The risky six

Is the board of your organization under the impression that the organization is cyber resilient? On what is the impression based? Has the internal audit team assessed the organization's cyber resiliency?

Practitioners and researchers from The IIA and EY conducted extensive analysis to determine the root cause of how and why boards within all industries get a skewed picture of their organizations’ ability to protect themselves from cyber-related risks with the requisite resiliency.

The team identified six key questions that if unanswered, or answered with a 'No', likely means a disconnect exists:

1. Has the organization conducted a recent enterprise-wide cyber risk assessment?

2. Has the organization implemented a data governance program beyond basic classification?

3. Have cyber risks and responses been incorporated distinctly into the crisis management program?

4. Has the organization conducted a recent third-party and/or joint venture cyber risk assessment?

5. Is cybersecurity included in the audit plan and/or is internal audit being leveraged as a tool to help the organization assess the management of cyber risks?

6. Is the effectiveness of cyber controls measured and reported in a consistent, meaningful manner?