Pub. 14 2019-2020 Issue 3

WWW.NEBANKERS.ORG 16

TECH TALK
Reporting Critical Information Security Areas Upstream
Terry Kuxhaus, Sr. Information Security Consultant – SBS CyberSecurity, LLC

One of the most critical aspects of any Information Security Program (ISP) is communication and sharing information. This is especially true with executives and the board of directors, who need to be educated and informed on all aspects of information security so they can ask better questions and make appropriate decisions. If the top level of the organization better understands the risks and their potential impact, it will help build a stronger information security culture throughout the organization.

Asking Better Questions

Before we dive into the type of information from your ISP that should be shared upstream, let's talk about how to get directors and senior management to ask better questions. The foundation of your ISP is your risk assessments. However, your directors and senior management often don't know what to look for in these assessments. Share this question set with your top-level folks to encourage them to ask more meaningful questions:

1. What are our most important things - IT assets, vendors, business processes, etc.?
2. What are our most risky things? This can be measured as inherent risk (before controls) or residual risk (after controls).
3. Have we set goals around acceptable levels of risk for IT assets, vendors, business processes, etc.?
4. If we have goals, are we meeting those goals?
5. What are our next steps?

These simple questions will help them get to the areas of most concern to the organization, make better decisions, and identify where you need to spend your next information security dollar.

What Information Should Be Shared?

A challenge many organizations face is determining what information should be shared with the board of directors and senior management. The above question set should be a building
