Organizations are under constant pressure to manage cybersecurity threats and to prove that they have effective processes and controls in place to detect, mitigate and recover from breaches.
Research by IT security and compliance specialists at 360 Advanced shows that The American Institute of CPAs (AICPA) has developed a cybersecurity risk management reporting framework to address these needs. The framework assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs.
The framework is a key component of a new System and Organization Controls (SOC) for cybersecurity engagement, through which a CPA reports on an organizations’ enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts.
St. Petersburg-based 360 Advanced has a mission to provide exceptional value to its clients by utilizing innovative methods and thought leadership to develop complete compliance solutions, achieving this mission through its people, processes and technologies.
“We have the knowledge of relevant IT systems and technology, and understand IT processes and controls, as well as experience with common cybersecurity publications and frameworks and in evaluating processes, control effectiveness and providing compliance/audit services relating to these matters,” said Eric Ratcliffe, Director of Compliance Strategy at 360 Advanced. 360 Advanced is proficient in measuring performance against established criteria, applying appropriate procedures for evaluating against those criteria and reporting results.
SOC FOR CYBERSECURITY EXAMINATION
The SOC for cybersecurity examination provides an independent, entity-wide assessment of your organization’s cybersecurity risk management program. It is appropriate for businesses, not-for-profits and virtually any other type of organization. It helps reduce uncertainty and build resilient organizations by evaluating effectiveness of existing cybersecurity processes and controls. It permits flexibility by not constraining management to a particular security management framework or control framework. It results in a general use report on whether the description of an entity’s cybersecurity risk management program is presented in accordance with description criteria and the controls within that program were effective in achieving the entity’s cybersecurity objectives.
“Considerations in determining the type of report begin with what is the purpose of the assessment or examination,” said Ratcliffe. “Does it improve or enhance security, comply with any regulatory or compliance requirements, and does the SLA/contract require a specific report type?”
“Who are the users or recipients of the report, what are they asking for or requiring, and which report meets their needs? Most importantly, which report best aligns with the organization’s strategic plan and mission, and is the goal to provide a document looking forward or looking back?”
The AICPA cybersecurity risk management reporting framework helps organizations communicate about the effectiveness of their cybersecurity risk management programs via three components:
- Description criteria for management’s description of an entity’s cybersecurity risk management reporting program — This is used by management to provide transparency regarding its cybersecurity risk management program and used by CPAs to report on management’s description. Management’s description provides users of the report with information that can help them understand the entity’s cybersecurity risks and how it manages those risks. Description criteria includes considerations on the nature of an entity’s business and operations, factors affecting inherent cybersecurity risk, risk governance and assessment process and the monitoring of the cybersecurity program, among other criteria.
- 2017 trust services criteria for security, availability, processing integrity, confidentiality and privacy — This is used by management to evaluate the effectiveness of controls and used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of controls within the cybersecurity risk management program.
- AICPA guide reporting on an entity’s cybersecurity risk management program and controls — This attestation guidance assists CPAs engaged to examine and report on an entity’s cybersecurity risk management program (SOC for cybersecurity). This guide also contains information that can assist management in understanding the SOC for cybersecurity engagement and its responsibilities with respect to the engagement.
The AICPA will continue to evolve cybersecurity services and introduce SOC for vendor supply chain to enable users of products produced, manufactured and distributed by an entity to better understand and manage risks, including cybersecurity risks, arising from their business relationship with the entity.