5 governance security principles from AICD

According to its annual cyber threat report, the Australian Cyber Security Centre (ACSC) received 76,000 cybercrime reports in the last financial year. With significant and widely publicised data breaches such as Optus, Medibank, and The Smith Family, there is a new wave of cybercrime on the scene.
This has prompted the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) to publish a set of governing principles. These principles are aimed at the Board of Directors, to help them play an active role in strengthening the organisation's cybersecurity and overseeing it effectively.
What is meant by governance principles in cyber security?
Governance principles in cyber security are the fundamental rules, strategies, and policies an organisation adheres to in order to keep its digital assets safe. They are established to protect data, systems, networks, and other resources from unauthorised access or misuse, and they provide a framework for setting best practices and standards for implementing effective cyber security measures within an organisation.
How are the AICD governing principles relevant now?
As Australian customers share their private data with organisations, they expect that information to be protected. It is therefore the responsibility of an organisation to ensure that information security and cyber security are prioritised. At a time when data breaches by bad actors are a serious concern, protecting data requires alignment and collaboration between businesses, industry, and government.
A very important part of strengthening an organisation's cybersecurity is building a risk-aware and risk-resilient culture. The Board can play a major role in building this culture, and the AICD cybersecurity governance principles support the Board in preparing to face the myriad cyber threats. Governance security principles give an organisation the tools to define its risk appetite and to decide which areas matter most. The principles provide a framework for building cyber resilience in organisations of all sizes across different industries.
What are the AICD governing principles?
Below are the five cybersecurity governing principles.
- Set clear roles and responsibilities
- Develop, implement, and evolve a comprehensive cyber strategy
- Embed cyber security in existing risk management practices
- Promote a culture of cyber resilience
- Plan for a significant cyber security incident
These principles were developed after consultation with and feedback from government agencies, industry experts, cybersecurity professionals, regulators, and senior directors. They are designed to help directors and governance professionals understand cyber risk, take proactive measures to mitigate it, and be prepared to deal with a significant cybersecurity incident. Let's look at each principle in detail.
Set clear roles and responsibilities
The first step towards effective cybersecurity governance is to establish a team in which each member has defined roles and responsibilities. Cybersecurity is no longer only the IT team's job, so all members of an organisation need to be made aware of their roles and responsibilities in managing cyber risk.
There should also be a clear line of management responsibility and communication at all levels. This includes board reporting, communication with senior leaders and decision-makers, and keeping track of emerging threats and trends in cybersecurity. Directors should ensure that their understanding of cyber risk management is kept up to date.
The AICD encourages directors to take expert advice both to set clear roles and responsibilities and to identify areas for improvement.
Develop, implement, and evolve a comprehensive cyber security strategy
There needs to be a well-documented cyber strategy overseen by the Board and implemented by management and team members across the organisation. The strategy should proactively address risk, and as the risk landscape evolves, the strategy should evolve too. The aim is to evaluate the strategy regularly and improve cyber maturity over time. It should address the following points.
- The strategy should include information on all the digital assets and data in the organisation that needs to be protected.
- It should consider third-party and supply chain risks while dealing with external vendors, partners, and any other stakeholders.
- It should outline a framework for how sensitive data is to be stored, protected, and destroyed.
Embed cyber security in existing risk management practices
Cyber risk should be treated as an integral part of the business strategy and included in existing risk management practices. Just as the Board reviews business risk, it should also review cyber risk and assess the effectiveness of the cyber controls. These reviews and assessments should keep pace with the changing threat landscape and with technological advances that can affect the organisation's threat exposure.
The idea behind this governing principle is not to reduce cyber risk to zero but to protect the organisation effectively from risk and create a more secure environment. Most organisations outsource cybersecurity to managed security service providers (MSSPs), and while it is a good idea to engage experts, the Board should still be involved in the oversight of cyber risk management.
Promote a culture of cyber resilience
A cyber-resilient culture should begin with the Board and senior leaders and flow through the whole organisation. The key step towards cyber resilience is education and awareness for all end users and stakeholders through regular training, with specialised training programs for directors too. Good cybersecurity practices should be promoted at all levels to encourage timely reporting, transparency, and awareness.
The other part of adopting this principle is to conduct regular tests and exercises to measure staff preparedness against cyber attacks. This includes carrying out simulated cyber attacks, phishing tests, penetration testing, and similar exercises.
Plan for a significant cyber security incident
An organisation should have a documented response plan for a significant cybersecurity incident. The response plan ensures that the organisation is in a position to respond appropriately to the incident and that all major stakeholders, including the Board, have a clear understanding of their roles and responsibilities.
The key elements of a response plan include:
- Responsibilities - Identifying the personnel for implementing key steps in the response plan
- Resources - The resources to be used for implementing the response plan
- Triage and immediate response - Steps to detect an incident and identify its severity and engage support teams
- Containment and eradication - Strategy for containing the damage from the incident
- Communication - Establishing channels for communication with stakeholders, impacted users, regulators, law enforcement agencies, media, etc.
- Recovery - Recovering the impacted systems and further improving the cybersecurity strategy based on the learnings from the incident
Final thoughts on governance security principles
Cyber attacks are expensive, with the cost of cyber crime in Australia estimated at about $1 billion per year. Cyber resilience is crucial to the survival of businesses, and the AICD cyber governing principles are a good starting point for directors to enforce robust cybersecurity measures.
While adopting a comprehensive cybersecurity framework can feel like a lot of work, AI and automation tools make it considerably easier. At 6clicks, we help you on your journey to build cyber resilience by automating your Information Security Management System (ISMS). With a Reporting and Analytics suite that supports data storytelling, insights, and collaborative dashboards, overseeing cybersecurity is quick and hassle-free.