This document contains questions from regulators about a company's cybersecurity program and responses from the company. The questions cover topics such as the organization of the cybersecurity group, the metrics and reporting they use, how they manage and monitor cyber risks, the tools and capabilities they use, their incident response procedures, security awareness programs, and how management assesses internal controls for cyber-related fraud risks. The company provides descriptions of its people, processes, and technologies for each of these areas of its cybersecurity program.
Inquiries related to Cybersecurity | Response to inquiries
1. Where does the Cybersecurity Group sit in the organization?
2. What are the metrics (KPIs, KRIs) used by the Cybersecurity Group?
3. In relation to metrics, are there reports submitted to the Risk Management Group? Are there reports submitted to Executive Management? How frequently does the reporting occur?
4. How do you manage cyber risks (including who does what and when), from identification, assessment and analysis through to treatment? Please explain how these cyber risks are translated into, or reflected in, enterprise-wide risks.
5. Who monitors these risks? How does the Cyber Group ensure that treatment (either mitigation or acceptance) is applied?

1. Do you have a Security Operations Centre? If not, who is doing monitoring and incident response?
2. What is the coverage of the monitoring? (i.e. devices/apps being monitored, 24/7 or 24/5 or 8/5, location)
3. What are the various software/tools/solutions used for monitoring?
4. What security detection capabilities/solutions are in place? Kindly indicate the coverage of each security detection capability.
5. What proactive efforts are made to detect/prevent cybersecurity threats? Kindly specify the enablers (i.e. tools, programs/processes).
6. Kindly discuss your incident response procedure, from Preparation-Identification-Containment-Eradication-Recovery/Restoration-Lessons Learned.
7. How are incidents reported to Senior Management? (Describe who does what and when, the escalation matrix and the corresponding thresholds.)

1. Have you encountered any cyber security incident which may have directly and/or remotely affected your financial systems?
2. Kindly provide the details: what happened, when it happened and the duration of the incident, how it was resolved, and the impact on the organization.

1. Can you describe your program for Security Awareness? Kindly list the activities and the frequency with which each is performed.
2. Have you conducted any Social Engineering Exercise to evaluate the security awareness of your employees?
3. Can you describe the process/procedure if an employee would like to report a suspected phishing email/scam or malicious link? And once it is reported, what steps are taken before closure?

1. How does Management assess its internal accounting controls in light of risks arising from cyber-related frauds (e.g., BEC scams, spoofing, phishing, etcetera)?