Viewing cybersecurity through a COSO lens

Cybersecurity is a constant source of concern for businesses as
high-profile breaches make headlines almost daily.

Nation states, organized crime, hacktivists, and even terrorists
have demonstrated the ability to compromise technology and systems
used by businesses as well as individuals.

A new report
released Wednesday, COSO in the Cyber Age, describes how the
popular internal control framework updated in 2013 by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) can help
organizations evaluate and manage cyberrisks.

Cybersecurity can be viewed through the lens of the principles of
the COSO framework, according to the report, in some of the following ways:

Principle 6: Organizations specify objectives with
sufficient clarity to enable the identification of risks relating to
objectives.
In applying this principle, management can determine
the levels of risk tolerance acceptable to the organization and focus
on protecting the most critical information systems.

Principle 7: The organization identifies risks to the
achievement of its objectives across the entity and analyzes risks
as a basis for determining how the risks should be managed, and
Principle 8: The organization considers the potential for
fraud in assessing risks to the achievement of objectives.
Senior management, business, and IT personnel evaluate risks in
the application of these two principles. They must understand what
information systems are valuable to potential cyberattackers and
understand how these attacks are likely to occur.

Principle 9: The organization identifies and assesses
changes that could significantly impact the system of internal
control.
Updating risk assessments on a continuous basis to
reflect changes that could impact cyber controls is a key to applying
this principle.

Principles 10, 11, and 12: In following these principles,
the organization selects, develops, and deploys control activities.
Careful design and implementation of appropriate controls—after
consideration of likely attack methods used by hackers—can help
fulfill these principles.

Principle 13: The organization obtains or generates and uses
relevant, quality information to support the functioning of internal
control.
Formally documenting information requirements—and the
related risk analysis and response—can help make sure that processes
and controls will be executed consistently.

Principle 14: The organization internally communicates
information, including objectives and responsibilities for internal
control, necessary to support the functioning of internal
control.
Effective communications will educate all personnel on
their responsibilities, as well as those responsible for managing
cyberrisks, and the board of directors.

The report also suggests that organizations should ask:

“There is growing concern at all levels of industry about the
challenges posed by cybercrime,” COSO Chairman Robert Hirth said in a
news release. “This new guidance helps put organizations on the right
path toward confronting and managing the frightening number of cyberattacks.”

COSO is a joint initiative of five private-sector organizations
dedicated to providing thought leadership on enterprise risk
management, internal control, and fraud deterrence. The AICPA is a
member of COSO.


Ken Tysiac is a JofA editorial director.
