Governance and Assurance
Questions to ask the board or management team about the organisational awareness and IT risk management appetite.
- Do we have an effective enterprise risk management process in place and are cyber risks fully integrated into this process?
- Are we clear who is responsible for managing risks? Can we identify who on the board is responsible, who explains the risks to them, and on what information decisions will be made?
- Have we considered our risk appetite in relation to cyber risks, have we communicated this to all functions, and do we know if our resources are being deployed effectively? How would we know if inappropriate risk-taking was taking place?
- Are we fully aware of the regulatory and legal exposure?
Understanding the Risk
- What is the value of the information we hold (e.g. intellectual property, financial information, strategic plans and other business-critical information, customer/personal data)? What are our ‘crown jewels’ that need the most protection?
Incident Response
- How will we know if we are being or have been attacked?
- Do we have an incident response plan and have we tested it? Do we have arrangements to obtain specialist advice and services post breach (e.g. customer help lines)?
- Who has the responsibility to declare a cyber risk incident?
Training
- Do we have an effective cyber risk training programme in place including reporting of breaches and subsequent actions?