Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions


Explore the Cyber Security Toolkit for Boards which covers modules on embedding cyber security, understanding threats, risk management, developing a positive security culture, implementing measures, building expertise, identifying critical assets, collaboration with partners, and incident response. Key questions and indicators of success are provided for each module to help boards enhance their organization's cyber security posture.





Uploaded on Mar 23, 2024 | 1 Views


Presentation Transcript


  1. In-depth briefings for boards, including questions and answers
     Taken from The Cyber Security Toolkit for Boards: https://www.ncsc.gov.uk/board-toolkit

  2. Toolkit modules
     1. Embedding cyber security into your organisation
     2. Understanding the cyber security threat
     3. Risk management for cyber security
     4. Developing a positive cyber security culture
     5. Implementing effective cyber security measures
     6. Growing cyber security expertise
     7. Identifying the critical assets in your organisation
     8. Collaborating with your supply chain and partners
     9. Planning your response to cyber incidents

  3. 1. Embedding cyber security into your organisation
     Cyber security:
     - Isn't a standalone issue but is integral to other risks that must be considered.
     - Is to be embraced: good cyber security enables organisations to innovate and flourish.
     - Must be integrated into organisational structure and objectives.
     - Independent cyber risk assessment: to provide an informed view of the cyber security posture.
     - Requires boards to engage with their key stakeholders.

  4. 1. Embedding cyber security into your organisation: Key questions to ask / Indicators of Success
     1. Has an independent cyber security risk assessment been carried out?
     2. Is a cyber strategy in place?
     3. Does cyber security feature in the priorities of all business units across the organisation?
     4. Does everyone know where accountability and responsibility sits?
     5. Do all Board members get involved in discussions of cyber security?
     6. Do cyber security reports help support decision making?

  5. 2. Developing a positive cyber security culture
     - People make an organisation secure, not just technology and processes.
     - Culture is an outcome rather than an input.
     - Leadership sets the tone.
     - Policies: clear and simple reporting.

  6. 2. Developing a positive cyber security culture: Key questions to ask / Indicators of Success
     1. Do you lead by example?
     2. Can we demonstrate a collaborative approach to security policy and process design?
     3. Do we have a no-blame culture?
     4. Do our security metrics focus on success rather than failure?

  7. 3. Growing cyber security expertise
     - Baseline current skills.
     - Make an organisational plan to ensure your cyber security needs will be met.
     - Cyber awareness programme.
     - Talent pipeline.

  8. 3. Growing cyber security expertise: Key questions to ask / Indicators of Success
     1. Can HR point to specific cyber skills areas which are currently needed, and is there a plan to address the gaps?
     2. Are we seeing improvements in metrics of cyber hygiene?
     3. Do we have good employee retention in key cyber security roles?
     4. Does the diversity of our staff compare favourably with business and industry-reported figures?
     5. Does the organisation review cyber skills to establish gaps on a regular basis?
     6. Does the board have sufficient knowledge to make strategic decisions about cyber security?

  9. 4. Identifying the critical assets in your organisation
     - Importance of understanding your technical estate.
     - Work out where you are starting from.
     - Identify critical technical assets.
     - Collaborate with other teams.

  10. 4. Identifying the critical assets in your organisation: Key questions to ask / Indicators of Success
      1. How complete and up to date is our inventory?
      2. Do we have assurance that changes are considered and recorded to keep the baseline up to date?
      3. Do we have assurance that the critical assets are known, who is responsible for each asset, what it is used for and where it is stored?
      4. Have the priority objectives been clearly communicated, and is there assurance that those priorities guide cyber security efforts?

  11. 5. Understanding the cyber security threat
      - Tailor your cyber security investment by understanding the threats.
      - Prioritise which threats you are trying to defend against.
      - Collaborate on cyber security and threat assessment exercises.

  12. 5. Understanding the cyber security threat: Key questions to ask / Indicators of Success
      1. Can board members name the top cyber security threats faced by the organisation and outline the measures in place to mitigate their impact?
      2. Do threat assessments involve representatives from across the business, and are they linked to our cyber risks?
      3. Do we have relationships with representatives from other organisations in our sector?
      4. Are our experts attending key cyber events?

  13. 6. Risk management for cyber security
      - Integrate cyber security into organisational risk management processes.
      - Avoid tick-box compliance.
      - Be realistic about the risks.
      - Reporting from audit/risk committee meetings.

  14. 6. Risk management for cyber security: Key questions to ask / Indicators of Success
      1. Have we clearly set out what types of risks we would be willing to take and those which are unacceptable?
      2. Do we know the current risks the business is exposed to from cyber events?
      3. Do we have a process that ensures cyber risk is integrated with business risk?
      4. Do we have an effective approach to managing cyber risks?

  15. 7. Implementing effective cyber security measures
      - Start with a cyber security baseline.
      - Tailor your defences to your highest priority risks.
      - Layer your defences.
      - Defend against someone inside your network.
      - Review and assess your measures.

  16. 7. Implementing effective cyber security measures: Key questions to ask / Indicators of Success
      1. Are effective security metrics shared with the board?
      2. Does the board understand the overarching purpose of the cyber security measures?
      3. Can new implementations of cyber security measures be traced to the risks they mitigate?
      4. Are new implementations of cyber security measures being rolled out in close engagement with the workforce?
      5. Has our cyber security posture been reviewed in the last 12 months?

  17. 8. Collaborating with your supply chain and partners
      - Cyber attacks on your suppliers.
      - Map your suppliers and partners to gain assurance of their cyber security.
      - Build cyber security into contracts and agreements.
      - Use threat intelligence.

  18. 8. Collaborating with your supply chain and partners: Key questions to ask / Indicators of Success
      1. Is supplier performance being regularly measured against defined metrics, and is this visible to board members?
      2. Are we developing threat assessments and incident response exercises in collaboration with suppliers and partners?
      3. Are high-severity supply chain risks tracked and reported?
      4. Do we have a defined process for onboarding and managing suppliers?
      5. Are products/services provided by partners/suppliers documented?

  19. 9. Planning your response to cyber incidents
      - Plan your response.
      - Understand your role in incident management.
      - Practise your plan.
      - Learn lessons.

  20. 9. Planning your response to cyber incidents: Key questions to ask / Indicators of Success
      1. Do we have an incident response plan in place, and do we regularly exercise it?
      2. Do I understand what's required of my role during an incident, and have I had training to equip me for that role?
      3. If we have had a cyber incident, can the person responsible for cyber security report what improvements have been made?
      4. Are cyber incidents considered in the design of the Disaster Recovery (DR) and Business Continuity Plans (BCP)?
      5. As an organisation, do we know where we can go for help in an incident?

  21. Additional information: FAQs
