1: Do you understand the basis on which all of your corporate software is bought/licensed/updated – both the standard position and any exceptions to it?
2: Do you understand who is responsible for maintaining and updating your software, your firewalls, your system user access controls etc – outsourced/ insourced – contract terms?
3: Do you understand how, where and through whom your corporate IT actually works? (It really helps to have a reasonable grasp of this before management asks you questions about liability for business interruption. It also helps with litigation, investigations, dawn raids etc)
4: Are you reasonably on top of the technology? (e.g. Do you understand at least the basics about the move from owned to licensed operating system software, voluntary versus forced push updates to software, what a virtual private network is?)
5: Do you understand how your legal, regulatory, stock market, shareholder major client and supplier (e.g. Force Majeure clause?) obligations would be impacted by an effective Ransomware attack? (What can you do? Must you do? In what order? What is not permissible (e.g. paying the ransom?)? If you pay up anyway for business expedition then what will or may be the consequences?
6: Is your approach to this issue built into your organisation's risk management processes and policy framework so that you can respond effectively and reliably and with no surprises?
Suggestions for extra relevant questions welcomed.
