By Greg Daniel, CISA, CRMA, Senior Manager, Johnson Lambert LLP
As cyber attackers become more sophisticated, having an effective enterprise-wide cybersecurity risk management program is top of mind for organizations’ board of directors (BOD) and senior level team (SLT) members.
The April 2017 Symantec Internet Security Threat Report notes, “While the number of data breaches in 2016 remained steady compared to 2015, the number of identities stolen increased significantly. Almost 1.1 billion identities were stolen in 2016, a big jump from the 563.8 million stolen in 2015”[i].
Organizations must develop a cybersecurity program that uses a risk-based approach to effectively leverage their people, processes and technology to protect against such threats and attacks. The BOD and SLT should determine which cybersecurity framework is suitable for identifying gaps and the activities required to strengthen their cybersecurity posture. Investments should be made to ensure mission-critical functions and data are protected, specifically in the training and technology space. Employees should be educated on how to recognize suspicious activity. They should also understand prevention procedures and reporting protocols. Tools must be implemented to identify, protect, detect, respond and recover from cybersecurity threats and attacks.
So, how do the BOD and SLT gauge their cybersecurity risk management efforts? As part of the cybersecurity program, an internal continuous monitoring process is essential to determine potential weak points within the organization. Policies and procedures should be challenged to ensure organizations are responsive to ever-changing security risks. Technology must be regularly assessed and monitored to identify and detect threats. Results must be evaluated by the BOD and SLT. Corrective actions must be prioritized and tools updated to adapt to environmental changes. Organizations may also strengthen their cybersecurity awareness by obtaining a third-party assessment.
The AICPA Assurance Services Executive Committee (ASEC) released guidance on a new System and Organization Controls (SOC) Report for Cybersecurity[ii]. SOC reports have historically been issued for service organizations; however, the AICPA tailored the guidance to be applicable to any organization. The Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program helps organizations prepare a description of their cybersecurity risk management program. Practitioners/CPAs then perform an examination to validate the program’s effectiveness. Typically, a readiness assessment is performed prior to the examination to assess the status of the program. If the readiness assessment validates the implementation of sufficient processes and controls, Practitioners/CPAs will be able to opine on the description and on the effectiveness of the controls in place to achieve the cybersecurity criteria. The AICPA requires that Cybersecurity SOC reports be based on the 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy[iii]. In addition, the Cybersecurity SOC report is a general-use report, which means the SLT may provide the report to anyone.
Cybersecurity threats and attacks cannot be eliminated entirely, but they can be managed more effectively with an enterprise-wide cybersecurity risk management program. The AICPA’s Cybersecurity SOC provides organizations the ability to report on the effectiveness of their program with the credibility of an independent Practitioner/CPA’s report. Furthermore, external parties (e.g. potential investors, consumers, stakeholders, regulators) gain insight into the organization’s cybersecurity preparedness. To understand how a Cybersecurity SOC report could benefit your organization, contact Kim Mobley, CPA, Partner or Greg Daniel, Senior Manager.
[i] 2017 Symantec Internet Security Threat Report (ISTR) - https://resource.elq.symantec.com/LP=3980?cid=70138000001BjppAAC&mc=202671&ot=wp&tt=sw&inid=symc_threat-report_regular_to_leadgen_form_LP-3980_ISTR22-report-main
[ii] Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program - https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/Cybersecurity/Description-Criteria.pdf
[iii] 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy - https://www.aicpastore.com/InternalControls/trust-services-principles-and-criteria/PRDOVR~PC-TSPC13/PC-TSPC13.jsp