With an increase in employees working from home, there’s a new set of risks that security executives and teams must address as the workforce moves from physical offices to working remotely.
5.2% of employees worked from home in 2017. Today, with COVID-19, that number is closer to 25% or 30%. Some sectors, such as technology, have effectively gone 100% remote. According to many surveys of executives and office employees, most desire a more flexible working arrangement and believe they’ll continue to work from home one to two days a week in the future.
Implementing a work-from-home strategy has impacted management’s risk environment and corresponding internal controls—from execution controls and virtual private network (VPN) access to assessing the infrastructure changes required to support a large remote workforce.
Here, we’ll outline how cyber-risks are increasing as companies transition to remote work and the ways a System and Organization Controls (SOC) examination for Cybersecurity can help your organization.
With a greater reliance on collaboration tools and technologies for remote workers, there has been a marked increase in phishing attempts and ransomware attacks. In addition, changes in regular operations could mean that standard monitoring controls no longer take place.
Robust monitoring controls to counteract these threats are a necessity, along with vigilant oversight from management. Companies should evaluate whether they can still obtain sufficient evidence to verify the operating effectiveness of their internal controls. This includes checking that all monitoring functions remain in effect and documenting them for eventual use as audit evidence.
As a result of the changing work-from-home environment, boards of directors and senior executives of organizations see an increased need to better understand their cybersecurity risks. One solution is a System and Organization Control (SOC) examination for Cybersecurity.
A SOC examination for Cybersecurity can help provide a reporting mechanism that organizations can use to communicate relevant information about the effectiveness of their Cybersecurity Risk Management Program (CRMP).
This examination provides an independent, entity-wide assessment that gives boards, investors, business partners, and other stakeholders confidence in an organization’s CRMP. This can help organizations better identify and contain potential cyberthreats.
Following are some commonly asked questions about this process.
This examination can benefit any type of organization, whether it’s a business or not-for-profit.
The examination is designed to meet the needs of a broad range of users, but the intended audience is often board members, management, regulators, and analysts.
The report is appropriate for general use; its use isn’t restricted to specified parties. Nevertheless, practitioners may decide to restrict the use of their report to specified parties to limit the distribution of the report to only those who need to know or who have specifically requested the information.
Management and directors commonly want information about the effectiveness of an entity’s cybersecurity controls.
Investors, analysts, and others could request an examination because their decisions might be affected by management’s process for managing cybersecurity risks.
The benefit is having transparent insight into the entity’s CRMP, which addresses the risks and mitigation strategies to combat cyberattacks.
Management is responsible for all of the controls within the entity’s CRMP, regardless of whether those controls are performed by the entity or by a service organization.
While the scope of the examination report can be limited to a portion of the entity or cover the larger organization as a whole, the description criteria require that all controls within the entity’s CRMP be addressed.
The subject matter of a SOC examination for Cybersecurity is the entity’s CRMP.
The report includes a written description of the CRMP’s control objectives and related controls. The controls within the program are those that achieve the entity’s cybersecurity objectives.
The SOC examination for Cybersecurity report contains three sections.
Select the framework that best meets the needs of the organization and base the SOC examination for Cybersecurity on that framework.
The National Institute of Standards and Technology (NIST) guidelines are generally regarded as the security industry’s gold standard; many security assessments are based on the various NIST 800-xx publications.
A SOC examination for Cybersecurity can also be based on the American Institute of Certified Public Accountants (AICPA) SOC Security principles for security, availability, and confidentiality. Such criteria are suitable for use as control criteria.
In addition, public companies must routinely prepare disclosures about cybersecurity risks and incidents.
In its Commission Statement and Guidance on Public Company Cybersecurity Disclosures, published on February 26, 2018, the SEC states that companies should consider the materiality of cybersecurity risks and incidents when preparing the required disclosures in registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934, and in periodic and current reports under the Exchange Act.
If you have questions about a SOC examination for Cybersecurity or how to get started, please contact your Moss Adams professional.