As a relentless wave of cyberattacks continues, 各组织正面临着来自主要利益相关者和监管机构的巨大压力,要求他们实施和加强网络安全计划,以保护客户, employees and the valuable information in their possession. According to research from IBM Security and the 波耐蒙研究所, 每家公司的平均总成本, per event of a data breach is US $3.6200万年.1 Initial damage estimates of a single breach, 虽然常常令人惊愕, may not take into account less obvious and often undetectable threats such as theft of intellectual property, 间谍活动, 数据销毁, attacks on core operations or attempts to disable critical infrastructure. These effects can last for years and have devastating 金融, operational and brand ramifications.
鉴于加强网络安全控制的广泛监管压力,以及围绕网络风险的可见性, 在过去几年中,美国各管理机构提出了一系列旨在改善网络安全风险管理计划的拟议法规. 其中最突出的是纽约金融服务部(NYDFS)最近发布的一项规定,该规定规定了受NYDFS监管的实体的某些最低网络安全标准. Based on the entity’s risk assessment, the NYDFS law has specific requirements around data encryption, 保护和保留, 第三方信息安全, App 保护, incident response and breach notification, 董事会报告, 以及年度认证.
然而, 各组织仍在努力报告其网络安全风险管理计划的整体有效性. 美国注册会计师协会(AICPA)发布了新的网络安全风险管理报告框架2 intended to help organizations expand cyberrisk reporting to a broad range of internal and external users, including the C-suite and the board of directors (BoD). 美国注册会计师协会(AICPA)的新报告框架旨在通过提供更深入的信息,满足利益相关者提高透明度的需求, easily consumable information about an organization’s cyberrisk management program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. 例如, 它允许选择和使用任何被认为适合和可用的控制框架,以建立实体的网络安全目标,并在实体的网络安全风险管理计划中制定和维护控制,无论该控制框架是否为美国国家标准与技术研究院(NIST)的网络安全框架, the International Organization for Standardization (ISO)’s ISO 27001/2 and related frameworks, or internally developed frameworks based on a combination of sources. 考试是自愿的, and applies to all types of entities, but should be considered a leading practice that provides the C-suite, 董事会和其他关键利益相关者清楚地了解组织的网络安全计划,并确定使组织易受攻击的漏洞或陷阱.
Who can benefit from a cyber security risk management examination report? 这样的报告对于帮助组织的董事会建立对公司网络安全风险计划的适当监督,并将其有效性可靠地传达给利益相关者至关重要, 包括投资者, 分析师, 客户, 业务伙伴及规管机构(图1). 通过利用这些信息, 董事会可以挑战管理层对其网络风险管理计划有效性的断言,并推动更有效的决策制定. 董事会的积极参与和监督有助于确保组织对网络风险管理给予足够的重视. 该委员会可以帮助塑造对网络威胁报告的期望,同时也倡导提高项目有效性的透明度和保证.
选择使用AICPA的网络安全认证报告框架并对其网络安全计划进行检查的组织可能会更好地获得竞争优势并提升其在市场中的品牌. 例如, 外包服务提供商(OSP)如果能够提供证据证明其组织中有完善和健全的网络安全风险管理计划,则可以主动向现有和潜在客户提供报告, 证明它已经实施了适当的控制来保护敏感的it资产和有价值的数据. 同时, OSP的现有和潜在客户希望与他们合作的第三方也高度重视网络安全. 要求将网络安全审查报告作为选择标准的一部分,将为外包商的网络安全计划提供透明度,并可能成为选择过程中的一个决定性因素.
撰写网络保险政策的保险公司可以在承保和风险评估过程中使用客户网络安全检查报告中的信息,通过更有效地确定保险需求,帮助他们评估公司的风险状况和潜在风险. 他们可以进一步利用这些信息,通过向展示有效网络安全计划的客户提供潜在的利益,来增强他们的竞争优势. 相反, 客户和潜在客户可以利用他们自己的网络安全检查报告,根据他们对网络攻击的准备情况,要求对网络保险政策进行更优惠的定价.
在监管授权确立或危机发生之前,通过开展网络安全风险管理审查来解决网络安全关切和问题的价值是非常明显的. 组织可以将新的网络安全认证报告框架视为增强其现有网络安全计划并获得竞争优势的机会. The attestation reporting framework addresses the needs of a variety of key stakeholder groups and, 反过来, limits the communication and compliance burden. Organizations that view the cyber security reporting landscape as an opportunity can use it to lead, navigate and disrupt in today’s rapidly evolving cyberrisk environment.
尾注
1 波耐蒙研究所, 2017年数据泄露成本研究, IBM Security, 2017年6月; http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN
2 American Institute of Certified Public Accountants, System and Organization Controls for 网络安全, 美国, 2017, www.会计师协会.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPA网络安全Initiative.aspx
桑德拉Herrygers
是德勤的合伙人 & Touche LLP) and is the global assurance leader.
Gaurav库马尔
是德勤的负责人吗 & Touche LLP), specializing in assurance and risk and controls transformation services.
杰夫·斯
是德勤的董事总经理吗 & Touche LLP), 专门从事风险管理, 公司治理, and compliance and controls transformation within the 金融 services industry.
免责声明
This article contains general information only and 德勤 is not, 通过这篇文章, 呈现会计, 业务, 金融, 投资, 法律, 税, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your 业务. Before making any decision or taking any action that may affect your 业务, you should consult a qualified professional advisor. 德勤 shall not be responsible for any loss sustained by any person who relies on this article.
关于德勤
德勤 refers to one or more of 德勤 Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), 它的成员公司网络, 以及它们的相关实体. DTTL and each of its member firms are 法律ly separate and independent entities. DTTL (also referred to as “德勤 Global”) does not provide services to clients. 在美国, 德勤 refers to one or more of the US member firms of DTTL, 在美国以“德勤”名义经营的相关实体及其各自的附属公司. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2017 德勤 Development LLC. 版权所有.