Last weekend I came across this gem of guidance: a taxonomy of operational risks for cyber-security, published by the Software Engineering Institute, a division of CERT at Carnegie Mellon University. How I missed this taxonomy until now, I don’t know, but since your board of directors is likely to resolve at its January meeting not to become the next Sony (or Target, or Home Depot, or JP Morgan), it is worth a fresh look.
CERT also posted a podcast about the taxonomy, featuring an interview with its principal developer. That podcast is worth your time too (30 minutes), and the crucial insight comes at the 5:30-minute mark when a CERT staffer asks this question:
Would you say that having a taxonomy can serve as a structure by which organizations can begin to get a better handle on how to identify and prioritize their risks?
Most compliance, audit, and cyber-security professionals would answer “yes” to that rather obvious question. The real trick for getting your head around cyber-security risks and how to manage them is considering all the implications that come after you say yes.
The taxonomy is a structure to help you identify and prioritize your risks—which therefore means it is a tool to be used in your risk assessment. And risk assessment is one of the five elements of the COSO framework for effective internal control. The other four elements, however, help guide the controls you should put in place to manage the risks that you uncover during the risk assessment.
And suddenly our minds are off to the races, piecing together how this CERT taxonomy can help drive intelligent use of the COSO 2013 framework to manage your cyber-security risks.
Readers of this column will know that I’ve been a fan of the new COSO framework in theory, but skeptical about how quickly it can be adopted—particularly once we get beyond financial reporting risks. The framework’s 17 underlying principles do an admirable job of getting compliance and audit executives to contemplate what the spirit of effective internal control is, and they certainly should think about it that way. But financial reporting risks are straightforward: the law and accounting rules spell out what “compliance” is, and from that you can use the COSO framework to derive what effective internal control for financial reporting should look like.
Cyber-security risks are wholly different: more points of failure, more types of failure, and far fewer laws to help companies understand what their obligations and liabilities are. Tackling them with something as broad and philosophical as the COSO framework can leave many compliance officers wondering, “So how do I get started, exactly?”
The CERT taxonomy is a way to get started. It drives the risk assessment, and from there everything else starts to feel more familiar.
Start by looking at the CERT taxonomy. It groups operational risks in cyber-security into four categories: actions of people; failures of systems and technology; failed internal processes; and external events. Each category has several subclasses of risk, and each subclass has several elements. Once you start thinking about cyber-security risks at those lower levels, visualizing real-world examples becomes much easier. So does mapping those risks to COSO principles you can use to address them.
Consider Subclass 1.3, titled “Inaction”—risks that stem from a person not acting to prevent a risk because he or she didn’t know what to do. They include examples such as a person’s ignorance of the need to take action; a person’s lack of ability to take action; or the unavailability of a resource the person needs to act. Those risks correspond, respectively, to Principle 4 (demonstrate commitment to a competent workforce), Principle 10 (develop control activities that mitigate risks), and (communicate internal control deficiencies). The taxonomy helps you state what your cyber-security problem is; the COSO principles help you decide what to do about it.
Let’s take Target as a more specific example. As we’ve all heard by now, its customer payment system was breached by hackers who first penetrated the security of a Target HVAC contractor. That contractor billed Target electronically, which is how the hackers reached Target’s financial department, and from there reached the point-of-sale card readers at every Target cash register. In the real world that would be akin to letting the ventilation repair man loiter in the CFO’s office because he gives the CFO an invoice every month.
In the CERT taxonomy, that is also called Risk 2.3.3—failure of various components of the system to interface correctly. It also corresponds to COSO Principle 10 and Principle 11 (select and develop technology controls).
Even with the CERT taxonomy, the COSO framework, and the many other pieces of guidance out there that address cyber-security (don’t forget the NIST framework for cyber-security risks published last February), companies have a long and difficult road ahead. But let’s not kid ourselves: the most difficult questions come at the start, especially when the board asks what the company’s risk exposure is. Every tool you can find helps.