A Board of Directors has a responsibility for the overall cultural direction of an organization. To exercise this responsibility, the organization must first have a cybersecurity culture that minimizes risk. Cybersecurity culture is “the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies.” (European Union Agency for Network and Information Security (ENISA), Cyber Security Culture in Organizations, Greece, 2017)

The directors need to ask the following questions:
1. What are the business functions in the enterprise with the highest exposure to technology breaches?
2. Is there a cybersecurity policy in place?
3. Has the policy been infused into the cybersecurity culture of the organization?
4. Has the policy been reflected in the operational processes of the organization, particularly in those areas of greatest risk?
5. Have people with the appropriate skills been empowered to implement those policies and procedures?
6. What steps are being taken to reinforce the cybersecurity culture?
7. Are appropriate educational and training programs in place?
8. Is there a process in place for regular and periodic review of the health of the cybersecurity culture?
9. Have the main policies and procedures supporting the cybersecurity culture been documented to provide a cohesive understanding of that culture?
10. Are there steps in place for regular reporting and discussion with the Board of Directors involving the most responsible personnel?