The victims keep piling up: Network security breaches at Chick-fil-A Inc., Home Depot, Sony Corp., and Staples Inc. in just the past few months have made 2013's Target Corp. break-in seem like ancient history. But these attacks have gotten the attention of corporate boards, with directors in a recent National Association of Corporate Directors survey voicing complaints about being left in the dark about their organization's information security.
With cyberrisks front-and-center, senior executives, risk managers, and internal auditors need guidance on how to assess and control those risks before their organization becomes the next headline. Into this void comes new guidance from The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
"There is a growing concern at all levels of industry about the challenges posed by cybercrime," COSO Chairman Robert Hirth Jr. says in a press release. "This new guidance helps put organizations on the right path toward confronting and managing the frightening number of cyberattacks."
COSO in the Cyber Age (PDF) provides guidance on how organizations can apply internal control components and principles from the updated 2013 COSO Internal Control–Integrated Framework and the Enterprise Risk Management–Integrated Framework to manage their constantly changing IT risks. The research report is written by Mary Galligan, director of Cyber Risk Services at Deloitte & Touche LLP, and Kelly Rau, a senior manager with the firm.
The report stresses that management needs to drive the cyberrisk assessment process. Executives should begin by working with business and IT stakeholders to place a value on the organization's information systems and determine which are most important to protect, given its limited resources. The authors cite Principle 6 of the 2013 framework as providing perspective on evaluating an organization's most critical systems in light of operations, external financial and nonfinancial reporting, internal reporting, and compliance objectives.
From there, senior management can follow Principles 7 and 8 to assess the likelihood that cyberrisks could impact the achievement of objectives and the severity of those impacts. The report says individuals conducting the assessment must understand the organization's cyberrisk profile, including which information systems are valuable to potential attackers and how those attacks might occur. Organizations also need to consider threats and potential attack sources that are more likely within their own industry.
The impact of technology change on internal controls is another risk consideration, as noted by Principle 9. New technologies and the use of outsourcing and other third parties can expose the organization to new risks, the report says.
After assessing their risks, the COSO report advises organizations to implement preventive and detective controls to address attacks from multiple entry points, using Principles 10, 11, and 12 of the 2013 framework for guidance. Deploying such controls in the IT environment can create obstacles for intruders and enable organizations to detect breaches and take timely corrective action. The report recommends that organizations compare the design and implementation of cyber control activities with information security and IT standards and frameworks such as the International Organization for Standardization's ISO 27000, ISACA's COBIT, and the U.S. National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (PDF).
Information and Communication
COSO internal control Principles 13, 14, and 15 direct efforts to identify relevant information, define how it is communicated internally, and determine how it should be communicated externally. The report identifies several points of focus for addressing cyberrisks:
Identify information requirements. These requirements provide a basis for understanding the information systems that are at risk and communicating with the organization to ensure controls are designed to address those risks.
Process relevant data into information. Because today's information systems can generate massive amounts of log data and security alerts, organizations must distill that data into meaningful information that can be used to take appropriate action.
Capture internal and external data sources. Potential sources of external data include commercial and industry-focused data, government data, and outsourced service provider data.
Maintain quality through processing. Organizations should establish clear responsibility and accountability for the quality of information, which should be protected from being accessed or changed without authorization.
Communicate internal control information. Organizations need a plan for communicating with personnel about cyberrisks and controls, as well as channels to communicate control information to personnel who are responsible for managing and monitoring them. Moreover, the organization must communicate with external parties to obtain cybersecurity information and to inform business partners, customers, regulators, and shareholders about cyber incidents or activities.
Control Environment and Monitoring
The report calls the COSO framework's control environment and monitoring activities component "foundational" for managing cyberrisks. Although the board and senior management have ultimate authority for cybersecurity, they will need internal and outside experts to explain technical IT information, advise them on which resources are a priority to deploy, and help them monitor the design and effectiveness of cyber controls.
In assessing their organization's cyberrisks and controls, the COSO report suggests asking questions such as whether it is focused on the right things and whether it is proactive or reactive in establishing security processes and controls. Organizations also should consider whether they have personnel who are qualified to deal with cyberrisks and whether there is collaboration among IT specialists, business units, and external stakeholders. Finally, senior management must be capable of explaining its approach to cyberrisk and its response to incidents, something that may be scrutinized if the organization suffers a security breach.