Current CPA Use of the CSF
CPAs have already adapted many provisions of the existing CSF to enhance client service delivery and data protection. In providing assurance services such as the “SOC for Cybersecurity” examination, CPAs may use the CSF as one of the criteria on which the examination is based as long as “such criteria are appropriate for the engagement using the AICPA’s attestation standards” (https://tinyurl.com/bddrpen6, p. 3). CPAs use the CSF in management accounting when they participate in teams that assess and manage cybersecurity risk or are themselves responsible for doing so. For CPAs providing cybersecurity advisory services, Intuit’s Tax Pro Center identifies the CSF as a tool for delivering those services (Cassidy Jakovickas, “Cybersecurity: A Critical Opportunity for Advisory Services,” Tax Pro Center, Intuit, https://tinyurl.com/4vwcb8nu). Tax professionals who must comply with various IRS and state taxpayer data protection requirements will find that the AICPA’s Tax Advisor journal identified the CSF as a tool that could help them implement the requisite risk management program (Byron Shinn and John Jorgensen, “Cybersecurity: An urgent priority for CPA firms,” April 1, 2020, https://tinyurl.com/mmsjj57c).
CPA non-firm employers and clients have also adopted many aspects of the CSF. For some, the adaptation resulted from the need to demonstrate that cybersecurity risk was being managed to satisfy customer expectations; for others, adaptation was driven by regulatory expectations. Regulators generally do not specify the exact application of a particular framework; rather, they expect the regulated entity to use one that is recognized. For example, The CPA Journal profiled a Financial Industry Regulatory Authority (FINRA) webpage that provided several resources for small firms, beginning with a helpful “Checklist for a Small Firm’s Cybersecurity Program,” developed from FINRA’s best practices report and the National Institute of Standards and Technology (NIST) framework (https://www.nysscpa.org/1906-sa).
Gaining Traction
In some ways, the CSF has been a victim of its own success. As organizations grew, they needed to enhance their asset protection strategies. The CSF, developed in 2014, came at the right time: a practical approach was needed to manage cybersecurity risk and enable organizations to grow and leverage technological developments. The CSF was first intended to protect critical infrastructure. Due to its flexibility, relative conciseness (at least for larger organizations), and established crosswalks (used to cross-reference one framework with other frameworks) with other prominent frameworks, many organizations began adapting it. NIST’s reputation also meant the guidance was vendor-neutral, “independent,” and well regarded. This helped entities serving in an audit or regulatory role to reference the tool and, in some cases, recommend it. Organizations looking for a practical yet reputable way to demonstrate compliance and, in some cases, the essential due diligence needed to manage legal risk in case of a breach found a solution in the CSF.
From a professional and cybersecurity vendor perspective, a webpage from IBM represents a typical perspective: “The NIST CSF is flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States” (https://tinyurl.com/mvamca3r). Larger CPA firms developed practice niches and guidance leveraging the CSF. For example, PWC produced a publication showing how boards could use the CSF to enhance risk oversight (https://tinyurl.com/35st69kc).
Small and midsize organizations seeking reputable guidance were intrigued by the tool but sometimes felt overwhelmed. In addition to the NIST, governmental agencies serving small businesses helped by developing and distributing tools to facilitate the adoption of the CSF in a smaller environment. Eventually, the CSF was translated into 12 languages.
Despite the framework’s successes—or perhaps because of them—challenges remained. The tool was popular and accessible to those with a foundational security background. There was little question about its quality, and numerous supporting resources helped organizations manage the implementation. The one-size-fits-all questionnaire, however, challenged larger organizations that were concerned something was missing, even though they were happy to demonstrate due diligence with a reasonably sized tool. Smaller organizations felt that numerous questions did not apply to them or that the tool was too bureaucratic.
Initially Overwhelming, But Worth the Effort
After 10 years of technological innovation, evolving threats, and accumulated experience, NIST issued CSF version 2.0. Unlike its predecessor, CSF2 was developed from the start to consider all sizes and types of organizations. Because it tries to better align its guidance with this diverse constituency, some users’ initial impression may be that it is more complex and, in some cases, overwhelming. Fortunately, NIST has provided many tools and guides that can facilitate adaptation by diverse users and their organizations. This expert guidance will make CSF2 more accessible and more readily usable than its predecessor. A few of the more relevant guides and support materials are described below.
Financial managers can obtain the quickest overview by referring to the press release announcing CSF2. The “Resource and Overview Guide” provides an alternative introductory perspective (https://tinyurl.com/3f8en4km). In these introductory documents, users will find NIST’s perspective on the new version’s benefits, threat identification, weblinks for supporting guidance, and highlights of critical changes from the prior version. NIST has developed additional tools and guidance to make implementation easier. As noted in the press release: “These resources are designed to provide different audiences with tailored pathways into the CSF and make the framework easier to put into production” (https://tinyurl.com/bdfbrv9z).
An example for the general accounting community is the small business guide (SBG). Per its introduction, the guide’s purpose is to “provide small-to-medium sized businesses [SMB], specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the NIST Cybersecurity Framework (CSF) 2.0. The guide also can assist other relatively small organizations, such as nonprofits, government agencies, and schools” (https://tinyurl.com/pn4689ze). The SBG extracts critical guidance and supplements—not replaces—the advice provided by CSF2, so that SMBs and other similar organizations can readily adapt recommended cybersecurity practices to manage risk better. The nine-page document includes a general introduction to CSF2, an introduction to profiles and references, and a one-page summary of each of the framework’s six functions. Each function’s page summary contains actions to consider (one to five bullet points on how to understand, assess, prioritize, and communicate), advice on how to get started, a reference for more detailed information, questions to consider, and related resources. A prerecorded NIST webinar is available in which CSF development team members provide additional insight to the SMB and nonprofit communities (https://tinyurl.com/mvb7v2j5).
Financial Executive Interests
Perhaps of greatest interest to senior executives and those with financial management oversight responsibilities are CSF2’s enhancements, including cybersecurity governance and supply chain (vendor) risk management. Governance, a new function introduced in CSF2, provides guidance from cybersecurity experts on how senior executives should approach their oversight responsibilities. Detailed items are provided for organizational context, risk management strategy, roles, responsibilities and authorities, policy, oversight, and cybersecurity supply chain risk management. The latter is treated in considerably more detail than in previous versions.
Although not necessarily new, “The Quick-Start Guide for Using CSF Tiers” can help an organization plan for and benchmark the “rigor of an organization’s cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks. The tiers can also be valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements” (https://tinyurl.com/bde22nxf). Using the defined tiers facilitates realistic discussions as to the current status of an organization, its targeted risk mitigation strategy, and the investment needed to achieve those goals.
“The Enterprise Risk Management Quick-Start Guide” could excite many in the risk management community from its title alone. At first glance, its vocabulary is not necessarily aligned with the more familiar COSO Enterprise Risk Management (ERM) language and framework. Although some may be disappointed initially, the document presents many terms familiar to risk professionals; for others, it can bridge the technical nuances presented in the CSF to ERM discussions at the board level.
Other Supporting Tools
At a more detailed level, professionals—whether auditors or information security professionals—will appreciate the more detailed and authoritative guidance provided. The “Quick-Start Guide for Cybersecurity Supply Chain Management” (https://tinyurl.com/54kapv9c) offers highlights of the critical matters needed to design and operate a vendor management program. Organizational and community profiles, each with a quick-start guide, allow an organization to learn from others and apply best practices to its own needs. Reference tools provide the details that help document and support due diligence efforts. Hands-on professionals will use these and adapt them as needed to deliver the requisite advisory and assessment services.