CISO

Enterprise Information Security

Cyber security risks and cyber incidents.SEC Guidance

by Leave a Comment

Division of Corporation Finance at Securities and Exchange Commission has released guidance on reporting the cyber security risks and cyber incidents. This has come after the realization of the SEC that a cyber security incident can have a direct impact on the shareholder value of the company. This move by the SEC indicates that it is time for businesses to consider information security incidents as a business or operational incident which can have direct impact on the costs and thus profitability of an organization

    The objectives of cyber attacks vary widely and may include theft of financial assets, intellectual property, or other sensitive information belonging to registrants, their customers, or other business partners. Cyber attacks may also be directed at disrupting the operations of registrants or their business partners. Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;

  • Increased cyber security protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;

  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;

  • Litigation; and

  • Reputational damage adversely affecting customer or investor confidence

    • The above excerpt from the guidance gives a number of high level impacts of a cyber security breach.

    The following sections provide an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents.

  • Risk Factors – Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.
  • Management.s Discussion and Analysis of Financial Condition and Results of Operations (MD&A)

If material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition

  • Description of Business

If a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.

  • Legal Proceedings

    • If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its .Legal Proceedings. disclosure

  • Financial Statement Disclosures

Cybersecurity risks and cyber incidents may have a broad impact on a registrant.s financial statements, depending on the nature and severity of the potential or actual incident.

  • Disclosure Controls and Procedures

    • Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant.s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

    To summarize, the cyber security incidents are becoming part of business strategy and is a deciding factor in the costs of an organization. Any information security incident can have a direct impact in the organizations profitability and it should be notified to the shareholders as it could have a direct impact on the shareholder value.

    Read the full SEC Guidance here.

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.

by Leave a Comment

NIST has recently released the final publication of the “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”.

This NIST special publication (NIST Special Publication 800-37, Revision 1) can be downloaded from csrc.nist.gov website.

As per this guide, the Certification and Accreditation process of the federal government information systems transformed into a Risk Management Framework that stresses security from an information system.s initial design phase through implementation and daily operations

It places equal emphasis both on defining the correct set of security controls and on implementing them in a robust continuous monitoring process.
This is similar to the various Secure Software Development processes such as MS SDL and OWASP CLASP.
The guide can be downloaded from here

Guide to ISO 31000

by Leave a Comment

Three risk associations, Airmic, Alarm, and the IRM, have collaborated to publish a free guide to ISO 31000 titled “A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000“.

The guide is organized in two parts each containing four chapters with two appendices. The document is neatly organized and is useful for organizations implementing/ following ISO 31000

The full guide is available here

NIST Updates Automated Computer Security Validation Guidelines

by Leave a Comment

The National Institute of Standards and Technology (NIST) has issued a draft publication for public comment that describes changes to the Security Content Automation Protocol (SCAP). SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations.

SP 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 can be found at http://csrc.nist.gov/publications/drafts/800-126-r1/draft-sp800-126r1.pdf. The public comment period runs through Jan. 23, 2010. Comments should be addressed to [email protected]

image from www.newswise.com