Hi-Tech Security Solutions Business Directory

Senior executives information security survival kit
March 2006, Information Security

Specific information security risks for senior executives

The following examples show how senior executives can be exposed to information security risks:

* Lack of appreciation of what risks are most significant.

* Failure to mandate the right security culture and control framework and set the right security example.

* Failure to embed responsibilities for risk management into the management team.

* Failure to detect where the most critical security weaknesses exist within the organisation.

* Failure to monitor risk management investments and/or be able to measure benefits realised.

* Failure to direct risk management and be in a position to know what residual risk remains.

Questions to ask

* How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?

* Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk avoidance or risk taking?

* How much is being spent on information security? On what? How were the expenditures justified? What projects were undertaken to improve security last year? Have sufficient resources been allocated?

* How many staff had security training last year? How many of the management team received security training?

* How does the organisation detect security incidents? How are they escalated and what does management do about them? Is management prepared to recover from a major security incident?

* Is management confident that security is adequately addressed in the organisation? Has the organisation ever had its network security checked by a third party?

* Is management aware of the latest IT security issues and best practices?

* What is industry best practice and how does the enterprise compare?

* Are IT security issues considered when developing business and IT strategy?

* Can the entity continue to operate properly if critical information is unavailable, corrupted or lost? What would be the consequences of a security incident in terms of lost revenues, customers and investor confidence? What would be the consequences if the infrastructure became inoperable?

* Are the information assets subject to laws and regulations? What has management instituted to assure compliance with them?

* Does the information security policy address the concern of the board and management on information security ('tone at the top'), cover identified risks, establish an appropriate infrastructure to manage and control the risks, and establish appropriate monitoring and feedback procedures?

* Is there a security programme in place that covers all of the above questions? Is there clear accountability about who carries it out?

* Is management aware that serious security breaches could result in significant legal consequences for which management may be held responsible?

Action list

* Establish a security organisation and function that assists management in the development of policies and assists the enterprise in carrying them out.

* Establish responsibility, accountability and authority for all security-related functions to appropriate individuals in the organisation.

* Establish clear, pragmatic enterprise and technology continuity programmes, which are then continually tested and kept up to date.

* Conduct information security audits based on a clear process and accountabilities, with management tracking the closure of recommendations.

* Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.

* Develop and introduce clear and regular reporting on the organisation's information security status to the board of directors based on the established policies and guidelines and applicable standards. Report on compliance with these policies, important weaknesses and remedial actions, and important security projects.

This material is extracted from COBIT Security Baseline. Copyright (c) 2004 IT Governance Institute (ITGI). For additional information on COBIT and ITGI, visit

