Raise your hand if you've ever gotten one of these questions: the kind where the correct answer is yes.
We think a cybersecurity question like this was just asked. It went to CEOs of electronic voting machine manufacturers.
U.S. Senator Ron Wyden, an Oregon Democrat, fired off information security letters loaded with very specific cybersecurity questions on October 3, 2017.
Cybersecurity question number one for voting machine CEOs:
"Does your company employ a Chief Information Security Officer? If yes, to whom do they directly report? If not, why not?"
Do you agree that a "yes" is the preferred answer here?
The senator is also digging into how prominent InfoSec is within each voting machine manufacturer's corporate structure.
Cybersecurity gaining prominence in 2017
Along those lines, our SecureWorld Advisory Council Members across the country tell us that cybersecurity is really gaining prominence within their enterprise or organization this year.
But is it being taken seriously enough by those who play a part in determining the next U.S. leader or next president?
The rest of Senator Wyden's questions go to the heart of cybersecurity. They ask about the size of security teams, vulnerabilities, and even the NIST Cybersecurity Framework.
How would you or your team respond to a letter like this?
U.S. Senator Ron Wyden - 8 questions to voting machine maker CEOs
- Does your company employ a Chief Information Security Officer? If yes, to whom do they directly report? If not, why not?
- How many employees work solely on corporate or product information security?
- In the last five years, how many times has your company utilized an outside cybersecurity firm to audit the security of your products and conduct penetration tests of your corporate information technology infrastructure?
- Has your company addressed all of the issues discovered by these cybersecurity experts and implemented all of their recommendations? If not, why not?
- Do you have a process in place to receive and respond to unsolicited vulnerability reports from cybersecurity researchers and other third parties? How many times in the past five years has your company received such reports?
- Are you aware of any data breaches or other cybersecurity incidents in which an attacker gained unauthorized access to your internal systems, corporate data or customer data? If your company has suffered one or more data breaches or other cybersecurity incidents, have you reported these incidents to federal, state and local authorities? If not, why not?
- Has your company implemented the best practices described in the National Institute of Standards and Technology (NIST) 2015 Voluntary Voting Systems Guidelines 1.1? If not, why not?
- Has your firm implemented the best practices described in the NIST Cybersecurity Framework 1.0? If not, why not?
The senator also sent similar letters to voting system test laboratories and asked for a response by October 31, 2017.