Effective April 15th 2017, AICPA's New Cybersecurity Risk Management Examination Report

Now what? In the midst of GDPR, the PCI DSS 3.2 update, and expanded privacy controls in SOC 2, the bar has just been raised another notch.  The AICPA has released its Description Criteria for the examination of an entity's cybersecurity risk management program.  Needless to say, the evidence requirements are piling up.  EnterpriseGRC Solutions has already loaded this standard into our existing SOC 2 and other assessment and mapping programs.  To help you anticipate where this new guidance will send your external auditors, we've included a summary of the text below.

Please visit the AICPA to get your resources and full understanding of this new requirement.

As stated by the AICPA in their FACT SHEET explanation of the standard:

The framework for reporting on an entity’s cybersecurity risk management program calls for management to prepare certain information about the entity’s cybersecurity risk management program and for the CPA to examine and report on that information in accordance with the AICPA’s attestation standards. The resulting cybersecurity report includes the following three key sets of information:

  1. Management’s description

— The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (the description). This description is designed to provide information about how the entity identifies its most sensitive information, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context report users need to understand the conclusions, expressed by management in its assertion and by the CPA in the opinion, about the effectiveness of the controls included in the entity’s cybersecurity risk management program.

  2. Management’s assertion

— Management provides an assertion about whether the description is presented in accordance with the description criteria and whether the controls within the program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. (These criteria are discussed below.)

  3. The practitioner’s opinion

— The final component in the reporting framework is the CPA’s opinion on the description and on the effectiveness of controls within that program.



If you need assistance to design or map your existing audit program to these new criteria, please give us a call.  We're ready for you.


We've extracted and formatted some of the content to help you get started.  Here's the high-level content of the guidance report.

NATURE OF BUSINESS AND OPERATIONS

DC1: The nature of the entity's business and operations, including the principal products or services
  • The entity's principal markets, including the geographic locations of those markets, and changes to those markets
  • If the entity operates more than one business, the relative importance of the entity's operations in each business and the basis for management's determination (for example, revenues or asset values)

NATURE OF INFORMATION AT RISK

DC2: The principal types of sensitive information created, collected, transmitted, used, or stored by the entity

  • Information regarding individuals that warrants protection based on law, commitment, or reasonable expectation of confidentiality (for example, personally identifiable information, protected health information, and payment card data)
  • Third-party entity information (for example, information subject to confidentiality requirements in contracts) that warrants protection based on law, commitment, or reasonable expectation of confidentiality, availability, and integrity
  • Entity information (for example, trade secrets, corporate strategy, and financial and operational data) whose confidentiality, availability and integrity is necessary to the achievement of the entity's business objectives
DC3: The entity's principal cybersecurity risk management program objectives (cybersecurity objectives) related to availability, confidentiality, integrity of data, and integrity of processing
  • The accuracy, completeness, and reliability of information, goods, and services produced
  • The safeguarding of entity assets
  • Safeguarding of life and health

CYBERSECURITY RISK MANAGEMENT PROGRAM OBJECTIVES (CYBERSECURITY OBJECTIVES)

DC4: The process for establishing, maintaining, and approving cybersecurity objectives to support the achievement of the entity's objectives
  • The process for establishing cybersecurity objectives based on the entity's business and strategic objectives established by the board of directors and management
  • The process for obtaining board of director or executive management approval of the entity's cybersecurity objectives
  • The use of security management and control frameworks in establishing the entity's cybersecurity objectives and developing and maintaining controls within the entity's cybersecurity risk management program, including disclosure of the particular framework(s) used (for example, NIST Cybersecurity Framework, ISO 27001/2 and related frameworks, or internally- developed frameworks based on a combination of sources)

FACTORS THAT HAVE A SIGNIFICANT EFFECT ON INHERENT CYBERSECURITY RISKS

DC5: Factors that have a significant effect on the entity's inherent cybersecurity risks, including the (1) characteristics of technologies, connection types, use of service providers, and delivery channels used by the entity, (2) organizational and user characteristics, and (3) environmental, technological, organizational and other changes during the period covered by the description at the entity and in its environment.
  • Changes to the entity's principal products, services, or distribution methods
  • Significant changes to entity processes, IT architecture and applications, and the processes and systems used by outsourced service providers
  • Acquisitions and other business units that have not been fully integrated into the cybersecurity risk management program including the integration or segmentation strategy used for the acquiree's IT systems, and the current state of those activities
  • Changes to legal and regulatory requirements
  • Divestitures and other cessations of operations, particularly those that have ongoing service support obligations for systems related to those operations (if any), and the current status of those activities
DC6: For security incidents that (1) were identified during the 12-month period preceding the period end date of management's description and (2) resulted in a significant impairment of the entity's achievement of its cybersecurity objectives, disclosure of the following: (a) the nature of the incident; (b) the timing surrounding the incident; and (c) the extent (or effect) of those incidents and their disposition. An incident is treated as significant when, for example, it:
  • Was considered sufficiently significant based on law or regulation to require public disclosure
  • Had a material effect on the financial position or results of operations and required disclosure in financial statement filings
  • Resulted in sanctions by any legal or regulatory agency
  • Resulted in withdrawal from material markets or cancellation of material contracts

CYBERSECURITY RISK GOVERNANCE STRUCTURE

DC7: The process for establishing, maintaining, and communicating integrity and ethical values to support the functioning of the cybersecurity risk management program
  • How management sets the tone at the top
  • The establishment and enforcement of standards of conduct for entity personnel
  • The process used to identify and remedy deviations from established standards
  • Consideration of contractors and vendors in process for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner
DC8: The process for board oversight of the entity's cybersecurity risk management program
  • The extent of the board of directors' cybersecurity and IT expertise or access to external cybersecurity and IT expertise, or both
  • Identification of the board committee designated with oversight of the entity's cybersecurity risk management program, if any
  • The frequency and detail with which the board or committee reviews or provides input into cybersecurity-related matters, including board oversight of security incidents
DC9: Established cybersecurity accountability and reporting lines
  • The responsibility for the review and oversight of the cybersecurity risk management program by senior management
  • The identification of the designated cybersecurity leader (for example, chief information security officer), and the reporting of that individual to executive management and board of directors
  • The roles and responsibilities of entity personnel who perform cybersecurity controls and activities
  • The process for addressing the oversight and management of external parties (for example, vendors) when establishing structures, reporting lines, authorities, and responsibilities
DC10: The process used to hire and develop competent individuals and contractors and to hold those individuals accountable for their cybersecurity responsibilities
  • The process for considering the competence of qualified personnel with cybersecurity responsibilities, including the performance of background checks, assessment of educational levels and certifications, requirements for ongoing training, hiring contractors, and the use of offshore recruiting
  • The program for providing cybersecurity awareness and training to employees and contractors based on their cybersecurity responsibilities and access to information and information systems
  • The process for making sure that employees and contractors have the resources necessary to carry out their cybersecurity responsibilities
  • The process for identifying the types and levels of cybersecurity professionals needed
  • The processes used to communicate performance expectations and hold individuals accountable for the performance of their responsibilities
  • The processes to update communication and accountability mechanisms and monitor employee compliance with their responsibilities and entity policies
  • The process used to reward individuals for performance and the process used to align the measures used to the achievement of the entity's objectives

CYBERSECURITY RISK ASSESSMENT PROCESS

DC11: The process for (1) identifying cybersecurity risks and environmental, technological, organizational and other changes that could have a significant effect on the entity's cybersecurity risk management program and (2) assessing the related risks to the achievement of the entity's cybersecurity objectives
  • The use of new technologies
  • Changes to the regulatory, economic, and physical environment in which the entity operates
  • New business lines
  • Changes to the composition of existing business lines
  • Changes in available resources
  • Acquired or divested business operations
  • Rapid growth
  • Changing operational presence in foreign countries
  • Changing political climates
DC12: The process for identifying, assessing, and managing the risks associated with vendors and business partners
  • Establishing specific requirements for a vendor and other business partner engagement that includes scope of services and product specifications, roles and responsibilities, compliance requirements, and service levels
  • Assessing, on a periodic basis, the risks that the vendors and business partners represent to the achievement of the entity's objectives, including risks that arise from those entities' relevant vendors and business partners (often referred to as fourth party risk)
  • Assigning responsibility and accountability for the management of associated risks
  • Establishing communication and resolution protocols for service and product issues, including reporting of identified threats
  • Establishing exception-handling procedures
  • Periodically assessing the performance of vendors and business partners and those entities' relevant vendors and business partners
  • Implementing procedures for addressing associated risks

CYBERSECURITY COMMUNICATIONS AND QUALITY OF CYBERSECURITY INFORMATION

DC13: The process for internally communicating relevant cybersecurity information necessary to support the functioning of the entity's cybersecurity risk management program, including (1) objectives and responsibilities for cybersecurity and (2) thresholds for communicating identified security events that are monitored, investigated, and determined to be security incidents requiring a response, remediation, or both
  • Awareness programs, including training about detecting and avoiding social engineering threats and security breach reporting and response
  • Job descriptions
  • Acknowledgement of code of conduct and policies
  • Employee-signed confidentiality agreements
  • Policy and procedures manuals
DC14: The process for communicating with external parties regarding matters affecting the functioning of the entity's cybersecurity risk management program
  • The existence and use of open communication channels that allow input from customers, consumers, vendors, business partners, external auditors, regulators, financial analysts, and others to provide management and the board of directors with relevant information
  • The process for creating and updating communications regarding cybersecurity, including considerations of timing, audience, and nature of information when selecting the communication method to be used
  • The use of various communication channels, such as whistle-blower hotlines, to enable anonymous or confidential communication when normal channels are inoperative or ineffective
  • The process by which legal, regulatory, and fiduciary requirements, including required communication of data breaches and incidents, are considered when making communications

MONITORING OF THE CYBERSECURITY RISK MANAGEMENT PROGRAM

DC15: The process for conducting ongoing and periodic evaluations of the operating effectiveness of key control activities and other components of internal control related to cybersecurity
  • The variety of different types of ongoing and separate evaluations used, which may include a combination of periodic and continuous internal audit assessments, penetration testing, and independent certifications made against established security and other specifications (for example, ISO 27001 and HITRUST)
  • The process for considering the rate of change in business and business processes when selecting and developing such evaluations
  • The process for performing the ongoing and periodic evaluations, including whether (a) the design and current state of the entity's cybersecurity risk management program, including the controls, are used to establish a baseline; (b) evaluators have sufficient knowledge to understand what is being evaluated; and (c) the scope and frequency of the evaluations is commensurate with the risk
DC16: The process used to evaluate and communicate, in a timely manner, identified security threats, vulnerabilities, and control deficiencies to parties responsible for taking corrective actions, including management and the board of directors, as appropriate
  • The process by which management and the board of directors, as appropriate, assess results of ongoing and periodic evaluations, including whether the process considers the remediation of identified security threats, vulnerabilities, and control deficiencies
  • The process for communicating identified security threats, vulnerabilities, and control deficiencies to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate
  • The process for monitoring remediation of identified deficiencies
DC17: The process for developing a response to assessed risks, including the design and implementation of control processes
  • The process to align controls with risk responses needed to protect information assets and to detect, respond to, mitigate and recover from security events based on the assessed risks
  • The consideration of the environment in which the entity operates, the complexity of the environment, the nature and scope of the entity's operations, and its specific characteristics when selecting and developing control processes
  • The process for including a range and variety of controls (for example, manual and automated controls and preventive and detective controls) in risk mitigation activities to achieve a balanced approach to the mitigation of identified cybersecurity risks
  • The use of risk transfer strategies, including the purchase of insurance, to address risks that are not addressed by controls
DC18: A summary of the entity's IT infrastructure and its network architectural characteristics
  • The use of segmentation, where appropriate, and baseline configurations of both physical and virtual endpoints, devices, firewalls, routers, switches, operating systems, databases, and applications
  • The use of infrastructure and network elements provided by outsourced service providers
DC19: The key security policies and processes implemented and operated to address the entity's cybersecurity risks, including those addressing the following:
  • The process for establishing retention periods for types of confidential information and identifying the information when received or created and associating the information to a specific retention period
  • The process for identifying information classified as confidential
  • The process for preventing the destruction of identified information during its specified retention period
  • The process for identifying information that has reached the end of its retention period and information that is an exception to the retention policies
  • The process for destroying information identified for destruction

We hope you are adequately preparing for the new AICPA assessment criteria.  We advise everyone to begin at the end, with DC19: judged by the size of its implementation guidance, it is by far the largest criterion in the set.

DC19

To give a sense of the size of the last criterion in this guidance, here is the full text for DC19, followed by its implementation guidance.

DC19: The key security policies and processes implemented and operated to address the entity's cybersecurity risks, including those addressing the following:

  • The process for establishing retention periods for types of confidential information and identifying the information when received or created and associating the information to a specific retention period
  • The process for identifying information classified as confidential
  • The process for preventing the destruction of identified information during its specified retention period
  • The process for identifying information that has reached the end of its retention period and information that is an exception to the retention policies
  • The process for destroying information identified for destruction

Implementation Guidance

When making judgments about the nature and extent of disclosures to include about the key security policies and processes, consider the following:

  • The existence of a formal security policy established to implement the entity's cybersecurity strategy
  • Key topics addressed by the security policy

When making judgments about the nature and extent of disclosures to include about the prevention of intentional and unintentional security events, consider the following:

  • Protection of data whether at-rest, during processing, or in-transit
  • Data loss prevention
  • User identification, authentication, authorization, and credentials management
  • Physical and logical access provisioning and de-provisioning, including remote access
  • Privileged account management
  • IT asset management, including hardware and software commissioning, configuration, maintenance, and decommissioning, as well as physical and logical servers and other devices
  • Operating location and data center physical security and environmental safeguards
  • Monitoring and managing changes to systems made internally or by external parties, including software acquisition, development, and maintenance and patch management

When making judgments about the nature and extent of disclosures to include about the detection of security events; identification of security incidents; development of a response to those incidents; and implementation activities to mitigate and recover from identified security incidents; consider the following:

  • The deployment of tools and programs, the implementation of monitoring processes and procedures, or the operation of other measures to identify anomalies, analyze those anomalies to identify security events, and communicate identified security events to appropriate parties
  • The deployment of procedures to measure the effectiveness of activities planned in the event of a disruption to operations that requires the recovery of processing at alternate locations and the updating of plans based on the result of those procedures
  • The process by which management identifies security incidents from detected security events
  • The process by which management identifies security incidents based on notification of security events received from third parties
  • The process by which management evaluates security incidents and assesses the corrective actions needed to respond to and mitigate the harm from incidents
  • The process by which management assesses the impact of security incidents to data, software, and infrastructure
  • The process by which management restores operations after identified security incidents, including the oversight and review of the recovery activities by executive management
  • The process by which the incident response plan is updated based on the analysis of lessons learned
  • The process used to communicate information about the security incident, including the nature of the incident, restoration actions taken, and activities required for future prevention of the event to management and executive management
  • The process used to make communications to affected third parties about the security incident
  • The process for periodically testing the incident response plan

When making judgments about the nature and extent of disclosures to include about the management of processing capacity to provide for continued operations during security, operational, and environmental events, consider the following:

  • The deployment of tools and programs, the implementation of monitoring processes and procedures, or the operation of other measures to monitor capacity usage
  • The process for forecasting capacity needs and the process for requesting system changes to address those needs
  • The procedures for assessing the accuracy of the capacity forecasting process and revising the process to improve accuracy

When making judgments about the nature and extent of disclosures to include about the detection, mitigation, and recovery from environmental events and the use of back-up procedures to support system availability, consider the following:

  • The deployment of tools and programs, the implementation of monitoring processes and procedures, or the operation of other measures to identify developing environmental threat events and to mitigate those threats
  • The processes for identifying data for backup and for backing up and restoring data to support continued availability in the event of the destruction of data within systems
  • The process for developing and maintaining a business continuity plan, including procedures for the recovery of operations in the event of a disaster at key processing locations
  • Key topics addressed by the business continuity plan, including identification and prioritization of systems and data for recovery and provision for alternate processing infrastructure in the event that the normal processing infrastructure becomes unavailable
  • Procedures for periodically testing the procedures set forth in the business continuity plan

When making judgments about the nature and extent of disclosures to include about the identification of confidential information when received or created; determination of the retention period for that information; retention of the information for the specified period; and destruction of the information at the end of the retention period, consider the following:

  • The process for establishing retention periods for types of confidential information and identifying the information when received or created and associating the information to a specific retention period
  • The process for identifying information classified as confidential
  • The process for preventing the destruction of identified information during its specified retention period
  • The process for identifying information that has reached the end of its retention period and information that is an exception to the retention policies
  • The process for destroying information identified for destruction