Carnegie Mellon Assesses Cyber Risk Management

Carnegie Mellon University’s CyLab has just released results from its third biennial survey on how boards of directors and senior management are governing the security of their organizations’ information, applications, and networks (digital assets). The surveys are intended to measure the extent to which cyber governance is improving.

In general, the report finds that, “Although there have been some measurable improvements since the 2008 and 2010 surveys, boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches.”

While much of the report focuses on corporate and private sector efforts, most of the following recommendations can be adapted and applied to water utilities as well. Cyber is a key component of a water system’s overall security posture and must be addressed.

The survey revealed that governance of enterprise security is still lacking in most corporations, with gaps in critical areas. If boards and senior management take the following 12 actions, they could significantly improve their organizations’ security posture and reduce risk:

1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.

2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.

5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.

6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.

8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks.

10. Require annual board review of budgets for privacy and security risk management.

11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.

12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

To read or download a copy of the full report, please go to:
