Page 234 - CA Final Audit Titanium Full Book. (With Cover Pages)

CA Ravi Taori
[Diagram: stages of the cybersecurity risk framework - Identify, Protect, Detect, Respond, Recover]

Identify the risk:
Asset Management: The entity should maintain an inventory of its information assets, including intellectual property, patents, copyrighted material, trade secrets, and other intangibles, and review it periodically.
Asset Protection: The entity should classify its information assets based on sensitivity and business value, prioritize their protection, and periodically review the systems where these assets reside.
Risk Assessment: The entity should conduct and periodically review a risk assessment that identifies cybersecurity risks, such as IT system failure, data loss, and unauthorized network access.
Financial Impact: Management should assess how cybersecurity risks affect internal controls over financial reporting, including the impact of potential attacks on the recoverability of financial data and on revenue recognition.
Cybersecurity Program: Management should identify whether any established risk-based cybersecurity programs, such as NIST or ISO, can be leveraged.
Governance: The entity should establish roles and responsibilities for cybersecurity, such as CISO and CIO roles, and discuss the risk assessment with those charged with governance, such as the Audit Committee or Board of Directors.
Protect against the risk
Repetition:
Asset Identification: The entity should identify material digital/electronic assets on the balance sheet that are subject to cybersecurity risk (e.g., intellectual property, patents, copyrighted material, trade secrets).
Protection Prioritization: Based on their criticality, prioritize the protection of the identified assets.
Protection:
Control Implementation: Implement effective data-security controls to prevent unauthorized access and safeguard assets.
Training: Conduct formal training to make teams aware of the risks associated with cyberattacks.
Monitoring: The entity should monitor for unauthorized access to electronic assets and assess any related impact on financial reporting.
Detect the risk (attack)
1A. Identification: The entity should have controls and procedures to identify cybersecurity risks and incidents and to assess their impact on the business.
1B. Significance Evaluation: The entity should evaluate the significance of cybersecurity risks and incidents, considering whether timely disclosures are required.
1C. Breach Monitoring: Review the entity's processes to monitor for and detect security breaches or incidents.
2A. Security Measures: Check whether management has implemented anti-virus software and continuously monitors firewall logs to secure the system and detect repeated attacks.
2B. System Updates: The monitoring process should include checking for necessary system upgrades or updates to safeguard against vulnerabilities.
Respond to the risk
Incident Identification: Management should capture the details of the cybersecurity incident or data breach, including its nature and how it was identified.
Response Planning: The entity should have a response plan in place to document the incident details. This information should be communicated to those responsible for the framework and for governance.
Impact Analysis: The security incident response plan aids in assessing the impact and severity of the attack, guiding the organization in taking appropriate actions.
Cost Assessment: Management should evaluate potential litigation costs, regulatory investigation costs, and remediation costs as part of the mitigation process.



www.auditguru.in    12.9