Assume you have been employed as a corporate governance consultant by a company listed on the Australian Stock Exchange and ranked within the ASX 200. The Chairman of the company has decided to address the issue of cyber security at the company board level.
As an initial step in the process of improving the cyber resilience of the company the Chairman has employed you to prepare a report that critically analyses how the company can best integrate its cyber security and resilience protocols to ensure continued corporate survival and improved business performance. The Chairman has requested that you submit a report providing examples of best practice and a clear set of recommendations on how the company should initiate a cyber resilience policy at the corporate board level. Your report will be tabled at the next board meeting for board members to review and evaluate your recommendations.
Cyber security, or information technology security, is the practice of protecting networks, computers, programs and data from attack, damage or unauthorised access intended for exploitation. In a computing context, security covers both cyber security and physical security.
One of the most challenging aspects of cyber security is that the risk landscape changes quickly and constantly. The conventional approach has been to concentrate most resources on the most critical assets to guard against major threats, which leaves less critical components and even minor threats unprotected. This approach is inadequate in the present environment.
Cyber security demands focus and dedication. Cyber security professionals face challenges that include kill chains, zero-day attacks, ransomware, alert fatigue and budgetary constraints. They need a strong understanding of these topics and many others in order to tackle those challenges efficiently.
According to Forbes, the worldwide cyber security market reached $75 billion in 2015 and is projected to reach $170 billion by 2020.
Various elements of cyber security
Cyber security has several elements, including: 1. application security, 2. information security, 3. network security and 4. disaster recovery / business continuity planning.
Application security involves measures applied throughout the development life-cycle to protect applications from risks arising from flaws in application design, development, deployment, upgrade or maintenance (Hashim et al., 2016). Methods used for application security include:
- Input parameter validation
- User/role authentication and authorisation
- Session management, parameter management and exception management
- Auditing and logging
Information security protects information from unauthorised access in order to prevent identity theft and to protect privacy. Techniques used for this include:
- Identification, authentication and authorisation of users
- Cryptography
Network security comprises measures to protect the usability, reliability, integrity and safety of the network. Effective network security targets a variety of threats and stops them from entering or spreading across the network (Leclair, 2015). Network security components include:
- Antivirus and anti-spyware
- Firewalls to block unauthorised access to the network
- Intrusion Prevention Systems (IPS), to identify fast-spreading threats such as zero-day or zero-hour attacks (Group, 2017).
- VPNs to provide secure remote access
Disaster recovery is a process that involves performing risk analysis, establishing priorities and developing recovery plans to protect against any kind of disaster. Every business should establish disaster recovery measures so that routine business operations can resume as quickly as possible after a disaster (Stitilis et al., 2017).
Cyber Resilience Principles for Board
Responsibility for cyber resilience: The board is ultimately accountable for the oversight of cyber risk and resilience. The board may delegate primary oversight to a standing committee (e.g. a risk committee or cyber resilience committee).
Command of the subject: Board members are educated about the various aspects of cyber resilience on joining the board and are updated regularly on the latest threats and trends.
Accountable officer: The board nominates one corporate officer to report on the organisation's capability to manage cyber resilience and to recommend steps for implementing cyber resilience objectives. The officer has regular access to the board, knowledge of the subject, and adequate authority, expertise and resources to perform these duties.
Integration of cyber resilience: The board ensures that management integrates cyber resilience and cyber risk assessment into overall business strategy and into budgeting and resource allocation (SBS Team, 2017).
Risk assessment and reporting: The board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item at review meetings. The assessments are validated using the cyber risk framework.
Resilience plans: The board ensures that management supports the officer accountable for cyber resilience in the creation, implementation, testing and ongoing improvement of cyber resilience plans, which are properly coordinated across every part of the business. The nominated officer monitors performance and reports on it to the board on a regular basis.
Community: The board encourages management to collaborate with other stakeholders, as relevant and appropriate, to promote systemic cyber resilience.
Review: The board ensures that a formal, independent cyber resilience review of the organisation is carried out annually.
Effectiveness: The board periodically assesses its own effectiveness in implementing these principles, or seeks independent advice for continuous improvement (ASIC, 2016).
Embedding cyber resilience
Determine the degree of exposure to cyber risk: Identify the information and other assets, such as intellectual property, personnel and financial information, that are critical to the organisation. Ensure that any cyber incident is dealt with appropriately and effectively. Regularly review the level of awareness of cyber risk within the organisation.
Develop and implement measures to protect the organisation: Continually update the company's security policies and procedures, including monitoring and reviewing policies and processes. Recognise that cyber security is about people as well as technology, so everyone involved must be properly trained. This includes:
- Raising awareness of cyber security threats and vulnerabilities in a broader context in order to engage personnel (Vai et al., 2016).
- Presentations, role plays and exercises on cyber security matters, to increase engagement and attention.
- Tasking other departments to support the IT security department.
Position the resources (both personnel and technological) needed to detect a cyber breach early. Implement and continually improve processes and procedures for timely monitoring. Collaborate with peer groups and agencies to strengthen the organisation's cyber intelligence capabilities (Wilding, 2016).
Plan and prepare for response to, and recovery from, a cyber intrusion: Implement and repeatedly test a data breach response plan. Implement and regularly review business continuity and disaster recovery measures, such as storing data in the cloud (Conclin, 2017).
Board Cyber Risk Framework
The evaluation of cyber risk informs the overall cyber security programme by providing the information needed to prioritise risk management actions within it. The board needs to understand and evaluate the following:
- The organisation's current risk tolerance in relation to its cyber threats and business plans.
- Cyber threats faced by the organisation
- Threat management or mitigation actions and their associated costs (Ellisen, 2017).
- Residual cyber risk portfolio after threat management or mitigation actions
The procedure is described under the following headings:
- Review of the cyber risk portfolio
- Guidance on the applicability of the framework
- Overview of risk benchmarking (HPE, 2016).
The following issues are critical when a board reviews the cyber risks that can affect the organisation:
- Cyber risk tolerance level/risk appetite: The board must align the overall risk tolerance standards with the executive team. The board and the executive team together must address the long-term sustainability requirements of the shareholders the board represents. The discussion should take into account future strategic issues, the likely market conditions and the competitive position of the organisation. It must consider the organisation's capacity to withstand material threats and balance the value of the retained risk against the probable return that comes with it. The conventional risk of doing business includes different types of risk, from traditional risk types like credit risk to new risks like cyber risk. Consequently, the risk tolerance for each type, and for cyber risk in particular, must be determined (Campbell & Lautenbach, 2017).
- Cyber risk identification prior to management actions: The executive committee presents the company's cyber risk portfolio to the board. The portfolio should take legal, operational, financial, strategic and reputational considerations into account. It will generally consist of a significant set of cyber risks, each rated on two key factors, risk probability and risk impact, both of which can vary widely.
- Risk management actions: After evaluating the existing cyber risks and agreeing on their probability and impact, the board must assess the risk management actions that have been proposed. These actions form part of the organisation's cyber security programme. Possible types of management measures include:
- Mitigation actions: each mitigation action has an associated budget and an expected reduction of risk.
Risks can be mitigated through technical, physical, managerial and administrative capabilities. Examples include: risk controls targeting people and culture, such as employee training; organisational risk controls such as regulatory policies, governance, and sharing of intelligence across industries, or mutual assistance and coordinated responses; administrative risk controls, such as asset inventories and risk classification; and technical risk controls such as firewalls, detection capabilities, recovery capabilities and physical access controls.
- Transfer actions: transfer of risk through insurance contracts in the risk market.
- Acceptance actions: risks that are minor or cannot be reduced effectively may be accepted.
- Avoidance actions: risks that fall outside the organisation's risk tolerance are avoided (e.g. a product being withheld from the market).
The board must identify the actions to be taken and those that are deliberately not taken. The executive committee must prioritise the risks and determine whether the actions taken are the most effective options (Ellisen, 2017).
- Residual risk portfolio: The residual portfolio is the level of risk that the board accepts on behalf of the shareholders and stakeholders. Applying risk management measures to the identified cyber risks changes the organisation's actual risk exposure, and the residual risks are the end result. The board must ensure that the total residual portfolio plus the budget for risk mitigation, avoidance and transfer is less than the risk tolerance level outlined above. The board should also ensure that management places the residual cyber risk within the organisation's operational risk portfolio and updates it regularly.
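As an added example (not part of the report or any of its sources), the following Python sketch applies the framework above to a constructed risk register: each risk carries a probability and impact, one of the four action types with its budget and expected reduction, and the board check that residual exposure plus the action budget stays within the agreed tolerance, together with a flag for actions that cost more than the risk they remove. All risk names, figures and the tolerance are assumptions.

```python
from dataclasses import dataclass

# Constructed cyber risk register for this example (not from the report).
# probability: annual likelihood; impact: loss in dollars if it occurs;
# action: accept | mitigate | transfer | avoid; cost: the action's budget
# (control spend, premium, or value foregone); reduction: fraction of the
# expected loss the action removes.
@dataclass
class Risk:
    name: str
    probability: float
    impact: float
    action: str = "accept"
    cost: float = 0.0
    reduction: float = 0.0

    def inherent(self) -> float:
        """Expected annual loss before any management action."""
        return self.probability * self.impact

    def residual(self) -> float:
        """Expected annual loss after the chosen action."""
        if self.action == "avoid":
            return 0.0
        if self.action == "accept":
            return self.inherent()
        return self.inherent() * (1.0 - self.reduction)

def evaluate_portfolio(risks: list, tolerance: float) -> dict:
    """Board check: residual portfolio plus action budget must be within tolerance."""
    residual = sum(r.residual() for r in risks)
    budget = sum(r.cost for r in risks if r.action != "accept")
    return {
        "inherent": sum(r.inherent() for r in risks),
        "residual": residual,
        "budget": budget,
        "total": residual + budget,
        "within_tolerance": residual + budget <= tolerance,
    }

def inefficient_actions(risks: list) -> list:
    """Actions costing more than the expected loss they remove; accepting is cheaper."""
    return [r.name for r in risks
            if r.action != "accept" and r.cost > r.inherent() - r.residual()]

SAMPLE_REGISTER = [
    Risk("Ransomware", 0.22, 2_000_000, "mitigate", 150_000, 0.7),
    Risk("Phishing", 0.18, 500_000, "mitigate", 40_000, 0.5),
    Risk("Third-party data breach", 0.044, 3_000_000, "transfer", 60_000, 0.6),
    Risk("Website defacement", 0.025, 100_000),  # accepted as-is
    Risk("Legacy product exposure", 0.10, 1_000_000, "avoid", 80_000),
    Risk("Laptop theft", 0.039, 50_000, "mitigate", 5_000, 0.8),
]
TOLERANCE = 600_000  # constructed board risk tolerance, dollars per year

if __name__ == "__main__":
    print(evaluate_portfolio(SAMPLE_REGISTER, TOLERANCE))
    print("reconsider:", inefficient_actions(SAMPLE_REGISTER))
```

With these figures the residual portfolio (232,690) plus the action budget (335,000) is within the 600,000 tolerance, while the laptop-theft control is flagged because its cost exceeds the expected loss it removes.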
Impact of cyber security incidents on businesses

| Cyber security incident | Percentage of respondents who experienced the incident (%) |
|---|---|
| Data breach at a third-party provider/supplier | 4.4 |
| Data loss/theft of critical information | 5.3 |
| Denial of service attack | 9.1 |
| Brute force attack | 2.9 |
| E-mail address or website blacklisted | 5.6 |
| Trojan/malware infections | 17.5 |
| Phishing/targeted malicious e-mails | 18.2 |
| Ransomware | 22.0 |
| Theft of laptop or mobile device | 3.9 |
| Unauthorised access to data by an outside user | 3.6 |
| Unauthorised access to data by an internal user | 3.7 |
| Unauthorised alteration of data | 1.3 |
| Website defacement | 2.5 |
Considerations when purchasing cyber risk insurance
- Whether the policy provides cover for notification costs and liabilities under the mandatory data breach reporting scheme set out in the Privacy Amendment Bill 2015.
- Whether the insurer offers pre-breach training or cyber incident response services (giving insured organisations access to IT specialists, forensic auditors, public relations experts and lawyers) (Fuller, 2017).
- The availability of value-added services such as credit monitoring, to help organisations build and maintain goodwill with customers following a data breach.
- Policy exclusions for liability assumed under contract. Under Australian common law there is no cause of action for breach of privacy, so third-party liability claims can be brought against insured organisations under contract. Organisations should therefore identify any exclusions in the policy that could apply to such contractual claims.
Future of cyber resilience
The World Economic Forum anticipates that the tools and principles described above will provide the means through which boards and business leaders can take appropriate steps to ensure that their organisations adopt cyber resilience plans. In the coming years, the Forum will continue to offer insight and promote various approaches, including the following:
Continual improvement: These tools are not the final word on cyber resilience governance and policy. Rather, through planning with partners, the Forum intends to serve as the platform for constant iteration and improvement of governance and management tools. The tools will be iterated, with continued expansion of the Cyber Risk Framework.
Partnership: Digital networks connect organisations across the country and across borders. The Forum will continue to work with corporations to promote cyber resilience among boards and senior executives (KRG, 2017).
Public-private cooperation: The Forum will engage stakeholders to ensure that cyber security and resilience are a matter of collaboration among government, industry and society.
Leadership: The worldwide growth of digital networking means that the tools used to promote the private sector's cyber resilience should be adapted to serve the public sector and society as well. The Forum will continue to expand these tools to support a wide range of leaders.
Implementing effective cyber security measures at the national, individual and organisational level will help promote economic growth and prosperity in our country, and ensure that industries and the individuals who contribute to them can operate within a secure cyber environment.
This year's survey revealed a very large jump in C-level executives taking accountability for the majority of security breaches in Australia. The rise from 19.5% to 60% is the biggest year-on-year change observed and is in line with the rest of Asia, which rose from 35% to 65%. There has been an improvement in the resources businesses can draw on to guide their path to greater resilience. Many organisations are adopting cyber security frameworks, strategies and standards. These resources are updated regularly and contain sound recommendations that most organisations can apply to real circumstances.
ASIC, 2016. Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd., Available at: https://www.asic.gov.au/media/3563866/rep-468-published-7-march-2016.pdf?utm_source=report-468&utm_medium=landing-page&utm_campaign=pdfdownload
Campbell, N. & Lautenbach, B., 2017. Telstra Cyber Security Report 2017: Managing risk in a digital world, Available at: https://www.telstraglobal.com/images/assets/insights/resources/Telstra_Cyber_Security_Report_2017_-_Whitepaper.pdf
Conclin, W., 2017. Cyber-Resilience: Seven Steps for Institutional Survival. The EDP Audit, Control, and Security Newsletter, 55(2), pp.14-22.
Ellisen, M., 2017. Perspectives on cyber risk 2017, Available at: https://forms.minterellison.com/files/Uploads/Documents/Publications/Articles/CyberReport2017.pdf
Fuller, B., 2017. 5 Considerations When Purchasing Cyber Insurance, Available at: https://www.cio.com/article/3202079/security/5-considerations-when-purchasing-cyber-insurance.html
Group, T.B.C., 2017. Advancing Cyber Resilience: Principles and Tools for Boards, Available at: https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf
Hashim, M., Masrek, M. & Yunos, Z., 2016. Elements in the cyber security framework for protecting the Critical Information Infrastructure against cyber threats, Available at: https://www.researchgate.net/publication/309262805_Elements_in_the_cyber_security_framework_for_protecting_the_Critical_Information_Infrastructure_against_cyber_threats
HPE, 2016. Advance the fight against cyber threats, Available at: https://hpe-enterpriseforward.com/wp-content/uploads/2016/04/4AA5-8351ENW.pdf
KRG, 2017. 6 Considerations When Buying Cyber Insurance, Available at: https://krginsure.com/wp-content/uploads/2017/05/Coverage-Insights-6-Considerations-When-Buying-Cyber-Insurance.pdf
Leclair, J., 2015. National cybersecurity report. National cybersecurity institute journal, 1(3), pp.1-68.
SBS Team, 2017. Advancing Cyber Resilience. Principles and Tools for Boards, Available at: https://www.sbs.ox.ac.uk/cybersecurity-capacity/content/advancing-cyber-resilience-principles-and-tools-boards
Stitilis, D., Pakutinskas, P., Laurinaitis, M. & Castel, I., 2017. A model for the national cyber security strategy. The lithuanian case. Journal of security and sustainable issues, 6(3), pp.1-16.
Vai, M. et al., 2016. Secure Embedded Systems. Lincon Lab journal, 1(9), pp.1-13.
Wilding, N., 2016. Cyber resilience: How important is your reputation? How effective are your people? Business Information Review, 33(2).