The American Institute of Certified Public Accountants (AICPA) has released new guidance for examination and reporting of an organization’s cybersecurity risk management program. The guidance is called Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program and is supplementary to the existing SOC 2 reporting standard used by many organizations that provide a service to other organizations.
Concurrent with this new reporting framework, the AICPA has also issued an update to the existing Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. These criteria are used within the existing Service Organization Controls (SOC) 2 reporting framework.
What does this mean?
The existing Trust Services Criteria and Principles within the SOC 2 reporting framework is designed to allow an organization to report on the control environment relative to a particular system or service offering. The new Cybersecurity Risk Management guidance allows an organization to report on management of cybersecurity risk across an entire organization or business segment.
Why was the new framework created?
The AICPA is responding to requests across industries for a way to examine and report on the effectiveness of cybersecurity risk management within an organization. While there are numerous control frameworks, certifications, and compliance requirements in the marketplace, to date there is no industry agnostic standard for allowing companies to share reporting on their cybersecurity risk management program. This new reporting framework allows entities to share information about the effectiveness of their cybersecurity risk management programs.
Do I need to consider it?
As organizations seek better methods of cybersecurity risk management associated with the use of service providers, boards and senior leadership may look to this new standard as a baseline consideration of a service provider’s management of cyber risk. Even organizations that complete a SOC 1 or 2 examination around a particular service offering may be pressed to demonstrate integration of cybersecurity risk management across the organization or business segment. Such a practice would provide comfort that data security is a top priority for organizational leadership. If an organization has established a cyber risk management program, or aligned itself with an industry standard framework such as the NIST Cybersecurity Framework or ISO 27001, it likely has a head start in preparing to undergo an examination with this new framework. If an organization has not established a cybersecurity risk management program, leadership should begin thinking about designing a program that effectively addresses cyber risk.
How do I get started?
It is recommended that risk management professionals assess the status of a cybersecurity risk management program within their organization through the performance of a readiness assessment. The cyber risk framework developed by the AICPA includes description criteria (DC) categories that describe the nature of the business and operation, and governance, assessment and monitoring of the cyber risk management program. If a readiness assessment validates the implementation of controls surrounding these criteria, a Description of the cybersecurity risk management program can be prepared for inclusion in a future SOC report.
As a Top 20 public accounting firm with a strong IT Advisory Services team and significant experience preparing SOC reports, DHG is well positioned to assist clients with preparing and completing an examination using the AICPA’s new Cybersecurity Risk Management framework. Contact Tom Tollerton or Ryan Boggs within the DHG IT Advisory practice for more details about the new guidance and DHG’s approach to completing an examination.
About The Authors
Tom Tollerton, CISSP, CISA, QSA | Manager, DHG IT Advisory | firstname.lastname@example.org
Tom Tollerton, CISSP, CISA, QSA is a manager in the DHG IT Advisory practice. With more than 10 years of experience in the cybersecurity field, Tom helps manage the firm’s cybersecurity services, and serves as a subject matter leader in cybersecurity risk assessments, payment card industry (PCI) compliance assessments, ACH Data Security Audits, cyber forensics and data breach incident response.
Ryan Boggs, CISA, CRISC | Manager, DHG IT Advisory | email@example.com
Ryan Boggs, CISA, CRISC, is a manager in the DHG IT Advisory practice. He has managed both domestic and international engagements that include internal audits, SOC 1 and SOC 2 examinations, security and privacy compliance assessments and technology control reviews. In addition, Ryan has led multiple consulting engagements with a wide array of clients to assist with IT strategic alignment, governance, security, operations and business continuity.
About DHG IT Advisory
DHG IT Advisory, a national practice of Dixon Hughes Goodman, works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. For more information, visit dhg.com/itadvisory.