TheCorporateCounsel.net

May 18, 2023

Strengthening Board Oversight of Cybersecurity

In contrast to the positive developments on climate change preparedness, John recently blogged that many boards aren’t entirely comfortable with their companies’ level of cyber-readiness, and that even boards that include a cyber expert face challenges in effectively overseeing cyber issues. This article from the CPA Journal provides a timely list of key considerations that allow boards, audit committees or cybersecurity committees to quickly understand the status of their organization’s cybersecurity program. Here are a few of the recommendations:

Inventory and categorization of all assets. A complete, accurate, timely list of all assets should be available upon demand. This list should include internal (within the company) and external (outsourced, cloud) assets. Each asset should be categorized by its risk in order to prioritize controls, including vulnerability remediation. The primary oversight concern is that if management cannot identify the assets it is responsible for, how can it protect them?

Quality of internal audit comments. Directors can learn a lot about their organizations through the internal audit reports performed and the issues raised by those reports. From an oversight perspective, it is essential that such reports have an independent review, appropriate scope, and recommendations that add value to the organization. The inherent complexity of technology and its continued evolution causes managerial control challenges. Even when a prior security issue has been remediated, technological advances may require that a new control be implemented.

Managing accounts. The number, type, and utilization of user and system accounts can be a leading indicator of how well an organization manages those accounts. If administered properly, account access, accountability, and monitoring enable organizational activity while protecting data. Considerations include the number and percentage of users designated as privileged, stale users (accounts not used within a specific time), and generic accounts (not assigned to individuals). From an oversight perspective, the primary concerns are the effectiveness of administering user privileges to enforce organizational controls and ensuring accountability for activities over protected digital resources.
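The indicators listed above (privileged share, stale accounts, generic accounts) are easy to compute from an identity-system export, and the overlap between them is where oversight attention usually belongs. The following is an added example, not code from the CPA Journal article or from TheCorporateCounsel.net; the account records are constructed, the field names are assumptions about what a directory export contains, and the 90-day staleness window and the as-of date are illustrative values a reviewer would set for their own organization.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    """One row of a hypothetical account export (field names are assumed)."""
    name: str
    owner: Optional[str]        # None means a generic/shared account not tied to a person
    privileged: bool            # admin or otherwise elevated rights
    last_login: Optional[date]  # None means the account has never been used


# Constructed sample data; not taken from any real organization.
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice Example", False, date(2023, 5, 10)),
    Account("bob", "Bob Example", True, date(2023, 5, 1)),
    Account("carol", "Carol Example", True, date(2022, 11, 3)),
    Account("svc-backup", None, True, date(2023, 5, 12)),
    Account("shared-kiosk", None, False, date(2022, 9, 30)),
    Account("dave", "Dave Example", False, None),
]


def account_metrics(accounts, as_of, stale_after_days=90):
    """Summarize the account-hygiene indicators a board would ask about.

    Returns counts and name lists so the result can be reported as-is or
    compared against a previous period to spot a trend.
    """
    total = len(accounts)
    cutoff = as_of - timedelta(days=stale_after_days)

    privileged = [a for a in accounts if a.privileged]
    # Never-used accounts are treated as stale: they exist but nobody is accountable for their use.
    stale = [a for a in accounts if a.last_login is None or a.last_login < cutoff]
    generic = [a for a in accounts if a.owner is None]

    # The overlaps are the highest-risk items: elevated rights with no recent use,
    # or elevated rights with no individual owner to hold accountable.
    stale_names = {a.name for a in stale}
    privileged_stale = [a for a in privileged if a.name in stale_names]
    privileged_generic = [a for a in privileged if a.owner is None]

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "privileged": len(privileged),
        "privileged_pct": pct(len(privileged)),
        "stale": sorted(a.name for a in stale),
        "generic": sorted(a.name for a in generic),
        "privileged_stale": sorted(a.name for a in privileged_stale),
        "privileged_generic": sorted(a.name for a in privileged_generic),
    }


if __name__ == "__main__":
    report = account_metrics(SAMPLE_ACCOUNTS, as_of=date(2023, 5, 18))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real export, the two overlap lists are the items to bring to the committee first; the headline percentages matter mostly as a trend from one reporting period to the next.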

Confirming the assurance provided by penetration testing. There are various definitions, forms, and scopes of penetration testing. The idea is to simulate an attack that an intruder could conduct. Often directors are presented with results that summarize technical vulnerabilities. From an oversight perspective, directors should ensure that the scope of what was tested is clear. This should include not only which assets were tested but also scope limitations, assumptions, and other factors that could give a false sense of security when reviewing testing results.

– Meredith Ervine