The CIO Security Checklist: Questions to Answer

Some larger companies will employ both a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO). They are both responsible for protecting and managing sensitive data, although the role of the CIO is much broader.

The role of the CISO is to ensure that proper controls are in place to protect the company’s digital assets, while the role of the CIO is to ensure that the CISO has the necessary tools and resources to be able to do their job properly.

This includes developing security policies, procedures, training programs, budgeting, and ensuring that the company is using the most up-to-date security solutions available. Below is a brief description of the CIO’s core responsibilities, as well as some simple questions which need to be answered in order to meet them.

1. Develop an Incident Response Plan

Security incidents that are not identified, contained and eradicated in a timely manner will likely lead to even greater problems down the line. Establishing formal policies for dealing with security incidents will help to prevent down-time, minimize losses and reputational damage, and ensure that any mistakes that were made are well documented to help mitigate future incidents.

The CIO is responsible for developing an Incident Response Plan (IRP), and should be able to answer the following questions:

• Do you have an Incident Response Plan in place that covers preparation, identification, containment, eradication, recovery and lessons learned?
• Has your IRP been thoroughly tested?
• Are you periodically reviewing your IRP and making amendments/improvements where necessary?
• Have you harmonized your communication protocols to ensure that all relevant personnel are communicating on the same channels following a security incident?
• Have all relevant stakeholders received the training necessary to identify and respond to potential security incidents? It is a good idea to conduct mock tests to see how they respond, which will enable to you to identify weaknesses in your strategy.

2. Assess the Risks of Your Cloud Strategy

There are many reasons why CIO’s are keen to adopt cloud computing. Firstly, cloud services often have a relatively simple pricing system, there are usually no upfront costs, they are typically more scalable than on-premise solutions, and a trusted service provider will already be compliant with the most relevant data protection regulations.

These benefits can take pressure off the CIO, allowing them to focus on more productive tasks. However, cloud-based solutions come with their own risks, and so the CIO will still need to carry out a thorough risk assessment before using them to store confidential data.

They should start by answering the following questions:

• Have you evaluated your cloud strategy?
• Are you storing sensitive data in the cloud? If so, are you sure you need to?
• Does your cloud service provider encrypt the data before it is transferred to the cloud?
• Do you have a strong password policy in place?
• Is it possible to use multi-factor authentication?
• Have you carefully reviewed the configuration settings of any storage containers that you are using to store data? Some cloud-storage containers are accessible to the public by default.
• Does your cloud provider support a “multi-region architecture”? Having a multi-region architecture can improve latency for end-users and assist with disaster recovery.
• Have you verified the security measures that your cloud provider has advertised?

3. Ensure You Can Satisfy Regulatory Compliance

Data protection regulations are becoming increasing more stringent, and the fines for non-compliance are putting additional pressure on CIO’s. The EU’s General Data Protection Regulation (GDPR), which came into effect on the 25 May 2018, has introduced fines of up to €20 million, as well as elevated rights for data subjects relating to the way their data is used.

It has never been so important for CIO’s to streamline the protocols for collecting, storing and accessing personal data. Below are some questions CIO’s need to answer to ensure that they can satisfy the relevant compliance requirements:

• Do you know exactly which regulations apply to your industry?
• Do you know why you are collecting personal data?
• Do your customers know why you are collecting their personal data?
• Do you know how long you will be storing the data?
• Do you know where all your personal data is stored?
• Do you have an automated system for discovering and classifying personal data?
• Are you keeping track of who is accessing what personal data, and when?
• Do you have clear and concise privacy policy in place that obtains the full consent from your data subjects?
• Have you verified the age of the data subject before collecting their information to ensure that they are mature enough to understand the terms of your privacy policy?
• After collecting personal data, will it be encrypted, both at rest and in transit?
• Can you access a subject’s personal data in a fast and efficient manner?
• Do you plan to share the data with third parties, and if so, do you know why?
• Have you carried out a risk assessment of any third parties you deal with?
• Are you required to appoint a specific member of staff to oversee regulatory compliance?
• Are all staff members aware of the compliance requirements and trained accordingly?

4. Understand the Tools & Technologies Available to You

According to a survey carried out by ESG, 53% of respondents reported a “problematic shortage” of cybersecurity skills at their organization, and the shortage is set to get worse. To compensate for the lack of cyber security professionals, CIO’s must focus their attention on automation, which requires a deep understanding of the different tools and technologies available.

As a starting point, CIO’s should be able to answer the following questions:

• Are you using multi-factor authentication on your local network?
• Do you have the latest anti-virus software installed?
• Are you using an automated data discovery and classification solution?
• Are you using a DCAP (Data-Centric Audit & Protection) solution to keep track of how your sensitive data is being accessed?
• Are you using a commercial-grade firewall, and has it been configured correctly?
• Are you using an Intrusion Prevent System (IPS)?
• Are you using Data Loss Prevention (DLP) software?
• Are you using encryption software, and are the encryption algorithms strong enough?
• Are you using an automated patch management solution?
• Have you installed any vulnerability scanning or penetration testing software?

5. Ensure Physical Security Measures Are in Place and Working

Naturally, having strong physical security measures in place is very important. A failure to adequately control access to your premises could allow a criminal to break in and steal drives, devices, or even paper documents containing sensitive data.

Alternatively, they could use their smartphone to take photos of unattended computer monitors displaying sensitive data, or even rummage through your skip in search of redundant equipment.

At the very least, CIO’s should be able to answer the following questions:

• Are you controlling access to the sever room and other restricted areas?
• Are you using ID badges, locks, alarms, CCTV cameras, etc.?
• Are you allowing visitors to bring their own devices onto the premises without proper authorization?
• Are workstation monitor screens locked down?
• Are you enforcing automatic logout on all devices that have access to sensitive data?
• Are you disposing of redundant hardware in a secure manner?
• Have you secured your network-enabled printers?
• Is it possible for someone to sift through your garbage and steal sensitive data?
• Have you isolated your Guest Wi-Fi from your internal devices and data?

6. Undertake a Third-Party Risk Assessment

According to the Data Risk in the Third-Party Ecosystem study, and carried out by the Ponemon Institute, 59% of companies have experienced a data breach caused by a third-party, and only 16% say that are able to effectively mitigate third-party risks.

Companies are becoming increasingly more dependent on third parties, with companies sharing confidential data with an average of 583 third parties.

Questions CIO’s need to answer include:

• Do you have an up-to-date inventory of the vendors, partners, and associates with whom you share your critical data?
• Have you carried out an assessment to determine which third-parties present the greatest security threat?
• Have you established contracts and agreements with third parties to ensure that they are taking the steps necessary to keep your data secure, and have you recently reviewed these contracts and agreements?

7. Assess the Risks of BYOD (Bring Your Own Device)

BYOD is a growing trend that allows employees to use their personal devices in the workplace. There are many advantages of enabling BYOD. For example, when asked, employees say that they’re more productive when using their own device. They say that using their own device gives them a better work-life balance.

Adopting BYOD also saves the company money as they are not required to purchase or maintain devices for their employees. However, BYOD will also present several additional security risks, which the CIO must factor in.

As a starting point, the CIO must be able to answer the following questions:

• Do you know what devices are being used to access the data on your network?
• Do you have policy in place to determine which devices are supported, and which are not?
• Is all data stored on portable devices encrypted, both at rest and in transit?
• Have you checked to ensure that all devices are password protected?
• Do you have an application whitelisting/blacklisting policy in place to determine which applications can be used?
• Have you included BYOD best practices in your security awareness training program?
• Are you using separate networks for employee devices?
• Will the data from BYOD devices be stored locally or in the cloud?
• What happens if an employee violates the BYOD policy?
• Are your access controls aligned with the “principal of least privilege“?
• Are you enforcing the use of Mobile Device Management (MDM) software?
• Are you enforcing the use of a Virtual Private Network (VPN) to ensure that all data transmissions are encrypted when employees are using their device on an unsecure Wi-Fi network?
• Are you using a device locator service in order to track a device, were it to be lost or stolen?
• Are you using remote wiping software? If so, have you informed your users that the personal data stored on their device could get wiped if their device is compromised?
• Do you plan to compensate your employees for using their own device, and do you have agreements in place?

8. Deploy Real Time Security Auditing

Keeping track of changes to your critical data is not just necessary for regulatory compliance, but it is crucial if you want to keep your sensitive data out of the wrong hands. According to the Verizon 2019 Data Breach Investigations Report, 34% of all breaches in 2018 were caused by insiders.

One of the core responsibilities of CIO’s is to ensure that CISO’s have the visibility and control they need to be able to detect and respond to anomalous changes made by insiders.

There are several questions the CIO must answer in order to do this.

• Are you using machine learning (ME) to establish the behavioral patterns of each user?
• Are you able to automatically detect deviations from these patterns?
• Do you know who has access to what data, and when?
• Are you able to receive real-time alerts when anomalous changes are made?
• Do you have visibility into who is accessing privilege mailbox accounts?
• Do you have a means by which to manage inactive, or “ghost” user accounts?
• Are you able to automatically detect and respond to anomalous failed login attempts?
• Are you able to automatically detect and respond to bulk file encryption?
• Are you able to aggregate event logs from multiple sources, including cloud environments?
• Are you able to generate pre-defined reports that can be presented to the supervisory authorities?
• Do you have an automated system in place for managing password expirations?

To summarize…

• Make sure that you have a comprehensive incident response plan in place that has been thoroughly tested.
• Only store sensitive data in the cloud if you really must and ensure that you have carried out a risk assessment before doing so.
• Make sure you know which regulations apply to your industry and ensure that all employees are aware of their responsibilities when it comes to satisfying the compliance requirements.
• Make sure that you have the latest and greatest tools and technologies available and automate as many processes as possible to compensate for the shortage of cyber-security professionals.
• Make sure that you are controlling access to restricted areas using ID badges, locks, alarms, cameras, etc.
• Carry out a risk assessment of all third parties, including vendors, partners and associates.
• Establish a formal BYOD policy, which includes an “acceptable use policy”.
• Monitor user behavior to protect your company from insider threats.

If this sounds like a daunting task, or you need help getting the visibility you require over your sensitive data (including where it is, who has access to it and what users are doing with it), come and speak to one of our engineers or schedule a demo to find out how the Lepide Data Security Platform can help you get started.