Cyber Security Governance

Governance, Risk and Compliance (from a cybersecurity standpoint) is a critical investment for the long-term growth and sustainability of any organization. However, meeting regulations, stakeholder expectations and standards can be complex, and it is easy to invest too much or too little time.

A number of areas will need to be addressed, starting with the following:

  • Organizational context
  • Risk management strategy
  • Roles and Responsibilities
  • Authorities
  • Security policies and procedures
  • Oversight; and
  • Cybersecurity supply chain risk management

Organizational Context

Knowing the internal context of your organisation involves identifying its values, culture, resources, internal stakeholders, and overall objectives.

On the other hand, understanding the external context involves looking at your organisation’s external stakeholders, legal requirements, the industry in which it operates, your main competitors, and your organisation’s strengths and weaknesses.

By understanding both the internal and external context of your organisation, you can better identify risks and opportunities that may arise from the environment in which you operate and the way you operate.

Risk Management Strategy

Risk management identifies, assesses and prioritises cyber risks and threats to minimise their impact on the organisation. Effective risk management involves conducting regular assessments to identify potential vulnerabilities and threats to your network, systems and / or applications.

Once identified, your organisation can take the appropriate steps to reduce the likelihood and impact of these risks.

Roles and Responsibilities

The role of a Chief Information Security Officer (CISO) requires a combination of technical and soft skills, such as business acumen, leadership, communications and relationship building.

They must adopt a continuous approach to learning and up-skilling in order to maintain pace with the cyber threat landscape and new technologies.

The CISO will oversee the development of related policies, risk plans, methodologies, asset registers, cyber security awareness training, manuals / procedures along with distribution and regular updates.

The CISO is also responsible for reporting any cyber security matters to the directors, board and / or senior management team and other stakeholders.

Authorities

All cybercrime activity should be reported through the Australian Cyber Security Centre website.

Security Policies and Procedures

Security policies and procedures outline the rules and guidelines your staff must follow to ensure the confidentiality, integrity, and availability of your business’ systems.

These policies should cover data protection, access controls, incident response, and other critical aspects of information security.

Oversight

Responsibility for the company’s cybersecurity risk should be clearly assigned, with the directors of the organisation coordinating it through established procedures.

The board or committee overseeing cyber issues should ensure that management has conducted exercises to test and assess the company’s incident response and its processes for disclosures.

Cybersecurity Supply Chain Risk Management

All organisations should consider cyber supply chain risk management. If a supplier, manufacturer, distributor or retailer is involved in products or services used by an organisation, there will be a cyber supply chain risk originating from that business.

Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services throughout their lifetime. This includes their design, manufacture, delivery, maintenance, decommissioning and disposal.

Cyber supply chain risk management can be achieved by identifying the cyber supply chain, understanding cyber supply chain risk, setting cyber security expectations, auditing for compliance, and monitoring and improving cyber supply chain security practices.