Cyber-risk in your governance framework – Part 1

Ensuring that your association or charity has established appropriate defences against cyber attack is now a core aspect of risk management.

If your organisation has not yet integrated cyber-risk management within your risk management and governance framework, the following checklist may offer some helpful starting points.

The issues encompassed in IT risk management and cyber-risk prevention are complex and wide-ranging, and so the governance and management perspectives on this matter are addressed in a series of posts.

The following questions are suggested for consideration by your governance and risk committee. Depending on your organisation’s structure and functions, additional questions may also need to be addressed, for example those concerning obligations arising under the Notifiable Data Breaches Scheme, which take effect from 22 February 2018.

A selection of operational cyber risk questions for consideration by relevant managers and consultants will be canvassed in later posts.

Cyber Risk Management Checkup

  • Does our governance framework include data governance as a key area for risk management?
  • Are we adhering to Australian Privacy Principles and have we done training on this?
  • Have we considered the guidance offered in ISO/IEC 38500:2015 Information Technology – Governance of IT for the organisation?
  • Have we reviewed and updated our IT security, data protection and privacy policies and procedures in the last year (recognising new security threats and any staff changes)?
  • When was the last time we performed a self-audit of our security measures?
  • Have we conducted a risk assessment to identify and assign value to our organisation’s critical data assets?
  • Have we confirmed that our IT consultant is knowledgeable about current and emerging cyber risks faced by our organisation, and that they have equipped us with the infrastructure and training required to protect our business continuity and sensitive client data?
  • How much of our clients’ private information is kept secure?
  • What would we do if we had a data leak?
  • Do we know our cost of downtime? Figuring this out will help us put a dollar amount on keeping our systems up and ransomware-free.
  • What would the cost be to the organisation if clients’ personal and sensitive information were stolen?
  • Are we confident our business insurance covers the expense of potential data breaches or a ransomware attack?
  • Do our staff and office-bearer induction processes highlight cyber-risk preventive measures?
  • Has management instituted a range of IT security policies and procedures based on regularly updated operational risk assessments?
  • Do we undertake an annual system access risk assessment with our IT consultant?

Call to Action

Contact Garry Pearson at PolGovPro Pty Ltd (Mobile 0419 347 599) if you would like:

  • a Board or committee briefing on measures by which to address cyber risk in your governance framework, or
  • assistance in updating your governance framework to better address IT governance, including data protection and cyber risk management. NB: PolGovPro does not offer technical IT services, and these should be sourced from reputable IT consultants and service providers.

 
