CGMA Cybersecurity Tool
Risk, Response and Remediation Strategies 2023
About the Association
The Association of International Certified Professional Accountants® (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs® (AICPA®) and The Chartered Institute of Management Accountants® (CIMA®) to power trust, opportunity and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMA® designation holders and accounting and finance professionals globally.
Disclaimer: For information about obtaining permission to use this material other than for personal use, please email copyright-permissions@aicpa-cima.com. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct as of the publication date, be advised that this is a developing area. The Association, AICPA and CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.

The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of the AICPA, CIMA or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting, or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within any given set of facts and circumstances.
Contents
2 Introduction
4 Understanding cybersecurity
6 Cybersecurity objectives
7 Cybersecurity controls
10 Applied cybersecurity
13 Advanced topics
15 Recent trends in cybersecurity
22 Appendix I: Cybersecurity insurance
23 Appendix II: Cybersecurity risk management reporting framework
24 Appendix III: Center for Internet Security — CIS Controls v8
29 Appendix IV: CISA MS-ISAC Ransomware Guide – Part 2: Ransomware Response Checklist
Introduction
Although digital transformation was on the agenda for many businesses prior to the COVID-19
pandemic, the pandemic unquestionably accelerated the timeline. Not only did sophisticated
forecasting platforms become essential to predict customer demand and address the impacts
of supply chain disruption, but both large and small businesses created new digital business
models to meet consumers’ needs.
The AICPA & CIMA Future of Finance Leadership Group (FFLAG), a group of senior finance
executives committed to transforming the accounting profession, has consistently identified
digital transformation as one of their top challenges. While the trend towards digital
transformation yields many benefits, there is an accompanying increase in business complexity.
That complexity has driven cyber risk to a new level, impacting not only businesses and their
customers and employees, but also critical industries and the public sector.
Cybersecurity risk has become a strategic imperative not only for business but for government
as well. In March 2023, the U.S. government released a new National Cybersecurity Strategy that
emphasises working with international partners to counter threats, build resilience and defend
critical infrastructure, and create schemes to promote investment in secure infrastructure.1
The strategy calls for ‘robust collaboration’ to rebalance the burden of responsibility away from
individuals and small businesses and onto public and private organisations best placed to
address this challenge.2
On the global level, the 2023 World Economic Forum Global Risks Report ranks the impact and
severity of ‘widespread cybercrime and cyber insecurity’ as number eight out of 10 global risks
in terms of both the two-year near-term horizon and the longer-term 10-year horizon.3 When
looking at the source of these rankings and comparing government and business respondents,
businesses ranked the severity of cybercrime and cyber insecurity as the fourth most prominent
risk over the short-term.
In addition to the specific risk of cybercrime, there is also the risk of disruption to technology-driven resources and services, including agriculture and water, energy, transportation, public security, and so on. Related technology risks identified in the 2023 World Economic Forum report along with their global, short-term rankings include:
• 24 — Breakdown of critical information infrastructure
• 29 — Digital power concentration
• 31 — Digital inequality and lack of access to digital services
• 32 — Adverse outcomes of frontier technologies4
One global response to this ever-present global risk is the World Economic Forum’s Centre for
Cybersecurity, an independent and impartial global platform committed to fostering international
dialogues and collaboration between the global cybersecurity community in both the public and
private sectors.
Understanding cybersecurity
Understanding cybersecurity in today’s complex digital • Application attacks, such as SQL injections, are
world begins with knowing the most common threats, increasingly common in today’s complex environment.
the potential ‘bad actors’, and what we can do to shore While varied in nature and design, application attacks
up our defences. usually have the same intents and purposes as
malware attacks — stealing data from database
What problems do we face today? servers, running attack scripts on other users’
The most common threats to cybersecurity include computers, stealing user credentials, etc.
malware (including ransomware and botnets),
malvertising, phishing and application attacks.
Who are the bad actors? Whatever the cause, when exploited, these
While hacker may have originated as a term describing vulnerabilities can be costly and result in:
especially talented computer programmers and • Down time. Loss of business production or
systems designers, and may still include those revenue-generation opportunities
considered ‘curious’ hackers, the term has become
• Tarnished reputation. Negatively affected company
much more widely used to describe computer intruders
and brand value
or criminals. In addition to basic thieves, these ‘bad
actors’ can be outsiders, such as business competitors • Customer flight. Loss of customers, especially critical
or nation-states. They can also be insiders, such as with increasing level of e-commerce
disgruntled, or otherwise malicious, employees. • Legal consequences. Fines, lawsuit costs and
settlements, which can be staggering
Risk of security vulnerabilities
Cybersecurity vulnerabilities can be technical in nature • Industry consequences. Exploiting vulnerabilities
or procedural. Technical deficiencies, including software across an entire sector; healthcare records breaches
defects and the failure to use security protections such have been extensive
as encryption adequately, expose sensitive functionality
or information. Procedural deficiencies can be IT related,
including system-configuration mistakes, or failure to
keep up with software security updates. However, many
procedural deficiencies are user related, such as poorly
chosen passwords.
Cybersecurity objectives
Businesses must address these risks and implement Data backup objectives
security measures to protect their information assets Data backup objectives are commonly referred to as
and ensure their enterprises’ ongoing viability. the CIA of cybersecurity — confidentiality, integrity,
and availability. In this era with an extensive market
Management objectives for personal information on the dark web, along with
As outlined in appendix II, the AICPA developed a the proliferation of ransomware attacks, ensuring data
cybersecurity reporting framework that organisations availability is key. Although you may not be able to
can use to demonstrate the extent and effectiveness totally prevent a breach, if you back up your data, you
of an entity’s cybersecurity risk management may not have to consider paying a ransom. Because
programme to key stakeholders. A critical element of breaches can sometimes go undetected for quite
any cybersecurity risk management programme is some time, it is important to have multiple versions of
management’s formulation of objectives. backups, with some backups being stored offsite to
Management establishes cybersecurity objectives preclude ransomware attackers from encrypting backup
addressing cybersecurity risks that could affect files as well as currently active files.
achievement of the entity’s overall business objectives One common method for maintaining data backup files
(including compliance, reporting and operational is the 3-2-1 model. This model suggests that you need
objectives). Cybersecurity objectives vary depending on three copies of your data, two of which are back-ups on
the environment in which the entity operates, the entity’s different media, with one being stored offsite.
mission and vision, management’s established overall
business objectives, risk appetite and other factors. See appendix IV for a summary of key steps to take
in the event of a ransomware attack, which include
Key cybersecurity objectives outlined in the framework immediately isolating infected systems to minimize
resource Description Criteria for Management’s the impact.
Description of the Entity’s Cybersecurity Risk
Management Program include:
• Availability. Enabling timely, reliable, and continuous
access to, and use of, information and systems Data backup 3-2-1
• Confidentiality. Protecting information from
3 — Production copy plus two backups
unauthorised access and disclosure, including means
for protecting proprietary information and personal 2 — Backup copies on two different media
information subject to privacy requirements
1 — Backup copy offsite
• Integrity of data. Guarding against improper capture,
modification or destruction of information
• Integrity of processing. Guarding against the improper
use, modification or destruction of systems8
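The 3-2-1 model and the point about retaining multiple backup versions can be turned into a checklist that a backup inventory is tested against. The code below is an added example, not part of the CGMA tool; the inventory fields, the sample inventories and the extra immutability and freshness checks (which go beyond the 3-2-1 rule as stated above) are assumptions made for this illustration.

```python
"""Check a backup inventory against the 3-2-1 model (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in the inventory; the production copy is not listed."""
    name: str        # label for the copy (constructed sample values below)
    medium: str      # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool    # held away from the production site
    immutable: bool  # write-once: cannot be altered or encrypted after writing
    taken: date      # date the copy was made


def check_321(copies, today, min_versions=3, max_age_days=1):
    """Return a list of findings; an empty list means the inventory passes.

    3: at least two backup copies exist besides production
    2: the backups span at least two different media
    1: at least one backup copy is offsite
    The remaining checks reflect the ransomware concern in the text: an
    offsite copy should be immutable (assumption), several historical
    versions should be retained, and the newest copy should be recent.
    """
    findings = []
    if len(copies) < 2:
        findings.append("3: fewer than two backup copies besides production")
    if len({c.medium for c in copies}) < 2:
        findings.append("2: all backup copies share a single medium")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("1: no backup copy is stored offsite")
    elif not any(c.immutable for c in offsite):
        findings.append("ransomware: no offsite copy is immutable")
    if len({c.taken for c in copies}) < min_versions:
        findings.append(f"versions: fewer than {min_versions} distinct backup dates retained")
    newest = max((c.taken for c in copies), default=None)
    if newest is None or (today - newest).days > max_age_days:
        findings.append(f"freshness: newest backup is older than {max_age_days} day(s)")
    return findings


# Constructed reference date and sample inventories (not real data).
TODAY = date(2023, 10, 2)

# Nightly disk copy onsite plus two weekly immutable tapes held offsite.
GOOD_INVENTORY = [
    BackupCopy("nightly-disk", "disk", offsite=False, immutable=False, taken=date(2023, 10, 1)),
    BackupCopy("weekly-tape", "tape", offsite=True, immutable=True, taken=date(2023, 9, 24)),
    BackupCopy("weekly-tape", "tape", offsite=True, immutable=True, taken=date(2023, 9, 17)),
]

# Two copies on the same onsite NAS taken the same night: a ransomware
# actor who reaches the NAS can encrypt both along with production data.
WEAK_INVENTORY = [
    BackupCopy("nas-copy-a", "disk", offsite=False, immutable=False, taken=date(2023, 10, 1)),
    BackupCopy("nas-copy-b", "disk", offsite=False, immutable=False, taken=date(2023, 10, 1)),
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, check_321(inventory, TODAY) or ["passes 3-2-1"])
```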
Cybersecurity controls

Protection
First and foremost, we try to protect our information assets and systems against attack. Protection strategies are our first line of defence, and breaches are often a failure of protection strategies.

Detection
In addition to protective or preventive strategies, it is also essential that entities employ detection strategies to identify when threats occur — essentially the computer equivalent of the security camera.

Common detection strategies include:
• Event monitoring. Documentation of events logged into files can be reviewed for unusual patterns of activity.
• Intrusion detection and prevention systems. Sophisticated applications are available that enable ongoing monitoring.
• Threat monitoring. The security community can study the tools and techniques attackers use in order to develop ‘threat intelligence’ that can inform the development of new controls.
• User reports. User reports can also be helpful in identifying unusual activity.

Breach identification and containment
The time to identify and time to contain a data breach have not varied much in recent years.
277 days — Average time to detect and contain a data breach
320 days — Average time to detect and contain a data breach by a malicious attacker (ransomware)
$1.02 million — Average cost savings of containing a breach in less than 200 days vs. more than 200 days
— Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023

Response
Part of the evolution of cybersecurity is the advent of ‘computer incident response teams’ (CIRTs), sometimes referred to as computer security incident response teams (CSIRTs).
Applied cybersecurity
Centralisation is an important element of cybersecurity with respect to implementing preventive and detective controls and responding to cyber breaches, especially when considering enterprise-level systems with huge numbers of desktop computers, laptops and mobile devices.

Centralised device management
Desktops. Modern operating systems are fortunately feature-rich in terms of security features. Centralised management is a key way to control and orchestrate key security features. The ability to ‘push’ security protocols, software updates and security update ‘patches’ to remote users enables the scalability of security for large enterprise-level systems. Centralisation also provides the ability to maintain a directory of user profiles that enables users to access their information from multiple locations.

Removable media and backup storage. A common cyber threat is the infection of removable media such as USB flash drives and thumb drives. Removable media can also include external hard drives and tape drives used for back-ups. Strategies to mitigate this risk include preventing their use, installing anti-virus/anti-malware tools that will actively scan for issues whenever removable media are used, and encrypting all media and devices.

IoT sensors. In recent years, internet of things (IoT) applications have not only become essential in many industry sectors, but also in smart home devices, medical devices, and more. Accordingly, IoT sensors should be included in enterprise cybersecurity policies and centralisation strategies, in addition to the more common endpoints of computers and devices.
Centralised monitoring
Fortunately, as enterprise systems with hundreds or even thousands of laptops have become the norm for organisations, centralised monitoring of systems activity has also evolved. Important components of centralised monitoring include:
• Event logging and aggregation. All modern computer operating systems keep a ledger of their activity: Who logged in? What programmes did they run? What files were accessed? What were the failures as well as the successes? Operating systems’ event logging is largely superficial. However, it is still essential for administrative and accountability purposes as well as potential forensic use.
• Security information and event management (SIEM). SIEM systems have been developed to make event monitoring more effective. SIEMs analyse all the available data and look for specific patterns that might suggest a possible attack or security compromise.
• Security orchestration and response (SOAR). SOAR systems are platforms that collect security data from various sources, including SIEMs. SOAR systems automate routine responses and help prioritise incident response (IR) actions.
• Security operations centre (SOC) functions. SOC functions have a number of components, including incident response planning and testing, as well as threat intelligence, which involves monitoring both external trends and potential insider threats.

Incident response (IR) planning and testing
$1.49 million — Savings by organisations with high levels of IR planning and testing in 2023 over those with low levels
— Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023
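The ‘unusual pattern of activity’ that event monitoring (under Cybersecurity controls) and a SIEM rule (above) look for can be shown on a handful of log lines. The code below is an added example and not part of the CGMA tool or any vendor product; the sshd-style log layout, the sample lines, the account and source address, and the threshold and time window are all constructed assumptions.

```python
"""Event monitoring over sample login records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: ISO timestamp, host, sshd[pid]: outcome ... user ... source.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample events: five failures for 'finance' from one source
# within a minute, then a success; plus ordinary activity that must not alert.
SAMPLE_LOG = """\
2023-10-02T08:01:10 fs01 sshd[4012]: Accepted password for alice from 10.0.0.5 port 51514 ssh2
2023-10-02T08:14:02 fs01 sshd[4100]: Failed password for finance from 198.51.100.7 port 40210 ssh2
2023-10-02T08:14:09 fs01 sshd[4101]: Failed password for finance from 198.51.100.7 port 40211 ssh2
2023-10-02T08:14:15 fs01 sshd[4102]: Failed password for finance from 198.51.100.7 port 40212 ssh2
2023-10-02T08:14:22 fs01 sshd[4103]: Failed password for finance from 198.51.100.7 port 40213 ssh2
2023-10-02T08:14:30 fs01 sshd[4104]: Failed password for finance from 198.51.100.7 port 40214 ssh2
2023-10-02T08:15:01 fs01 sshd[4105]: Accepted password for finance from 198.51.100.7 port 40215 ssh2
2023-10-02T09:30:44 fs01 sshd[4300]: Failed password for bob from 10.0.0.9 port 50001 ssh2
2023-10-02T09:30:59 fs01 sshd[4301]: Accepted password for bob from 10.0.0.9 port 50002 ssh2
"""


def parse_events(text):
    """Yield (timestamp, outcome, user, src) for every line that matches;
    lines in other formats are skipped rather than treated as errors."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def detect_brute_force(text, threshold=5, window=timedelta(minutes=10)):
    """Alert on any (user, source) pair with at least `threshold` failed
    logins inside `window`. A later success from the same pair is recorded
    as well, because a burst of failures followed by a success is the case
    that most warrants an incident response look, not just an account lockout."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for ts, outcome, user, src in sorted(parse_events(text)):
        key = (user, src)
        if outcome == "Failed":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {
                    "user": user, "src": src, "first": recent[0],
                    "failures": 0, "last": ts, "success_after": False})
                alert["failures"] = len(recent)
                alert["last"] = ts
        elif key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(f"{alert['user']} from {alert['src']}: {alert['failures']} failures "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}, "
              f"success afterwards: {alert['success_after']}")
```

Bob's single typo does not trip the rule, so a reviewer sees only the event worth escalating; raising the threshold or shortening the window tunes the noise level.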
A particular complication of cloud environments with respect to forensic analysis involves the external ownership of the servers containing the data. While a subpoena can be issued to the owner of a hard drive containing data that you want to analyse, the data that you may be interested in may have been deleted and overwritten.

Network analysis. Collecting and analysing network data ‘traffic’ provide different perspectives. While network monitoring does not provide information about the content of what is coming and going, it does provide information about who is coming and going.

Code review. This includes looking at key areas of sensitivity such as verification and authentication processes and common areas of programming weakness.

Security testing. While penetration testing involves testing the resilience against some set of known software vulnerabilities, security testing is diving deeply into software to verify that security requirements are being properly performed.
Advanced topics
Recent trends in cybersecurity
Figure 1: Impact of key factors on total cost of a data breach (measured in USD)
MSSP: -$73,082
Remote workforce: $173,074
Supply chain breach: $192,485
IoT or OT environment impacted: $195,428
Source: IBM Security® and Ponemon Institute, Cost of a Data Breach Report 2023.16
Security investment
Additional investment in security presents a mixed picture. Only 51% of participants in the IBM Security® and Ponemon Institute 2023 study indicated they planned to make additional investments in security following a breach. For those that did make investments, IR planning and testing was the most common area at 50%, followed closely by employee training at 46%. Threat detection and response spending followed at 38%. Insurance spending following a breach was the lowest category of additional investment at only 18%.15

Minimising financial and brand impacts
In the IBM Security® and Ponemon Institute report, IBM Security provides steps that can help minimise the financial and brand impacts of data breaches, summarised as follows:16
1. Build security into every stage of software development and deployment — and test regularly. Taking a DevSecOps approach, the top cost-mitigating strategy, will be essential to building security into any tools or platforms the enterprise relies upon.
2. Modernise data protection across hybrid cloud. Gaining visibility and control of data spread across hybrid cloud environments should be a top priority for organisations of all types and should include a focus on strong encryption, data security and data access policies.
3. Use security AI and automation to increase speed and accuracy. Organisations can benefit greatly by embedding security AI and automation throughout the tool sets they use. Using new technologies not only improves threat detection and response capabilities, but it can also drive a more proactive security posture.
4. Strengthen resiliency by knowing your attack surface and practicing IR. Understand your exposure to the attacks most relevant to your industry, implement network segmentation practices to limit the spread of attacks, and put in place IR planning and testing protocols — one of the top-three cost mitigators.

Adopt the principle ‘secure by design and secure by default’ for all digital transformation projects and cloud environments.
— IBM Security® and Ponemon Institute, Cost of a Data Breach Report 2023
Cybersecurity and small business
Small business incidents and impacts
Unfortunately, another notable trend is that data breaches and cyberattacks involving small and medium-sized business are on the rise, and addressing this risk is no longer an option.

In 2019, the Ponemon Institute published 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, sponsored by Keeper Security, Inc. The report identifies two ‘key takeaways’: a ‘significant increase in SMBs [small and medium-sized businesses] experiencing data breaches’ and that ‘66% of respondents said their organization experienced a cyberattack in the past 12 months’.17

Clearly SMBs struggle to maintain an effective security posture. When asked to identify the top three challenges that keep their security posture from being fully effective, responses yielded the following results:22
• 77% — Insufficient personnel
• 55% — Insufficient budget
• 45% — No understanding of how to protect against cyberattacks
• 36% — Insufficient enabling security technologies
• 35% — Lack of in-house expertise

Small business resources
Appendix III provides a summary of the global Center for Internet Security, Inc. (CIS®) framework of cybersecurity controls. The structure of this framework includes identification of controls by different implementation groups (IGs), with IG1 being enterprises that are ‘small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel’.

In addition to the CIS framework, there are other resources targeted to this audience.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Cyber Essentials Starter Kit: The Basics for Building a Culture of Cyber Readiness. CISA’s Essentials Starter Kit is a guide for leaders of small businesses and small and local government agencies that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and can be used as a starting point for cyber readiness.

According to the Essentials Starter Kit, building a culture of cyber readiness has six essential elements:
• Yourself. Drive cybersecurity strategy, investment and culture.
• Your staff. Develop security awareness and vigilance.
• Your systems. Protect critical assets and applications.
• Your surroundings. Ensure only those who belong on your digital workplace have access.
• Your data. Make backups and avoid loss of information critical to operations.
• Your crisis response. Limit damage and quicken restoration of normal operations.25

The Essentials Starter Kit also identifies ‘things to do first’ including:
• Backup data. Employ a backup solution that automatically and continuously backs up critical data and system configurations.
• Multifactor authentication. Require multifactor authentication (MFA) for accessing your systems whenever possible.
• Patch and update management. Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.26

The UK has a government-backed Cyber Essentials certification program that has two levels. Cyber Essentials is a self-assessment option. Cyber Essentials Plus involves a hands-on technical verification.27

The following five technical control themes for the certification program are outlined in the National Cyber Security Centre guidance document Cyber Essentials: Requirements for IT Infrastructure v3.1, updated in 2023:
• Firewalls
• Secure configuration
• Security update management
• User access control
• Malware protection28

Reducing your organisation’s cyber risks requires a holistic approach.
Cybersecurity governance, risk and reporting
Along with the ever-increasing frequency of breaches and compromised data, regulatory requirements and the demand for disclosure have also become part of the cybersecurity landscape.

Privacy and cybersecurity regulation
On the regulatory front, perhaps most notably, there have been significant ‘press worthy’ fines levied on global organisations in connection with the EU GDPR (General Data Protection Regulation). While there is not a similar national regulation in the United States protecting the privacy of data, a range of regulations have resulted in fines levied on financial institutions, healthcare providers and other enterprises for cybersecurity breaches involving compromised data.

In September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre signed a Memorandum of Understanding outlining their collaborative efforts on privacy and cybersecurity.
— Information Commissioner’s Office, ‘UK Information Commissioner and NCSC CEO sign Memorandum of Understanding’, 12 September 2023

In the United States, an ‘Executive Order on Improving the Nation’s Cybersecurity’ was signed on May 12, 2021. In addition to addressing cybersecurity in the federal government, it also makes an appeal to the private sector and includes provisions for the Secretary of Commerce and Federal Trade Commission to explore potential provisions for consumer labelling schemes.30

‘It is the policy of my Administration that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.’
— The White House, ‘Executive Order on Improving the Nation’s Cybersecurity’

Under these new requirements, defence contractors and subcontractors that make up the US Defense Industrial Base will be required to demonstrate compliance with Cybersecurity Maturity Model Certification (CMMC) practices and policies.31 In the UK, the Cyber Essentials certification has been a requirement for contractors or subcontractors for any part of the UK central government since 2014.32
Risk management, reporting and oversight
In addition to regulatory compliance risk, the business risks associated with cybersecurity from business interruption have escalated the level of concern on the part of governing boards, their audit and risk committees, investors, and customers and suppliers in the enterprise value chain.

As summarized in appendix II, the AICPA has developed a cybersecurity risk management reporting framework as part of a collection of resources for both public accounting and management accounting. One resource available is the SOC for Cybersecurity Brochure, which provides an overview of system and organisation controls (SOC) assurance engagements.

With respect to governance and board oversight, the Center for Audit Quality (CAQ), an autonomous public policy organisation that is affiliated with the AICPA & CIMA, has developed Cybersecurity Risk Management Oversight: A Tool for Board Members.

This resource provides a range of guidance that board members can use to discharge their responsibilities with respect to cybersecurity risk. In addition to providing questions to ask that can develop understanding about the role of management and the financial statement auditor, it covers how CPAs can assist boards of directors in their oversight of cybersecurity risk management.

It also provides information and questions for board members to ask with respect to:
• their companies’ specific risk profile, particular vulnerabilities, and management’s approach to managing these risks.
• the prioritisation of risk management practices, including supply chain or third-party risks, in addition to internal personnel policies, training, access controls, etc.
• incident response protocols, including thorough analysis of events, reporting to relevant parties, and potential disclosure requirements.

In July of 2023, the SEC adopted rules requiring current disclosure of material cybersecurity incidents and periodic disclosure about a company’s processes to assess, identify, and manage material cybersecurity risks; management’s role in assessing and managing material cybersecurity risks; and the board of directors’ oversight of cybersecurity risks. These rules impact companies that have shares traded on US public markets.33

New SEC rules
Require disclosure of material cybersecurity incidents and information regarding cybersecurity risk management, strategy and governance.

The AICPA & CIMA, in collaboration with the CAQ, have jointly developed What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules, which provides guidance for complying with these new rules.34

Open lines of communication among the board, management, and those responsible for managing cybersecurity risks for the company will be increasingly important in light of the new disclosure requirements, and questions such as those described earlier may be useful.
Appendix I:
Cybersecurity insurance
Because most commercial insurance policies exclude coverage for cybersecurity-related damages, a separate policy, or rider, is required. This is especially true for organisations that have significant customer or client personally identifiable information (PII), that process online credit card payments, or that are otherwise highly dependent on the web to conduct their business.

In addition to insurance that covers losses relating to damage to, or loss of information from, IT systems and networks, policies generally include significant assistance with and management of the incident itself, which can be essential when faced with reputational damage or regulatory enforcement.

The National Association of Insurance Commissioners has provided a primer for cyber insurance on the US Federal Trade Commission resource page addressing cybersecurity for small businesses. While this primer is targeted to small businesses in the United States, the concepts captured below are widely applicable.35

Insurance should cover cyberattacks on data held by vendors or other third parties as well as attacks on your own network. As noted, coverage should include theft of personally identifiable information. It should also cover terrorist attacks and attacks that occur anywhere in the world. Other considerations include legal expenses, excess coverage over any other applicable coverage, and access to a breach hotline.

The ‘Cyber Insurance’ primer explains first- and third-party coverage as follows:36

First-party cyber coverage protects your data, including employee and customer information. This coverage typically includes your business’s costs related to:
• Legal counsel to determine your notification and regulatory obligations
• Recovery and replacement of lost or stolen data
• Customer notification and call center services
• Lost income due to business interruption
• Crisis management and public relations
• Cyber extortion and fraud
• Forensic services to investigate the breach
• Fees, fines and penalties related to the cyber incident

Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage typically includes:
• Payments to consumers affected by the breach
• Claims and settlement expenses relating to disputes or lawsuits
• Losses related to defamation and copyright or trademark infringement
• Costs for litigation and responding to regulatory inquiries
• Other settlements, damages and judgments
• Accounting costs
While cybersecurity insurance is an important aspect
of an organisation’s strategy, it should not replace
best practices, policies and controls. In fact, insurance
provider underwriting requirements and fee structures
are increasingly dependent upon effective cybersecurity
policies and programs.
Appendix II: Cybersecurity risk management reporting framework

The framework’s description criteria provide users of the report with information that can help them understand the entity’s cybersecurity risks and how it manages those risks.

The description criteria are categorised into the following sections:

• Nature of business and operations. Disclosures about the nature of the entity’s business and operations.
• Nature of information at risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses and stores that are susceptible to cybersecurity risk.
• Cybersecurity risk management programme objectives (cybersecurity objectives). Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data, and integrity of processing and the process for establishing, maintaining and approving them.
• Factors that have a significant effect on inherent cybersecurity risks. Disclosures about factors that have a significant effect on the entity’s inherent cybersecurity risks, including the
 — characteristics of technologies, connection types, use of service providers, and delivery channels used by the entity;
 — organisational and user characteristics; and
 — environmental, technological, organisational and other changes during the period covered by the description, at the entity and in its environment.
• Cybersecurity risk governance structure. Disclosures about the entity’s cybersecurity risk governance structure, including the processes for establishing, maintaining and communicating integrity and ethical values, providing board oversight, establishing accountability, and hiring and developing qualified personnel.
• Cybersecurity risk assessment process. Disclosures related to the entity’s process for
 — identifying cybersecurity risks and environmental, technological, organisational and other changes that could have a significant effect on the entity’s cybersecurity risk management programme;
 — assessing the related risks to the achievement of the entity’s cybersecurity objectives; and
 — identifying, assessing, and managing the risks associated with vendors and business partners.
• Cybersecurity communications and the quality of cybersecurity information. Disclosures about the entity’s process for communicating cybersecurity objectives, expectations, responsibilities, and related matters to both internal and external users, including the thresholds for communicating identified security events that are monitored, investigated, and determined to be security incidents, requiring a response, remediation or both.
• Monitoring of the cybersecurity risk management programme. Disclosures related to the process the entity uses to assess the effectiveness of controls included in its cybersecurity risk management programme, including information about the corrective actions taken when security events, threats, vulnerabilities and control deficiencies are identified.
• Cybersecurity control processes. Disclosures about
 — the entity’s process for developing a response to assessed risks, including the design and implementation of control processes;
 — the entity’s IT infrastructure and its network architectural characteristics; and
 — the key security policies and processes implemented and operated to address the entity’s cybersecurity risks.
Appendix III: Center for Internet Security — CIS Controls v8

Overview descriptions of the 18 controls encompassed in this framework, including the proportion of safeguards for each control that are applicable to IG1, are as follows:39

Control 01. Inventory and Control of Enterprise Assets — IG1= 2/5
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

Enterprises cannot defend what they do not know they have.
— Center for Internet Security, CIS Critical Security Controls® v8: 7.

Control 04. Secure Configuration of Enterprise Assets and Software — IG1= 7/12
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security.
— Center for Internet Security, CIS Critical Security Controls® v8: 16.

Control 05. Account Management — IG1= 4/6
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

Control 08. Audit Log Management — IG1= 3/12
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Control 09. Email and Web Browser Protections — IG1= 2/7
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Since email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering.
— Center for Internet Security, CIS Critical Security Controls® v8: 28.

Control 12. Network Infrastructure Management — IG1= 1/8
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

Control 13. Network Monitoring and Defense — IG1= 0/11
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Control 14. Security Awareness and Skills Training — IG1= 8/9
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Appendix IV: CISA MS-ISAC Ransomware Guide – Part 2: Ransomware Response Checklist

1. Determine which systems were impacted, and immediately isolate them.
• If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
• Prioritize isolating critical systems that are essential to daily operations.
• If taking the network temporarily offline is not immediately possible, locate the network cable (e.g., ethernet) and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
• For cloud resources, take a snapshot of volumes to get a point-in-time copy for reviewing later for forensic investigation.
• After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access or deploy ransomware widely prior to networks being taken offline.
2. Power down devices if you are unable to disconnect them from the network to avoid further spread of the ransomware infection.
• Note: This step will prevent your organization from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.

3. Triage impacted systems for restoration and recovery.
• Identify and prioritize critical systems for restoration on a clean network and confirm the nature of data housed on impacted systems.
 — Signs of the presence of Cobalt Strike beacon/client. Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
 — Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed). RMM software is commonly used by malicious actors to maintain persistence.
 — Any unexpected PowerShell execution or use of PsTools suite.
 — Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or NTDSutil.exe).
 — Signs of unexpected endpoint-to-endpoint (including servers) communications.
 — Operators of these advanced malware variants will often sell access to a network. Malicious actors will sometimes use this access to exfiltrate data and then threaten to release the data publicly before ransoming the network to further extort the victim and pressure them into paying.
 — Malicious actors often drop ransomware variants to obscure post-compromise activity. Care must be taken to identify such dropper malware before rebuilding from backups to prevent continuing compromises.

5. Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.
 — Potential signs of data being exfiltrated from the network. Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
 — Newly created services, unexpected scheduled tasks, unexpected software installed, etc.
• For cloud environments:
 — Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
 — Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (0.0.0.0/0), an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.
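Two of the host-side signs in the checklist above can be checked mechanically during triage: a process that carries the name of a legitimate Windows binary but runs from somewhere other than that binary’s normal location (the Cobalt Strike masquerading point), and services or scheduled tasks that were not present in a known-good baseline. The following is an added example written for this tool, not code from the CGMA tool or the CISA guide; the process records, the service and task lists, and the small table of expected image paths are all constructed sample data (a real baseline would be generated from a clean reference image).

```python
"""Host triage helpers for the threat-hunting signs in the CISA checklist.

Added example (not from the CGMA tool or CISA). Inputs are constructed.
"""
from dataclasses import dataclass

# Expected on-disk locations of a few core Windows binaries. Constructed
# baseline for the example; generate the real one from a clean image.
EXPECTED_IMAGE_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
    "rundll32.exe": r"c:\windows\system32\rundll32.exe",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image_path: str
    parent_name: str


def masquerading_processes(procs):
    """Processes whose name matches a system binary but whose image path is
    not the expected location (compared case-insensitively, as Windows
    paths are). Names not in the baseline table are ignored."""
    hits = []
    for p in procs:
        expected = EXPECTED_IMAGE_PATHS.get(p.name.lower())
        if expected is not None and p.image_path.lower() != expected:
            hits.append(p)
    return hits


def unexpected_persistence(current, baseline):
    """Services or scheduled tasks present now but absent from the
    known-good baseline: the 'newly created services, unexpected scheduled
    tasks' sign. Returned sorted so reports are stable."""
    return sorted(set(current) - set(baseline))


def triage(procs, services, baseline_services, tasks, baseline_tasks):
    """Collect the findings into one report dict for the incident team."""
    return {
        "masquerading": [(p.pid, p.name, p.image_path) for p in
                         masquerading_processes(procs)],
        "new_services": unexpected_persistence(services, baseline_services),
        "new_tasks": unexpected_persistence(tasks, baseline_tasks),
    }


# Constructed sample process listing (pid, name, path, parent).
SAMPLE_PROCS = [
    Proc(612, "lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe"),
    Proc(988, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(4210, "svchost.exe", r"C:\Users\Public\svchost.exe", "rundll32.exe"),
    Proc(5120, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]
# Constructed service and scheduled-task names, with their baselines.
BASELINE_SERVICES = ["wuauserv", "Spooler", "EventLog"]
SAMPLE_SERVICES = ["wuauserv", "Spooler", "EventLog", "UpdaterSvc"]
BASELINE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore"]
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "OneDriveSync2"]

if __name__ == "__main__":
    report = triage(SAMPLE_PROCS, SAMPLE_SERVICES, BASELINE_SERVICES,
                    SAMPLE_TASKS, BASELINE_TASKS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A hit from either check is a lead to investigate, not proof of compromise: legitimate software does register new services, and an unexpected path still needs the binary itself examined. Feed the report into the step 5 write-up rather than acting on it automatically.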
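The cloud guardrail the checklist describes (a new firewall rule open to 0.0.0.0/0 is revoked automatically and the creator and the security team are notified) can be expressed as a small decision function that runs on each rule-change event. The block below is an added example for this tool, not code from the CGMA tool, CISA or any cloud provider; the `RuleChange` records, the allowlist of intentionally public ports and the notification addresses are constructed assumptions. The allowlist is the design choice that keeps the automation from generating noise for ports that are meant to be public (the alert-fatigue point in the text), and it handles `::/0` as well as `0.0.0.0/0`.

```python
"""Decision logic for an 'open to the world' firewall-rule guardrail.

Added example (not from the CGMA tool, CISA or a cloud provider's API).
Rule-change records, the allowlist and the addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

SECURITY_TEAM = "security-team@example.invalid"   # assumed address

# (direction, port) pairs that are meant to be reachable from anywhere,
# e.g. HTTPS on a public web tier. Assumed allowlist for the example.
PUBLIC_ALLOWLIST = {("ingress", 443)}


@dataclass(frozen=True)
class RuleChange:
    rule_id: str
    direction: str      # "ingress" or "egress"
    cidr: str
    port_from: int
    port_to: int
    created_by: str


def is_world_open(cidr):
    """True for a prefix that matches every address (0.0.0.0/0 or ::/0).
    Returns None for a string that is not a valid CIDR so the caller can
    route it to a human instead of silently ignoring it."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return None


def evaluate(change):
    """Decide what the automation does with one rule change.

    Returns a dict with the action ("revoke", "allow" or "review"),
    a reason, and who gets notified. Only ingress rules are auto-revoked;
    world-open egress is common and is left for review here."""
    world_open = is_world_open(change.cidr)
    notify = [change.created_by, SECURITY_TEAM]

    if world_open is None:
        return {"rule_id": change.rule_id, "action": "review",
                "reason": f"unparseable CIDR {change.cidr!r}", "notify": notify}
    if not world_open:
        return {"rule_id": change.rule_id, "action": "allow",
                "reason": "source is not world-open", "notify": []}
    if change.direction != "ingress":
        return {"rule_id": change.rule_id, "action": "review",
                "reason": "world-open egress rule", "notify": [SECURITY_TEAM]}

    single_port = change.port_from == change.port_to
    if single_port and (change.direction, change.port_from) in PUBLIC_ALLOWLIST:
        return {"rule_id": change.rule_id, "action": "allow",
                "reason": f"port {change.port_from} is allowlisted as public",
                "notify": []}
    return {"rule_id": change.rule_id, "action": "revoke",
            "reason": (f"ingress from {change.cidr} on ports "
                       f"{change.port_from}-{change.port_to}"),
            "notify": notify}


def process_events(changes):
    """Evaluate a batch of rule changes; returns one decision per change."""
    return [evaluate(c) for c in changes]


# Constructed sample events, as an audit feed might deliver them.
SAMPLE_EVENTS = [
    RuleChange("r-001", "ingress", "0.0.0.0/0", 22, 22, "alice@example.invalid"),
    RuleChange("r-002", "ingress", "10.0.0.0/8", 3389, 3389, "bob@example.invalid"),
    RuleChange("r-003", "ingress", "0.0.0.0/0", 443, 443, "carol@example.invalid"),
    RuleChange("r-004", "ingress", "::/0", 0, 65535, "dave@example.invalid"),
    RuleChange("r-005", "egress", "0.0.0.0/0", 0, 65535, "erin@example.invalid"),
    RuleChange("r-006", "ingress", "not-a-cidr", 80, 80, "frank@example.invalid"),
]

if __name__ == "__main__":
    for decision in process_events(SAMPLE_EVENTS):
        print(decision)
```

In a real deployment the "revoke" branch would call the provider's API to disable the rule and the "notify" list would go to a ticketing or chat integration; both are left out here so the decision logic can be tested on its own.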
Additional reading and resources

AICPA & CIMA SOC for Cybersecurity
CAQ 2022 Audit Committee Transparency Barometer
Center for Internet Security
World Economic Forum Centre for Cybersecurity

Journal of Accountancy articles and podcasts:
‘Bots Emerge as Cyber Threat for Accounting Firms’

FM magazine articles:
‘5 Signs There Could Be IP Theft in Your Supply Chain’
‘Cyberattacks Stemming From Software on the Rise’
‘How to Prepare for Cyberattacks at a Time of Heightened Threat’
‘Organisations Ill-Prepared for the Stress of Complex Cyberattacks’
Endnotes

4 World Economic Forum, The Global Risks Report 2023, 11.
5 ‘Our community’s priorities’, World Economic Forum Centre for Cybersecurity, accessed September 13, 2023.
6 ‘Our Initiatives’, World Economic Forum Centre for Cybersecurity, accessed September 13, 2023.
7 IBM Security® and Ponemon Institute, 2023, Cost of a Data Breach Report 2023: 5–7, 31.
8 AICPA, 2017, Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program: 9–10.
9 Cybersecurity and Infrastructure Security Agency, April 2023, Zero Trust Maturity Model (Ver. 2.0): 6.
10 IBM Security® and Ponemon Institute, 2023, Cost of a Data Breach Report 2023: 18.
11 Ibid, 20.
12 Ibid, 20.
13 Ibid, 72.
14 Ibid, 15.
15 Ibid, 49–50.
16 Ibid, 62–66.
17 Ponemon Institute, 2019, 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses.
22 Ibid, 7.
23 Ibid, 7.
24 Ponemon Institute and IBM Security®, Cost of a Data Breach Report 2023.
25 Cybersecurity and Infrastructure Security Agency, Spring 2021, Cyber Essentials Starter Kit: The Basics for Building a Culture of Cyber Readiness: 1.
26 Cybersecurity and Infrastructure Security Agency, Cyber Essentials Starter Kit, 2.
27 ‘About Cyber Essentials’, National Cyber Security Centre, accessed September 13, 2023.
28 National Cyber Security Centre, 2023, Cyber Essentials: Requirements for IT infrastructure v3.1: 3.
29 Information Commissioner’s Office, 2018, Regulatory Action Policy.
30 The White House, May 12, 2021, ‘Executive Order on Improving the Nation’s Cybersecurity’.
31 ‘About CMMC’, Chief Information Officer, U.S. Department of Defense.
32 ‘Procurement Policy Note 09/14: Cyber Essentials scheme certification’, Cabinet Office.
33 ‘SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies’ [press release], 26 July 2023, Securities and Exchange Commission; Public Company Cybersecurity Disclosures; Final Rules [fact sheet], Securities and Exchange Commission.
34 AICPA & CIMA and Center for Audit Quality, September 2023, What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules.
35 ‘Cyber Insurance’, Federal Trade Commission and National Association of Insurance
40 Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) and Joint Ransomware Task Force, May 2023, ‘Introduction’, #StopRansomware Guide: 3.
41 Cybersecurity and Infrastructure Security Agency
Acknowledgements
Ken Witt, CPA, CGMA, and Carrie Kostelec, CPA, of the AICPA & CIMA prepared the update of this tool. The original tool was based on a webcast series that Kenneth R. van Wyk, President and Principal Consultant of KRvW Associates LLC, presented for AICPA & CIMA members.
Founded by AICPA and CIMA, the Association of International Certified Professional Accountants powers leaders in accounting and finance around the globe.
© 2023 Association of International Certified Professional Accountants. All rights reserved. AICPA and CIMA are trademarks of the American Institute of CPAs and The Chartered Institute
of Management Accountants, respectively, and are registered in the US, the EU, the UK and other countries. The Globe Design is a trademark of the Association of International Certified
Professional Accountants. 2309-555467