Tuesday, 8 September 2015

COSO-Guided Cybersecurity: Risk Assessment

As cyber risk continues to be a critical topic of discussion in the C-suite and boardroom, organizations should consider how to adapt cyber security strategies, processes and technologies to meet this significant and constantly evolving threat. By considering the likely attack methods and routes of exploitation through a risk-assessment process, organizations can be better positioned to mitigate the potential impact that cyber breaches have on achievement of their objectives.

Developing effective controls requires that organizations view the task in a comprehensive way. “Cybersecurity controls are not an IT-only problem, but rather a mission-critical business challenge,” said Robert Hirth, chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), during a Deloitte webcast. “It is something that involves everyone within an organization and a strategy that the organization as a whole has to get its arms and mind around,” he added.

One effective risk-assessment strategy is to leverage the 2013 internal control framework issued by COSO. “Organizations may want to look at cyber risk management by viewing their cyber profile through the components of internal control,” said Donna Epps, Deloitte Advisory partner at Deloitte Financial Advisory Services LLP, and a member of Deloitte’s Global Governance, Risk and Compliance practice, during the webcast. “The 2013 Framework has been enhanced and incorporates how organizations should manage IT innovation in light of globalization, complex business processes, regulatory demands and fraud risk assessments,” she noted.

Managing cyber risk through a COSO lens can help the board and senior executives better communicate their risk tolerance levels and risk-related objectives for the business.

“It is important to start the cybersecurity discussion at the highest level of ownership and oversight of cyber, which is the board,” observed Sandra Herrygers, Deloitte Advisory partner at Deloitte & Touche LLP and leader of its Information Technology Specialist group. “The board is responsible for oversight of the broad business risks that can affect an entity, and cyber risk falls into that category,” she added.

With clear priorities set by the board and senior management, others within the organization, including IT personnel, can focus on assessing the information systems most likely to be targeted by attackers, possible attack methods and points of potential vulnerability.

“The results of a risk assessment ultimately drive the allocation of an organization’s resources against control activities that prevent, detect and manage cyber risk,” said Mary Galligan, Deloitte Advisory director at Deloitte & Touche LLP in Cyber Risk Services, and former FBI special agent in charge of Cyber and Special Operations for the New York office. However, companies should consider directing investments at the risk assessment process itself.

“An organization has finite resources and its decision to invest in control activities should be made upon relevant, quality information that prioritizes funding to information systems critical to the company,” added Ms. Galligan.

Most organizations face a variety of cyber risks from external and internal sources. Cyber risks should be evaluated against the possibility that an event will occur and adversely affect the achievement of the organization’s objectives. Malicious actors, especially those motivated by financial gain, tend to operate on a risk/reward basis. The perpetrators of cyberattacks, and the motivations behind their attacks, generally fall into the following broad categories: national states and spies, organized criminals, terrorists, hacktivists (individuals or groups that want to make a social or political statement by stealing or publishing an organization’s sensitive information) and, equally important, insiders.

Using COSO to Assess Cyber Risk  

The COSO framework comprises five internal control components—control environment, risk assessment, control activities, information and communication, and monitoring activities—and 17 related principles. Several of the COSO principles can be used to help organizations develop a cyber risk assessment process.

For example, many organizations spend little time gaining an understanding of which information systems are critical to the organization and have difficulty understanding where and how information is stored. Either miscue can lead to attempts to protect everything, which can lead to overprotecting certain information systems and underprotecting others.

COSO’s Principle 6, which recommends that an organization specify company objectives with enough clarity to identify and assess risks that may hamper business goals, can help direct organizations in pinpointing potential vulnerabilities. Organizations should consider evaluating objectives in the areas of operations, external financial reporting, external nonfinancial reporting, internal reporting and compliance. “This is a critical step because until an organization establishes and prioritizes corporate objectives, management and the board can’t be sure which risks might hinder achievement of those objectives,” noted Ms. Herrygers.

Applying two other COSO elements, Principle 7 and Principle 8, can help create a deeper risk assessment that evaluates the severity and likelihood of cyber risk impacts. Principle 7 relates to the overall risk assessment process, and Principle 8 focuses on fraud risk assessment.

Industry considerations also are important, as perpetrators typically have objectives that differ depending on the sector. In the retail sector, organized criminals are the most likely attackers, focused primarily on exploiting vulnerabilities in systems containing information that can be used for profit (e.g., credit card data or personally identifiable information). Alternatively, the oil and gas industry might be targeted by nation states with a motive to steal strategic data about future exploration sites. Chemical companies may find themselves targeted by hacktivists because of perceived environmental issues around their products.

“The costliest attacks tend to be the ones that are highly targeted at an organization for specific reasons,” noted Ms. Galligan. Therefore, individuals involved in assessments may want to focus on, for example, financial or strategic information considered valuable to perpetrators, or information linked to M&A activity or intellectual property. “Organizations should identify cyber risks that are unique not only to their industry but also to their individual company and operations,” she added.

Principle 9 introduces a topic new to the COSO framework: Identifying and assessing changes that could significantly affect internal control systems. Such changes could be the adoption of Web, mobile, cloud and social media technologies, which like outsourcing, offshoring and third-party contracting often increase the opportunity for cyberattacks. “Business and technology innovations adopted by organizations can create exposure, which is why risk assessment processes should be dynamic and iterative and consider internal and external threats,” said Ms. Galligan.

Ideally, risk assessments should be updated on a continuous basis to reflect changes that could impact an organization’s deployment of cyber controls to protect its most critical information systems. As information is generated from monitoring the changing threat landscape and the risk assessment process, senior executives and other stakeholders can share and discuss this information to make informed decisions on how to protect the organization against exposure to cyber risks.

When considering changes, risk assessments also should include personnel changes. Turnover of personnel at operational levels can have a significant impact on whether control responsibilities designed to minimize effects of potential cyberattacks are carried out effectively.

“In general, cyber risk should be considered in terms of relevance to all other business risks,” noted Ms. Epps. “When an organization undertakes a risk assessment, the board, executives and managers should evaluate cyber threats in each area, and determine how cyber risk may impact the business broadly,” she added.

View the original content and more from this author here: http://ift.tt/1Ou1pXf



from cyber security caucus http://ift.tt/1Ou1n1t
via IFTTT

No comments:

Post a Comment