Cybersecurity threats are escalating, rattling boards of directors, managers, investors, customers and other stakeholders of organizations of all sizes--whether public or private. Organizations are under increasing pressure to demonstrate that they are managing these threats and have effective processes and controls in place to prevent and detect breaches that could disrupt their business, result in financial losses, or destroy their reputation.
SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. It uses a common, underlying language for cybersecurity risk management reporting, almost akin to US GAAP or IFRS for financial reporting, to enable all organizations – in all industries – to communicate relevant information about their cybersecurity risk management programs. Use of this common language brings comparability to the disclosures and enhances and complements disclosures based on other commonly used security frameworks, such as NIST or ISO’s 27001, that are in the market today.
Recognizing that cybersecurity is not just an IT problem; it’s an enterprise risk management problem that requires a global solution, this robust reporting framework and related criteria can be used by organizations to enhance cybersecurity risk management reporting and for CPAs for examine and report on such information.
Difference between cybersecurity and information security
Cybersecurity refers to the processes and controls implemented by an entity to manage cybersecurity risks. Because the processes and controls that address cybersecurity risks also address the vast majority of the entity’s other information security risks, the terms cybersecurity and information security are often used interchangeably. The main difference between information security and cybersecurity is that information security also addresses risks that arise from computer systems that are physically isolated from other electronic systems and the protection of information stored in a format that is not accessible through electronic means (such as printed paper stored in filing cabinets). From a practical standpoint, however, the difference is minor because most entities store, process, use and transmit information electronically. For purposes of the cybersecurity risk management examination, there is no distinction between the two terms. By using the term cybersecurity instead of information security, boards and senior management are acknowledging the new and magnified risks inherent with doing business in cyberspace.
Additionally, they recognize that the cyberspace environment is becoming increasingly hostile. The almost daily appearance of new threat actors who exploit the vulnerabilities of cyberspace for criminal or malicious purposes, and their use of new technologies to implement their attacks, increases the risks of operating in cyberspace. Thus, entities have to continually develop more effective and more targeted processes and control to respond to those risks. This requires board members and senior management to think well beyond the traditional IT areas of networks, applications, and data stores.
Cybersecurity risk management programs
A cybersecurity risk management program is a set of policies, processes, and controls management put into place to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
Management establishes cybersecurity objectives that address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). They vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors. For example, a telecommunications entity may have a cybersecurity objective related to the reliable functioning of those aspects of its operations that are deemed to be critical infrastructure, whereas an entity that promotes online dating is likely to regard the confidentiality of personal information collected from its customers as a critical factor towards the achievement of its operating objectives.
Common language (criteria)
Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (description criteria) are used by management in designing and describing their cybersecurity risk management program, and by CPAs to report on management’s description. Trust Services Criteria for Security, Availability, and Confidentiality (control criteria), are used by CPAs that provide advisory or attestation services to evaluate the controls within an entity’s cybersecurity risk management program. Management also may use the trust services control criteria to evaluate the effectiveness of controls within that program.
What is a SOC for Cybersecurity examination?
A SOC for Cybersecurity examination is an engagement performed by CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use. The cybersecurity risk management examination report includes the following three key components
Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (description). This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context needed for users to understand the conclusions, expressed by management in its assertion and by the practitioner in his or her report. Management uses the description criteria to prepare and evaluate an entity’s cybersecurity risk management program.
Management’s assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
Practitioner’s report. The third component is a practitioner’s report, which contains an opinion, which addresses both subject matters in the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Information for Entity Management guidance is available to assist management with understanding the cybersecurity risk management examination that can be performed by a CPA (practitioner) in connection with certain entity-prepared cybersecurity information. It is also intended to help management understand and discharge its responsibilities in connection with that engagement.