General
When did we do our last data inventory check?
Secure Development
Do we follow secure SDLC? Is security looked into from the scratch?
What is the cycle of application testing?
What are the most major security vulnerabilities/flaws existing and what how can we implement them?
Where does our organization's security stand compared to our competitors? Benchmarking!
Security Program-How to Measure, Monitor? What is Response Time, Response Plan, Disaster Recovery Plan?
What are the Training programs and plans? How can we measure its effectiveness?
Cloud Security-
What kind of data can be accessed over our clouds and how are they segregated in terms of access?
How do we monitor and detect malicious/unauthorized activities over our cloud platforms?
How are the cloud data accesses managed?
How are the vendor risks associated with cloud handled?
Network Security-
How secure are our networks? What is protected and unprotected over it?
Can we track any unusual activity, if not which are the ones? How sensitive are the remaining?
Can it prevent data leaks, document loss and detect the exact activity and user of the activity?
Do we have security policies in place for incidents and how aware are the employees of the policies?
*check for some network threat reports
3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?
4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?
https://www.trustwave.com/Resources/Trustwave-Blog/10-Questions-for-Your-CISO/
https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
---------------------------------------------------------------------------------------
1. Do you understand our wider business strategy?
2. Have you aligned our cyber security approach to our organizational strategy?
3. What are the gaps?
4. How are you evolving our cyber security approach to match the changing risk landscape?
http://www.ey.com/GL/en/Services/Advisory/Cyber-security---Steps-you-should-take-now
---------------------------------------------------
1. Are you documenting your relationships with third-party vendors and are third party vendors being required to incorporate security controls?
2. Do we have an in-depth, comprehensive and relevant policies and procedures documentation to encourage company-wide buy in, support and increased awareness?
3. Should a security incident occur, do we have a team in place to assist at all levels?
4. What security training is or should be offered for all employees?
5. How are you protecting our organization from threats to our systems and facilities?
6. Is there a risk management group that gathers regularly to discuss physical and local security issues?
7. Is there an inventory of all IT assets? Is there a schedule for the decommissioning of old systems?
8. Is security built into our IT and application development lifecycles?
9. How is our wireless network structured?
10. What security investments should we consider? Are we an early adopter or is this a widespread practice?
https://www.trustwave.com/Resources/Trustwave-Blog/10-Questions-for-Your-CISO/
------------------------------------------------------
1. Who is accountable for protecting our critical information?
2. How do we define our key security objectives to ensure they remain relevant?
3. How do we evaluate the effectiveness of our security program?
4. How do we monitor our systems and prevent breaches?
5. What is our plan for responding to a security breach?
6. How do we train employees to view security as their responsibility?
7. How do we take advantage of cloud computing and still protect our information assets?
8. Are we spending our money on the right things?
9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner?
10. How do we meet expectations regarding data privacy?
----------------------------------------------------------
1. Can we identify unusual user or network activity to cloud services
2. Can we track who accesses what cloud-hosted data and when?
3. How are we protecting against insider attacks at the cloud service providers?
4. How do we know unprotected sensitive data is not leaving the corporate network?
5. Can we reduce surface area of attack by limiting access based on device and geography?
-------------------------------------------------
1. When did we last do a data inventory?
2. Can you give me the what, where, who, and why for all our data assets?
3. How are we protecting the systems that store our sensitive data?
4. How is the efficacy of our security systems being measured?
5. Can you show me your risk assessment for our various data assets?
6. Can you show me any security or network reports?
7. Do we have an incident response and disaster recovery plan?
8. Have all our employees received security awareness training?
9. Do we have a software and hardware asset lifecycle?
10. Who’s ultimately accountable for your organisation’s information security?
--------------------------------------
1) How Is Our Executive Leadership Informed About the Current Level and Business Impact of Cyber Risks to Our Company?
2) What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?
3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?
4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?
5) How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?
https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
Comments