Voici un document du National Association of Corporate Directors (NACD) qui aborde une question cruciale sur le rôle des conseils d’administration en matière de prévention et de réactions à la suite de problèmes de sécurité informatique.
Le document de 10 pages est disponible gratuitement sur le site du NACD si vous vous inscrivez. Je vous invite à prendre connaissance des principales questions qu’un administrateur devrait poser à la direction.
Voici un extrait de l’article, notamment les questions concernant la planification d’une attaque à la sécurité, et d’autres questions concernant les mesures à prendre à la suite de ces problèmes.
Ten Questions Directors Can Ask Management in Planning for a Breach
- How will we know we have been hacked or breached, what makes us certain or how will we find out?
- What are best practices for cybersecurity and where do our practices differ?
- In management’s opinion, what is the biggest weakness in our IT systems? If we wanted to deal the most damage to the company, how would we go about it?
- Does our external auditor indicate we have deficiencies in IT? If so, where?
- Where do management and our IT team disagree on cybersecurity?
- Were we told of cyber attacks that already occurred and how severe they were? For significant breaches, is the communication adequate as information is obtained regarding the nature and type of breach, the data impacted, and potential implications to the company and the response plan?
- What part of our IT infrastructure can contribute to a significant deficiency or material weakness?
- What do we consider our most valuable assets; how does our IT system interact with those assets; do we think there is adequate protection in place if someone wanted to get them or damage them; what would it take to feel comfortable that they were protected? Do we believe we can ever fully protect those assets? How should we monitor the status of their protection?
- Are we investing enough so our corporate operating and network systems are not easy targets by a determined hacker?
- Where can we generate more revenue and marginal profitability by making changes in IT?
Ten Questions Directors Can Ask Management Once a Breach Is Found
- How did we learn about the breach? Were we notified by an outside agency or was the breach found internally?
- What do we believe was stolen?
- What has been affected by the breach?
- Have any of our operations been compromised?
- Is our crisis response plan in action, and is it working as planned?
- Whom do we have to notify about this breach (materiality), whom should we notify, and is our legal team prepared for such notifications?
- What steps is the response team taking to ensure that the breach is under control and the hacker no longer has access to the internal network?
- Do we believe the hacker was an internal or external actor?
- What were the weaknesses in our system that allowed it to occur (and why)?
- What steps can we take to make sure this type of breach does not happen again,