Panel 4: Accounting for Cybersecurity Reporting and Attestation Issues
October 2, 2015

The Cybersecurity Issue

Increasing Board Concern: As a result of the widely publicized cyber attacks on major corporations and public sector entities by hackers, criminals and foreign governments, cybersecurity is gaining increasing attention from boards of directors, customers, business partners, and regulators.

Causes Not Well Defined or Understood: Are these attacks due to a lack of standards, inadequate regulations, managements' failures to adopt adequate countermeasures, lapses in monitoring, or a lack of satisfactory technical solutions?

Evaluating Cybersecurity Initiatives: Entities are currently in the process of evaluating their cybersecurity programs, and are discussing options for communicating how they achieve their cybersecurity objectives.

Independent Reporting: One key aspect of communicating the achievement of cybersecurity objectives is the ability to provide assurance by way of a report on cybersecurity controls from an independent assessor.

The Cybersecurity Issue: The AICPA's Response

The AICPA's Assurance Services Executive Committee (ASEC) formed the ASEC Cybersecurity Working Group to work in collaboration with the AICPA's Auditing Standards Board (ASB) in developing practitioner guidance for performing examination-level attestation engagements related to cybersecurity.

Tools for the Profession: The working group will be responsible for identifying or developing suitable measurement criteria and for developing a cybersecurity attestation guide, as well as a supply chain/vendor management attestation guide, to provide performance and reporting guidance for practitioners engaged to report on controls over cybersecurity for an entity or portions of an entity (i.e. system(s), related systems, operating unit or division).
Effective Reporting: A cybersecurity attestation report will provide useful information to users in making decisions as stakeholders in the entity.

Cybersecurity Discussants

Chris Halterman, Partner, EY
Chris Halterman is an Executive Director in the Advisory Services practice of Ernst & Young LLP, with more than 26 years of experience in the public accounting profession, focusing on IT and process controls and information integrity. He leads EY's Advisory Service Organization Control Reporting practice globally and in the Americas, with responsibility for developing methodology, training, client service strategy, quality assurance programs and market initiatives. Chris is a member of the AICPA Assurance Services Executive Committee (ASEC) and chairs the ASEC Trust/Information Integrity Task Force. In this role, he leads the AICPA's efforts to establish the criteria for evaluating system security, availability, processing integrity, confidentiality and privacy. As Chair of the ASEC task force, Chris speaks regularly on SOC 1 (formerly SSAE 16) and SOC 2 reports in the US and internationally. He also serves as signing executive for a major service organization's SOC 1 and SOC 2 reports and performs quality review on numerous other reports.

Graham Gal, University of Massachusetts
Graham Gal is an Associate Professor of Business Administration at the Isenberg School of Management in the Department of Accounting and Information Systems. His research interests include business ontologies, specification of internal controls, continuous monitoring, continuous reporting, organizational security policies, and controls for sustainability reporting. Dr.
Gal has recently presented his work at the University of Vienna's Value Modeling and Business Ontologies symposium, the REA Workshop at CAISE, The University of Melbourne, Marmara University's Ethics, Fraud, Governance and Social Responsibility Symposium, and Rutgers' Continuous Reporting and Monitoring workshops. He has published in a number of journals including the Journal of Emerging Technologies in Accounting, Decision Sciences, Expert Systems Review, Expert Systems, Journal of Information Systems, The Information Systems Control Journal, Advances in Accounting Information Systems, The International Journal of Accounting Information Systems, and The International Journal of Information Management. Dr. Gal is an associate editor of the Journal of Emerging Technologies in Accounting and The International Journal of Auditing Technology.

Cybersecurity Moderator

Robert G. Parker, Retired Deloitte Partner, UW-CISA
Robert Parker is a retired Deloitte Enterprise Risk partner. He has been involved with information technology for many years, is a Past International President of ISACA, has served on many AICPA committees (SysTrust, Privacy Task Force and Top Tech Issues) and on many CPA Canada committees (Privacy, the Information Technology Management Advisory Committee, Year 2000 Committee and Database Auditing, to name a few). He is a member of the Board of Directors of the University of Waterloo Centre for Information Integrity and Systems Assurance.
Cybersecurity Participation
Open Discussion Following the Discussants' Presentations

Opening Comments
Security continues to rank highly on nearly everyone's list of concerns. The AICPA – CPA Canada 25th Anniversary Top Tech Issues survey ranked security
[Chart: "Issues". Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey]

Opening Comments
Security breaches involving personal information – information about an identifiable individual – are quickly becoming the norm.
[Chart: "Confidence". Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey]
[Chart: "Cybersecurity – Confidence – Dropdown Questions". Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey]
[Chart: "Cybersecurity – Confidence". Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey]

Cybersecurity
[Three chart slides: 10 largest data breaches of 2014. Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403]

Cybersecurity: 2015 Data Breaches
• Anthem BlueCross BlueShield – 80 million patient records – February
• Office of Personnel Management – 21.5 million – May
• Premera BlueCross BlueShield – 11.2 million records – January
• Office of Personnel Management – 4.2 million records – April
• Ashley Madison – 25 gigabytes (no indication of how many of their over 40.8 million members were exposed) – August
• CareFirst BlueCross BlueShield – 1.1 million records – May
• Hacking Team – 1 million emails – July
• Army National Guard – 850,000 records – July
• Penn State University – 18,000 – February

Cybersecurity: Data Breach Costs
By design, the data breach cases included in this research had a minimum value of 1,000 records and a maximum value of 100,000 records.
As discussed, we do not include data breach cases in excess of 100,000 records because this would affect the findings, and such cases are not representative of the data breaches most companies experience.

Cybersecurity
How many have this or a similar type of communication?

USA adopting chip & signature and not chip & PIN
Among the many options are three for the cardholder verification method (CVM):
1) Chip and PIN – the most secure option, because it requires the cardholder to enter a personal identification number with each purchase;
2) Chip and Signature – where the cardholder need only sign a receipt; and
3) Chip and Nothing – where, as the name implies, the cardholder is not verified.
Likely motivation for not adopting Chip and Signature:
• Lack of desire to alter existing cardholder behavior by introducing PINs with credit cards
• An attempt to limit the cost of EMV (Electronic Member Verification) for merchants by not requiring the purchase of an EMV-compliant PIN pad.

Cybersecurity Participation
Open Discussion Following the Discussants' Presentations

Questions
• Given the requirements for assessment criteria, is there a plan in place to continually or periodically review the technical information on cybersecurity and cyber breaches and update the AICPA's guidance material?
  – Assessment Criteria
  – Scope of Assessments

Questions
• A number of high profile cyber security breaches have been successful by exploiting the "soft underbelly" of an almost unrelated organization. Organizations are allowing or welcoming the perpetrators into their organization, sometimes unwittingly and at times as trusted business partners. Where do we go from here? What do we have to do to get managements' attention?

Questions
• What are the top 3 cybersecurity risks that management must address?

Questions
• What impact has the "Internet of Things" had on the way businesses address, or should address, cybersecurity?
Questions
• Does BYOD significantly alter the cybersecurity requirements? Does MDM (Mobile Device Management) software do much to protect the organization?

Questions
• The media focuses on large security breaches involving personal information; is this useful, meaningful or appropriate? What about SCADA-controlled devices?

Questions
• Many organizations rely on the Fortress Model, whereby a strong and robust perimeter is established and monitored using IDS (Intrusion Detection Software) and IPS (Intrusion Prevention Software). What else would you recommend that organizations do to strengthen their cybersecurity defences to lessen the risk of an event occurring or, if one does occur, the impact of the cybersecurity breach?

Questions
• The Ponemon Institute and others have frequently identified internal data breaches as being more prevalent than external cyber breaches, although fewer records may be accessed; is management focusing resources in the most appropriate area?

Questions
• Which is the most frequently adopted cybersecurity standard? (COBIT, NIST, ISO, Industry, AICPA, etc.)

Questions
• What are the key failings that management should avoid in ensuring that their organization is not a victim of a cyber security breach? What is management not doing that they should? What are the key security controls that management should implement and monitor to ensure that their organization is not a victim of a cyber security breach?

Questions
• Where should cybersecurity responsibility reside? (ISP, Organization, Network Management, Data Owners, End Users, Subject Data)

Questions
• Has the general public become too acclimated and now accepts cyber security breaches as the norm? Do you believe that users, customers and others will require a cybersecurity certificate before doing business with an organization?
Questions
• On a scale of 1 to 10, with 10 being excellent and 1 being nonexistent or ineffective, where would you rank the existing technology-based tools designed to protect data in the event of a cyber-attack?

Questions
• Legislation, regulations and rules can only go so far in preventing cyber-attacks; do they go far enough? Where are they weak or non-existent? Are the penalties severe enough? Can they ever be effective? How can we motivate management to do it better?

Thank You For Your Interest and Participation