Description Criteria for Use in the Cybersecurity Risk Management Examination
This appendix is nonauthoritative and is included for informational purposes only.
The description criteria and related implementation guidance in this appendix have been extracted from Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program, issued in April 2017 by the AICPA’s Assurance Services Executive Committee. The complete text may be found at www.aicpa.org/cybersecurityriskmanagement.
NATURE OF BUSINESS AND OPERATIONS
DC1: The nature of the entity’s business and operations, including the principal products or services the entity sells or provides and the methods by which they are distributed
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The entity’s principal markets, including the geographic locations of those markets, and changes to those markets
• If the entity operates more than one business, the relative importance of the entity’s operations in each business and the basis for management’s determination (for example, revenues or asset values)
NATURE OF INFORMATION AT RISK
DC2: The principal types of sensitive information created, collected, transmitted, used, or stored by the entity
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• Information regarding individuals that warrants protection based on law, commitment, or reasonable expectation of confidentiality (for example, personally identifiable information, protected health information, and payment card data)
• Third-party entity information (for example, information subject to confidentiality requirements in contracts) that warrants protection based on law, commitment, or reasonable expectation of confidentiality, availability, and integrity
• Entity information (for example, trade secrets, corporate strategy, and financial and operational data) whose confidentiality, availability, and integrity are necessary to the achievement of the entity’s business objectives
CYBERSECURITY RISK MANAGEMENT PROGRAM OBJECTIVES (CYBERSECURITY OBJECTIVES)
DC3: The entity’s principal cybersecurity risk management program objectives (cybersecurity objectives) related to availability, confidentiality, integrity of data, and integrity of processing
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• An entity ordinarily establishes cybersecurity objectives that address the following:
  — Commitments made to customers, vendors, business partners, and others related to the security and availability of information and systems, including commitments related to public well-being as it relates to the entity’s products and operations, infrastructure, and extended supply chains
  — Laws and regulations to which the entity is subject as a result of the types of information it possesses or uses (for example, protected health information and personally identifiable information)
  — Commitments made as part of a certification and authorization process for government agencies and other parties
  — Industry standards to which the entity is subject as a result of the types of information it uses (for example, Payment Card Industry Data Security Standards for organizations that accept or process credit card transactions)
  — Other business initiatives
• An entity’s cybersecurity objectives depend on the nature of the entity’s business and the industry in which it operates; accordingly, they should reflect the entity’s specific cybersecurity risks. The following is an example of cybersecurity objectives an entity might establish.
  Availability
  Enabling timely, reliable, and continuous access to and use of information and systems to support operations and to
  • comply with applicable laws and regulations;
  • meet contractual obligations and other commitments;
  • provide goods and services to customers without disruption;
  • safeguard entity assets and assets held in custody for others; and
  • facilitate decision making in a timely manner.
  Confidentiality
  Protecting information from unauthorized access and disclosure, including means for protecting proprietary information and personal information subject to privacy requirements, to
  • comply with applicable laws and regulations;
  • meet contractual obligations and other commitments; and
  • safeguard the informational assets of an entity.
  Integrity of Data
  Guarding against improper capture, modification, or destruction of information to support the following:
  • The preparation of reliable financial information for external reporting purposes
  • The preparation of reliable nonfinancial information for external reporting purposes
  • The preparation of reliable information for internal use
  • Information nonrepudiation and authenticity
  • The completeness, accuracy, and timeliness of processing
  • Management, in holding employees and users accountable for their actions
  • The storage, processing, and disclosure of information, including personal and third-party information
  Integrity of Processing
  Guarding against improper use, modification, or destruction of systems to support the following:
  • The accuracy, completeness, and reliability of information, goods, and services produced
  • The safeguarding of entity assets
  • Safeguarding of life and health
  Guarding against the unauthorized use or misuse of processing capabilities that could be used to impair the security or operations of external parties
• An entity may consider risk appetite when establishing its cybersecurity objectives. An entity’s risk appetite refers to the amount of risk it is willing to accept to achieve its business objectives. Risk appetite often affects the entity’s risk management philosophy, influences the entity’s culture and operating style, and guides resource allocation. Therefore, it might be helpful for an entity to describe its cybersecurity objectives in relation to its risk appetite.
DC4: The process for establishing, maintaining, and approving cybersecurity objectives to support the achievement of the entity’s objectives
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The process for establishing cybersecurity objectives based on the entity’s business and strategic objectives established by the board of directors and management
• The process for obtaining board of director or executive management approval of the entity’s cybersecurity objectives
• The use of security management and control frameworks in establishing the entity’s cybersecurity objectives and developing and maintaining controls within the entity’s cybersecurity risk management program, including disclosure of the particular framework(s) used (for example, NIST Cybersecurity Framework, ISO 27001/2 and related frameworks, or internally developed frameworks based on a combination of sources)
FACTORS THAT HAVE A SIGNIFICANT EFFECT ON INHERENT CYBERSECURITY RISKS
DC5: Factors that have a significant effect on the entity’s inherent cybersecurity risks, including the (1) characteristics of technologies, connection types, use of service providers, and delivery channels used by the entity, (2) organizational and user characteristics, and (3) environmental, technological, organizational, and other changes during the period covered by the description at the entity and in its environment.
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about the characteristics of technologies, connection types, use of service providers, and delivery channels used by the entity, consider the following:
• Use of outsourcing such as cloud computing and IT-hosted services
• Use of mobile devices, platforms, and deployment approaches
• Network architecture and strategy, including the extent of the use of virtualization
• Types of application and infrastructure (for example, DB, OS types and technologies) and the source (for example, internally developed or purchased without modification) of such applications and infrastructure
• Types of service providers that store, process, and transmit sensitive data or access the entity’s systems, the nature of the services provided, and the nature of their access and connectivity to the environment and sensitive data
• Types of other external party access and connectivity to information systems and sensitive data
• Nature of external-facing web applications and the nature of applications developed in-house
• Dependency on strategically significant IT equipment and systems that are no longer supported or would be difficult to repair or replace in the event of failure
• Dependency on strategically significant IT equipment and systems based on emerging technologies
When making judgments about the nature and extent of disclosures to include about organizational and user characteristics, consider the following:
• IT organization size and structure (for example, centralized versus decentralized, insourced or outsourced)
• Types of user groups (for example, employees, customers, vendors, and business partners)
• Whether the entity’s information assets, employees, customers, vendors, or business partners are located in countries deemed high risk by management as part of its risk assessment process
• The distribution of responsibilities related to the cybersecurity risk management program between business functions (for example, operating units, risk management, and legal) and IT
• Business units with IT systems administered under a separate management structure (for example, outside of a centralized IT function)
When making judgments about the nature and extent of disclosures to include about environmental, technological, organizational, and other changes at the entity and in its environment during the period covered by the description, consider the following:
• Changes to the entity’s principal products, services, or distribution methods
• Changes to business unit, IT, and security personnel
• Significant changes to entity processes, IT architecture and applications, and the processes and systems used by outsourced service providers
• Acquisitions and other business units that have not been fully integrated into the cybersecurity risk management program, including the integration or segmentation strategy used for the acquiree’s IT systems, and the current state of those activities
• Changes to legal and regulatory requirements
• Divestitures and other cessation of operations, particularly those that have ongoing service support obligations for systems related to those operations (if any), and the current status of those activities
DC6: For security incidents that (1) were identified during the 12-month period preceding the period end date of management’s description and (2) resulted in a significant impairment of the entity’s achievement of its cybersecurity objectives, disclosure of the following: (a) nature of the incident; (b) timing surrounding the incident; and (c) extent (or effect) of those incidents and their disposition
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following regarding whether the incident:
• Was considered sufficiently significant based on law or regulation to require public disclosure
• Had a material effect on the financial position or results of operations and required disclosure in financial statement filings
• Resulted in sanctions by any legal or regulatory agency
• Resulted in withdrawal from material markets or cancellation of material contracts
CYBERSECURITY RISK GOVERNANCE STRUCTURE
DC7: The process for establishing, maintaining, and communicating integrity and ethical values to support the functioning of the cybersecurity risk management program
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• How management sets the tone at the top
• The establishment and enforcement of standards of conduct for entity personnel
• The process used to identify and remedy deviations from established standards
• Consideration of contractors and vendors in the process for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner
DC8: The process for board oversight of the entity’s cybersecurity risk management program
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The extent of the board of directors’ cybersecurity and IT expertise or access to external cybersecurity and IT expertise, or both
• Identification of the board committee designated with oversight of the entity’s cybersecurity risk management program, if any
• The frequency and detail with which the board or committee reviews or provides input into cybersecurity-related matters, including board oversight of security incidents
DC9: Established cybersecurity accountability and reporting lines
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The responsibility for the review and oversight of the cybersecurity risk management program by senior management
• The identification of the designated cybersecurity leader (for example, chief information security officer), and the reporting of that individual to executive management and the board of directors
• The roles and responsibilities of entity personnel who perform cybersecurity controls and activities
• The process for addressing the oversight and management of external parties (for example, vendors) when establishing structures, reporting lines, authorities, and responsibilities
DC10: The process used to hire and develop competent individuals and contractors and to hold those individuals accountable for their cybersecurity responsibilities
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The process for considering the competence of qualified personnel with cybersecurity responsibilities, including the performance of background checks, assessment of educational levels and certifications, requirements for ongoing training, hiring contractors, and the use of offshore recruiting
• The program for providing cybersecurity awareness and training to employees and contractors based on their cybersecurity responsibilities and access to information and information systems
• The process for making sure that employees and contractors have the resources necessary to carry out their cybersecurity responsibilities
• The process for identifying the types and levels of cybersecurity professionals needed
• The processes used to communicate performance expectations and hold individuals accountable for the performance of their responsibilities
• The processes to update communication and accountability mechanisms and monitor employee compliance with their responsibilities and entity policies
• The process used to reward individuals for performance and the process used to align the measures used to the achievement of the entity’s objectives
CYBERSECURITY RISK ASSESSMENT PROCESS
DC11: The process for (1) identifying cybersecurity risks and environmental, technological, organizational, and other changes that could have a significant effect on the entity’s cybersecurity risk management program and (2) assessing the related risks to the achievement of the entity’s cybersecurity objectives
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The use of inventory management to classify the entity’s information assets, including hardware, virtualized systems, and software (licensed and public domain), according to their nature, criticality, and sensitivity
• The identification of the roles responsible for or participating in the risk assessment process
• How the process includes the consideration of the types, likelihood, and impact of risks to information assets, including manufacturing and industrial control systems, from potential threats including:
  — Intentional (for example, fraud) and unintentional internal and external acts
  — Identified and unidentified threats
  — Those risks arising from different types of employee personnel (for example, finance, administrative, operations, IT, and sales and marketing) and others (for example, contractors, vendor employees, and business partners) with access to information and systems
• How the process includes the consideration of identified and unidentified vulnerabilities and control deficiencies
• Obtaining threat and vulnerability information from information-sharing forums and other sources
• The ongoing process for identifying changes in the entity and its environment that would result in new risks or changes to existing risks, including these:
  — The use of new technologies
  — Changes to the regulatory, economic, and physical environment in which the entity operates
  — New business lines
  — Changes to the composition of existing business lines
  — Changes in available resources
  — Acquired or divested business operations
  — Rapid growth
  — Changing operational presence in foreign countries
  — Changing political climates
• The process for identifying the need for and performing ad hoc risk assessments
• The roles responsible and accountable for identifying and assessing changes
DC12: The process for identifying, assessing, and managing the risks associated with vendors and business partners
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The process for identifying vendors and business partners affecting the entity’s cybersecurity risk management program and maintaining an inventory of those parties
• How the process takes into consideration the types, likelihood, and impact of risks to information assets (including manufacturing and industrial control systems) from potential threats, including the risks arising from the use of external parties that store, process, or transmit sensitive information on the entity’s behalf (for example, suppliers, customers, vendors, business partners, and those entities’ relevant vendors and business partners)
• The process for identifying and evaluating risks that could be mitigated through the purchase of cybersecurity insurance
• How the entity manages risks to the achievement of its cybersecurity objectives arising from vendors and business partners, including the following:
  — Establishing specific requirements for a vendor and other business partner engagement that include scope of services and product specifications, roles and responsibilities, compliance requirements, and service levels
  — Assessing, on a periodic basis, the risks that the vendors and business partners represent to the achievement of the entity’s objectives, including risks that arise from those entities’ relevant vendors and business partners (often referred to as fourth-party risk)
  — Assigning responsibility and accountability for the management of associated risks
  — Establishing communication and resolution protocols for service and product issues, including reporting of identified threats
  — Establishing exception-handling procedures
  — Periodically assessing the performance of vendors and business partners and those entities’ relevant vendors and business partners
  — Implementing procedures for addressing associated risks
CYBERSECURITY COMMUNICATIONS AND QUALITY OF CYBERSECURITY INFORMATION
DC13: The process for internally communicating relevant cybersecurity information necessary to support the functioning of the entity’s cybersecurity risk management program, including (1) objectives and responsibilities for cybersecurity and (2) thresholds for communicating identified security events that are monitored, investigated, and determined to be security incidents requiring a response, remediation, or both
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• Methods used to communicate to personnel, including executive management, information to enable them to understand and carry out their cybersecurity responsibilities (for example, through the use of the following):
  — Awareness programs, including training about detecting and avoiding social engineering threats and security breach reporting and response
  — Job descriptions
  — Acknowledgement of code of conduct and policies
  — Employee-signed confidentiality agreements
  — Policy and procedures manuals
• Communications with the board of directors to enable members to have the information, including training and reference materials, needed to fulfill their roles
• The process for creating and updating communications, including considerations of timing, audience, and nature of information when selecting the communication method to be used
• The use of various communication channels, such as whistle-blower hotlines, to enable anonymous or confidential communication when normal channels are inoperative or ineffective
DC14: The process for communicating with external parties regarding matters affecting the functioning of the entity’s cybersecurity risk management program
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The existence and use of open communication channels that allow input from customers, consumers, vendors, business partners, external auditors, regulators, financial analysts, and others to provide management and the board of directors with relevant information
• The process for creating and updating communications regarding cybersecurity, including considerations of timing, audience, and nature of information when selecting the communication method to be used
• The use of various communication channels, such as whistle-blower hotlines, to enable anonymous or confidential communication when normal channels are inoperative or ineffective
• The process by which legal, regulatory, and fiduciary requirements, including required communication of data breaches and incidents, are considered when making communications
MONITORING OF THE CYBERSECURITY RISK MANAGEMENT PROGRAM
DC15: The process for conducting ongoing and periodic evaluations of the operating effectiveness of key control activities and other components of internal control related to cybersecurity
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The variety of different types of ongoing and separate evaluations used, which may include a combination of periodic and continuous internal audit assessments, penetration testing, and independent certifications made against established security and other specifications (for example, ISO 27001 and HITRUST)
• The process for considering the rate of change in business and business processes when selecting and developing such evaluations
• The process for performing the ongoing and periodic evaluations, including whether (a) the design and current state of the entity’s cybersecurity risk management program, including the controls, are used to establish a baseline; (b) evaluators have sufficient knowledge to understand what is being evaluated; and (c) the scope and frequency of the evaluations are commensurate with the risk
DC16: The process used to evaluate and communicate, in a timely manner, identified security threats, vulnerabilities, and control deficiencies to parties responsible for taking corrective actions, including management and the board of directors, as appropriate
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The process by which management and the board of directors, as appropriate, assess results of ongoing and periodic evaluations, including whether the process considers the remediation of identified security threats, vulnerabilities, and control deficiencies
• The process for communicating identified security threats, vulnerabilities, and control deficiencies to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate
• The process for monitoring remediation of identified deficiencies
CYBERSECURITY CONTROL PROCESSES
DC17: The process for developing a response to assessed risks, including the design and implementation of control processes
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The process to align controls with risk responses needed to protect information assets and to detect, respond to, mitigate, and recover from security events based on the assessed risks
• The consideration of the environment in which the entity operates, the complexity of the environment, the nature and scope of the entity’s operations, and its specific characteristics when selecting and developing control processes
• The process for including a range and variety of controls (for example, manual and automated controls and preventive and detective controls) in risk mitigation activities to achieve a balanced approach to the mitigation of identified cybersecurity risks
• The use of risk transfer strategies, including the purchase of insurance, to address risks that are not addressed by controls
DC18: A summary of the entity’s IT infrastructure and its network architectural characteristics
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
• The use of segmentation, where appropriate, and baseline configurations of both physical and virtual end points, devices, firewalls, routers, switches, operating systems, databases, and applications
• The use of infrastructure and network elements provided by outsourced service providers
DC19: The key security policies and processes implemented and operated to address the entity’s cybersecurity risks, including those addressing the following:
Implementation Guidance
When making judgments about the nature and extent of disclosures to include about the key security policies and processes, consider the following:
• The existence of a formal security policy established to implement the entity’s cybersecurity strategy
• Key topics addressed by the security policy
When making judgments about the nature and extent of disclosures to include about the prevention of intentional and unintentional security events, consider the following:
• Protection of data whether at rest, during processing, or in transit
• Data loss prevention
• User identification, authentication, authorization, and credentials management
• Physical and logical access provisioning and de-provisioning, including remote access
• Privileged account management
• IT asset management, including hardware and software commissioning, configuration, maintenance, and decommissioning, as well as physical and logical servers and other devices
• Operating location and data center physical security and environmental safeguards
• Monitoring and managing changes to systems made internally or by external parties, including software acquisition, development, and maintenance, and patch management
When making judgments about the nature and extent of disclosures to include about the detection of security events, the identification of security incidents, the development of a response to those incidents, and the implementation of activities to mitigate and recover from identified security incidents, consider the following:
• The deployment of tools and programs, the implementation of monitoring processes and procedures, or the operation of other measures to identify anomalies, analyze anomalies to identify security events, and communicate identified security events to appropriate parties
• The deployment of procedures to measure the effectiveness of activities planned in the event of a disruption to operations that requires the recovery of processing at alternate locations, and the updating of plans based on the results of those procedures
• The process by which management identifies security incidents from detected security events
• The process by which management identifies security incidents based on notification of security events received from third parties
• The process by which management evaluates security incidents and assesses the corrective actions needed to respond to and mitigate the harm from incidents
• The process by which management assesses the impact of security incidents on data, software, and infrastructure
• The process by which management restores operations after identified security incidents, including the oversight and review of the recovery activities by executive management
• The process by which the incident response plan is updated based on the analysis of lessons learned
• The process used to communicate information about the security incident, including the nature of the incident, restoration actions taken, and activities required for future prevention of the event, to management and executive management
• The process used to make communications to affected third parties about the security incident
• The process for periodically testing the incident response plan
When making judgments about the nature and extent of disclosures to include about the management of processing capacity to provide for continued operations during security, operational, and environmental events, consider the following:
• The deployment of tools and programs, the implementation of monitoring processes and procedures, or the operation of other measures to monitor capacity usage
• The process for forecasting capacity needs and the process for requesting system changes to address those needs
• The procedures for assessing the accuracy of the capacity forecasting process and revising the process to improve accuracy
When making judgments about the nature and extent of disclosures to include about the detection, mitigation, and recovery from environmental events and the use of backup procedures to support system availability, consider the following:
• The deployment of tools and programs, the implementation of monitoring processes and procedures, or the operation of other measures to identify developing environmental threat events and the mitigation of those threats
• The processes for identifying data for backup and for backing up and restoring data to support continued availability in the event of the destruction of data within systems
• The process for developing and maintaining a business continuity plan, including procedures for the recovery of operations in the event of a disaster at key processing locations
• Key topics addressed by the business continuity plan, including identification and prioritization of systems and data for recovery and provision for alternate processing infrastructure in the event that normal processing infrastructure becomes unavailable
• Procedures for periodically testing the procedures set forth in the business continuity plan
When making judgments about the nature and extent of disclosures to include about the identification of confidential information when received or created, determination of the retention period for that information, retention of the information for the specified period, and destruction of the information at the end of the retention period, consider the following:
• The process for establishing retention periods for types of confidential information and identifying the information when received or created and associating the information to a specific retention period
• The process for identifying information classified as confidential
• The process for preventing the destruction of identified information during its specified retention period
• The process for identifying information that has reached the end of its retention period and information that is an exception to the retention policies
• The process for destroying information identified for destruction