Sony shut down its PlayStation Network after discovering it was hacked. Personal information of approximately 77 million of its users has been stolen. It took Sony seven days to reveal the extent of the attack, which was discovered following forensic security testing.
Consider the following aspects:
• What type of information do you have, use and store? And what is the level of security required to protect it?
• How well is client-provided (and your other) data secured? Do you know? Can you find out?
• What is the potential impact of losing information? Make sure to clearly distinguish the various situations, such as deletion of information, stolen information, virus infection, etc.
• Do we have the means to discover that our system has been hacked? How soon would we find out?
• If we hold sensitive information, have we articulated how it is to be handled?
• In the worst case, do we have a recovery plan in place? Or will we invent it when something happens?
• Are we a likely or reasonable target for some reason?