Using the NIST Framework and COBIT 2019 in Offering Cybersecurity Consulting and Assurance Services

Jeffrey S. Zanzig
DOI: 10.4018/978-1-7998-8390-6.ch005

Abstract

Information processing in a cyber environment offers tremendous benefits but is also accompanied by inevitable dangers including compromised confidentiality and malware such as ransomware that can shut down major segments of a country's operations. A variety of forms of guidance and regulation have been developed to deal with these cybersecurity issues. The professions of public accounting and internal audit have long worked with organizations to protect the integrity of their information systems. Both of these professions are working diligently to guide organization management in the area of cybersecurity. An important aspect of such services is an appropriate framework to use as a basis for advisement and assurance. One such framework is the Framework for Improving Critical Infrastructure Cybersecurity issued by the National Institute of Standards and Technology.

Introduction

Organizations have achieved significant benefits from their ability to harness the power of the Internet to reach customers and process many types of information. However, this power has come at a cost: company networks and their connections to the Internet have provided entry points for malicious persons to inappropriately access, manipulate, and/or steal company information. For example, a cybersecurity breach disclosed in December 2020 at a large American software development company named SolarWinds drew the attention of the United States Congress when hackers were able to introduce malicious code into the company’s Orion IT infrastructure monitoring and administration platform. This code was then transferred to over 250 companies and government agencies by means of updates and patches that SolarWinds sent out to its customers. The SUNBURST malware produced backdoors allowing hackers to enter the systems of SolarWinds customers while bypassing normal authentication procedures (Mar, 2021). In another incident, the largest fuel pipeline in the United States was brought down when hackers got into a virtual private network of the Colonial Pipeline Company in April 2021. This ransomware attack resulted in Colonial shutting down its entire gasoline pipeline for the first time in its 57-year history (Turton and Mehrotra, 2021). As a result of incidents such as these, there has been an increasing number of regulations and other forms of guidance that organizations must comply with to protect the confidentiality, integrity, and availability of information.

Certified public accountants (CPAs) and internal auditors are well known and respected for their extensive efforts in advising organizations regarding internal controls over information processing. Both professions are working conscientiously to advise organizations on how to address cybersecurity risks. In addition, the American Institute of Certified Public Accountants (AICPA) has issued guidance on how CPAs can evaluate and report on cybersecurity programs. Of course, the offering of consulting and assurance services must be accompanied by an appropriate framework. Such a framework must address a variety of forms of guidance and government regulation, while at the same time allowing for continuous improvement to address the constantly changing threats in a cybersecurity environment.

The Cybersecurity Enhancement Act of 2014 revised the purpose of the National Institute of Standards and Technology (NIST) to encompass finding and advancing cybersecurity risk frameworks. On April 16, 2018, NIST issued version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework). The NIST Framework recognizes that organizations will continue to have unique risks, since they face different threats and have their own levels of risk tolerance. It is for this reason that organizations tailor the practices in the NIST Framework to their specific situations. The NIST Framework may be described as consisting of four basic components:

  1. The Framework Core: An arrangement of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.

  2. Framework Implementation Tiers: Describe an organization’s cybersecurity risk management practices over a range from Partial (Tier 1) to Adaptive (Tier 4).

  3. Framework Profile: Can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).

  4. Coordination of Framework Implementation: Describes a common flow of information and decisions through the levels of an organization.

Any cybersecurity framework must be based on appropriate guidance from organizations respected for their knowledge of technology and cybersecurity issues. The NIST Framework is indeed based on guidance from several informative references, including those of ISACA. ISACA is well known for its development of international information systems auditing and control standards. One of its most significant contributions is a continuing project known as the Control Objectives for Information and Related Technologies (COBIT). The management objectives of COBIT 2019 are organized into four management domains:

  • Align, Plan and Organize (APO)

  • Build, Acquire and Implement (BAI)

  • Deliver, Service and Support (DSS)

  • Monitor, Evaluate and Assess (MEA)

Key Terms in this Chapter

Framework: A grouping of rules and related concepts into a logical approach that can be used to identify complex problems and decide upon appropriate courses of action to address them.

Assurance: An independent professional service that increases the value of information for the decision maker.

Internal Controls: Systematic measures instituted by an organization to ensure the integrity of its operations.

Cloud Computing: Data centers that offer data storage and computing power to various organizations, relieving the user organizations of the need to invest resources to establish, maintain, and manage the data centers.

Cybersecurity: A set of processes, practices, and technologies designed to protect, in the realm of cyberspace, the three tenets of information security: confidentiality, integrity, and availability.
