The National Institute of Standards and Technology

Susan B. Anders, PhD, CPA/CGMA

The National Institute of Standards and Technology (NIST, www.nist.gov) was founded in 1901 to improve U.S. measurement infrastructure and support technological advances. As an agency of the U.S. Department of Commerce, its 21st-century mission is to support innovation by developing standards that allow technologies to work together; NIST has also been tasked with accelerating the federal government's adoption of secure cloud computing. NIST's online resources on cybersecurity issues include a computer security resource center, web portals for information technology and for public safety and security, educational materials, and a cybersecurity framework.

The CPA Journal's 2015 annual survey of practitioners (“Top Choices in Tax Software,” November 2015) found that 70% of respondents allowed employees to use mobile devices at work and only about half restricted use to company-owned equipment. Telecommuting options for staff were also growing, with 28% of participating firms providing that option. Symantec's “Internet Security Threat Report” (April 2016) reported that malware increased by 36% in 2015, identity theft was up 23%, and more than 75% of websites carried security risks (https://www.symantec.com/security-center/threat-report). Mobile devices can enable an organization to be agile and efficient, but raise security concerns about the protection of data and confidentiality.

Computer Security Resource Center

NIST's Computer Security Resource Center offers articles and educational resources relevant to technology specialists, managers, and advisors. Some of the technical reports are condensed into plain-language synopses. For example, the three-page executive summary “Mobile Device Security: Cloud and Hybrid Builds” (http://1.usa.gov/1VAheDb) discusses some of the security challenges and risks associated with mobile access to sensitive data and information systems. The complete practice guide, designed for information technology professionals, provides best practices for identifying security characteristics and installing security tools.

A recent article, “Attackers Honing in on Teleworkers? How Organizations Can Secure Their Data” (March 2016, http://1.usa.gov/1VhwfsQ), explains that attackers can gain initial access to an organization's data by compromising mobile devices. Risks come not only from employees using “bring your own” devices (BYOD), but also from vendors and other parties who are granted access to a company's information systems. Data breaches can also occur when information is stored on unsecured computers and portable devices that can be stolen or infected by malware. Technologies that can provide secure computing include virtual mobile infrastructure (VMI), which runs the mobile workspace on a server, creates a temporary environment for each work session, and destroys it when the session ends, so that organizational data does not remain on the handset. Mobile device management (MDM) enforces security policies on mobile devices (for example, requiring a passcode and device encryption) before allowing them access to an organization's information environment.

“Cloud Computing Can Assist Workers with Disabilities” (March 2016, http://1.usa.gov/1VC5nnl) summarizes a recent 57-page downloadable report on cloud computing and accessibility considerations. The report discusses barriers to cloud applications (e.g., e-mail, calendars), such as software updates that break compatibility with older assistive functions. One remedy to cloud-based accessibility problems is an application programming interface (API), which facilitates the integration of specialized tools, such as voice recognition, into the operating software.

Small and Medium-Sized Business Outreach

The Small Business Corner offers some useful training materials at http://csrc.nist.gov/groups/SMA/sbc/library.html. Although the educational tools are from prior-year seminars, they are still quite relevant. The training begins by defining information security, cybersecurity, and information systems, and explains why protecting information and systems makes good business sense. Training exercises include four PDF documents that can be used as starter lists for managers to examine their own organization's information security environment and detail the following steps:

  • Identify and prioritize an organization's information types,

  • Estimate costs from bad things happening to important information,

  • Identify the protection needed for the highest priority information types, and

  • Take action to maintain awareness of threats and vulnerabilities.

There is also a nine-minute video that explains common information security risks for small businesses, where one-third of all data breaches occur.

Cybersecurity Framework

NIST developed its Cybersecurity Framework to coordinate existing standards, guidelines, and best practices to address cybersecurity needs, reduce cybersecurity risk, and manage related infrastructure (http://www.nist.gov/cyberframework/index.cfm). The framework is voluntary guidance to help organizations manage and reduce risk by identifying their most critical operations and maximizing the benefits of cybersecurity investments. It is downloadable in Excel, PDF, and database formats and can be used to increase awareness, improve communication, reconcile internal policies with industry best practices, and assess risks.

The framework's core is a set of cybersecurity activities, desired outcomes, and informative references organized across five functions: identify, protect, detect, respond, and recover. Each function is divided into categories, and each category into subcategories that state a desired outcome. As an example, asset management (ID.AM) is the first category under identify. Its desired outcomes (action steps) include inventorying physical devices and systems, as well as software platforms and applications, within the organization. The informative references for each outcome point to existing standards, including the Council on Cybersecurity Critical Security Controls (CCS CSC), Control Objectives for Information and Related Technology (COBIT), and NIST standards and guidelines.
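The asset management outcomes above (inventory physical devices; inventory software) only pay off when the inventory is reconciled against what is actually on the network. The script below is an added example written for this column, not NIST's code or anything from the framework: it parses ARP-table output, compares observed devices with an authorized baseline, and flags software that a device reports but the baseline does not approve. The ARP lines, MAC addresses, hostnames, and software titles are all constructed sample data.

```python
"""Reconcile an observed network against an authorized asset inventory.

Illustrates the Identify / Asset Management outcomes (physical-device and
software inventories). Added example, not part of the NIST framework; all
device and software data below is constructed.
"""
import re

# Constructed sample: lines in the style of `arp -a` on a small office LAN.
ARP_OUTPUT = """\
fileserver.corp.example (10.0.1.10) at 00:1a:2b:3c:4d:10 [ether] on eth0
printer1.corp.example (10.0.1.20) at 00:1a:2b:3c:4d:20 [ether] on eth0
? (10.0.1.77) at 6c:40:08:aa:bb:cc [ether] on eth0
wks-anders.corp.example (10.0.1.31) at 00:1a:2b:3c:4d:31 [ether] on eth0
"""

# Constructed baseline: MAC address -> (asset name, approved software set).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:10": ("fileserver", {"Windows Server 2012 R2", "Tax Suite"}),
    "00:1a:2b:3c:4d:20": ("printer1", set()),
    "00:1a:2b:3c:4d:31": ("wks-anders", {"Windows 10", "Office 2016"}),
    "00:1a:2b:3c:4d:32": ("wks-spare", {"Windows 10"}),  # expected but absent
}

# Constructed software inventory as reported by each device's agent.
REPORTED_SOFTWARE = {
    "00:1a:2b:3c:4d:10": {"Windows Server 2012 R2", "Tax Suite"},
    "00:1a:2b:3c:4d:31": {"Windows 10", "Office 2016", "ScreensaverPack"},
}

# Matches "<host> (<ip>) at <mac>"; the host may be "?" when unresolved.
ARP_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp(text):
    """Return a list of {host, ip, mac} dicts for every parseable ARP line."""
    devices = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            devices.append({"host": m["host"], "ip": m["ip"],
                            "mac": m["mac"].lower()})
    return devices


def reconcile(observed, authorized, reported):
    """Compare observed devices and reported software against the baseline.

    Returns unauthorized devices (on the wire, not in the baseline), missing
    devices (in the baseline, not seen), and unapproved software per asset.
    """
    seen = {d["mac"] for d in observed}
    unauthorized = [d for d in observed if d["mac"] not in authorized]
    missing = sorted(mac for mac in authorized if mac not in seen)
    unapproved = {}
    for mac, installed in reported.items():
        if mac not in authorized:
            continue  # already reported as an unauthorized device
        name, approved = authorized[mac]
        extra = sorted(installed - approved)
        if extra:
            unapproved[name] = extra
    return {"unauthorized_devices": unauthorized,
            "missing_devices": missing,
            "unapproved_software": unapproved}


if __name__ == "__main__":
    report = reconcile(parse_arp(ARP_OUTPUT), AUTHORIZED_DEVICES,
                       REPORTED_SOFTWARE)
    for d in report["unauthorized_devices"]:
        print(f"UNAUTHORIZED device {d['ip']} ({d['mac']}) host={d['host']}")
    for mac in report["missing_devices"]:
        print(f"MISSING device {AUTHORIZED_DEVICES[mac][0]} ({mac})")
    for name, extra in report["unapproved_software"].items():
        print(f"UNAPPROVED software on {name}: {', '.join(extra)}")
```

Run against the sample data, the script reports one unknown device at 10.0.1.77, one baseline laptop that is not on the network, and one unapproved program on the wks-anders workstation; each finding maps back to a gap in the physical or software inventory that the framework asks an organization to maintain.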

NIST is in the process of updating the framework and has published the comments received in response to its request for information from users (http://1.usa.gov/1NzQxpJ). Respondents recommended improving the framework's applicability to smaller businesses and relating the implementation guidelines back to the core action steps. CPAs may be interested to know that responses were received from the AICPA, Ernst & Young, and the Sustainability Accounting Standards Board (SASB). The AICPA suggested that the framework should include more information, guidelines, and tools for boards of directors and executives (http://1.usa.gov/1S915kX). Ernst & Young provided client use examples and stated that the most useful feature was the core's common language and risk management approach (http://1.usa.gov/1Ql0oPW). The SASB noted that it references the framework in its data security standard (http://1.usa.gov/1ThGs58).

One of the gems of NIST's website is the Cybersecurity Framework industry resources web page (http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm), which lists publicly available guidelines for implementing the framework, guidance and tools for incorporating it, educational resources, and case studies. In addition, Rapid7 hosts a three-minute video, “NIST Cybersecurity Framework Explained,” discussing why the five core functions are important (http://bit.ly/1qD01LN). PricewaterhouseCoopers's “Why You Should Adopt the NIST Cybersecurity Framework” provides a basic introduction and recommends identifying an executive sponsor in the user's organization, assessing current cybersecurity practices, defining a target profile, executing the plan, and monitoring progress (http://pwc.to/1NkG7PO). The Better Business Bureau's “5 Steps to Better Business Cybersecurity Guide” is a handy two-page list of action steps based on the framework's core functions (http://go.bbb.org/1StlTWt). Finally, Finsectech has created a free cybersecurity mobile application that allows easy access and collaboration (http://www.finsectech.com).

Susan B. Anders, PhD, CPA/CGMA is the Louis J. and Ramona Rodriguez Distinguished Professor of Accounting at Midwestern State University, Wichita Falls, Tex. She is a member of The CPA Journal Editorial Board.
