SOC for Cybersecurity: Introduction & Foundation
Cyberspace is a vast and largely uncharted realm of interconnected digital information, and it is all at our fingertips. Within seconds we can obtain information about almost anything we want to know. It is safe to say that we are living in the digital age, as technology becomes more intertwined with our lives with each passing day. Public and private organizations recognize this shift and are moving away from ‘hard copies’ in order to become fully digital. However, with this shift comes greater opportunity for cybersecurity threats and attacks, because information can now be accessed outside the physical walls of an organization.
In recent years, there have been multiple instances of cybersecurity attacks and information leaks that have affected organizations. Therefore, the need for security to protect this information is as high as it has ever been. Organizations’ boards and management are focusing more than ever on how to protect and secure their information and, equally as important, their customers’ information, whether it is stored on local servers or in the cloud. With this focus on cybersecurity, however, come two difficult-to-answer questions: “How do I know my cybersecurity programs are effective?” and “How do I know my information is being adequately protected by my vendors?”
With recently released guidance, Certified Public Accountants (CPAs) now have the ability to assist organizations by providing advisory services that help them evaluate and strengthen their cybersecurity risk management program. The same guidance also gives CPAs the ability to perform independent examination services over the design and effectiveness of an organization’s cybersecurity risk management program, the result of which is an issued report that can be provided to board members, management, and other stakeholders. Over the course of a series of articles, McKonly & Asbury will dive into SOC for Cybersecurity, providing the foundation, importance, and framework of this examination.
What is SOC for Cybersecurity?
In April 2017, the American Institute of Certified Public Accountants (AICPA) introduced a new examination entitled System and Organization Controls (SOC) for Cybersecurity. The SOC for Cybersecurity examination builds on the AICPA standards already in place for SOC examinations. The existing SOC 1, SOC 2, and SOC 3 frameworks were focused on organizations providing direct or indirect services to other organizations as a service provider. SOC for Cybersecurity, however, is appropriate for virtually any type of business or not-for-profit organization and is performed in accordance with the AICPA’s cybersecurity risk management program attestation standards. It focuses on communicating the design and effectiveness of an organization’s cybersecurity risk management program to the organization’s clients or prospective clients.
A SOC for Cybersecurity examination gives an organization’s clients and prospective clients the opportunity to understand the processes, policies, and controls that the organization has in place to prevent and mitigate cybersecurity attacks on their information. It also allows the organization itself to identify potential gaps that are not addressed by the processes, policies, or controls currently in place.
The SOC for Cybersecurity independent examination includes the following items:
- A detailed description of management’s cybersecurity risk management program. This description covers the processes and policies in place to protect and secure the organization’s information and systems from cybersecurity risks, and gives users of the report the context they need to understand how information is protected within the organization.
- Management’s assertion that their cybersecurity risk management program description is in accordance with the AICPA description criteria and that the controls within the organization’s cybersecurity risk management program were effective to achieve the organization’s objectives based on the AICPA control criteria.
- Auditor’s opinion on whether the organization’s cybersecurity risk management program description is in accordance with the AICPA description criteria and whether the controls within the organization’s cybersecurity risk management program effectively achieved the organization’s objectives based on the AICPA control criteria.
What is a Cybersecurity Risk Management Program?
Most organizations already have an IT policy in place to prevent unauthorized use of the organization’s electronic equipment and to protect the entity from malicious threats. A cybersecurity risk management program expands upon a routine IT policy by encompassing the processes, policies, and controls the organization has implemented to protect and secure its information and systems from cybersecurity attacks and events. The objective of the program is to detect and mitigate cybersecurity attacks and events, while also including the processes and controls needed to respond to and recover from those attacks and events that are not prevented.
Does Your Organization Need a SOC for Cybersecurity?
A SOC for Cybersecurity examination is not required, but it is without question useful for an organization and its stakeholders in understanding the cybersecurity programs in place. If a company relies on the integrity and security of its systems for its ongoing business operations, or fields regular questions from customers or prospects on the nature of its cybersecurity programs, a SOC for Cybersecurity report should be strongly considered.
McKonly & Asbury recommends that organizations that have not previously had a SOC for Cybersecurity examination begin with a pre-assessment as the first step in the process. The pre-assessment benefits organizations because McKonly & Asbury works closely with them to prepare for the independent examination. It includes communication of all gaps or issues identified in the organization’s current cybersecurity risk management program control structure, time for the organization to remediate any issues noted, and discussion of the scope of the SOC for Cybersecurity examination along with the final results of the pre-assessment.
McKonly & Asbury has the experience and expertise to work with your organization to evaluate your preparedness for a SOC for Cybersecurity examination. Our goal is to work with you to evaluate your internal controls and reporting needs and then provide you with valuable recommendations to ensure your SOC for Cybersecurity examination goes smoothly.
Stay tuned for our next article, where we will discuss the importance of the SOC for Cybersecurity Examination. And if you have any questions regarding this article or for more information about our SOC for Cybersecurity services, please contact Michael Hoffner, Partner and Leader of McKonly & Asbury’s SOC practice, at mhoffner@macpas.com.