By now there can be no doubt that legal obligations on company directors and officers to discharge their duties with care and diligence extend into the field of cyber security.
As a director or board member, how can you satisfy yourself that you have taken sufficient steps in this regard?
In this article we provide a concise guide to Six Cyber Security Standards which you should know about. Familiarity with these six standards will:
- give you a basic grasp of cyber security issues in your organisation
- allow you to have appropriate conversations with, and ask the necessary questions of, the line management responsible for IT and cyber security.
The six cyber security standards
NUMBER 1: THE AUSTRALIAN SIGNALS DIRECTORATE’S TOP FOUR MITIGATION STRATEGIES TO PROTECT YOUR ICT SYSTEM
The Australian Signals Directorate (ASD) is the Commonwealth’s peak advisory body on cyber security. Its 2012 publication, Top four mitigation strategies to protect your ICT system, sets out four cyber security strategies which it says, if implemented, can address up to 85% of targeted cyber intrusions. The Top four mitigation strategies to protect your ICT system are a subset of a wider suite of ASD’s published cyber security strategies (see ASD’s Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details).
NUMBER 2: THE AUSTRALIAN GOVERNMENT CYBER SECURITY OPERATIONS CENTRE’S QUESTIONS SENIOR MANAGEMENT NEED TO BE ASKING ABOUT CYBER SECURITY
The Cyber Security Operations Centre (CSOC) is a joint agency under the responsibility of the Commonwealth Attorney-General and the Minister for Defence. The CSOC suggests that senior management should be asking the following questions:
- What would a serious cyber incident cost our organisation?
- Who would benefit from having access to our information?
- What makes us secure against threats?
- Is the behaviour of our staff enabling a strong security culture?
- Are we ready to respond to a cyber security incident?
- Has the organisation applied ASD’s top four mitigation strategies? (see Number 1, above).
NUMBER 3: ASIC’S CYBER RESILIENCE: HEALTH CHECK (ASIC REPORT 429)
For directors and officers of corporations and other ASIC regulated entities, this guidance from the regulator should be compulsory reading. The Cyber Resilience: Health Check (ASIC Report 429) contains a number of ‘Health Check Prompts’ which provide useful guidance as to the questions directors and officers can ask in assessing their organisation’s awareness of and preparedness for cyber security issues.
The Report notes:
- for listed entities, a cyber attack may need to be disclosed as market-sensitive information
- cyber risks may need to be disclosed in Product Disclosure Statements.
NUMBER 4: THE OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER’S GUIDE TO SECURING PERSONAL INFORMATION – ‘REASONABLE STEPS’ TO PROTECT PERSONAL INFORMATION
The Privacy Act 1988 (Cth) requires regulated entities to ‘take such steps as are reasonable in the circumstances’ to protect personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure (Australian Privacy Principle (APP) no. 11). But what constitutes ‘such steps as are reasonable in the circumstances’?
The OAIC’s Guide to securing personal information – ‘reasonable steps’ to protect personal information provides useful information and should be read in conjunction with the other documents referred to in this article.
NUMBER 5: THE PAYMENT CARD INDUSTRY’S DATA SECURITY STANDARD (DSS): REQUIREMENTS AND SECURITY ASSESSMENT PROCEDURE
If your organisation processes card payments, it should comply with the PCI Data Security Standard (DSS): Requirements and Security Assessment Procedures. If your organisation outsources card payment processing, your outsourced service provider should comply with this standard.
NUMBER 6: ISO/IEC STANDARDS
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) publish a number of standards used across the IT industry, including specific standards relating to IT security. The key IT and cyber security standards are the ISO 27000 series. These are highly technical and detailed publications, and it is not suggested that directors and officers become experts in these standards and their implementation. However, directors and officers can ask whether their organisation, its suppliers, and third party products and services are compliant with applicable ISO/IEC standards such as ISO 27000. Such compliance will not be necessary or appropriate in all cases, but asking these questions may serve as a useful prompt for a discussion with your IT manager or CIO about whether you, your suppliers and third party products are or should be ISO/IEC compliant.
Your organisation’s most basic (but arguably not sufficient) cyber-security strategy must include the following:
- implement ASD’s top 4 cyber intrusion mitigation strategies
- implement the other ASD published strategies, as applicable
- in respect of any of the ASD strategies that are not implemented, ensure that your organisation has a clearly documented audit trail of the reasons why it decided not to implement a particular strategy. That documentation should include an appropriate risk analysis
- ask CSOC’s six questions of your IT manager or CIO – are you happy with the answers you get?
- apply ASIC’s “Health Check Prompts” to your organisation – what do the outcomes tell you about your organisation’s cyber-preparedness?
- if your organisation collects, stores, handles or processes personal information, ask whether it meets the standards set out in OAIC’s Guide to securing personal information – ‘reasonable steps’ to protect personal information
- if your organisation processes card payments, does it (or its service provider) comply with the PCI Data Security Standard (DSS): Requirements and Security Assessment Procedures?
- does your organisation, its suppliers and third party products meet any applicable ISO/IEC standards, if appropriate?
The Six Cyber Security Standards referred to above are by no means exhaustive. This article is intended as an introductory guide to allow the non-technical director or officer to ask the right questions of those with managerial responsibility for IT and cyber security.
We have not, for example, discussed the publications put out by the Australian Prudential Regulation Authority (APRA). While APRA’s publications are aimed particularly at the banking, insurance and superannuation industries, they are of relevance to a wider audience.1