ProCircular Information Security Experts Corner

Executive's Cybersecurity Checklist

Posted by Aaron R. Warner on Mar 13, 2017 9:55:05 AM
Find me on:

Cybersecurity Checklist for the Non-IT Executive:

If you’re an executive outside of IT wondering about your company’s cybersecurity preparedness, read on.

Conversations about cybersecurity are often a minefield, laden with murky tech-lingo. The CEO, CFO, and General Counsel all have their areas of expertise, but IT—and especially cybersecurity—is rarely among them. The following “litmus test” will help business leaders assess cyber-incident readiness with their technical team.

While this isn’t a complete list, and lacks technical details, it should provide you with a decent gauge for whether or not your team has taken appropriate steps. If you’re really interested in testing readiness, walk through the following process with the head of IT and then again, separately and in private, with a member of the technical team who is subordinate to that leader.

The findings can be eye-opening. The IT Manager may present polished responses, but with a guarantee of confidentiality and a stress on candor, the network engineer may paint an entirely different picture. 

On December 29th, 2016 the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint analysis report outlining a variety of measures that organizations, large and small, can take to defend against all forms of cyber attack, hackers, and state-sponsored actors alike. The questions below are a summarized application of the report’s recommendations.

Ask these questions to quickly establish the maturity level of your organization’s current security plan. Have an admin or trusted member of your team build a matrix with the following areas on one axis and a number scale on the other. With the help of your selected IT members, you can score the response for each area.

On a score of 1-10, rate your organization in terms of:

Backups:

  • Do we backup all critical information?
  • Are the backups stored offline?
  • Have we tested our ability to revert to backups during an incident?

Incident Response:

  • Do we have an incident response plan?
  • Have we practiced it?

Business Continuity:

  • Are we able to sustain business operations without access to certain systems?
  • If so, for how long?
  • Have we tested this?

Risk Analysis:

  • Have we continued a cybersecurity risk analysis of our organization?

Staff Training:

  • Have we trained staff on cybersecurity best practices?

Vulnerability Scanning & Patching:

  • Have we implemented regular scans of our network and systems?
  • Have we conducted appropriate patching of known system vulnerabilities?

Penetration Testing:

  • Have we attempted to hack into our own systems to test security and our ability to defend against attacks?

Application Whitelisting:

  • Do we allow only approved programs to run on our networks?

 

 These questions are organized roughly in order of importance. Low scores at the beginning of the list indicate that you may be spending too little on security infrastructure or have a staffing issue. This is particularly true with backups, the key to recovery in any situation. If your team can’t demonstrate (not just claim) a successful backup and restore test in the last week, you need to act and make sure that it gets done.

Low scores near the end of the list suggest your company might be behind on due diligence. Scanning/patching, security training, and application review require up-front effort, but can save you considerable headaches in the future. Penetration testing is a regular part of ensuring your company’s cyber-health, and can actually be a fun task that breaks up the day-to-day for IT staff.

If resources are the challenge, some excellent work on ‘how much is enough’ is listed here. If your staff is simply overcommitted, or the prioritized work they’re doing now is time-critical, consider bringing in a third party to assist where your team might not have the expertise or can’t dedicate the effort. In all of these areas, ProCircular can help give you confidence that you’re doing your best to protect your company and its customers.

Source: TLP:WHITE Reference Number JAR-16-20296, NCCIC/FBI/DHS

We know that these things can be confusing. Want to chat more with our experts and see a list of recommended services to get you started? Learn More! 




 

Topics: Cybersecurity, Vulnerability Assessment, Penetration Testing, Incident Response, Security Awareness Training