
[Chinese] The Financial Impact of Cyber Security Risk – 50 Questions Every CFO Should Ask

The American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) recently jointly released a white paper, The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask. The white paper stresses how much cyberspace security matters to the United States as a nation and to its social and economic organizations. It argues that assessing and understanding the financial impact of cyber security risk on an organization is a challenging task. The white paper is meant to help CFOs understand and communicate the financial impact of cyber security.

Below are the 50 questions from the white paper, addressed respectively to the Chief Legal Counsel, the compliance officer, the business operations and technology teams, the external communications and crisis management teams, and the risk manager for corporate insurance. If you are interested in the full text, please leave your email address.

CHAPTER 1
KEY QUESTIONS FOR YOUR CHIEF LEGAL COUNSEL
1.1 Have we analyzed our cyber liabilities?
1.2 What legal rules apply to the information that we maintain or that is kept by vendors, partners and other third parties?
1.3 Have we assessed the potential that we might be named in class action lawsuits?
1.4 Have we assessed the potential for shareholder suits?
1.5 Have we assessed our legal exposure to governmental investigations?
1.6 Have we assessed our exposure to suits by our customers and suppliers?
1.7 Have we protected our company in contracts with vendors?
1.8 What laws apply in different states and countries in which we conduct business?
1.9 Have we assessed our exposure to theft of our trade secrets?
1.10 What can we do to mitigate our legal exposure and how often do we conduct an analysis of it?

CHAPTER 2
KEY QUESTIONS FOR YOUR COMPLIANCE OFFICER
2.1 Have we inventoried what regulations we must comply with?
2.2 Do we understand what regulated data we have, where it exists and in what format?
2.3 Are there valid business reasons for collecting the data, if not required by regulations?
2.4 How do we track and monitor compliance on an ongoing basis?
2.5 Do we have regulatory risk with vendors / companies we do business with?
2.6 Are all of our procedures and policies with respect to our regulatory obligations documented?
2.7 Are there (regulatory) requirements we can or have considered opting out of?
2.8 Are there processes and procedures in place regarding data retention and data destruction?
2.9 Does the organization have processes to review and update privacy policies and disclaimers to customers?
2.10 Are we complying with what our privacy policy says?

CHAPTER 3
KEY QUESTIONS FOR YOUR BUSINESS OPERATIONS AND TECHNOLOGY TEAMS
3.1 What is our biggest single vulnerability from a technology or security point of view?
3.2 How vulnerable are we to attack on the confidentiality, integrity and availability of our data and systems?
3.3 If our system goes down, how long until we are back up and running and are there circumstances where we do NOT want to be back up quickly?
3.4 Where do we stand with respect to any information security/technology frameworks or standards that apply to us?
3.5 Do we have the proper staffing to reasonably maintain and safeguard our most important assets and processes?
3.6 What is the assessment of physical security controls at each of our sites (data center, home office, field offices, and other sites)?
3.7 How prepared are our incident response and business continuity plans?
3.8 What is our risk exposure of technology or business operations failures at our vendors and service providers?
3.9 What is the maturity of our information classification and management program?
3.10 How often are we re-evaluating our technical exposures?

CHAPTER 4
KEY QUESTIONS FOR YOUR EXTERNAL COMMUNICATIONS AND CRISIS MANAGEMENT TEAMS
4.1 Do we fully understand the overall financial impact of mishandling communications with our key stakeholders following a cyber security event?
4.2 Have we evaluated the appropriate communication responses to our key stakeholders?
4.3 Do we have a documented, proactive crisis communications plan?
4.4 Have we identified and trained all of the internal resources required to execute the communications plan?
4.5 Do we have a template timeline for executing the communications plan?
4.6 Do we have contacts at specialist crisis communications firms if we need their services?
4.7 In the case of a cyber security event involving personally identifiable information (PII), do we have a system in place to quickly determine who should be notified, and how?
4.8 Have we considered that, depending on the situation, we may need to craft different messages for different types or levels of clients or employees?
4.9 Have we implemented improvements as a result of an actual execution (real or mock) of the plan?
4.10 Have we budgeted for a cyber security event?

CHAPTER 5
KEY QUESTIONS FOR YOUR RISK MANAGER FOR CORPORATE INSURANCE
5.1 Doesn’t the company already have insurance coverage for this?
5.2 What does cyber risk insurance cover?
5.3 What types of cyber security events are covered by this insurance and how are our insured losses measured?
5.4 Does the policy specifically cover identity theft issues?
5.5 Is there a Directors’ & Officers’ exposure if we do not purchase the cover?
5.6 Where do we find an insurance broker who can assist in evaluating whether we need this type of insurance?
5.7 How do we know what insurance carrier to consider with respect to this insurance?
5.8 Have there been losses in this area?
5.9 What does a policy cost?
5.10 What are the other benefits of our purchasing a specific cyber risk insurance policy?
