Key questions executives should ask to ensure assets are protected – Canadian Government Executive

April 12, 2017

Key questions executives should ask to ensure assets are protected

Security professionals have an obligation to communicate risks and recommendations to management, but the ultimate responsibility for protecting corporate assets lies with executives. Here are five questions top executives should be asking right now:

According to vulnerability scans, how many critical and important patches need to be applied, and how many remain outstanding for 30, 60, 90, and 180 days?

Many IT organizations believe they are doing a good job keeping up with patches, but a scan with Nessus, Qualys, or a similar product often tells a different story. From a security operations perspective, applying patches is low-hanging fruit. Proactively addressing vulnerabilities makes it more difficult for attackers to gain a foothold and reduces the opportunities for lateral movement.

While IT operations should focus on missing patches, management should focus on higher-level trends. This requires an enterprise-class product that is capable of tracking vulnerabilities over time instead of simply producing snapshots. Ideally, all security-relevant patches (typically labelled critical or high by vulnerability scanning products) should be applied in less than 30 days; this should result in strongly declining 60-, 90-, and 180-day numbers. Significant vulnerabilities that remain unpatched for more than 30 days suggest that patch management processes are ineffective and are placing the organization at risk.
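To make "tracking vulnerabilities over time" concrete, here is an added Python example; it is not from the article and does not use a real Nessus or Qualys export format. It correlates a series of constructed scan snapshots to derive each finding's first-seen date, then counts the critical and high findings still open and how many of them have been outstanding for at least 30, 60, 90 and 180 days. Host names and check identifiers such as CHECK-A are constructed placeholders.

```python
"""Vulnerability aging report built from a series of scan snapshots.

Added illustration (not from the article). A single scan can say what is open
today; the 30/60/90/180-day numbers executives should ask for only exist once
findings are correlated across scans so that each one has a first-seen date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple

SECURITY_RELEVANT = {"critical", "high"}   # severities management cares about
AGE_BUCKETS = (30, 60, 90, 180)            # days outstanding, as in the article


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # scanner check identifier (constructed placeholder names)
    severity: str   # "critical", "high", "medium" or "low"


def first_seen_dates(snapshots: Dict[date, FrozenSet[Finding]]) -> Dict[Finding, date]:
    """Earliest scan date on which each finding was observed.

    A finding that disappears and later reappears (for example a host rebuilt
    from an old image) keeps its original first-seen date; that is the
    conservative choice for an aging metric.
    """
    first: Dict[Finding, date] = {}
    for scan_date in sorted(snapshots):
        for finding in snapshots[scan_date]:
            first.setdefault(finding, scan_date)
    return first


def aging_report(snapshots: Dict[date, FrozenSet[Finding]], as_of: date) -> Dict[str, int]:
    """Count open critical/high findings and how many have been open >= N days.

    Only scans on or before as_of are used; findings present in the most recent
    of those scans are treated as still open.
    """
    history = {d: s for d, s in snapshots.items() if d <= as_of}
    if not history:
        raise ValueError("no scans on or before as_of")
    latest = history[max(history)]
    first = first_seen_dates(history)
    open_relevant = [f for f in latest if f.severity in SECURITY_RELEVANT]
    report = {"open_critical_high": len(open_relevant)}
    for days in AGE_BUCKETS:
        report[f"outstanding_{days}d"] = sum(
            1 for f in open_relevant if (as_of - first[f]).days >= days)
    return report


def trend(snapshots: Dict[date, FrozenSet[Finding]]) -> List[Tuple[date, Dict[str, int]]]:
    """The aging report at every scan date: the time series management should review."""
    return [(d, aging_report(snapshots, d)) for d in sorted(snapshots)]


# Constructed sample data: four quarterly-ish scans of a tiny estate.
A = Finding("srv-01", "CHECK-A", "critical")   # never fixed
B = Finding("srv-02", "CHECK-B", "high")
C = Finding("ws-07", "CHECK-C", "high")
D = Finding("ws-07", "CHECK-D", "critical")    # new in the latest scan
E = Finding("srv-03", "CHECK-E", "critical")   # remediated after the second scan
F = Finding("srv-01", "CHECK-F", "medium")     # not security-relevant for this metric

SNAPSHOTS: Dict[date, FrozenSet[Finding]] = {
    date(2016, 10, 3): frozenset({A, E, F}),
    date(2017, 1, 9): frozenset({A, B, E, F}),
    date(2017, 3, 6): frozenset({A, B, C, F}),
    date(2017, 4, 10): frozenset({A, B, C, D, F}),
}

if __name__ == "__main__":
    for scan_date, report in trend(SNAPSHOTS):
        print(scan_date, report)
```

Run as a script, the output shows the 90- and 180-day counts failing to decline between scans, which is the trend the article says management should be watching rather than the raw count of open findings.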

Is our business continuity plan (BCP) complete, when was our most recent test, and what were the results?

Organizations of all sizes require a BCP to survive potential disruptions, including natural disasters. To be of practical use, the plan must focus on critical systems and operational capabilities, including those provided by third parties. The size and complexity of a BCP vary from organization to organization. A small business that relies on cloud services might document service contracts and contingency plans for use if a service becomes unavailable. Enterprises with their own data centres require far more elaborate plans.

While it can be difficult for management to quickly assess a BCP, the absence of critical information is a red flag. In addition to identifying business-critical systems, the Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO) for each system should be documented.

Without this information, it is difficult to assess the viability of the plan, and whether other related plans (such as backups and disaster recovery) are aligned. For example, if backups are made daily, the organization is not likely capable of achieving a 4-hour RPO.
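The completeness and alignment checks described above can be expressed as a short review script. The following Python is an added example, not part of the article; the system names, MTD/RTO/RPO values and backup intervals are constructed. It flags undocumented MTD, RTO or RPO values, an RTO longer than the MTD, and a backup interval that cannot support the stated RPO (the article's daily-backup versus 4-hour RPO case).

```python
"""Consistency review of BCP entries: added example, constructed data.

Each system in a BCP should document MTD, RTO and RPO. This script flags
missing values and two common misalignments: recovery that takes longer than
the business can tolerate, and backups too infrequent for the promised RPO.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass
class SystemPlan:
    name: str
    mtd: Optional[timedelta]              # Maximum Tolerable Downtime
    rto: Optional[timedelta]              # Recovery Time Objective
    rpo: Optional[timedelta]              # Recovery Point Objective
    backup_interval: Optional[timedelta]  # how often a restorable copy is taken


def hours(td: timedelta) -> str:
    """Render a timedelta as hours for readable findings, e.g. '4h' or '24h'."""
    return f"{td.total_seconds() / 3600:g}h"


def review_plan(plan: SystemPlan) -> List[str]:
    """Return the list of red flags for one system (empty list means consistent)."""
    issues: List[str] = []
    for field in ("mtd", "rto", "rpo"):
        if getattr(plan, field) is None:
            issues.append(f"{field.upper()} not documented")
    # Recovery must complete within the downtime the business can tolerate.
    if plan.mtd is not None and plan.rto is not None and plan.rto > plan.mtd:
        issues.append(f"RTO {hours(plan.rto)} exceeds MTD {hours(plan.mtd)}")
    # Data loss is bounded by backup frequency: the RPO cannot be shorter than
    # the interval between backups.
    if plan.rpo is not None:
        if plan.backup_interval is None:
            issues.append("backup interval unknown; RPO cannot be verified")
        elif plan.backup_interval > plan.rpo:
            issues.append(
                f"backups every {hours(plan.backup_interval)} cannot meet "
                f"RPO of {hours(plan.rpo)}")
    return issues


def review_bcp(plans: List[SystemPlan]) -> Dict[str, List[str]]:
    """Review every system and map its name to its red flags."""
    return {plan.name: review_plan(plan) for plan in plans}


# Constructed sample BCP entries.
SAMPLE_PLANS = [
    # The article's case: daily backups cannot deliver a 4-hour RPO.
    SystemPlan("payments", timedelta(hours=8), timedelta(hours=4),
               timedelta(hours=4), timedelta(days=1)),
    # Recovery objective longer than the tolerable outage.
    SystemPlan("email", timedelta(hours=24), timedelta(hours=48),
               timedelta(hours=24), timedelta(hours=24)),
    # Critical information missing entirely.
    SystemPlan("intranet", timedelta(hours=72), None, None, timedelta(days=7)),
    # Consistent entry.
    SystemPlan("crm", timedelta(hours=24), timedelta(hours=8),
               timedelta(hours=1), timedelta(minutes=15)),
]

if __name__ == "__main__":
    for name, issues in review_bcp(SAMPLE_PLANS).items():
        print(name, "->", issues or "OK")
```

The script only checks internal consistency of what the plan says; whether the stated RTO and RPO are achievable is what the tests discussed in the next paragraph are for.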

There are numerous ways to test BCPs, ranging from checklist reviews and tabletop exercises to simulated emergencies. Executive management should review test results and find evidence of continuous improvement.

What percentage of our information has a classification label attached, when was the last audit conducted, and what were the results?

Information classification is a pillar of information security. It is generally not practical to secure all information as if it were the most sensitive in the organization. Instead, information should be labelled. Policies, procedures, and employee training can then focus on how information of various classifications should be handled, processed, and stored.

A good metric for management is the percentage of information that is labelled in accordance with policy. Even small audits using a sampling approach can provide management with valuable insight.

What percentage of notebooks, USB sticks, and other mobile devices are encrypted? What are the recent audit reports?

Virtually every operating system used on business computers, phones, and tablets includes encryption functionality for free. Encrypted USB sticks are more expensive, but costs are declining and some products such as the Apricorn Aegis line are exceptionally easy to deploy and use.

Given the potential for reputational and monetary damages, there is simply no excuse for failing to encrypt data. In addition to policy requirements and incorporating encryption into employee training, regular audits should be conducted.

How many malware infections have we experienced in the past 12 months? How many were ransomware? What are we doing about it?

Organizations of all sizes continue to struggle with malware, and it is difficult to prevent all infections. However, management needs to understand the overall trend to determine whether the existing policy, standards, training, and technical controls are adequate.

Ransomware incidents continue to escalate due to strong profit motives. While directive and technical controls help to mitigate the risk, backups and disaster recovery plans are the final line of defence. Organizations of all sizes must be capable of restoring all business-critical data in the event of a major malware event.

About this author

Eric Jacksch

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world's largest banks, governments, automakers, insurance companies and postal organizations. Eric is a regular columnist for IT in Canada and was a regular columnist for Monitor Magazine and has contributed to several other publications.
