Recently one of your clients in the financial services sector had its ICT system hacked and large sums of depositors’ funds stolen. He called and informed you about what happened. You intimated to him that his company needs a cyber security policy and a cyber security audit. He requested a briefing on the issue.
Required:
i) Outline the purposes of cyber security policy. (5 marks)
Solution:
- Organisations that use electronic systems to conduct business need a cyber security policy and strategy. By design, cyber security policies serve many purposes, including informing the organisation’s users and third parties of their obligations to protect the organisation’s digital assets.
- The policy describes what must be protected and outlines the possible threats to those assets. It also states what constitutes acceptable use; for example, employees may not use the organisation’s internet connection outside office hours or for private work.
- Another element of a cyber security policy is the classification of digital assets, under which system files, data and equipment are classified as either confidential or non-confidential.
- A good cyber security policy recognises that employees are the biggest security threat to an organisation, because their wilful action or inaction can cause damage.
- It provides mitigations such as restricting access to qualified persons only, logging usage of the system and making it mandatory for employees to change their passwords periodically.
ii) Explain cyber security audit and what it is intended to achieve. (5 marks)
Solution:
A cyber security audit is a formal process of carrying out a cyber security assessment. It is performed by a certified third party, such as an independent organisation or consultant. Cyber security audits usually involve an external assessment to ascertain the level of cyber risk an organisation is exposed to.
The audit covers areas such as digital asset management, cyber security awareness training, data security, resource planning, and information and communication.
What it is intended to achieve:
- When done properly, a cyber security audit helps the organisation understand what risks to its information systems and software exist in its particular situation.
- It helps prioritise those risks and align the organisation’s information protection with the requirements of the relevant central authority, such as the Data Commission, the Communications Authority or even the central bank, and with external security frameworks such as the cyber security framework of the National Institute of Standards and Technology (NIST) of the USA, the European Union Agency for Network and Information Security (ENISA), and the ISO/IEC 27000 family of standards on information security management systems.
- Once the audit and assessment are completed, the reviewer provides a detailed report articulating the gaps or vulnerabilities in the organisation’s security profile.
- The tangible outcome of a cyber security audit is a clear-cut road map that is expected not only to improve cyber security readiness but also to ensure long-term compliance and a robust system of risk management.