The COSO framework guides this company's audit processes for several important reasons. The risks facing any company operating today are as numerous as they are dynamic. The COSO Framework was created and developed to adapt to a risk environment that has evolved with time and with the modernization of the business world. Originally published in 1992 and refined into its most recent iteration in 2013, the COSO Framework has striven to account for evolving technologies and their effect on business practices. It has also endeavored to remain mindful of the realities of cyber-enabled business in the information age, operating in an environment built for sharing information rather than protecting it, where the protection of all data is not possible despite the grandest efforts and the most extravagant expenditures. As organizations change the way they operate, they broaden their attack surfaces, whether knowingly or not. The COSO Framework therefore aims to remain faithful to the development of internal controls for the management of risk, rather than becoming beholden to the fantasy that all risk can be prevented or avoided.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are five components to the framework (Galligan & Rau, 2015):
Control Environment: Does the board of directors understand the organization’s cyber risk profile and are they informed of how the organization is managing the evolving cyber risks management faces?
Risk Assessment: Has the organization and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such objectives?
Control Activities: Has the entity developed control activities, including general control activities over technology, that enable the organization to manage cyber risk within the level of tolerance acceptable to the organization? Have such control activities been deployed through formalized policies and procedures?
Information and Communication: Has the organization identified information requirements to manage internal control over cyber risk? Has the organization defined internal and external communication channels and protocols that support the functioning of internal control? How will the organization respond to, manage, and communicate a cyber risk event?
Monitoring Activities: How will the organization select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks? When deficiencies are identified, how are these deficiencies communicated and prioritized for corrective action? What is the organization doing to monitor its cyber risk profile?
Figure 1: The COSO Cube
Proper implementation of the COSO Framework requires commitment from the senior management of any organization. Our organization understands this. The COSO Framework states that “The control environment is the set of standards, processes, and structures that provide the basis for carrying out the internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.” (Galligan & Rau, 2015). Our organization’s senior management, from the Board of Directors down to functional management, embraces this point of view. It prioritizes the protection of our data and understands what that means in terms of the allocation of resources and the attitudes within the organization toward protecting its data.
Risk Assessment
From the most recent COSO Framework document: “Because the cyber risk assessment informs management’s decisions about control activities deployed against information systems that support an entity’s objectives, it is important that senior management and other critical stakeholders drive the risk assessment process to identify what must be protected in alignment with the entity’s objectives. Many organizations do not spend enough time gaining an understanding of what information systems are truly critical to the organization; they also may have difficulty understanding where and how the information is stored. This can lead to attempts to protect everything, which leads to overprotecting certain information systems and under protecting others” (Galligan & Rau, 2015).
Our organization is committed to managing the external and internal risks it constantly faces. Using a multidimensional threat matrix informed by divisions throughout the organization and refined by external cyber risk assessment subject matter experts, decision makers have clear visibility of the likelihood that specific risks will occur and of their impact on the organization’s operations. This supports well-informed decisions about which risks to treat first and which to accept within the organization’s tolerance.
In accordance with the COSO Framework, our organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. This clarity is essential to provide the direction and context for what we do with our risk assessment processes. Resources are not unlimited, so well-informed decision-making is essential to prevent, detect, and manage the cyber risks that the organization faces.
Our organization begins by declaring the information systems that are the most valuable by measuring the impact of their potential loss. Quantifying these values is possible because of the excellent communication by stakeholders across our organization. Like any organization, we cannot act on every risk, given our limited time, budget, and resources, so management determines the levels of risk tolerance acceptable to the organization to focus its efforts to protect the information systems most critical to the organization.
Our risk assessment processes succeed because our decision makers understand which information systems are valuable to perpetrators of cyberattacks and how attacks against them are likely to occur. The costliest attacks tend to be targeted at an organization for specific reasons, so our organization maintains an understanding of its own cyber threat profile.
Successful organizations incorporate their cyber threat profile into their overall risk assessment process in order to understand where controls should be placed to keep those assets secure. Our organization has successfully established threat awareness throughout the organization and developed the capacity to detect patterns of behavior that indicate and predict compromise of our critical assets.
“It is also important to apply an industry lens to cyber risks versus just looking broadly at cyber risks. The perpetrators of cyberattacks have unique objectives that differ between industry sectors. For example, in the retail sector, organized criminals are the most likely attackers, focused primarily on exploiting vulnerabilities in systems that contain information that can be used for profit (e.g., credit card data or Personally Identifiable Information (PII)). Alternatively, the oil and gas industry might be targeted by nation states with a motive to steal strategic data about future exploration sites. Chemical companies may find themselves targeted by hacktivists because of perceived environmental issues around their products. Regardless of their motives, cyber attackers are relentless, sophisticated, and patient. They will stage attacks over time by gathering information that will expose weaknesses within the organization’s information systems and internal controls. Through careful evaluation of the motives and likely attack methods and the techniques, tools, and processes (TTPs) the attackers may use, the organization can better anticipate what might occur and be in a position to design controls that are highly effective in minimizing the disruption of potential cyberattacks and keeping highly valued assets secure.” (Galligan & Rau, 2015).
Every organization should anticipate change while performing cyber risk assessments. As our organization has evolved over time, we have made changes to our objectives, people, processes, and technologies. As the cyber landscape changes, new perpetrators of cyberattacks and new methods of exploitation emerge. While a cyber risk assessment generally reflects the current state of the organization, the process must be dynamic and iterative and must consider changes to the internal and external threat landscapes that could alter how cyber risks are managed. Our risk assessment is therefore revisited as the organization and the threat landscape change, rather than treated as a one-time exercise.
“Business and technology innovations are adopted by organizations in their quest for growth, innovation, and cost optimization. However, such innovations also create exposure to new cyber risks. For example, the continued adoption of Web, mobile, cloud, and social media technologies has increased the opportunity for exploitation by the perpetrators of cyberattacks. Similarly, outsourcing, offshoring, and third-party contracting have exposed organizations to potential cyber vulnerabilities that are ultimately outside of the organization’s control. These trends have resulted in the development of cyber ecosystems that provide a broad attack surface for the perpetrators to exploit. The assessment of changes that could have an impact on the system of internal control should include considerations regarding changes in personnel. Turnover of personnel at operational levels of the organization can have a significant impact on the organization’s ability to effectively perform their control responsibilities that are designed to minimize the potential impacts of cyberattacks. Risk assessments should be updated on a continuous basis to reflect changes that could impact an organization’s deployment of cyber controls to protect its most critical information systems. As information is generated from the vigilant monitoring of the changing threat landscape and the risk assessment process, senior executives and other stakeholders must share and discuss this information to make informed decisions on how to best protect the organization against exposure to cyber risks” (Galligan & Rau, 2015).
Identifying and Implementing Control Activities that Address Cyber Risks
“Control activities are the actions performed by individuals within the organization that help to ensure management’s directives are followed in order to mitigate risks to the achievement of the objectives. Such control activities should be documented in policies to help ensure that control activities are carried out consistently across the organization” (Galligan & Rau, 2015).
As mentioned earlier, cyber risks cannot be eliminated, but they can be managed through appropriately designed controls. When an organization has considered the likely attack methods and routes of exploitation through its risk assessment process, it is better positioned to minimize the impact that cyber breaches may have on its objectives. Once an organization accepts that some breaches are inevitable and has performed an appropriate cyber risk assessment, its controls should be deployed in layers, so that an intruder who defeats the outer layers of defense cannot then roam freely through the information systems; detective and responsive controls placed behind the preventive ones limit how far, and for how long, a compromise can spread.
Adherence to the COSO Framework enables our organization to adapt how it addresses its cyber risks as those risks change, and it supports audit processes that provide visibility and accountability across the organization.