Featured in JEP’s Cyber Security supplement – 25th April 2018
Picture this: you are in the board meeting and everything is going according to “plan” until the Chairman raises the topic of cyber security. The following question is asked: “Do we, as the board of directors, fully understand how we are managing cyber security in our organisation today?” After some initial comments about the large amounts of money being spent on technology and the cost of the tech team, nobody can properly articulate, in a language that everyone understands, exactly what our governance arrangement is. Everyone is now feeling uncomfortable as the Chairman looks menacingly around the table. You get the feeling that the board could have done better than this.
From a governance perspective, the board needs to take control of this topic and properly formulate and articulate an effective plan. Set out below is a brief outline of the main elements of what such a governance framework could look like.
The “three lines of defence” model is often used to build the framework around which an organisation can manage such cyber security risks. The lines of defence are as follows:
- Risk Identification & Assessment
This can only be done once your organisation has prepared a comprehensive information register detailing the critical assets (key data sets and computer systems) of your business, given full consideration to the real and potential vulnerabilities of these assets, and made every effort to identify which parties, internal and external, may want to damage, destroy or interrupt the availability of these assets to your business. Only once such risks have been identified can an assessment be made to determine whether they fall into the high, medium or low risk category. You need to have sight of the risks in order to be able to implement and manage the appropriate internal controls. The organisation then evaluates these risks to determine whether to take action to (a) avoid the risk, (b) share or transfer the risk, (c) accept the risk or (d) reduce the level of risk identified.
- Risk Management
This line of defence can cover a range of activities designed to deal with the risks, such as administering security procedures, training and testing, maintaining secure device configurations, keeping software and security patches up to date, restricting access to least-privilege roles, deploying data protection and loss prevention programmes, encrypting data, deploying intrusion detection systems and conducting penetration testing. Other actions would be configuring your network to adequately manage and protect network traffic flow, and implementing vulnerability management with internal and external scans.
This second line of defence entails setting company boundaries by drafting and implementing policies and procedures and embedding the controls into these procedures. The COBIT framework also encourages process ownership, enabling the definition of responsibilities and accountabilities.
It is also essential that you have properly skilled, certified IT, IT risk and information security talent within your organisation to deliver these key activities. This ongoing activity will be critical to reducing the risks. As part of the management structure within a large company, one would expect to see senior roles such as Chief Information Security Officer (CISO), Chief Information Officer (CIO) and Chief Technical Officer (CTO).
The important role of the CISO is akin to that of a liaison officer for customers, partners and the public in all matters relating to security: dealing with law enforcement, balancing security needs with strategic business plans, identifying risk factors and determining solutions. They also lead the development of security policies and procedures, create and execute plans to respond to security breaches, and oversee the selection, testing, deployment and maintenance of security hardware and software products and any outsourced arrangements. They can also be responsible for the organisation’s staff, from the network technicians managing firewall devices to the security guards. The characteristics of a CISO to note are that they are experienced security technology professionals who have the ability to build teams and to work across all senior levels of your company.
- Risk Monitoring
The third line of defence is the role of independent assurance, such as internal and external audit. The audit work looks at key controls by taking a risk-based approach linked to the COBIT framework components, making the process more efficient and effective. This provides an independent assessment of the workings of the existing operational controls and the formal reporting procedures, and creates the opportunity to improve or replace your controls as your organisation evolves.
There are a number of risk and cyber security frameworks which an organisation can deploy, such as the ISO 27000 series on information risk management, the NIST cyber security framework (NIST CSF), and ITIL as a service lifecycle approach. It is worth researching and evaluating which framework may best suit your organisation before the next board meeting!