Page 151 - Cyber Defense eMagazine RSAC Special Edition 2025

• Data Classification and Handling: Examine how sensitive data is categorized, stored and transmitted within the organization.
• Access Controls: Assess whether data access is based on the principle of least privilege (PoLP), ensuring that employees can only access information necessary for their roles.
• Data Retention and Deletion Policies: Determine how long data is retained and whether the company follows best practices for securely deleting obsolete information. The company may have legal and contractual obligations related to its retention and deletion practices.
• Encryption Standards: Review whether sensitive data is encrypted at rest and in transit.
• Data Breach History: Investigate whether the company has suffered data breaches, how they were handled, and whether vulnerabilities were adequately remediated and proper notice procedures were followed.
• Data Backup and Recovery Plans: Review the robustness of data backup policies and disaster recovery plans to understand the company’s business continuity in case of security incidents.
• Cloud Security: Examine security controls in place for cloud-based infrastructure, including vendor management, access controls and encryption protocols.



3. The Role of Emerging Technology Within the Company

As emerging technologies such as artificial intelligence (AI) and machine learning (ML) become more prevalent in business operations, cybersecurity due diligence must evaluate the security implications related to those technologies. Key considerations include:

• AI/ML-Driven Security Measures: Determine whether AI and ML are being used for threat detection, anomaly detection and automated incident response.
• Potential AI-Related Risks: Assess whether AI systems are susceptible to adversarial attacks, model or data poisoning, or data manipulation.
• Third-Party AI Vendors: Evaluate the security posture of AI service providers and the potential risks associated with outsourcing AI-driven tasks.
• Automated Decision-Making Risks: Review the company’s AI governance policies to ensure that automated decisions do not introduce security blind spots or biases.
• Regulatory Compliance: Confirm that AI-driven data processing aligns with relevant data protection regulations and ethical AI standards.
• Integration with Legacy Systems: Examine how AI solutions integrate with existing infrastructure and assess potential security gaps in interoperability.
• AI Model Transparency and Accountability: Ensure that AI models used in the organization maintain transparency and auditability to prevent biased or erroneous decisions that could compromise security.



4. Assessments of Employee Access to Secure Information
