Based on what you have read, consider the following questions and how you would reply to them:

- Have you identified the natural threats to your company's information and systems?
- Have those threats been documented and processes put in place to mitigate them?
- Have you identified the man-made threats and the malicious code that can attack your information and systems?
- Have those threats been documented and processes put in place to mitigate them, for example, disaster recovery/contingency plans?
- Do you know the difference between risk management, risk assessment, and risk analysis?
- Do you have formal processes, policies, and procedures in place to use these risk management techniques?
- Have you identified your personal education and experience weaknesses that are associated with a complete understanding of the threats, such as malicious code and human factors?
  - If not, why not?
  - If so, what are you going to do about it?
- Does your CIAPP have contingency plans for terminating employees who, for example, are given 60 days' notice?
- When do you terminate an employee's access to sensitive information and systems?
  - When the employee is given a 60-day notice?
  - When they leave?
  - Does it depend on their position in the company and their access?
- What is your definition of cyber-terrorism?
- Do you agree with the terrorist-related definitions cited above?
  - If not, what are your definitions for each of those definitions that you do not agree with?
- Do you believe that a true cyber-terrorist attack will affect your corporation?
  - If so, what plans do you have in place to mitigate it?