With an increase in employees working from home, there’s a new set of risks that security executives and teams must address as the workforce moves from physical offices to working remotely.
5.2% of employees worked from home in 2017. Today, with COVID-19, that number is closer to 25% or 30%. Some sectors, such as technology, have effectively gone 100% remote. According to many surveys of executives and office employees, most desire a more flexible working arrangement and believe they’ll continue to work from home one to two days a week in the future.
Implementing a work-from-home strategy has impacted management’s risk environment and corresponding internal controls—from execution controls and virtual private network (VPN) access to assessing the infrastructure changes required to support a large remote workforce.
Here, we’ll outline how cyber-risks are increasing as companies transition to remote work and the ways a System and Organization Controls (SOC) examination for Cybersecurity can help your organization.
With a greater reliance on collaboration tools and technologies for remote workers, there has been a marked increase in phishing attempts and ransomware attacks. In addition, changes in regular operations could mean that standard monitoring controls no longer take place.
Robust monitoring controls to counteract these threats are a necessity along with vigilant oversight from management. Companies should evaluate if they can still obtain sufficient evidence to verify the functioning of internal control operation effectiveness. This includes checking that all monitoring functions remain in effect and documenting those for eventual use as audit evidence.
As a result of the changing work-from-home environment, boards of directors and senior executives of organizations see an increased need to better understand their cybersecurity risks. One solution is a System and Organization Control (SOC) examination for Cybersecurity.
SOC Examination for Cybersecurity
A SOC examination for Cybersecurity can help provide a reporting mechanism that organizations can use to communicate relevant information about the effectiveness of their Cybersecurity Risk Management Program (CRMP).
This examination provides an independent, entity-wide assessment that gives boards, investors, business partners, and other stakeholders confidence in an organization’s CRMP. This can help organizations better identify and contain potential cyberthreats.
Following are some commonly asked questions about this process.
Who’s the intended audience?
This examination can benefit any type of organization, whether it’s a business or not-for-profit.
The examination is designed to meet the needs of a broad range of users, but the intended audience is often board members, management, regulators, and analysts.
The report is appropriate for general use; its use isn’t restricted to specified parties. Nevertheless, practitioners may decide to restrict the use of their report to specified parties to limit the distribution of the report to only those who need to know or who have specifically requested the information.
Why do you need a SOC examination for Cybersecurity?
Management and directors commonly want information about the effectiveness of an entity’s cybersecurity controls.
Investors, analysts, and others could request an examination because their decisions might be affected by management’s process for managing cybersecurity risks.
The benefit is having transparent insight into the entity’s CRMP, which addresses the risks and mitigation strategies to combat cyberattacks.
What’s management’s responsibility?
Management is responsible for all of the controls within the entity’s CRMP, regardless of whether those controls are performed by the entity or by a service organization.
While the scope of the examination report can be limited to a portion of the entity or to the larger organization as a whole, the description criteria is required to address all controls within the entity’s CRMP.
What’s the subject matter of management’s report and assertion?
The subject matter of a SOC examination for Cybersecurity is the entity’s CRMP.
The report contains a written description that contains the CRMP control objectives and related controls. The controls within the program achieve the entity’s cybersecurity objectives.
What are the contents of the report?
The contents of the SOC examination for Cybersecurity report contains three sections.
- An opinion by the independent service examinor stating whether or not the description of the entity’s CRMP was presented in accordance with the description criteria.
- Written assertion by management stating that:
- Description of the entity’s CRMP was presented in accordance with the description criteria
- Controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
- Written description, or narrative, that contains the CRMP control objectives and related controls.
How do you select a security framework?
Select the framework that best meets the needs of the organization and base the SOC examination for Cybersecurity on that framework.
The National Institute of Standards and Technology (NIST) guidelines are generally the security industry golden rule; there are quite a few security assessments that are based on the different NIST 800-xx rules.
A SOC examination for Cybersecurity can also be based on the American Institute of Certified Public Accountants (AICPA) SOC Security principles for security, availability, and confidentiality. Such criteria are suitable for use as control criteria.
Additional Security Frameworks to Consider
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
- International Organization for Standardization (ISO)/IEC 27001/27002 and related standards
- US Department of Homeland Security requirements for annual Federal Information Security Management Act (FISMA) reporting
- Federal Financial Institutions Examination Council (FFIEC) questionnaires
- Control Objectives for Information and Related Technologies (COBIT) 5
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework
- Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- Payment Card Industry Data Security Standard (PCI DSS) 3.2
- NIST Special Publications 800 series
- HITRUST CSF
Cybersecurity Disclosures for SEC Companies
In addition, public companies must routinely prepare disclosures about cybersecurity risks and incidents.
In an SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures published on February 26, 2018, the SEC states companies should consider the materiality of cybersecurity risks and incidents when preparing the required disclosure in registration statements under the Securities Act of 1933, the Securities Exchange Act of 1934, and periodic and current reports under the Exchange Act.
We’re Here to Help
If you have questions about a SOC examination for Cybersecurity or how to get started, please contact your Moss Adams professional.
For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: