U.S. include Target Corp., Home Depot Inc., the Internal Revenue Service, and other government agencies such as the Office of Personnel Management. Companies and governments need to consider the risks of a cyberattack, and consider backup plans in the event a cyberattack results in a loss of hardware, software, or data. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a thought paper, COSO in the Cyber Age, to help organizations assess and mitigate risks associated with cybersecurity through the existing COSO Framework. Visit the COSO Web site (www.coso.org), and refer to the “Guidance” tab. Read the thought paper to answer the following questions:
Required
1. The COSO guidance acknowledges that “cyber risk is not something that can be avoided; instead it must be managed.” Why is cyber risk unavoidable? Does this acknowledgement make it more or less difficult to address and mitigate cyber risk?
2. At the control environment level (the first of the five components of internal control), what should organizations do to address cyber risk?
3. The paper identifies five broad categories of cyberattack perpetrators and motivations. Briefly describe each group of perpetrators and their motivation.
4. What types of control activities are recommended to address cyber risks?
1. Why is cyber risk unavoidable?

a) Over the past two decades, information technology (IT) has dramatically transformed the way businesses operate, to the point where businesses now exist in a primarily cyber-driven world. Customers’ orders are processed over electronic data interchanges on the Internet with little or no human intervention. Business processes are often outsourced to service providers, enabled by interconnected networks. More and more corporate personnel work remotely or from home, with little need to come into the office. Inventory is tracked in warehouses through radio-frequency identification (RFID) tags. Online-only banks exist, and nearly all banks offer Internet banking to customers.

b) Expectations relating to preventing and detecting fraud.

c) While cyber attacks in certain industries have dominated news coverage, all industries are susceptible to cyber attacks. Which data, systems, and assets are of value at any particular point in time depends on the attacker’s motives. As long as cyber incidents continue to have a negative impact on the financial well-being of victim companies and continue to draw additional regulatory scrutiny, cyber breaches will continue to be high-profile events that draw a substantial amount of press.

Acknowledging that cyber risk cannot be avoided makes it less difficult to address: the objective becomes managing the risk to an acceptable level rather than pursuing the impossible goal of eliminating it, and the COSO guidance and related technological solutions can be applied toward that objective.

2. At the control environment level, what should organizations do to address cyber risk?

At the control environment level, organizations should establish:
• A clear tone from the top regarding the importance of protecting information systems
• A program of ongoing and separate evaluations to assess the design and operating effectiveness of controls that are intended to reduce potential cyber exposures
• Assistance and involvement of qualified cyber risk professionals
• Appropriate monitoring of cyber risk and controls related to outsourced service providers
• Proper and timely communication of cyber deficiencies
• Accountability of control owners for helping to protect information systems

Being secure, vigilant, and resilient is an organizational responsibility, where each individual plays a role in the protection of information systems. While certain personnel within the organization will have explicit roles to manage cyber risk and controls, each person within the organization must be vigilant when it comes to protecting information systems. An organization-wide communication plan should be developed and executed to raise the awareness of personnel within the organization about cyber risks and controls.

Such communications can help strengthen what is often the weakest link of internal control, people, because of human nature. Consider the ramifications of human curiosity:
• What do people do when they receive an email from what appears to be a trusted co-worker, customer, vendor, or other business partner? If the email looks official, a single click on a hyperlink may begin the process of exploitation.
• What do people do if they find a USB drive lying on the floor? When they plug the drive into their computer to see who it might belong to, they may open a door that exposes the company to a more sophisticated payload the attacker primed on the drive.

The design of cyber control activities, which depend upon information, should consider the quality of the information used to execute those control activities. While information management policies should be established broadly across the organization, such policies should also be applied to cyber controls. There should be clear responsibility and accountability for the quality of that information, supported by adherence to data governance expectations that protect data and information from unauthorized access or change.

3. The paper identifies five broad categories of cyber attack perpetrators and motivations. Briefly describe each group of perpetrators and their motivation.

1. Nation-states and spies: hostile foreign nations, and those acting on their behalf, who seek to steal national security secrets, intellectual property, and trade secrets for military and competitive advantage.
2. Organized criminals: perpetrators who use sophisticated tools to steal money or private and sensitive information about an entity’s consumers (e.g., for identity theft).
3. Terrorists: rogue groups or individuals who look to use the Internet to launch cyber attacks against critical infrastructure, including financial institutions.
4. Hacktivists: individuals or groups who want to make a social or political statement by stealing or publishing an organization’s sensitive information.
5. Insiders: trusted individuals inside the organization who sell or share the organization’s sensitive information.

4. What types of control activities are recommended to address cyber risk?

1. A clear tone from the top regarding the importance of protecting information systems
2. A program of ongoing and separate evaluations to assess the design and operating effectiveness of controls that are intended to reduce potential cyber exposures
3. Assistance and involvement of qualified cyber risk professionals
4. Appropriate monitoring of cyber risk and controls related to outsourced service providers
5. Proper and timely communication of cyber deficiencies
6. Holding control owners accountable for helping to protect information systems