First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Cybersecurity

Ten considerations for a cybersecurity incident response plan

If you ask a group of cybersecurity experts what should be included in a Cybersecurity Incident Response Plan (“CIRP”), you will get a wide variety of answers. Happily, many of those answers contain similar themes including these ten important considerations your organization should be aware of when creating and managing a CIRP.

 

, , , , ,

Treating cyber as a business problem

Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language.

 

, , , ,

First review of the GDPR: Four findings after four months

With four months of life behind the GDPR, now is an opportune time to review those developments. Indeed, after assessing those four months we can make the following four findings.

 

, , ,

What can employers do to prevent security breaches from the inside?

Until employers start to prioritise information security, then the culture won’t change and employers will continue to make mistakes. But if those mistakes do happen and data is breached, then employers need to be smart and act quickly to ensure the best possible defence is available.

 

, , , , , ,

Why are SOX compliance costs increasing so much?

From a recent survey by Protiviti, the information on how many organizations had to issue a cyber-security disclosure is interesting. Apparently, this generally resulted in an increase on SOX compliance hours – although the reason for a significant increase is not clear.

 

, , , , ,

Learn from British Airways’ security breach reporting and notification

British Airways’ experience described in this article underscores that cybersecurity is important, and Canadian entities preparing for mandatory security breach reporting and notification coming into force soon can take lessons from British Airways’ response to a security breach.

 

, , , , , , , , , , ,

Is there an ROI for investing in cyber or information security?

IS ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk as a “cost of doing business”. If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

 

, , , , , ,

Recent SEC settlement is cautionary tale for Canadian public issuers on disclosure of cyberincidents and related risks

The Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.

 

, , ,

Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 

, , , , ,

Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

 

, , , ,

The SEC is changing the rules for SOX s302 certifications to include cyber risks

You may know that the SEC just published new guidance on the disclosures they are required to make related to cybersecurity. But did you realize that the SOX s302 certification now has to address whether disclosure controls are adequate in ensuring that the proper disclosures are made?

 

, , ,

A step-by-step guide to creating a cybersecurity plan

The first step is easily accomplished by reviewing a few definitions. The second step is trickier. The third step may involve a lot of work, but you can start with six straightforward steps.

 

, , , , , , , , , , , , ,

Federal budget allocates significant funds towards cybersecurity

The Budget’s proposed investment in the area of cyber security is the largest single investment made in this area by the Canadian federal government. It also sends a strong signal that the government is focused on cyber threats that pose a real risk to the Canadian economy and national security.

 

, , , , , ,

Collaboration between the business risk and IT security teams

Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?

 

, , , , , ,

Phishing losses exceed $224,000.00 after insurer denies coverage

In August 2010, someone called The Brick’s accounts payable (AP) department, pretending to be from Toshiba Canada. The caller said he was new to Toshiba and needed some payment details. The Brick employee faxed the payment information to the number which the caller provided.

 

, , , , , , , , , , ,

Previous Posts