Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

More documents

Recommendations

Info

Carnegie Carnegie Carnegie Mellon Mellon Mellon CyLab CyLab ! ! Zero Zero percent (0%) of of the the IT/telecom industry sector sector said they have CPOs, even even though though they have some some of of the the most stringent stringent privacy compliance requirements. requirements. Likewise, Likewise, none (0%) of the respondents from the the energy/utilities and and industrials industrials sectors sectors indicated they have CROs. CROs. III. Recommendations Recommendations ! The survey revealed that governance of of enterprise security is still lacking in most most corporations, corporations, with with gaps gaps gaps in critical critical areas. areas. If If If boards boards and and senior senior management management take take the the following following 12 12 actions, actions, actions, they they could could significantly significantly improve improve their their organizations’ organizations’ security security security posture posture and and reduce reduce risk: risk: 1. Establish Establish a board Risk Committee Committee separate from the Audit Committee and assign it responsibility responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise. expertise. 2. 2. 2. Ensure that privacy and security security roles roles within within the organization organization organization are separated and that responsibilities are appropriately appropriately assigned. assigned. assigned. The The The CIO, CIO, CISO/CSO, CISO/CSO, and and CPO CPO CPO should should report report independently independently to senior senior management. management. 3. 3. Evaluate the existing organizational structure and establish establish establish a a cross-organizational cross-organizational team that that is is is required to meet meet meet at at least least monthly monthly to to coordinate coordinate coordinate and and communicate communicate on on privacy privacy and security security issues. This team should include include include senior senior senior management management from from human human resources, resources, public relations, legal, and procurement, as well as the CFO, CFO, the CIO, CIO, CISO/CSO, CISO/CSO, CRO, CRO, the CPO, and business line line executives. executives. 4. 4. Review Review existing existing top-level top-level policies policies to to create create a a culture culture of of of security security and and respect respect for for privacy. privacy. Organizations can enhance their their their reputation by valuing valuing cybersecurity cyber security and and the protection of privacy and viewing it as a corporate corporate social social social responsibility. responsibility. 5. 5. Review Review assessments assessments of of the the organization’s organization’s security security program program and and ensure ensure that that that the it comports program with comports best practices with best and practices standards and standards and includes and incident includes response, incident response, breach notification, breach breach notification, notification, disaster recovery, disaster and crisis recovery, communications and crisis communications plans. plans. 6. 6. Ensure Ensure that that privacy privacy and and security security requirements requirements for for vendors vendors (including (including cloud cloud and and software-as-a-service software-as-a-service providers) are based upon key aspects aspects of the the organization’s organization’s security security program, including annual audits and and control requirements. Carefully review notification procedures procedures in the event event of of of a a breach breach or or or security security incident. 7. 7. Conduct an annual audit of the the the organization’s organization’s organization’s enterprise enterprise security program, to be reviewed reviewed by the the Audit Audit Committee. 8. 8. Conduct an annual annual review review of of the the enterprise enterprise security security program program program and effectiveness effectiveness of of controls, controls, to to be reviewed by the board board Risk Risk Committee, and ensure that identified gaps gaps or weaknesses weaknesses weaknesses are are addressed. addressed. 9. 9. 9. Require regular reports reports from senior senior management management on on privacy privacy and and security security risks. 10. 10. Require Require annual annual board board review review of of budgets budgets for for privacy privacy and and security security risk management. management. 11. 11. Conduct Conduct annual privacy compliance compliance audits and review test incident response, breach breach notification, notification, disaster recovery, and crisis communication communication plans. plans. 12. 12. Assess Assess cyber cyber risks risks and and potential potential loss loss valuations valuations and and and review review adequacy adequacy of of cyber cyber insurance insurance coverage. coverage.
Endnotes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1 Jody R. Westby & Julia Allen, Governing for Enterprise Security Implementation Guide, Carnegie Mellon University, Software Engineering Institute, Technical Note CMU/SEI-2000-TN-020, 2007, http://www.sei.cmu.edu/publications/documents/07.reports/07tn020.html (hereinafter “Westby & Allen”). 2 Board Briefing on IT Governance, 2 nd ed., IT Governance Institute, 2003 at 10, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Board-Briefing-on-IT- Governance-2nd-Edition.aspx (emphasis added). 3 Convergence of Enterprise Security Organizations, American Society for industrial Security, Information Systems Security Association, and Information Systems Audit and Control Association, 2003 at 2, www.asisonline.org/newsroom/alliance.pdf. ! 4 See Jody R. Westby, Testimony Before the House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Sept. 22, 2004, http://www.cccure.org/Documents/Governance/westby1.pdf . For a discussion regarding the fiduciary duty of boards and officers and the extension of that duty to protect the digital assets of their organizations, see Jody R. Westby, ed., International Guide to Cyber Security, American Bar Assn., Privacy & Computer Crime Committee, 2004 at 189-93. 5 Sarbanes-Oxley Act of 2002, Pub. Law 107-204, Sections 302, 404, http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf. The SEC has taken a narrow interpretation of Sarbanes-Oxley to the point that information security and risk management pertain only to the financial statements of a company. The Federal Reserve has countered this by saying a broader interpretation is needed to include all of the operational risks since there are many aspects that can impact the financial standing of an organization that can affect the integrity and accuracy of the financials. 6 “CF Disclosure Guidance: Topic 2, Cybersecurity,” Securities and Exchange Commission, Division of Corporate Finance, Oct. 13, 2011, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 7 “Legal Resources,” Critical Energy Infrastructure Information (CEII) Regulations, Federal Energy Regulatory Commission, http://www.ferc.gov/legal/maj-ord-reg/land-docs/ceii-rule.asp. 8 See, e.g., Jody Westby, “Cyber Legislation Will Cost Businesses and Hurt Economy,” Feb. 27, 2012, Forbes.com, http://www.forbes.com/sites/jodywestby/2012/02/27/cyber-legislation-will-cost-businesses-and-hurt-economy/. 9 Kevin Coleman, “Battle Damage Increases From Widespread Attacks,” Defense Systems, Aug. 1, 2011, http://defensesystems.com/Articles/2011/07/18/Digital-Conflict-cyberattacks-economysecurity.aspx?Page=1; Brian Cashell, William D. Jackson, Mark Jickling, Baird Webel, The Economic Impact of Cyber-Attacks,” Congressional Research Service, RL32331, Apr. 1, 2004, www.cisco.com/warp/public/779/.../images/CRS_Cyber_Attacks.pdf; A. Marshall Acuff, Jr., “Information Security Impacting Securities Valuations: Information Technology and the Internet Changing the Face of Business,” Salomon Smith Barney, 2000, at 3-4. Carnegie Mellon CyLab !
Page 1 and 2: How Boards & Senior Executives Are
Page 3 and 4: Table of Contents Table of Contents
Page 5 and 6: About Carnegie Mellon CyLab About C
Page 7 and 8: About RSA About RSA Founded in 1982
Page 9 and 10: Executive Executive Summary Summary
Page 11 and 12: Committee, but indicated that when
Page 13 and 14: Carnegie Mellon University’s Dean
Page 15 and 16: Enterprise governance and IT govern
Page 17 and 18: II. Findings and Conclusions II. Fi
Page 19 and 20: Industry & Region Comparison Table:
Page 21 and 22: management regarding privacy and se
Page 23 and 24: esponsible for risk 65% of the time
Page 29: Regional Regional Conclusions Carne

Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

Create successful ePaper yourself

Delete template?

Save as template?