- Where cloud services are already being used, does your organization have processes for checking performance against agreed security practices?
- Does the vendor have designated cybersecurity personnel, such as a Chief Information Security Officer, and does the vendor require its staff to undergo cybersecurity and data privacy training?
- What types of cybersecurity policies, plans, and/or protocols does your organization have in place for the control system network to detect, respond to, and/or recover from a cyber incident?
- How often should your organization conduct tests and what factors should go into determining the frequency of tests?
- What network safeguards does your organization have in place to continue the delivery of key services during an attack?
- How much impact would a real time security measurement service have on your confidence in the security of moving services and data to a public cloud?
- What physical security measures, processes, and monitoring capabilities does your organization have in place to prevent unauthorized access to its data centers and infrastructure?
- Does your organization have, or will it soon have, specialized staff for data privacy and/or cybersecurity issues to complement existing expertise?
- Does your organization have current information to understand cyber risks and whether its data use could be criticized?
- What sort of program does your organization have in place to monitor the level and robustness of the administrative privileges that it gives to its employees and executives?
- How does your organization view the security of public cloud environments to host and deliver its business applications and data assets?
- What processes and controls does the vendor have in place to ensure that engineers only use the right software for each customer?
- Do you have any personal or confidential data on your system that a hacker would want and could gain unauthorized access to?
- How does your organization maximize data security when various employees store and access data on the cloud server?
- Does the cloud provider have enterprise performance management cloud services that can quickly bring your organization into compliance with your financial processes?
- Do you use, or does someone in your organization use, machine learning technologies/techniques with alternative data sets such as text, social media, specialist limited access datasets or images?
- Does your organization have the capacity and capability to analyze security data made available by the cloud provider?
- Is the cloud provider solvent and reputable, and does it have a credible performance record, especially regarding security and privacy compliance issues?
- Does your organization have a cyber risk management program and what is being done to ensure it is evolving to keep up with evolving threats?
- Do you have physical and logical security controls around information systems and databases to avoid unauthorized access and detect/prevent potential data leakage?
- Does your organization have the right people/resources to effectively lead cybersecurity and data privacy strategic planning and implementation?
- Does your organization have confidentiality agreements with any third party service providers with access to your organization's information technology systems?
- Does your organization have a policy that requires the use of security safeguards as a condition to using certain cloud computing applications?
- Do you have a comprehensive incident response plan in place to use in the event of a security incident or data breach?
- Does your organization have backup and recovery capabilities to restore information, if necessary, after a security breach or loss of data due to a ransomware attack?
- Does your organization have policies and procedures that define criteria for the protection of customer PII data stored?
- What impact does the diversity of regulations have on the ease of adoption of cybersecurity practices or the ability of industry members to collaborate on cybersecurity issues?
- Do you have an engaging and effective information security awareness program in place across your organization designed to influence and drive new cyber resilient behaviors?
- How does the use of cloud applications and/or IT infrastructure services affect your organization's security posture?
- Does your organization have a comprehensive data management plan that defines goals and policies for the collection, structure, and management of data assets?
- How does your organization ensure that network operations meet the data regulations and compliance requirements?
- Does your organization have confidentiality agreements with third party service providers that have access to your information technology systems?
- Does your organization have any corporate policies, compliance regulations, or legal requirements concerning storing data in the cloud?
- Do you have assurances that your staff, suppliers, cloud providers, contractors, overseas subsidiaries and partners can be trusted to safely access your critical information and data assets?
- Is your data being adequately protected by your employees, business partners and third-party vendors who have access to it?
- Does your organization have a budget for achieving convergence with cybersecurity, functional safety and data privacy?
- Does the system have auditing capabilities, such as archived reporting and activity logs, to help your organization reduce compliance risk?
- How frequently does your organization report to executive management on the implementation and effectiveness of your organization's cybersecurity program?
- Does your organization have a long term plan concerning its cybersecurity strategy, including plans to mitigate any IT system gaps resulting from merger/acquisition activity?
- How does your organization address the possibility that email or traditional communication channels will be unavailable during a cyber incident?
- Does your organization have procedures on how to decide if cloud applications using sensitive or confidential information should be allowed?
- Will cloud based technologies provide broad enough tools to address the full scope of GDPR, or will you have to switch to other capabilities over time?
- Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process organization data?
- Does your organization have a governance and risk assessment program for the key areas of your cybersecurity program?
- Should your organization have a formal chief risk officer and a risk management function to manage the day to day risk management processes?
- Do you have the staff to support your application interface, IoT hardware, software, data analytics, data comms/aggregation and cybersecurity needs?
- How does the cloud service provider handle resource democratization and dynamism to best predict proper levels of system availability and performance through normal business fluctuations?
- Does your organization have coordinated and measurable information security and cybersecurity awareness programs?
- What types of knowledge or skills does your organization need or value as it builds its cybersecurity workforce?
- Are employees who have offices or do business in multiple jurisdictions subject to different standards or requirements with respect to cybersecurity, data privacy or business continuity?
- Does the board/executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures?
- Did your organization have a cybersecurity incident that resulted in a significant disruption to your organization's IT and business processes?
- Does your business have technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access?
- Does your organization have its own business continuity arrangements in place to deal with disruptions caused by cybersecurity incidents?
- Do you have a unified data management operation that supports efficient governance, compliance and discovery on demand?
- What type of internal training does your organization provide regarding information security, and are policies and procedures enforced?
- Does your organization have a testing program to validate the effectiveness of your organization's incident detection processes and controls?
- Does your organization have an improvement plan in place to ensure exposures are within your agreed-upon risk appetite?
- Does your cloud security service provider offer other security services beyond DDoS, or does it only mitigate DDoS attacks?
- Does your organization have appropriately skilled staff or ready access to resources to contain and mitigate cybersecurity incidents?
- Does your organization have an overarching cybersecurity policy, or equivalent, that has been signed off by the board, and if so, how often is it reviewed by the board?
- How does your organization ensure safe sharing of confidential or sensitive information with cloud computing vendors?
- Does your organization have a map with critical physical supply, distribution and service hubs/nodes and interrelated flows to help you visualize the IT supply chain?
- Where does your organization permit cloud computing resources to be deployed without vetting or evaluation for security risks?
- Is your organization planning to approach network security in the cloud in the same manner as it does with its on-premises security operations?
- Does your organization have an independent testing program that includes comprehensive penetration testing of its perimeter network and application security controls?
- When does a cyber threat become real and tangible enough for your organization to stop being reactionary and dedicate sufficient resources and talent to get ahead of it?
- Do you know what is in your network that may be end of support or have issues that may compromise the security of your network?
- Do you have a good sense of progress in terms of best practices and the operations metrics of how securely your organization is using cloud services?
- How does your organization determine that all appropriate security requirements are met before deploying cloud computing resources?
- How does the overall security posture for your organization's cloud services compare to your on-premises security?
- What sort of cybersecurity expertise does your organization need and what type of expertise do you already have?
- Can your cloud defenses provide continuous security assessment policy checks, so that organizational cloud data storage always requires access credentials or MFA?
- Do you have the talents and capabilities to feed back data and insights to improve machine learning and decision making?
- Does your organization have written procedures to ensure that backups of information are conducted, maintained, and tested periodically?
- Do you have a defined incident response team that has high level participation from all pertinent business functions and has clearly defined roles for response team members?
- How does your organization ensure that it has a sufficiently robust understanding of future technological developments and scenarios to inform its strategic planning?
- How does management monitor whether there has been unauthorized access to digital/electronic assets and assess the impact on financial reporting?
- What do you believe would help make your organization's cybersecurity and data privacy program stronger/more secure?
- Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting?
- Can the security products correlate user actions and data analysis across multiple cloud services to identify high risk incidents and behavior?
- Does the accountable officer have sufficient authority to drive your organization and IT culture that builds suitable controls into the business and IT processes?
- What proprietary and industry standard machine learning algorithms and data science techniques does the technology vendor incorporate?
- What security measures does the service provider use to protect data, and is there a means to audit the effectiveness of measures?
- Which challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure?
- Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?
- Does your organization have a process for establishing and maintaining security for the system built and operated in the cloud?
- How does your risk framework align to your business model, customer base, product offerings and jurisdictional footprint?
- How does your organization ensure effective governance and compliance whilst managing the risks of cloud computing?
- Who does the most senior person in your organization responsible for information security/cybersecurity report to?
- How does your internal audit department add value by helping your organization avoid the pitfalls associated with cloud adoption?
- How does obtaining visibility into network traffic within public cloud environments compare with traffic visibility within your physical data center?
- Do you believe your internal resources have appropriate skills and knowledge to manage and use cybersecurity technology efficiently?
- Does your organization have established incident response and event management procedures to quickly detect security events?
- How is your organization exposed to cyber incidents in the supply chain, and how have suppliers' own cybersecurity measures been assessed?
- What principles have been developed for determining which authorities the response to a particular cybersecurity incident will involve?
- Does your IT team have the necessary skills to oversee the implementation, the security of your approach, and the load balancing between your organization's on-premises and cloud presence?
- Do you have the support systems in place to assist staff working from home, including technology support and appropriate cybersecurity?
- Does your organization have cybersecurity guidelines that cover production/product risks and the extended enterprise in addition to traditional IT Security?
- Does your organization have written policies, procedures, or training programs in place pertaining to safeguarding client information?
Senior Documentation Specialist (3 years ago): I agree with Sigrid de Kaste... while the questions are excellent, they need to be placed into a hierarchy that can be addressed by the appropriate corporate SMEs... Suggest a reorganization of type from broad to specific... and if possible, create an "aspect" group of questions.
IT Security/Cybersecurity, Data Protection, GRC, ISO 27001 InfoSec LA, LI, Internal Auditor, InfoSec Risk Manager, ISO 22301 BCM Risk Manager (3 years ago): Kindly provide a template that has all these questions and possible answers based on your experiences and who we have to work with.
(3 years ago): How do you create a Risk table from a Risk Policy?
Brilliantly splendid! Nearly 101 intellectuality lessons learned, listened and taken.