Informed Leaders Ask Good Cybersecurity Questions

Many senior executives are not cybersecurity professionals, but asking a few simple questions can give you great insight into organizational security posture. These questions work equally well for small consulting firms and billion-dollar conglomerates. Thoughtful questions provide valuable information regardless of the type of organization you operate.


Who has administrative access to ALL our sensitive information? Show me the list. Are these people still employed here?

Reference: NIST 800-171 Access Control (SC-2), ensuring that only authorized individuals have access to sensitive information and systems. Are all user accounts still valid? Do all those people still work here?


If there is a disaster and we have to recover data from third party providers, how long do they have to restore and give it back to us? Is that timeline in our contracts with our critical providers?

Reference: NIST 800-171 Information System and Communications Protection (SC-13), assessing the risk of third-party vendors and partners. Some cloud providers may not respond as quickly as your organizational recovery timeline requires.


How many workstations and laptops have we purchased in the last 3 years? How many of those show up now in our malicious code monitoring systems?

How many mobile phone contract subscriptions do we have right now? How many of those mobile phones appear in our Mobile Device Management system today?

Reference: NIST 800-171 Malicious Code Protection (SC-28). Who has a company phone? Is it under configuration management or not? Are there apps on that phone that could compromise sensitive organizational information?
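The two inventory questions above (who still has administrative access, and how many purchased devices actually report to our monitoring tools) are answered by reconciling exports that most organizations already have. The following is an added example, not part of the original article: it assumes four constructed lists (an admin-access export, the HR active roster, a purchasing list and an endpoint-monitoring/MDM export) and produces the figures a leader would ask to see.

```python
"""Reconcile the exports behind the admin-access and device-coverage questions.

All sample data below is constructed for illustration; column names and
identifier formats are assumptions, not any particular tool's export format.
"""
from dataclasses import dataclass


def norm(value: str) -> str:
    """Normalise identifiers so 'SN-0001 ' and 'sn0001' compare equal."""
    return value.strip().upper().replace("-", "")


@dataclass
class Reconciliation:
    stale_admins: list      # admin accounts with no active employee behind them
    unmanaged_assets: list  # purchased devices never seen by monitoring
    coverage_pct: float     # share of purchased devices that are monitored
    admin_count: int        # distinct accounts with admin rights


def reconcile(admins, active_staff, purchased, monitored) -> Reconciliation:
    """admins: user ids with admin rights on sensitive systems;
    active_staff: user ids currently employed per HR;
    purchased: device serials bought in the review window;
    monitored: serials reporting to malicious-code / MDM tooling."""
    staff = {norm(u) for u in active_staff}
    admin_ids = {norm(a) for a in admins}
    # Accounts (including service accounts) with no current employee owner
    stale = sorted(a for a in admin_ids if a not in staff)
    seen = {norm(s) for s in monitored}
    bought = {norm(s) for s in purchased}
    unmanaged = sorted(bought - seen)
    pct = 100.0 * len(bought & seen) / len(bought) if bought else 100.0
    return Reconciliation(stale, unmanaged, round(pct, 1), len(admin_ids))


# Constructed sample exports (not real organizational data)
ADMINS = ["alice", "bob", "carol", "svc_backup", "Alice"]
ACTIVE_STAFF = ["Alice", "carol", "dave"]
PURCHASED = ["SN-0001", "SN-0002", "SN-0003", "SN-0004"]
MONITORED = ["sn0001", "SN-0003", "SN-0099"]

if __name__ == "__main__":
    r = reconcile(ADMINS, ACTIVE_STAFF, PURCHASED, MONITORED)
    print(f"{r.admin_count} admin accounts; stale: {r.stale_admins}")
    print(f"Device coverage {r.coverage_pct}%; unmanaged: {r.unmanaged_assets}")
```

Every stale admin account and every unmanaged serial is an action item with an owner and a due date, which is the follow-up the article asks about for each question.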


When was the last time we had an internal vulnerability assessment? Action items? Are they all closed now?

Reference: NIST 800-171 Vulnerability Scanning (RA-5). Tracking and closing open exposures is important to maintaining a strong security posture over time. A scan report is not good enough; you have to actually track and fix the issues.


When was the last time we had an external penetration test? Action items? Closed now?

Reference: NIST 800-171 Boundary Protection (SC-30). Periodic penetration tests can uncover blind spots. Consider rotating among different third-party firms to provide higher test integrity.


If we have a cybersecurity incident, what do we do? Who gets called and who do we need to report to?

Reference: NIST 800-171 Incident Response and Reporting (SC-47). Well-documented processes are critically important in times of crisis. Some state and federal government contracts require 24-hour rapid reporting.


How often do our systems get patch updates? How do we know the systems actually got updated?

Reference: NIST 800-171 System and Information Integrity (SC-39), covering the steps taken to ensure the secure configuration and management of our systems. Periodic patching is important. Some systems, such as offline laptops or virtual machines that are not active during the patch cycle, may never receive the patches. Make a plan to cover all hosts.


When was the last time we had a cybersecurity phishing awareness exercise? What percentage of our users clicked on the link, possibly compromising sensitive information or disrupting operations?

Reference: NIST 800-171 Security Awareness Training (AT-2). Periodic live and email exercises educate staff members on cyber risks, significantly reducing the potential for costly downtime, data loss, investigations, and lawsuits.


Asking simple questions like these can give you rapid insight into the overall security posture of any organization. Highly regulated or government organizations will have additional controls to consider, but at a very high level this is a good place to start asking questions.

If you would like more questions to ask or want to discuss remediation help, contact LP3 at https://LP3.com.


#boardofdirectors #ceo #ciso #cybersecurity


