BreachExchange mailing list archives

What the board needs to know about cybersecurity compliance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 Jan 2016 18:25:09 -0700

http://www.cio.com/article/3023865/cyber-attacks-espionage/what-the-board-needs-to-know-about-cybersecurity-compliance.html

Board members are now facing lawsuits after large-scale cybersecurity
breaches because the security breakdowns are considered a failure to uphold
fiduciary duties. The Department of Justice has recently provided
guidelines for cybersecurity awareness for board members. The CIO now has a
responsibility to communicate the cybersecurity strategy to board members
and make them aware of critical risks to help avoid personal liability.

Details of day-to-day activities like software monitoring and firewall
setup are important for the IT team and CIO to understand, but that level
of granularity is not necessary for the Board. However, at a minimum, the
Board should understand how cybersecurity failures can impact the business.

The Board should know how critical business processes could be affected by
a breach, how decisions are made during an emergency situation, and how
company compliance can impact a breach.

1. How critical business processes would be affected by a breach:

It is important for the CIO to review the results of regularly scheduled
security assessments with the Board, so members are aware of potential
threats to critical business processes and the steps being taken to
safeguard against those risks. The Board is responsible for acting on
information presented in risk assessments. When members take steps to
address risk appropriately, they are fulfilling their fiduciary duties.

Some of the critical business processes to monitor are those that involve
the customer, those that involve a breach of company IP and those that
relate to financial transactions. These processes are the channels through
which company and customer information move back and forth, which makes
them ideal targets for an attack.

2. How decisions are made in an emergency:

In addition, the Board needs to know how decisions will be made during an
incident. The CIO should review current internal compliance policies and
review how the company rates against industry standard compliance policies
with the Board. This information can be used to help the Board prioritize
risks and identify areas where the most harm could be caused.

Like in any emergency situation, having an internal and external
communication plan is imperative. Depending on the nature of the situation,
it may be necessary to involve specialized outside legal counsel. The Board
should be involved in selecting an outside firm and should know what their
role will be. In addition, the Board should understand how information
would be documented, tracked and communicated in the event of a breach.
Miscommunicated information related to a data breach, or withheld
information, can mean the company and Board have failed to uphold their
duties and they would assume liability for the incident.

3. How company compliance can impact a breach:

A cybersecurity breach is not the time to find out that basic compliance
policies are not being followed. If external vendors are accessing internal
systems, their access and permissions in those systems should be monitored
and controlled just like those of company employees. The CIO should be aware
of vendor compliance policies and know how vendors are securing company data.
In the Target breach of 2013, the company was not in compliance with the
Payment Card Industry (PCI) Data Security Standard (DSS). This type of
compliance is something that companies simply cannot afford to ignore.

Cybersecurity is as much about technology as it is about people, including
the Board of Directors. Board members have a unique responsibility to
protect their company’s assets and customer information. They no longer
have the luxury to keep cybersecurity on the sidelines for IT to manage.
They must work to integrate the cybersecurity strategy with the overarching
business strategy and make sure risks are appropriately addressed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/