Almost every day, a new cyberattack is announced in the media. Along with the increased number of reported attacks, the number of victims and the amount of information compromised by each attack are also increasing.
For most entities, cybersecurity is a significant business risk that needs to be identified, assessed, and managed. It is management’s responsibility to ensure all employees, not only those in the IT department, address cybersecurity risks.
Are you ready to demonstrate how your organization manages cybersecurity risk? Analysts, investors, business partners, regulators, members of the board of directors, senior managers of an entity, and others within the organization often want information about how management mitigates cybersecurity risks. This information can be summarized in documentation describing your entity’s cybersecurity risk management program. Controls to achieve cybersecurity objectives will be designed and implemented to minimize risks. Once this documentation is created, an audit can be conducted year after year with a report issued to give stakeholders the comfort they want and need.
Preparing for a cybersecurity risk management audit doesn’t have to be difficult. Management designs and documents:
- The Description of the entity’s cybersecurity risk management program using suitable criteria.
- Controls within the program to achieve the entity’s security objectives based on suitable control criteria.
Management may select any description or control criteria as long as they are suitable and available. Criteria are suitable when they exhibit all of the following characteristics:
Typically, suitable criteria are also publicly available. Examples of suitable and available criteria include:
- Description Criteria – Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program
- Controls Criteria – TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria)
How We Can Help
We understand that your work days are busy, and there’s never a convenient time to devote internal resources to document an effective cybersecurity risk management program. That’s where we can help.
Accounting and Business Consultants, LLC is a specialty CPA and consulting firm with expertise in documenting and auditing cybersecurity risk management programs for businesses like yours. We will help you document your entity’s cybersecurity risk management program and design effective controls.
We can also help you plan and perform a cybersecurity audit to meet your reporting needs.
Contact us to discuss the costs and benefits of a cybersecurity risk management program and report, or to learn more about our full suite of accounting, auditing and consulting services.