Communicating with stakeholders on cybersecurity risk management
A road map for success
This document has been prepared to assist organizations
in addressing the growing demand from stakeholders
to provide greater transparency and confidence in their
cybersecurity risk management program (CRMP) through
the issuance of enhanced stakeholder communications.
In summary, the journey to issue enhanced stakeholder
communications is a significant undertaking. It begins with
the implementation of a robust CRMP – one that effectively
manages the organization’s risks and helps to achieve its
business objectives.
•	 While most organizations have made significant
investments over the past several years to continue
the enhancement of their programs, many still require
substantial remediation to evolve their programs to an
appropriate level of maturity.
•	 For some organizations, this activity may require an
extended period of time to achieve.
A valuable resource for management teams to reference
as they undertake this activity is the American Institute
of Certified Public Accountants’ (AICPA) CRMP evaluation
criteria/framework. Unlike implementation frameworks that
focus on ensuring that the key building blocks of a program
are in place, the AICPA’s evaluation framework is focused
on the outcome – is the program designed and operating
effectively to meet the organization’s cybersecurity
objective?
•	 In addition to being more business-centric, if management
is considering the issuance of an enhanced stakeholder
communication under one of the AICPA’s reporting
options, adherence to the evaluation framework will be
essential, as the criteria and areas of focus will generally
serve as the basis of those engagements.
As you review this material and progress on your
own journey, feel free to reach out to your local EY
representatives if you would like further information on how
we can assist you.
Managing cybersecurity risk

Evaluating and reporting on cybersecurity risk management programs
An implementation road map

This road map outlines a comprehensive approach to preparing your organization for enhanced stakeholder communications.
Based on the current state of your CRMP, the time required to complete each phase will vary – especially Phase 5, where
remediation occurs.

Phase 1: Understand your business objectives, enterprise risk, cybersecurity risk and cybersecurity objectives
•	Understand the cybersecurity risk profile of your organization (e.g., who you are, what you do, how you do it, the markets
you operate in, the type of at-risk information you possess, contractual/regulatory data obligations, etc.)
•	Challenge the depth of your risk assessment relative to cybersecurity risk
•	Identify your cybersecurity objectives relative to availability, confidentiality, integrity of data and processing, and how
these objectives align with your overall business and strategic objectives
•	Update internal stakeholders on insights gained and next steps

Phase 2: Evaluate the current state of your CRMP
•	Challenge what you currently know about your entity-wide CRMP and its maturity
•	As necessary, perform a rapid assessment of your program to round out the understanding of your current state
•	Update internal stakeholders on insights gained and next steps

Phase 3: Evaluate your cybersecurity risk management and communication needs
•	Evaluate the need to further mature your CRMP
•	Evaluate whether formal reporting on your CRMP is needed, and if so, the type of reporting and proposed timing
	•	Internal stakeholders
	•	External stakeholders
•	Update internal stakeholders on insights gained and next steps

Phase 4: As necessary, perform an in-depth assessment of your CRMP
•	Evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s
cybersecurity objectives
•	Identify gaps/lack of maturity in the program
•	Develop an action plan to guide remediation of identified gaps/maturity issues
•	Update internal stakeholders on insights gained and next steps

Phase 5: Remediate gaps
•	Implement processes, controls and technology solutions to address identified gaps and issues
•	Update internal stakeholders on progress made

Phase 6: Re-assess your CRMP
•	Following completion of remediation, re-evaluate the design, maturity and operational effectiveness of key processes and
controls to achieve the organization’s cybersecurity objectives
•	Re-evaluate risk factors impacting the organization
•	Update internal stakeholders on insights gained and next steps

Phase 7: As necessary or desired, prepare for cybersecurity reporting
•	Develop draft report description based on AICPA’s “description criteria”
•	Engage a qualified service provider to execute examination procedures to evaluate the design and operational
effectiveness of the organization’s CRMP
Phase 1
Understand your business objectives, enterprise
risks, cybersecurity, contractual/regulatory
obligations and cybersecurity objectives
Review and challenge (and, as necessary, update) your
understanding of the “cybersecurity risk profile” of your
organization; ensure this understanding identifies:
•	 Who you are, what you do, how you do it, the markets
you operate in, etc.
•	 Compile all contractual/regulatory requirements, as well
as the entity’s commitments (e.g., published data policies)
and stakeholder expectations associated with data
•	 What type of information or processing is at risk, and
where that risk resides (e.g., internally, suppliers, cloud)
•	 Data that could be extracted and monetized
•	 Data that, if modified, could affect the integrity of
processing
•	 Applications that, if modified, could affect the integrity
of processing
Review and challenge (and, as necessary, update) the
depth of your risk assessment relative to cybersecurity risk
•	 Evaluate the likelihood and impact of cybersecurity risk on
data and processing activities that support the organization’s
key business processes (i.e., what could go wrong)
•	 Issues beyond what is most frequently seen in the market
(e.g., “data grabs”) should be considered given the
growing evolution of cybersecurity attacks; examples
include:
•	 Unauthorized manipulation of data (e.g., widespread
manipulation, or subtle manipulation that could
eventually call into question overall data integrity)
•	 Unauthorized manipulation of applications, business
rules, etc., that affect the processing of transactions
•	 Business interruption/ransomware attack that impacts
ongoing operations
•	 Enterprise risk management (ERM) programs often
identify cybersecurity as a single, isolated risk, rather
than identifying the implicit impact cybersecurity has
throughout the organization
•	 As necessary, update the enterprise risk inventory for
situations where identified cybersecurity risk had not
been properly reflected
•	 Challenge whether conclusions reached in the ERM
program should be revised based on the potential
likelihood and impact of cybersecurity risk
•	 Challenge the alignment of the ERM program to the
organization’s business goals and objectives
•	 Update the ERM program for any business objective
that is missing a relevant enterprise risk
Identify your cybersecurity objectives relative to
availability, confidentiality, integrity of data and integrity of
processing; these objectives generally relate to:
•	 Organizational matters such as business strategies,
protection of intellectual property, competitive
advantages and business operations
•	 Commitments made to customers, vendors, business
partners and others related to the security and
availability of information and systems
•	 Laws and regulations to which the entity is subject as a
result of the types of information it possesses or uses
•	 Industry standards to which the entity is subject as a
result of the types of information it uses
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
•	 A comprehensive understanding of the
organization’s cybersecurity risk profile, including a
compilation of CRMP requirements (e.g., contractual
obligations, regulatory requirements, company
policies and perceived stakeholder expectations)
•	 A comprehensive risk assessment that appropriately
identifies the likelihood and impact of cybersecurity
risk on the organization’s ERM program, and ultimately
the organization’s business goals and objectives
•	 A comprehensive listing of the cybersecurity
objectives that the organization intends to achieve
Build-out of key steps in road map (seven phases)
Phase 2
Evaluate the current state of your CRMP
Challenge what you currently know about your entity-wide
CRMP and its maturity
•	 Note: Most organizations: (1) have some form of a
CRMP in place and (2) periodically assess their program;
however:
•	 The depth and extent of these assessments vary
considerably, ranging from high-level/inquiry-
only assessments to comprehensive assessments
that include the detailed review/evaluation of
documentation and processes, testing, etc.
•	 Most organizations lack an accurate understanding
of the depth/extent of assessment that has been
performed, or their true maturity level
•	 Challenge the depth and breadth of previous internal and
external assessments
•	 Evaluate the results of previous assessments
•	 The scope of the assessment (e.g., business unit/
location-specific vs. enterprise-wide)
•	 The independence and objectivity of the assessment
•	 The depth of the assessment
•	 Inclusion of all critical CRMP components;
program components that are often overlooked,
or only covered at a superficial level include:
•	 Risk assessment activities
•	 Information assets (e.g., hardware, virtual
servers, software, data, connections, etc.)
•	 Monitoring capabilities
•	 Change management system
•	 Vendor risk management program
•	 Threat intelligence program
•	 Vulnerability management program
•	 Extent of validation of process/control
effectiveness performed
•	 Extent of compliance testing performed on
control procedures
•	 Competency and independence/objectivity
of assessor
•	 Volume and severity of issues identified/
outstanding
•	 Effectiveness of incident response detection,
evaluation and response
•	 Status of remediation of identified issues
•	 Challenge your understanding of program maturity
across the entity
•	 In light of new information accumulated on the depth
and breadth of previous assessments, challenge prior
conclusions on the maturity of the organization’s
CRMP
•	 Identify a comprehensive list of known issues and
related strategies to address the issues and the related
remediation timeline
•	 Ensure that the list is enterprise-wide
•	 Validate the viability of identified remediation
strategies and timelines
As necessary, perform a rapid assessment of the
organization’s program to round out the understanding of
your current state
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
•	 A more comprehensive understanding of the
current state and maturity level of the
organization’s CRMP
Phase 3
Evaluate your cybersecurity risk management
and communication needs
Evaluate the need to further mature your CRMP
•	 Compare your understanding of the current state of your
program and maturity level to expectations of the Board,
executive management and as necessary the market
(e.g., investors, clients, business partners)
•	 Solicit input from the Board and executive
management on their expectations relative to
the desired maturity level for cybersecurity risk
management; compare to the organization’s current
state
•	 Evaluate your ability to achieve your identified
cybersecurity objectives
•	 Gather information on the cybersecurity risk
management maturity level of market competitors;
compare to the organization’s current state
•	 As necessary, identify and execute a strategy
to enhance/mature your CRMP to align with the
organization’s needs
Evaluate whether formal reporting on the organization’s
CRMP is needed, and if so, identify the proposed time
frame
•	 Identify the organization’s various internal and external
stakeholders (e.g., Board, management, investors,
analysts, business partners, regulators) and their potential
need for greater transparency and confidence in the
organization’s CRMP
•	 Evaluate the range of communication options available to
address each stakeholder’s unique needs; examples may
include:
Communications options available to address stakeholders’ needs

Do nothing
•	 Scope: Not applicable
•	 Stakeholder applicability: Not applicable
•	 Benefits: Cost-effective
•	 Limitations: Does not address relevant areas of concern of the stakeholders

Internally prepared materials – Education sessions
•	 Scope: Determined by management
•	 Stakeholder applicability: Board; Executive management
•	 Benefits: Allows management to control the depth and breadth of the messaging; Cost-effective
•	 Limitations: Lacks objectivity; May not address relevant areas of concern of the stakeholders

Internally prepared materials – Presentation materials
•	 Scope: Determined by management
•	 Stakeholder applicability: Board; Executive management; Investors; Analysts; Business partners; Regulators
•	 Benefits: Allows management to control the depth and breadth of the messaging; Cost-effective
•	 Limitations: Lacks objectivity; May not address relevant areas of concern of the stakeholders

Pilot program (1) – Internal use only report
•	 Scope: Entire organization, or targeted at specific business units or higher-risk areas
•	 Stakeholder applicability: Board; Executive management
•	 Benefits: Heightened level of objectivity; Greater ability to manage investment in money and time
•	 Limitations: Does not address any immediate needs of outside stakeholders

AICPA reporting options (2) – Service Organization Controls (SOC) for Cybersecurity report
•	 Scope: Entire organization
•	 Stakeholder applicability: Board; Executive management; Investors; Analysts; Business partners; Regulators
•	 Benefits: Heightened level of objectivity; Content based on market-vetted framework
•	 Limitations: Significant investment in money and time

AICPA reporting options (2) – SOC for Service Organization report
•	 Scope: Portion of the organization that supports the outsourced service
•	 Stakeholder applicability: Business partners
•	 Benefits: Addresses all relevant areas of concern of the stakeholder
•	 Limitations: Significant investment in money and time

AICPA reporting options (2) – SOC for Supply Chain report
•	 Scope: Portion of the organization that supports the manufacturing and distribution of supply chain goods
•	 Stakeholder applicability: Business partners
•	 Benefits: Addresses all relevant areas of concern of the stakeholder
•	 Limitations: Significant investment in money and time

(1) As an interim step to reporting under the AICPA guidance, organizations could elect to adopt a staged rollout
(a) covering some or all of their operations and/or (b) using the AICPA evaluation framework or other suitable
criteria the organization may already be leveraging. Such reports would be restricted for internal use only.
(2) A further discussion of these options can be found at the AICPA’s website under the caption “SOC for
Cybersecurity” or in EY’s previously issued thought leadership “Cybersecurity Reporting.”

•	 Develop a proposed stakeholder communication strategy and recommended implementation timeline
•	 Review the proposed strategy and recommended implementation timeline with the Board and management

Desired outcomes and benefits:
•	 An evaluation of the organization’s cybersecurity risk management
program maturity across the key domains
•	 A summary of management’s point of view of its cybersecurity reporting needs
•	 Communication strategy and timeline for addressing needs
Phase 4
As necessary, perform an in-depth assessment
of the organization’s cybersecurity risk
management program
Evaluate the design, maturity and operational
effectiveness of key processes and controls to achieve the
organization’s cybersecurity objectives
•	 Leverage a comprehensive evaluation framework that
aligns with the organization’s anticipated reporting needs
(e.g., AICPA evaluation criteria) as a basis to evaluate:
•	 Adequacy of processes/controls to identify/complicate/
detect/respond/recover from a cyber event
•	 The framework selected must satisfy the “suitability
test” if subsequent reporting is being considered
•	 Evaluate process/control maturity
•	 Sufficiently documented to help ensure consistent
execution
•	 Sufficiently built-out to help ensure it is responsive
to the key underlying risks (or what-could-go-wrong
scenarios)
•	 Applied across the entire organization
•	 Consistently applied (i.e., compliance)
•	 Perform validation procedures to help ensure the
effectiveness of key processes and controls
•	 Perform process/control walk-through to confirm
understanding
•	 Validate implementation of automated processes
•	 Validate compliance with processes involving human
intervention
•	 Evaluate results
Identify key controls over key process areas
•	 Develop a mapping of the organization’s processes and controls against
the AICPA evaluation criteria or other suitable criteria
Identify gaps in the program
•	 Identify instances where current processes and controls
fail to satisfy evaluation criteria or other suitable criteria
Develop a prioritized and time-boxed action plan to guide
remediation of gaps
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
•	 Mapping of the organization’s processes and
controls against AICPA evaluation criteria
•	 Summary of significant deviations from the
expectations identified in the AICPA evaluation
criteria (i.e., gap assessment)
•	 Action plan that outlines remediation steps to
address gaps and associated timelines
Phase 5
Implement comprehensive solutions to address
identified gaps based on action plan
As noted previously, the time required to complete this
phase will vary considerably based on each organization’s
current status and assumptions made in the Phase 4 action
plan relative to time frames, priorities, challenges, etc.
Update internal stakeholders on progress made
Desired outcomes and benefits:
•	 Execution of action plan resulting in the
implementation of policies, procedures, controls
and technologies to address identified gaps
Phase 6
Re-assess the organization’s cybersecurity risk
management program
Following completion of remediation, re-assess the design
and effectiveness of processes and controls
•	 Perform validation procedures to help ensure the
effectiveness of key processes and controls
•	 Perform process/control walk-throughs to confirm
understanding
•	 Validate implementation of automated processes
•	 Validate compliance with nonautomated processes
Re-evaluate risk factors impacting the organization
•	 Given the extended time frame that may be required
to remediate gaps, consider structural, operational and
other changes that may have occurred within the
organization, and their impact on the CRMP
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
•	 Updated mapping of the organization’s processes
and controls against AICPA evaluation criteria
•	 Summary of any new significant deviations from
the expectations identified in the AICPA evaluation
criteria (i.e., gap assessment)
•	 Action plan that outlines remediation steps to
address gaps and associated timelines
•	 Execution of action plan resulting in the
implementation of policies, procedures, controls
and technologies
Phase 7
As necessary or desired (based on
communication needs), prepare for
cybersecurity reporting
Prepare draft of report description
•	 Develop report description based on AICPA “description
criteria”
Complete examination
•	 Execute examination procedures to evaluate the
design, maturity and operational effectiveness of the
organization’s cybersecurity risk management program
Desired outcomes and benefits:
•	 Issuance of enhanced stakeholder communication
report
Conclusion
•	 Invest time to understand the current state of your
cybersecurity risk management program
•	 Recap implementation priorities
•	 Comprehensive risk assessment
•	 Articulate business objectives
•	 Comprehensive technology inventory
•	 Recap key decision points
•	 Need to mature the cybersecurity risk management
program
•	 Need for internal reporting
•	 Need for external reporting
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we
deliver help build trust and confidence in the capital markets
and in economies the world over. We develop outstanding
leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a
better working world for our people, for our clients and for
our communities.
EY refers to the global organization, and may refer to one or
more, of the member firms of Ernst & Young Global Limited,
each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of
Ernst & Young Global Limited operating in the US.
© 2018 Ernst & Young LLP.
All Rights Reserved.
SCORE no. 01325-181US
1711-2480912
ED None
ey.com
Why EY?
Financial markets recognize EY and trust the
auditing profession due to its:
•	 Independence and objectivity
•	 Rigorous training and certification standards it
places on its employees
•	 Use of market-vetted evaluation frameworks and
transparent reporting standards
•	 Focus on quality control
•	 Critical mass of global resources with a wide range
of competencies
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Communicating with stakeholders on cybersecurity risk-a road map for success

  • 1. Communicating with stakeholders on cybersecurity risk management: A road map for success

  • 2. This document has been prepared to assist organizations in addressing the growing demand from stakeholders to provide greater transparency and confidence in their cybersecurity risk management program (CRMP) through the issuance of enhanced stakeholder communications.

  In summary, the journey to issue enhanced stakeholder communications is a significant undertaking. It begins with the implementation of a robust CRMP – one that effectively manages the organization’s risks and helps to achieve its business objectives.
  • While most organizations have made significant investments over the past several years to continue the enhancement of their programs, many still require substantial remediation to evolve their programs to an appropriate level of maturity.
  • For some organizations, this activity may require an extended period of time to achieve.

  A valuable resource for management teams to reference as they undertake this activity is the American Institute of Certified Public Accountants’ (AICPA) CRMP evaluation criteria/framework. Unlike implementation frameworks that focus on ensuring that the key building blocks of a program are in place, the AICPA’s evaluation framework is focused on the outcome – is the program designed and operating effectively to meet the organization’s cybersecurity objective?
  • In addition to being more business-centric, if management is considering the issuance of an enhanced stakeholder communication under one of the AICPA’s reporting options, adherence to the evaluation framework will be essential, as the criteria and areas of focus will generally serve as the basis of those engagements.

  As you review this material and progress on your own journey, feel free to reach out to your local EY representatives if you would like further information on how we can assist you.

  Communicating with stakeholders | Managing cybersecurity risk
  • 3. Evaluating and reporting on cybersecurity risk management programs: An implementation road map

  This road map outlines a comprehensive approach to preparing your organization for enhanced stakeholder communications. Based on the current state of your CRMP, the time required to complete each phase will vary, especially Phase 5, where remediation occurs.

  Phase 1. Understand your business objectives, enterprise risk, cybersecurity risk and cybersecurity objectives
  • Understand the cybersecurity risk profile of your organization (e.g., who you are, what you do, how you do it, the markets you operate in, the type of at-risk information you possess, contractual/regulatory data obligations, etc.)
  • Challenge the depth of your risk assessment relative to cybersecurity risk
  • Identify your cybersecurity objectives relative to availability, confidentiality, integrity of data and processing, and how these objectives align with your overall business and strategic objectives
  • Update internal stakeholders on insights gained and next steps

  Phase 2. Evaluate the current state of your CRMP
  • Challenge what you currently know about your entity-wide CRMP and its maturity
  • As necessary, perform a rapid assessment of your program to round out the understanding of your current state
  • Update internal stakeholders on insights gained and next steps

  Phase 3. Evaluate your cybersecurity risk management and communication needs
  • Evaluate the need to further mature your CRMP
  • Evaluate whether formal reporting on your CRMP is needed, and if so, the type of reporting and proposed timing
    • Internal stakeholders
    • External stakeholders
  • Update internal stakeholders on insights gained and next steps

  Phase 4. As necessary, perform an in-depth assessment of your CRMP
  • Evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s cybersecurity objectives
  • Identify gaps/lack of maturity in the program
  • Develop an action plan to guide remediation of identified gaps/maturity issues
  • Update internal stakeholders on insights gained and next steps

  Phase 5. Remediate gaps
  • Implement processes, controls and technology solutions to address identified gaps and issues
  • Update internal stakeholders on progress made

  Phase 6. Re-assess your CRMP
  • Following completion of remediation, re-evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s cybersecurity objectives
  • Re-evaluate risk factors impacting the organization
  • Update internal stakeholders on insights gained and next steps

  Phase 7. As necessary or desired, prepare for cybersecurity reporting
  • Develop draft report description based on AICPA’s “description criteria”
  • Engage a qualified service provider to execute examination procedures to evaluate the design and operational effectiveness of the organization’s CRMP
  • 4. Build-out of key steps in road map (seven phases)

  Phase 1: Understand your business objectives, enterprise risks, cybersecurity, contractual/regulatory obligations and cybersecurity objectives

  Review and challenge (and, as necessary, update) your understanding of the “cybersecurity risk profile” of your organization; ensure this understanding identifies:
  • Who you are, what you do, how you do it, the markets you operate in, etc.
  • Compile all contractual/regulatory requirements, as well as the entity’s commitments (e.g., published data policies) and stakeholder expectations associated with data
  • What type of information or processing is at risk, and where that risk resides (e.g., internally, suppliers, cloud)
    • Data that could be extracted and monetized
    • Data that, if modified, could affect the integrity of processing
    • Applications that, if modified, could affect the integrity of processing

  Review and challenge (and, as necessary, update) the depth of your risk assessment relative to cybersecurity risk
  • Evaluate the likelihood and impact of cybersecurity risk on data and processing activities that support the organization’s key business processes (i.e., what could go wrong)
  • Issues beyond what is most frequently seen in the market (e.g., “data grabs”) should be considered given the growing evolution of cybersecurity attacks; examples include:
    • Unauthorized manipulation of data (e.g., widespread manipulation, subtle manipulation that could eventually call into question overall data integrity)
    • Unauthorized manipulation of applications, business rules, etc., that affect the processing of transactions
    • Business interruption/ransomware attack that impacts ongoing operations
  • Enterprise risk management (ERM) programs often identify cybersecurity as a single, isolated risk, rather than identifying the implicit impact cybersecurity has throughout the organization
    • As necessary, update the enterprise risk inventory for situations where identified cybersecurity risk had not been properly reflected
    • Challenge whether conclusions reached in the ERM program should be revised based on the potential likelihood and impact of cybersecurity risk
  • Challenge the alignment of the ERM program to the organization’s business goals and objectives
    • Update the ERM program for any business objective that is missing a relevant enterprise risk

  Identify your cybersecurity objectives relative to availability, confidentiality, integrity of data and integrity of processing; these objectives generally relate to:
  • Organizational matters such as business strategies, protection of intellectual property, competitive advantages and business operations
  • Commitments made to customers, vendors, business partners and others related to the security and availability of information and systems
  • Laws and regulations to which the entity is subject as a result of the types of information it possesses or uses
  • Industry standards to which the entity is subject as a result of the types of information it uses

  Update internal stakeholders on insights gained and next steps

  Desired outcomes and benefits:
  • A comprehensive understanding of the organization’s cybersecurity risk profile, including a compilation of CRMP requirements (e.g., contractual obligations, regulatory requirements, company policies and perceived stakeholder expectations)
  • A comprehensive risk assessment that appropriately identifies the likelihood and impact of cybersecurity risk on the organization’s ERM program, and ultimately the organization’s business goals and objectives
  • A comprehensive listing of the cybersecurity objectives that the organization intends to achieve
  • 5. Phase 2: Evaluate the current state of your CRMP

  Challenge what you currently know about your entity-wide CRMP and its maturity
  • Note: Most organizations (1) have some form of a CRMP in place and (2) periodically assess their program; however:
    • The depth and extent of these assessments vary considerably, ranging from high-level/inquiry-only assessments to comprehensive assessments that include the detailed review/evaluation of documentation and processes, testing, etc.
    • Most organizations lack an accurate understanding of the depth/extent of assessment that has been performed, or of their true maturity level
  • Challenge the depth and breadth of previous internal and external assessments
  • Evaluate the results of previous assessments, considering:
    • The scope of the assessment (e.g., business unit/location-specific vs. enterprise-wide)
    • The independence and objectivity of the assessment
    • The depth of the assessment
    • Inclusion of all critical CRMP components; program components that are often overlooked, or only covered at a superficial level, include:
      • Risk assessment activities
      • Information assets (e.g., hardware, virtual servers, software, data, connections, etc.)
      • Monitoring capabilities
      • Change management system
      • Vendor risk management program
      • Threat intelligence program
      • Vulnerability management program
    • Extent of validation of process/control effectiveness performed
    • Extent of compliance testing performed on control procedures
    • Competency and independence/objectivity of the assessor
    • Volume and severity of issues identified/outstanding
    • Effectiveness of incident response detection, evaluation and response
    • Status of remediation of identified issues
  • Challenge your understanding of program maturity across the entity
    • In light of new information accumulated on the depth and breadth of previous assessments, challenge prior conclusions on the maturity of the organization’s CRMP
  • Identify a comprehensive list of known issues and related strategies to address the issues and the related remediation timeline
    • Ensure that the list is enterprise-wide
    • Validate the viability of identified remediation strategies and timelines

  As necessary, perform a rapid assessment of the organization’s program to round out the understanding of your current state

  Update internal stakeholders on insights gained and next steps

  Desired outcomes and benefits:
  • A more comprehensive understanding of the current state and maturity level of the organization’s CRMP
  • 6. Phase 3: Evaluate your cybersecurity risk management and communication needs

  Evaluate the need to further mature your CRMP
  • Compare your understanding of the current state of your program and maturity level to the expectations of the Board, executive management and, as necessary, the market (e.g., investors, clients, business partners)
    • Solicit input from the Board and executive management on their expectations relative to the desired maturity level for cybersecurity risk management; compare to the organization’s current state
    • Evaluate your ability to achieve your identified cybersecurity objectives
    • Gather information on the cybersecurity risk management maturity level of market competitors; compare to the organization’s current state
  • As necessary, identify and execute a strategy to enhance/mature your CRMP to align with the organization’s needs

  Evaluate whether formal reporting on the organization’s CRMP is needed; and if so, identify the proposed time frame
  • Identify the organization’s various internal and external stakeholders (e.g., Board, management, investors, analysts, business partners, regulators) and their potential need for greater transparency and confidence in the organization’s CRMP
  • Evaluate the range of communication options available to address each stakeholder’s unique needs; examples may include the options in the table on the next slide
  • 7. Communications options available to address stakeholders’ needs

  Option: Do nothing
  • Scope: Not applicable
  • Stakeholder applicability: Not applicable
  • Benefits: Cost-effective
  • Limitations: Does not address relevant areas of concern of the stakeholders

  Option: Internally prepared materials – education sessions
  • Scope: Determined by management
  • Stakeholder applicability: Board; executive management
  • Benefits: Allows management to control the depth and breadth of the messaging; cost-effective
  • Limitations: Lacks objectivity; may not address relevant areas of concern of the stakeholders

  Option: Internally prepared materials – presentation materials
  • Scope: Determined by management
  • Stakeholder applicability: Board; executive management; investors; analysts; business partners; regulators
  • Benefits: Allows management to control the depth and breadth of the messaging; cost-effective
  • Limitations: Lacks objectivity; may not address relevant areas of concern of the stakeholders

  Option: Pilot program (1) – internal use only report
  • Scope: Entire organization, or targeted at specific business units or higher-risk areas
  • Stakeholder applicability: Board; executive management
  • Benefits: Heightened level of objectivity; greater ability to manage investment in money and time
  • Limitations: Does not address any immediate needs of outside stakeholders

  Option: AICPA reporting options (2) – Service Organization Controls (SOC) for Cybersecurity report
  • Scope: Entire organization
  • Stakeholder applicability: Board; executive management; investors; analysts; business partners; regulators
  • Benefits: Heightened level of objectivity; content based on market-vetted framework
  • Limitations: Significant investment in money and time

  Option: AICPA reporting options (2) – SOC for Service Organization report
  • Scope: Portion of the organization that supports the outsourced service
  • Stakeholder applicability: Business partners
  • Benefits: Addresses all relevant areas of concern of the stakeholder
  • Limitations: Significant investment in money and time

  Option: AICPA reporting options (2) – SOC for Supply Chain report
  • Scope: Portion of the organization that supports the manufacturing and distribution of supply chain goods
  • Stakeholder applicability: Business partners
  • Benefits: Addresses all relevant areas of concern of the stakeholder
  • Limitations: Significant investment in money and time

  (1) As an interim step to reporting under the AICPA guidance, organizations could elect to adopt a staged rollout (a) covering some or all of their operations and/or (b) using the AICPA evaluation framework or other suitable criteria the organization may already be leveraging. Such reports would be restricted for internal use only.
  (2) A further discussion of these options can be found at the AICPA’s website under the caption “SOC for Cybersecurity” or in EY’s previously issued thought leadership “Cybersecurity Reporting.”

  Develop a proposed stakeholder communication strategy and recommended implementation timeline

  Review the proposed strategy and recommended implementation timeline with the Board and management

  Desired outcomes and benefits:
  • An evaluation of the organization’s cybersecurity risk management program maturity across the key domains
  • A summary of management’s point of view of its cybersecurity reporting needs
  • Communication strategy and timeline for addressing needs
  • 8. Phase 4: As necessary, perform an in-depth assessment of the organization’s cybersecurity risk management program

  Evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s cybersecurity objectives
  • Leverage a comprehensive evaluation framework that aligns with the organization’s anticipated reporting needs (e.g., AICPA evaluation criteria) as a basis to evaluate:
    • Adequacy of processes/controls to identify/complicate/detect/respond/recover from a cyber event
    • The framework selected must satisfy the “suitability test” if subsequent reporting is being considered
  • Evaluate process/control maturity:
    • Sufficiently documented to help ensure consistent execution
    • Sufficiently built-out to help ensure it is responsive to the key underlying risks (or what-could-go-wrong scenarios)
    • Applied across the entire organization
    • Consistently applied (i.e., compliance)
  • Perform validation procedures to help ensure the effectiveness of key processes and controls
    • Perform process/control walk-throughs to confirm understanding
    • Validate implementation of automated processes
    • Validate compliance with processes involving human intervention
    • Evaluate results

  Identify key controls over key process areas
  • Develop a mapping of the client’s processes and controls against the AICPA evaluation criteria or other suitable criteria

  Identify gaps in the program
  • Identify instances where current processes and controls fail to satisfy the evaluation criteria or other suitable criteria

  Develop a prioritized and time-boxed action plan to guide remediation of gaps

  Update internal stakeholders on insights gained and next steps

  Desired outcomes and benefits:
  • Mapping of the organization’s processes and controls against AICPA evaluation criteria
  • Summary of significant deviations from the expectations identified in the AICPA evaluation criteria (i.e., gap assessment)
  • Action plan that outlines remediation steps to address gaps and associated timelines

  Phase 5: Implement comprehensive solutions to address identified gaps based on action plan

  As noted previously, the time required to complete this phase will vary considerably based on each organization’s current status and the assumptions made in the Phase 4 action plan relative to time frames, priorities, challenges, etc.

  Update internal stakeholders on progress made

  Desired outcomes and benefits:
  • Execution of action plan resulting in the implementation of policies, procedures, controls and technologies to address identified gaps
  • 9. Phase 6: Re-assess the organization’s cybersecurity risk management program

  Following completion of remediation, re-assess the design and effectiveness of processes and controls
  • Perform validation procedures to help ensure the effectiveness of key processes and controls
    • Perform process/control walk-throughs to confirm understanding
    • Validate implementation of automated processes
    • Validate compliance with nonautomated processes

  Re-evaluate risk factors impacting the organization
  • Given the extended time frame that may be required to remediate gaps, consider changes that may have occurred to the organization’s structure, operations, etc., and their impact on the CRMP

  Update internal stakeholders on insights gained and next steps

  Desired outcomes and benefits:
  • Updated mapping of the organization’s processes and controls against AICPA evaluation criteria
  • Summary of any new significant deviations from the expectations identified in the AICPA evaluation criteria (i.e., gap assessment)
  • Action plan that outlines remediation steps to address gaps and associated timelines
  • Execution of action plan resulting in the implementation of policies, procedures, controls and technologies

  Phase 7: As necessary or desired (based on communication needs), prepare for cybersecurity reporting

  Prepare draft of report description
  • Develop report description based on AICPA “description criteria”

  Complete examination
  • Execute examination procedures to evaluate the design, maturity and operational effectiveness of the organization’s cybersecurity risk management program

  Desired outcomes and benefits:
  • Issuance of enhanced stakeholder communication report
  • 10. Conclusion
  • Invest time to understand the current state of your cybersecurity risk management program
  • Recap implementation priorities
    • Comprehensive risk assessment
    • Articulate business objectives
    • Comprehensive technology inventory
  • Recap key decision points
    • Need to mature the cybersecurity risk management program
    • Need for internal reporting
    • Need for external reporting

  Why EY?
  Financial markets recognize EY and trust the auditing profession due to its:
  • Independence and objectivity
  • Rigorous training and certification standards it places on its employees
  • Use of market-vetted evaluation frameworks and transparent reporting standards
  • Focus on quality control
  • Critical mass of global resources with a wide range of competencies

  EY | Assurance | Tax | Transactions | Advisory

  About EY
  EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

  EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

  Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

  © 2018 Ernst & Young LLP. All Rights Reserved.
  SCORE no. 01325-181US
  1711-2480912
  ED None
  ey.com