Senior executives information security survival kit

March 2006 Information Security

Specific information security risks for senior executives

The following examples show how senior executives can be exposed to information security risks:

* Lack of appreciation of what risks are most significant.

* Failure to mandate the right security culture and control framework and set the right security example.

* Failure to embed responsibilities for risk management into the management team.

* Failure to detect where the most critical security weaknesses exist within the organisation.

* Failure to monitor risk management investments and/or be able to measure benefits realised.

* Failure to direct risk management and be in a position to know what residual risk remains.

Questions to ask

* How is the board kept informed of information security issues? When was the last briefing made to the board on security risks and status of security improvements?

* Is the enterprise clear on its position relative to IT and security risks? Does it tend toward risk avoidance or risk taking?

* How much is being spent on information security? On what? How were the expenditures justified? What projects were undertaken to improve security last year? Have sufficient resources been allocated?

* How many staff had security training last year? How many of the management team received security training?

* How does the organisation detect security incidents? How are they escalated and what does management do about them? Is management prepared to recover from a major security incident?

* Is management confident that security is adequately addressed in the organisation? Has the organisation ever had its network security checked by a third party?

* Is management aware of the latest IT security issues and best practices?

* What is industry best practice and how does the enterprise compare?

* Are IT security issues considered when developing business and IT strategy?

* Can the entity continue to operate properly if critical information is unavailable, corrupted or lost? What would be the consequences of a security incident in terms of lost revenues, customers and investor confidence? What would be the consequences if the infrastructure became inoperable?

* Are the information assets subject to laws and regulations? What has management instituted to assure compliance with them?

* Does the information security policy address the concern of the board and management on information security ('tone at the top'), cover identified risks, establish an appropriate infrastructure to manage and control the risks, and establish appropriate monitoring and feedback procedures?

* Is there a security programme in place that covers all of the above questions? Is there clear accountability about who carries it out?

* Is management aware that serious security breaches could result in significant legal consequences for which management may be held responsible?

Action list

* Establish a security organisation and function that assists management in the development of policies and assists the enterprise in carrying them out.

* Establish responsibility, accountability and authority for all security-related functions to appropriate individuals in the organisation.

* Establish clear, pragmatic enterprise and technology continuity programmes, which are then continually tested and kept up to date.

* Conduct information security audits based on a clear process and accountabilities, with management tracking the closure of recommendations.

* Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.

* Develop and introduce clear and regular reporting on the organisation's information security status to the board of directors based on the established policies and guidelines and applicable standards. Report on compliance with these policies, important weaknesses and remedial actions, and important security projects.

This material is extracted from COBIT Security Baseline. Copyright (c) 2004 IT Governance Institute (ITGI). For additional information on COBIT and ITGI, visit www.itgi.org





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Crypto in SA: between progress and precaution
Information Security
“As cryptocurrency gains momentum and legitimacy, it’s becoming increasingly important for people to pay attention to financial security”, says Richard Frost, head of technology and innovation at Armata Cyber Security.

Read more...
Cyber recovery requires a different approach to disaster recovery
Information Security
Disaster recovery is about getting operations back on track after unexpected disruptions; cyber recovery, however, is about calculated actions by bad actors aiming to disrupt your business, steal sensitive data, or hold your system hostage.

Read more...
MDR users claim 97,5% less
Sophos Information Security
The average cyber insurance claim following a significant cyberattack is just $75 000 for MDR users, compared with $3 million for endpoint-only users, according to a new independent study.

Read more...
The impact of GenAI on cybersecurity
Sophos News & Events Information Security
Sophos survey finds that 89% of IT leaders worry GenAI flaws could negatively impact their organisation’s cybersecurity strategies, with 87% of respondents stating they were concerned about a resulting lack of cybersecurity accountability.

Read more...
Efficient, future-proof estate security and management
Technews Publishing ElementC Solutions Duxbury Networking Fang Fences & Guards Secutel Technologies OneSpace Technologies DeepAlert SMART Security Solutions Editor's Choice Information Security Security Services & Risk Management Residential Estate (Industry) AI & Data Analytics IoT & Automation
In February this year, SMART Security Solutions travelled to Cape Town to experience the unbelievable experience of a city where potholes are fixed, and traffic lights work; and to host the Cape Town SMART Estate Security Conference 2025.

Read more...
Kaspersky KATA 7.0 for targeted attack protection
Information Security Products & Solutions
] Kaspersky has announced a major update to its Kaspersky Anti Targeted Attack (KATA) including enhanced network detection and response (NDR) capabilities with deeper network visibility, internal threats detection and other critical security features.

Read more...
The role of advanced technologies in ransomware recovery
Information Security
As businesses increasingly adopt cloud technologies, the complexities of maintaining resilience and ensuring rapid recovery from such incidents become even more pronounced. The integration of advanced technologies is essential to navigate these challenges effectively.

Read more...
Cybersecurity best practice
Information Security Security Services & Risk Management
Breach and attack simulation has become an essential element of cybersecurity strategies in any modern business by allowing companies to actively detect and resolve vulnerabilities through real-world attack simulations.

Read more...
Empower individuals to control their biometric data
Information Security Access Control & Identity Management Security Services & Risk Management
What if your biometrics, now embedded in devices, workplaces, and airports, promising seamless access and enhanced security, was your greatest vulnerability in a cyberattack? Cybercriminals are focusing on knowing where biometric data is stored.

Read more...