Board of Directors Governance: Questions a Board Should Ask about Cybersecurity

ENERGY COMPANY CYBERSECURITY GOVERNANCE Questions a Board Should Ask Paul J Feldman http://www.EnergyCollection.us/600.pdf

Upload: paul-feldman

Post on 24-Jan-2015


DESCRIPTION

Board of Directors Governance - Questions a Board should consider asking about Cybersecurity. A PDF can be downloaded at http://www.EnergyCollection.us/600.pdf

TRANSCRIPT

Page 1: Board of Directors Governance: Questions a Board Should Ask about Cybersecurity

ENERGY COMPANY CYBERSECURITY GOVERNANCE

Questions a Board Should Ask

Paul J Feldman

http://www.EnergyCollection.us/600.pdf

Page 2: INTRODUCTION

Cybersecurity Governance is an emerging issue with Boards of Directors. Boards need to have at least enough cyber-knowledge on the Board to execute their “Duty of Care” and to be able to rely on the “Business Judgment Rule”.

The questions in this paper are not a substitute for the necessary skills on the Board – but Board members may find some of the questions useful in executing their responsibilities.

Page 3: NEXT STEPS

You can download a copy of the PDF (with notes for each Question) for these Questions at: http://www.EnergyCollection.us/600.pdf

You can download an associated reference paper for Energy Company Boards related to the emerging issue of Governance and Cybersecurity: http://www.EnergyCollection.us/456.pdf

Page 4: UPDATES

Both the Questions and the Reference paper will be updated as comments and suggestions are received.

Suggestions and comments can be sent to [email protected]

LinkedIn: www.linkedin.com/in/paulfeldman/

Page 5: QUESTIONS 1-4

1. Do we have the skills on the Board to properly execute our duty of care in the area of cybersecurity?

2. What is the entire set of Compliance obligations and laws we have to follow in the IT and Cybersecurity areas?

3. What is our cyber-risk tolerance?

4. Are the responsibilities for cybersecurity clearly spelled out, communicated, and being enacted across the entire organization?

Page 6: QUESTIONS 5-8

5. How are you thinking about Cybersecurity vs. Compliance?

6. How do we measure cyber risk and our activities to address it?

7. What are our Best Practices, where did you get them from, why did you select them, and how are we keeping them up to date?

8. What is our present status as to implementing our Best Practices and schedule going forward?

Page 7: QUESTIONS 9-12

9. When considering the various systems that we control – have you asked and answered the question: “What is the worst thing a person or group could do to a critical asset if they possessed the intent, access, and knowledge to perform a malicious act?”

10. How are we incorporating the concepts of resilient systems into our operations?

11. Do we have a Security Operations Center (SOC)?

12. Do we have a Security Information and Event Management (SIEM) System?

Page 8: QUESTIONS 13-16

13. Are we testing for Advanced Persistent Threats?

14. Are we training our software developers to build security into their code?

15. How do we stand relative to others that have the same challenges as our Company?

16. Do you have adequate budget, and how are you prioritizing?

Page 9: QUESTIONS 17-20

17. How do our cybersecurity policies extend into the supply chain, and how are we protected from supply chain vulnerabilities?

18. What special risks are we running by being so interconnected with our members, and what risks do we potentially expose them to?

19. What qualifications do our employees have in the cyber area to be able to identify and put in place Best Practices?

20. Do we have a training program for all employees?

Page 10: QUESTIONS 21-24

21. What is our recovery plan if we suffer a successful cyber-attack?

22. Do we have Cyber-Insurance? Should we?

23. How is our D&O Insurance connected to the question of being cybersecure?

24. What Organizations (including government) are we working with to lessen our chances of a successful attack?

Page 11: QUESTIONS 25

25. What question haven’t we asked that we should have asked?

Page 12: QUESTIONS, COMMENTS, MORE INFORMATION

Questions were taken from a paper prepared for the Boards of Directors for the IRC – RTO/ISO Council Members - http://www.isorto.org/Pages/Home

For a copy of the paper please email [email protected]