Technique 2.104 Checklist for Handling Cyber Risk
Introduction
Below is a checklist for evaluating the effectiveness of your cyber risk strategy and its implementation.
1. Set clear roles and responsibilities
   - document, where possible, who has responsibility for cyber security
   - appoint a cyber champion to promote cyber resilience and respond to questions
   - consider whether a director, or group of directors, should be more actively involved in overseeing cyber security
   - collect data, where possible, on the effectiveness of cyber risk practices

2. Develop, implement and evaluate a comprehensive cyber strategy
   - utilise appropriate assessment tools to identify cyber security strengths in your organisation and understand areas for improvement
   - assess whether utilising reputable external providers will enhance cyber resilience over managing it in-house
   - assess whether there is certain data that does not need to be collected
   - establish a system to determine who should have access to what
   - regularly repeat cyber security training and awareness activities for all staff
   - promote strong e-mail hygiene

3. Embed cyber security in existing risk management practices
   - patch and update applications and anti-virus software
   - configure Microsoft Office macro settings to allow macros only from trusted locations
   - harden user applications
   - limit interaction between Internet applications and business systems
   - limit or restrict access to social media and external e-mail accounts
   - restrict use of USB or external hard drives
   - restrict operating system and software administrative privileges
   - implement multi-factor authentication
   - maintain off-line backups of key data
   - ensure that departing staff no longer have access to systems and passwords

4. Promote a culture of cyber resilience
   - implement mandatory training and phishing testing for all staff where appropriate
   - select a staff member to be the 'cyber security leader', to promote strong cyber practices and respond to questions from staff
   - be affiliated with the appropriate regulatory authority
   - stay updated about emerging cyber threats

5. Plan for a significant cyber security incident
   - prepare an incident response plan, utilising online templates if appropriate
   - conduct practical simulation exercises or test various scenarios against the incident response plan
   - ensure that physical backups of key data and systems are regularly updated and securely stored
   - maintain off-line lists of who may assist in the event of a significant cyber security incident and which key stakeholders to communicate with
(source: AICD et al., 2022)