Companies should develop and maintain a risk management program for addressing their cybersecurity risks. Besides knowing the federal, state, and local laws and regulations, companies should thoroughly access their own cybersecurity risks through a risk assessment. The assessment should include:
- Defining the system;
- identifying and classifying critical cyber assets;
- identifying and documenting the electronic security perimeters;
- performing a vulnerability assessment;
- assessing risks to system information and assets;
- selecting security controls;
- monitoring and assessing the effectiveness of controls using pre-defined metrics
- developing and implementing effective cybersecurity policies;
- determining employees’ level of understanding of cybersecurity and whether training is needed.
(Recently, the American Bar Association Cybersecurity Legal Task Force created a cybersecurity checklist.)