The document outlines the importance of a Cybersecurity Risk Management Program (CRMP) for finance and accounting professionals, detailing its objectives, components, and the protective role it plays in safeguarding data. It also explores various cybersecurity frameworks and standards, such as NIST, ISO, and HITRUST, explaining their functions, pros, and cons, as well as when organizations should utilize them. Overall, the document aims to equip professionals with critical knowledge on cybersecurity risks and management strategies.

5. Introductions
Michael Hoffner,
Partner
mhoffner@macpas.com
David Hammarberg,
Principal/IT Director
dhammarberg@macpas.com

6. *The following information was gathered from the Association of
International Certified Professional Accountants.
The Association of International Certified Professional
Accountants’ (AICPA) Cybersecurity Advisory Services
Certificate Program provides finance and accounting
professionals with the knowledge needed to be a
strategic business partner within their organization
and with clients.

7. Objectives
• Understand what a Cybersecurity Risk Management Program is
as well as what it does for your organization.
• Gain a brief knowledge of frameworks that are available.
• Gain an understanding of the pros and cons of implementing a
Cybersecurity Risk Management Program.

8. What is a Cybersecurity Risk Management
Program (CRMP)
Definition:
A set of policies, processes and controls designed to:
• protect information and systems from security events that could
compromise the achievement of the entity’s cybersecurity objectives
and
• detect, respond to, mitigate, and recover from, on a timely basis,
security events that are not prevented.

9. Purpose of a CRMP
• Maintain data confidentiality by ensuring that data is accessible
only to individuals who require such access.
• Maintain data integrity by ensuring that data is not improperly
used, modified, or destroyed.
• Maintain data availability by ensuring that data is available in a
timely, reliable, and continuous manner.

10. The CIA Triad

11. What a CRMP Does
The major promise a CRMP provides is that it ensures a level of
protection of an entity’s data and information and systems from
cybersecurity risks by:
• Identifying what needs to be protected
• Defining threats
• Defining likelihood of occurrence
• Determining the potential impact
• Determining threat level

12. Knowledge Check
The primary function of risk management is:
• Satisfying assessment requirements.
• Identifying what information needs to be protected.
• Evaluating the effectiveness of the IT security and risk management
process.
• Protecting critical assets and bringing risk levels down to tolerable levels.

13. Knowledge Check
The primary function of risk management is:
• Satisfying assessment requirements. This is the fist step within the process of
risk management but not the main goal.
• Identifying what information needs to be protected. This is the goal of a risk
assessment, not risk management.
• Evaluating the effectiveness of the IT security and risk management process.
Evaluation of the risk management process would need to occur after proper
risk management was in place.
• Protecting critical assets and bringing risk levels down to tolerable levels. An
effective risk management process will help to mitigate high risk levels which,
in turn, helps protect critical assets, as long as the process is mandated on a
regular basis to keep up with changing technology and knowledge.

14. CRMP Controls
• Having proper controls is one of the most fundamental parts of
an effective CRMP.
• These controls may take one of the following forms:
• Protection controls
• Detection controls
• Reaction controls

15. Protection Controls
Protection controls are designed to safeguard against a malicious
event or to reduce risk before an actual occurrence.

16. Detection Controls
Detection controls are designed to discover a malicious event or
reduce risk during or directly after an occurrence.

17. Reaction Controls
Reaction controls are designed to address or reduce risk after a
malicious event occurrence or discovery.

18. Discussion
What are some of the protection, detection, and reaction controls
you would expect an organization to have in place as part of its
IT security and CRMP?

19. Security Frameworks
A security framework is a method to align the policies, standards,
procedures, and guidelines that are needed to:
• Securely govern an organization’s infrastructure
• Meet security standards
• Continuously identify security gaps
• Comply with compliance requirements, and communicate risk to
executives.

20. Security Frameworks (cont.)
• A comprehensive set of leading practices
• A comprehensive strategy for identifying and managing potential
threats
• A blueprint for building an information cybersecurity

21. Security Framework Benefits
Adopting a security framework, or combination of security
frameworks enables:
• Proper planning of a security infrastructure
• Proactive incident response
• Focus on high risk, critical environments
• Justification of requests for annual security budgets
• Identification of personnel and resources gaps for protecting critical
systems and data
• The use of criteria that is vetted by industry

22. Cybersecurity Standards
What is a standard?
A mandatory requirement, code of practice or specification approved
by a recognized external standards organization, such as International
Organization for Standardization (ISO).
What are security standards?
Practices, directives, guidelines, principles or baselines that state what
needs to be done and focus areas of current relevance and concern.

23. Framework vs Standard
A Framework is a high level concept or guide for implementing
types of security controls.
A Standard is a rigid code of practice or specification of controls.

24. Common Security Frameworks and Standards
• NIST CSF
• NIST SP 800-53
• ISO 27001
• HITRUST CSF
• COBIT
• SANS Institute -CIS Critical Security Controls (SANS CIS CSC)

25. Comparison of Common Security Frameworks

26. NIST Cybersecurity Framework (CSF)
• This framework’s prioritized, flexible, and cost-effective approach
helps to promote the protection and resilience of critical
infrastructure and other sectors important to the economy and
national security.

27. • It is made up of five concurrent and continuous functions:
–Identify
–Protect
–Detect
–Respond
–Recover
NIST CSF (Cont.)

28. NIST CSF (Cont.)

29. NIST CSF (Cont.)
• Outlines implementation tiers to account for control maturity:
–Partial
–Risk informed
–Repeatable
–Adaptive

30. NIST Cybersecurity Framework (CSF) Pros
• Established industry standard
• Linkage (e.g., ‘crosswalks’) provided to other major frameworks
• Supplemental guidance
• Flexible
• Freely available – no license or subscription required

31. NIST Cybersecurity Framework (CSF) Cons
• Requires development of control details
• Focused in scope to information security
• Cannot be certified against

32. When to use NIST (CSF)
• Some organizations are requiring the use of the Framework by
their vendors.
• Regulators are strongly encouraging the use of the Framework.
• Many organizations and individuals may provide a CSF
assessment.
• No license or certification is required.

33. NIST SP 800-53
• A catalog of security and privacy controls
• A process for selecting controls
• Developed and issued by the National Institute of Standards and
Technology (NIST)
• Assists in implementing the Federal Information Security
Management Act of 2002 (FISMA)

34. NIST SP 800-53 Pros
• NIST provides a large catalog of documentation
• Developed by US government agencies
• Provides a baseline of minimum requirements
• Freely available –no license or subscription required

35. NIST SP 800-53 Cons
• Focused on stored or processed information and IT systems
• Narrow approach to security
• Rigid and detailed control set
• Not acknowledged outside the US

36. When to use NIST SP 800-53
• The organization is a US government agency
• The organization is a private business doing business with the
government
• When conducting a FISMA assessment
• When a detailed cybersecurity control library is needed
• No official third-party certification program (except within the
federal government—e.g., certification & accreditation process).

37. ISO 27001
• Provides best practice recommendations
• Created and published by the International Organization for
Standardization (ISO)
• Helps manage the security of assets
• The most well-known security standard
• Commonly used by IT departments specific to an organization

38. ISO 27001 Pros
• Focuses on both technology and important assets
• Concentrates on mitigating risk for valuable business information
• Can obtain a certificate issued by certified body
• Prioritization of business process security
• Respected and widely-known standard
• Internationally recognized

39. ISO 27001 Cons
• Poorly-structured planning and implementation guidance
• Wide approach to security lacks granularity
• Low awareness/acceptance in some geographic areas (including
the US)
• Not free (although very inexpensive)

40. When to use ISO 27001
• Need to be certified due to changing regulations or expanded
customer base
• Need to meet internationally recognized and accepted standards
• Multiple types of information to protect
• Need flexible methodology to fit any approach

41. HITRUST CSF
• Developed in collaboration with healthcare and information
security professionals
• Both a risk-and compliance-based framework
• Widely-adopted security framework for the healthcare industry
• Helps prepare for when new regulations and security risks are
introduced
• Based on the ISO 27001 framework
• Version 9.1 incorporates EU and GDPR privacy regulation

42. HITRUST Pros
• Integrated approach to protecting health records
• Updated frequently, including mapping to other security and
compliance frameworks
• Aids regulatory compliance efforts
• Consistent with healthcare industry trends
• Can obtain a certificate issued by a certified body
• Can be tailored based on a variety of factors including
organization type, size, systems, and regulatory requirements

43. HITRUST Cons
• Provides a prescriptive set of controls
• Focused on protecting data
• Requires use of proprietary HITRUST CSF platform
• Requires subscription for full access to framework

44. When to use HITRUST
• Need compliance with HIPAA security rule
• Need to protect ePHI and PHI data in the healthcare industry
• Primary business partners or customers are in the healthcare
industry
• Need flexibility to scale control obligations according to the type,
size, and complexity of the organization

45. COBIT
• Created and published by ISACA
• COBIT is often adopted by public companies
• COBIT is used as a compliance tool for Sarbanes-Oxley
• Used for governance and management of enterprise IT
• Four main domains
–Plan and organize
–Acquire and Implement
–Deliver and support
–Monitor and evaluate

46. COBIT Pros
• Business focused
• Process oriented
• General acceptance with third parties and regulators
• Can be partially implemented
• Managed by ISACA
• Has good implementation guidance
• Provides a holistic approach to security

47. COBIT Cons
• Broad coverage (not to be limited to a single area) which can
often lead to gaps in coverage.
• Multiple implementation guides must be reviewed and
implemented in order to achieve compliance.
–Information security
–Assurance
–Risk
• Cannot be certified against.

48. When to use COBIT
• When you need defined controls for business objectives
• Publicly-traded company
• When your organization needs a persistent information
governance environment

49. SANS CIS CSC
• Recommended actions for cyber defense
• Provides specific and actionable ways to stop attacks
• Prioritizes/focuses on a smaller number of actions with high
pay-off results
• Transforms threat data into actionable guidance

50. SANS CIS CSC Pros
• Prioritization for high-value immediate payoff
• Rapidly defines starting point
• Derived from common attack patterns
• Freely available

51. SANS CIS CSC Cons
• Focused solely on current critical threats
• Weak on IT Security Management
• Narrow security domain focus
• Largely technical security controls

52. When to use SANS CIS CSC
• SANS CIS CSC works well as a subset of controls for other
frameworks
• Use to quickly increase cyber defense and reduce cyber risks
• As a baseline for technical security control consideration

53. Knowledge Check
What is a common goal for all security frameworks?
• Provide a voluntary framework for cybersecurity
• Provide common set of standards to improve cybersecurity
• Provide strict requirements for cybersecurity
• Provide best practices for meeting regulatory compliance goals

54. Knowledge Check Solution
What is a common goal for all security frameworks?
• Provide a voluntary framework for cybersecurity. Not all security frameworks
are voluntary and some are required for regulatory compliance.
• Provide common set of standards to improve cybersecurity. The goal of all
security frameworks is to improve the security of the organization by
implementing well tested and defined practices.
• Provide strict requirements for cybersecurity. To be compliant with some
regulations, some frameworks have strict guidance, though this is not the
primary goal of security frameworks.
• Provide best practices for meeting regulatory compliance goals. The goal of all
security frameworks is to improve the security of the organization by
implementing well tested and defined practices not regulatory compliance.

55. Framework Recap

56. Framework Recap (cont.)

57. Questions
Michael Hoffner,
Partner
mhoffner@macpas.com
David Hammarberg,
Principal/IT Director
dhammarberg@macpas.com