This time we will talk about the second point of the COSO principle on information, communication and reporting, which is "Communicates risk information".
As a reminder, the COSO guiding principle on information, communication and reporting has three points:
- Uses information and technology
- Communicates risk information
- Reports on risk, culture and performance
An organization must give priority to its ability to report cyber risk to internal and external partners. Communication channels are often defined in the organization's general information security policy or its incident response plan, but they are frequently not available offline. Effective communication before, during and after an incident provides situational awareness throughout the workforce.
Most of the time you will probably use email for communication; however, in the case of a widespread ransomware event, email may be degraded or unavailable. Norsk Hydro did great in 2019 with their incident and crisis management for their widely publicized ransomware incident. One aspect of their response: employees arriving at work were greeted with locked doors and paper notes warning them not to turn on their computers.
The ability to communicate cyber risk with outside partners is also vital. Security regulations worldwide have different reporting requirements, from HIPAA and CCPA in the United States to GDPR in the European Union. Since the Colonial Pipeline incident, the TSA now requires oil and gas pipeline organizations to report cyber incidents.
Failure to report cyber incidents with appropriate detail and timeliness can lead to significant fines from multiple entities. Other external communications include two-way communications with third-party service providers, especially when they host your critical data and have encountered a major incident that could put this data at risk. Public relations communication plans to support the disclosure of a major cybersecurity incident to the public or to partners are mandatory.
Key activities
- Determine the internal and external stakeholders that require communication with respect to cyber risks.
- Define the escalation and communication channels in your general information security policy and incident response plan, and make sure they are available offline.
- Make sure you plan for a variety of communication methods in case traditional methods such as email are not available.
As always, I love your comments and if you want to have a direct conversation, please shoot me a message and we will set up something.
Have a nice week!