Ensuring Digital Security Governance in the Modern Business Landscape

Slide Note
Embed
Share

In today's digital landscape, companies and board directors must actively establish good controls to safeguard sensitive information crucial for sustained business operations. This involves understanding risks, enforcing robust security measures, and staying abreast of evolving threats. Failure to prioritize digital security can lead to severe consequences, including financial penalties and reputational damage from data breaches. This article emphasizes the importance of aligning digital security strategies with business objectives to protect assets effectively.


Uploaded on Aug 03, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. ATHENA ALLIANCE Governance: The Digital Security Equation A (New) Director s View L. Haynesworth 2021 Athena Salon WWW.ATHENAALLIANCE.COM

  2. Digital Security Governance Essentials So what??

  3. Digital Security Governance Essentials Why? Companies and the board directors are expected to actively ensure that good controls in place to protect sensitive business / customer information critical to sustained business operations Directors duty of care Security is a strategic business enabler Reputational, financial and legal impacts of significant data loss Includes breach of director duties and personal liability in some jurisdictions Boards must understand what is to be protected, on-going security risks and ensure a robust system is in place to protect the company Significant penalties have been levied in recent years for data breaches including * Equifax, Home Depot, Uber, Morgan Stanley, Yahoo, Capital One, Google, British Airways, Marriott If the Data Breach Doesn t Kill Your Business, the Fine Might Tripwire APR 2019 * Tessian May 21,

  4. Digital Security Essentials What is it? Every digital asset in the enterprise to be protected to ensure tamper-free access on demand! All IT devices across all environments computers, servers, networks, storage, phones, all operational systems, all development systems and cloud instances All data flowing through and at rest in the enterprise All SW every application, tool, database, scripts Resources needed to do the job IT resources, talent and funding Across all org boundaries including 3rdparty AND the strategy for managing, protecting assets today and innovation needed for the future What and Where is it? Does your company have an accurate view of all the digital assets?

  5. Digital Security Governance Essentials How? A board director sees enterprise digital security through the eyes of risk seeking to ensure that the risk profile is understood and within an acceptable tolerance level Processes & procedures Clear Lines of Authority / Controls Ransomware policy Escalation, IR / BC / DR processes Geopolitical Evolving threats Evolving laws data privacy Security status / trends Employee engagement / training External /cross-industry trends Independent assessment of maturity Vulnerabilities Independent validation, testing and exercises Risks A director s perspective must be shaped by understanding the threat view from outside and inside the enterprise

  6. Digital Security Governance Essentials How and When? Balance level of detail and current status with risk perspective, view of the future Anchor the board with fundamental information set the baseline Materiality assessment and translation to overall risk picture in alignment with appetite Critical status / security trend Hygiene health Incidences / dwell time Current / emerging threats Current and potential impacts Gaps to achieve acceptable security posture Audit / testing results and trends Employees Adequacy of resources Financial Critical talent Tech Security insurance adequacy Key stakeholders include the CIO, CISO, Legal, Communications, and Human Resources Recommend security risk status / impacts/ mitigations be addressed at each board meeting

  7. Digital Security Governance Essentials Best Practice Considerations 1. Understand the applicable laws, regulations, and guidance, leverage experts within or outside the organization. 2. Know what types of data the organization has and how it is protected. 3. Build compliance into the governance structure designate board oversight responsibilities. Ensure adequate skills on the board and management team. 4. Ensure that the company has robust information security program and policies tailored to the organization, and they are implemented and followed. 5. Ensure that an organizational risk assessment has been conducted and is periodically updated. 6. Ensure that the organization has an adequate cyber incident response plan, and that it is updated and practiced. Test the system: organizations should conduct cyber breach exercises, penetration tests, incident response Source: NACD, Carter Ledyard & Milburn LLP

  8. Digital Security Essentials Best Practice Considerations 7. Review the technology infrastructure for data security and information management and ensure that it is current and updated regularly (anti-virus and anti-malware software, encryption, etc.) 8. For public companies, ensure that there are effective disclosure controls and procedures that enable the organization to make accurate and timely disclosures, including as related to cybersecurity. Ensure that public filings adequately address cybersecurity risks, policies, oversight, and incidents. 9. Ensure that there is employee training and education on cyber and data protection policies, and the identification of red flags. 10.Conduct risk assessment of third-party vendors. Ensure that vendors with access to the organization s data have adequate cybersecurity and privacy policies to protect such data. 11.Review and assess adequacy of insurance coverage for data breaches and cyber-related incidents and consider separate cybersecurity insurance. Review/assess whether directors and officers insurance covers breach liability. Require quarterly reporting of digital security risks and events, including updates from internal audit to enable directors to determine material risk and take action where needed Source: NACD, Carter Ledyard & Milburn LLP

  9. ATHENA ALLIANCE Governance: The Digital Security Equation WWW.ATHENAALLIANCE.COM

  10. Backup Info

  11. Digital Security Essentials Bottom Line Know what is important to protect in your company Know where you are in protecting that information across the enterprise, including 3rdparties? Establish the acceptable level of risk Take action to resto

  12. Digital Security Governance Essentials Best Practice Considerations 1. Understand the applicable laws, regulations, and guidance, leverage experts within or outside the organization. 2. Know what types of data the organization has and how it is protected. 3. Build compliance into the governance structure designate board oversight responsibilities. Ensure adequate skills on the board and management team. 4. Ensure that the company has robust information security program and policies tailored to the organization, and they are implemented and followed. 5. Ensure that an organizational risk assessment has been conducted and is periodically updated. 6. Ensure that the organization has an adequate cyber incident response plan, and that it is updated and practiced. Test the system: organizations should conduct cyber breach exercises, penetration tests, incident response 7. Review the technology infrastructure for data security and information management and ensure that it is current and updated regularly (anti-virus and anti-malware software, encryption, etc.) 8. For public companies, ensure that there are effective disclosure controls and procedures that enable the organization to make accurate and timely disclosures, including as related to cybersecurity. Ensure that public filings adequately address cybersecurity risks, policies, oversight, and incidents. 9. Ensure that there is employee training and education on cyber and data protection policies, and the identification of red flags. 10. Conduct risk assessment of third-party vendors. Ensure that vendors with access to the organization s data have adequate cybersecurity and privacy policies to protect such data. 11. Review and assess adequacy of insurance coverage for data breaches and cyber-related incidents and consider separate cybersecurity insurance. Review/assess whether directors and officers insurance covers breach liability. Require quarterly reporting of digital security risks and events, including updates from internal audit to enable directors to determine material risk and take action where needed Source: NACD, Carter Ledyard & Milburn LLP

Related


More Related Content