
OWASP - Cyber Security in the Boardroom


OWASP - Cyber Security in the Boardroom

The OWASP Cyber Security in the Boardroom initiative aims to provide the board of directors with a better understanding of cyber security and the challenges security professionals face, so that the board can protect the companies it represents.

Equally, it aims to provide cyber security professionals with a better understanding of the board of directors' expectations, roles and responsibilities, and how the board functions. This is in order to help these professionals understand the board's needs and communicate upwards effectively.

Initiative Deliverables

  1. A Primer on Cyber Security for the Board
  2. Guidelines for selecting and evaluating the head of the Cyber Security program (e.g. CISO/CSO/CCO*)
  3. Top 10 Criteria for leading a Cyber Security program
  4. Cyber Threats per Industry Sector
  5. Cyber Security Framework

A Primer on Cyber Security for the Board

  1. Overview of Cyber Security for a Board of Directors
    • The Main Concepts of Cyber Security
    • The Challenges with Cyber Security
    • The Impacts of Cyber Security on an organisation
    • Responding to a Cyber Security Incident
    • Cyber Security Myths and Misconceptions
    • Cyber Security and Corporate Responsibility
  2. Overview of the Board of Directors for Cyber Security Professionals
    • Roles and Responsibilities of the Board
    • Board of Director Liabilities
    • Corporate Governance
    • Company Strategy and the role of Cyber Security
  3. Appendix
    • Useful Cyber Security References
    • Useful Board of Directors References
    • Scenarios

Selecting and evaluating the head of the Cyber Security Program

Head of the Cyber Security Program; Selection & Evaluation Guidelines:

  1. Background in dealing with information security challenges.
  2. Deep understanding of the Security Mindset and the Security Culture.
  3. Clear view of what it means to treat security as an ‘enabler’ in the context of the organisation, taking into consideration the business needs, strategy and vision.
  4. The twin nature of regulatory compliance and the role of the DPO in Data Privacy.
  5. Translating Risk from/to Business Needs.
  6. Addressing and communicating the “so what” question(s).
  7. The functional role of IT Security and how InfoSec deals with GRC, including the legal issues.
  8. Expert input on the fast-evolving digital ecosystem.
  9. Ability to distinguish between skills gap challenges and talent acquisition oversights.
  10. Measuring risk, compliance and maturity.

Top 10 Criteria for leading a Cyber Security program

  1. Establish segregation of duties and ownership of responsibilities for the cyber security program
  2. Managing risks in an evolving cyber landscape (Management Buy-in, Strategy, Planning, Governance, etc.)
  3. Organisational culture (security culture, mindset)
  4. Sector-focused prioritization of risks, types of attacks, threat actors.
  5. Mission Critical vs Business Critical; systems, networks and data.
  6. Digital Ecosystem (Architecture, Infrastructure, Cloud, Deployment, Physical Security, IAM, etc.)
  7. Secure communications (incl. Data-at-Rest, Data-in-Transit, Data-in-Process)
  8. Third-Party Risks (incl. Supply Chain)
  9. Readiness, Containment and Treatment
  10. Response and Continuity Plan

Cyber Threats per Industry/Sector

  • Automotive
  • Oil & Gas
  • Consumer Products
  • Power & Utilities
  • Government & Public Sector
  • Life Sciences
  • Telecommunications & Media
  • Real Estate
  • Technology
  • Mining & Metals
  • Private Equity
  • Finance & Banking

Cyber Security Framework

How to build / consider starting with a framework:

  • Policies & Procedures Creation Guidelines
  • Data Classification Guidelines
  • Compliance
  • Information Security Risk Management
  • Information Security Incident Management
  • Information Systems Continuity Management
  • Third-Party Security

Footnotes

*CCO: Chief Cyber Security Officer

Licensing

The OWASP Cyber Security in the Boardroom Initiative is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0/), so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.

What is Cyber Security in the Boardroom?

OWASP cyber security in the Boardroom provides:

  1. A primer on cyber security for the board
  2. Selecting and evaluating the head of the cyber security program
  3. Top 10 criteria for leading a cyber security program
  4. Cyber threats per industry/sector
  5. Cyber security framework

Project Leaders

  • Sherif Mansour
  • Grigorios Fragkos

Contributors

  • Paul Harragan

Quick Download

  • TBA

News and Events

  • TBD
  • TBD

In Print

This project can be purchased as a print on demand book from Lulu.com

Classifications


Volunteers

OWASP Cyber Security in the Boardroom Initiative is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Sherif Mansour
  • Grigorios Fragkos
  • Paul Harragan

Priorities

As of 12th December 2019, the priorities are:

  • A Primer on Cyber Security for the Board
  • Guidelines for selecting and evaluating the head of the Cyber Security program (e.g. CISO/CSO/CCO)
  • Top 10 Criteria for leading a Cyber Security program
  • Cyber Threats per Industry Sector
  • Cyber Security Framework


what is this project?
Name: Cyber Security at the Board Level Project
Purpose: Provide the board of directors with a better understanding of cyber security and the challenges security professionals face, in order for the board to protect the companies it represents. Equally, provide cyber security professionals with a better understanding of the board of directors, what their roles and responsibilities are, and how they function. This is in order to help these professionals understand the board's needs and communicate upwards effectively.
License: ...
who is working on this project?
Project Leader(s):
  • Sherif Mansour @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: N/A
Project Roadmap: Not Yet Created
Key Contacts
  • Contact Sherif Mansour @ to contribute to this project
  • Contact Sherif Mansour @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed