and social engineering. It is a growing and pervasive plague across the world.
  • Keep control over your data
    March 2014, Information Security
    Safesync provides enhanced data protection features such as DLP, persistent file encryption and document tagging, and is touted as a secure alternative to cloud based file sharing solutions such as DropBox.
  • Costly content at risk
    March 2014, Information Security
    The average cost of multimedia files that a user might lose from a device as a result of a cyber attack or other damage is estimated at $418, according to a Consumer Security Risks Survey, conducted by B2B International and Kaspersky Lab.
  • Don’t be a hostage to ransomware
    February 2014, Information Security
    Latest-generation ransomware can permanently encrypt business files, unless you pay to free them. Doros Hadjizenonos, sales manager at Check Point South Africa, takes a look at how ransomware is on the rise, and how firms can defend their data against being taken hostage.
  • TSB Sugar RSA feeling sweet
    February 2014, Information Security
    Kaspersky Lab has signed a three-year deal with TSB Sugar RSA to protect 1200 endpoints with Kaspersky Endpoint Security for Business.

Hi-Tech Security Solutions Business Directory

Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Terms & conditions of use, including privacy policy
PAIA Manual
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.