
Cyber Governance

To understand how good your Executive and Board’s cyber security governance is, you may wish to ask the following questions:

Governance

  • Who manages the organisation’s cyber security risk on a day-to-day basis?

Most large commercial organisations have a Chief Information Security Officer (CISO). However, very few large NHS organisations have taken the important step of appointing one.

  • Who is the Senior Information Risk Owner (SIRO)?

All NHS organisations must have a SIRO to take responsibility for Information Assurance (IA) issues.

  • Is there an executive and non-executive lead for cyber security on the Board?

  • How does the Executive Management Team conduct the dialogue between directors and the SIRO/CTO/CIO/CISO?

  • If cyber security is considered in a Board sub-committee, such as the Audit and Risk Committee, how much time and cyber security expertise does it have to examine cyber security, and how effective is that governance?

Risk management

  • Has the Executive team identified the most critical assets and data?

  • How is cyber security risk integrated into wider business risks?

  • How frequently does the (Main) Board review cyber security risk, and is that frequency appropriate to the increased cyber security risk? How are these risks presented in performance dashboards?

  • Has the Board reviewed the data from the Data Security and Protection Toolkit (DSPT) (see below) to inform the Board risk discussion?

Briefings

  • When did the Board last receive a briefing on the cyber security threat to healthcare and participate in cyber security training?

  • When did the Board last participate in cyber security training?

  • Is the Board briefed on cyber security risks by the technology professionals?

For cyber security to be given the appropriate recognition, it is important that technology professionals get to talk directly to the Board on cyber security rather than always through an executive Director.


Last edited: 17 January 2022 2:52 pm