Risk Management & Reporting

Cyber security compliance without tears

An increasing number of regulations and standards across many different industries are stipulating the cyber security controls that should be implemented by businesses and governments to protect their information. A recent collaboration between the Monetary Authority of Singapore (MAS) and the Bank of England (BofE) has seen them develop best practices for supervising cyber risk in banks and financial organisations. Standards are a great way to consistently explain the security target organisations should strive for, where they have a requirement to protect sensitive information like credit card numbers and personally identifying information.  However, the issues relating to achieving cyber security compliance almost put the targets out of reach.

Read More

Cyber security audits and maturity model measurement

Australia’s Federal Government Attorney-General’s Department is taking a new approach to cyber security audits when assessing cybersecurity preparedness in government. Until recently, each department’s security controls were audited against the Protective Security Policy Framework (PSPF), with adherence to controls recorded as either a yes or no answer.

Read More

Scrub up – good security starts with cyber hygiene

Squeaky clean cyber hygiene has never been more important. Several Victorian hospitals in Australia were recently hit by a ransomware attack, causing many of their most important administrative systems to be shut down to prevent the malware from spreading. Included in those areas of the business affected by this attack were systems running their financial management, internet and email services, many of which have taken over a week to restore.

Read More

The difference between PIs and KPIs in cyber security

The difference between “performance indicators” (PIs) and “key performance indicators” (KPIs) seems obvious.  “Key” ones are more important, they are a subset of a larger (and longer) list.

In security, particularly in compliance-driven environments where the information security management system (ISMS) is aligned to a standard, there can be over a hundred controls that must be in place and (ideally) routinely audited, monitoring and reported on.

Read More

Getting the most from security measurement

One common challenge in security is in proving status reports or demonstrating progress against security KPIs – either ongoing operational ones or those that reflect continual improvement (for example, corresponding to a security improvement project).

Read More

Comparing Ways to Measure Security Control Effectiveness

There is a growing range of ways to provide security control metrics and assessments for businesses.  The intended audience of these solutions tends to be non-security people, for example senior board members (for enterprise security and the associated risks) and procurement or risk/compliance managers (for third party security risk exposures) who need an understanding of cyber risk and security control effectiveness to monitor performance, improvements or exceptions.

Read More

Are your Cyber Security Controls effective?

Various factors are converging to influence the need for better management of cyber security risk. Whether it’s to understand the effectiveness of security controls, isolate any weaknesses or to simply acknowledge cyber security as a corporate governance issue; the requirement for greater visibility of an organisation’s cyber security posture is a given.

Read More
1 2 3 4 5