
Page 1 of 19

Copyright © 2020 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].

Gleim CPA Review Updates to Business Environment and Concepts

2020 Edition, 1st Printing July 2020

NOTE: Sections with changes are indicated by a vertical bar in the left margin. Text that should be deleted is displayed with a line through it. New text is shown with blue underlined font.

Introduction – Optimizing Your Business Environment and Concepts Score

Page 4: These edits reflect the AICPA’s updated pronouncement testing policy.

WHICH PRONOUNCEMENTS ARE TESTED?

The following is the section of the AICPA’s pronouncement policy that is relevant to the Business section:

Changes in accounting and auditing pronouncements are eligible to be tested on the Uniform CPA Examination in the later of: (1) the first calendar quarter beginning after the pronouncement’s earliest mandatory effective date, regardless of entity type* or (2) the first calendar quarter beginning six (6) months after the pronouncement’s issuance date.

Changes in the Internal Revenue Code, and federal taxation regulations are eligible to be tested in the calendar quarter beginning six (6) months after the change’s effective date or enactment date, whichever is later.

Changes in federal laws outside the area of federal taxation are eligible to be tested in the calendar quarter beginning six (6) months after their effective date.

Changes in uniform acts are eligible to be tested in the calendar quarter beginning one (1) year after their adoption by a simple majority of the jurisdictions.

For all other subjects covered in the Uniform CPA Examination, changes are eligible to be tested in the later of: (1) the first calendar quarter beginning after the earliest mandatory effective date, regardless of entity type* or (2) six (6) months after the issuance date.

[Once a change becomes eligible for testing in the Uniform CPA Examination, previous content impacted by the change is removed.]

* Note the following example: A pronouncement issued on February 1, 2019, is effective for public business entities for fiscal years beginning after December 15, 2019, and is effective for all other entities for fiscal years beginning after December 15, 2020. For purposes of the Uniform CPA Examination: (1) the pronouncement is eligible for testing on January 1, 2020 for all entity types and (2) the prior pronouncement is deemed superseded and no longer eligible for testing as of January 1, 2020.

Note that the bracketed sentence above simply means that once a new pronouncement is testable, you will no longer be tested on the old pronouncement.


Study Unit 2 – COSO Frameworks

Page 36, Subunit 2.1, Item 7.: This update clarifies and expands our coverage of control activities.

7. Control Activities

a. These policies and procedures help ensure that management directives to mitigate risks are carried out. Whether automated or manual, they are (1) applied at all levels of the entity, (2) within various stages of business processes, and (3) over the technology environment. They may be preventive or detective, and segregation of duties is usually present. Three principles relate to control activities:

1) The organization selects and develops control activities that help mitigate risks to acceptable levels in order to ensure the achievement of objectives.

a) Control activities are integrated with the risk assessment.

b) Management considers how entity-specific factors affect control activities.

c) Management determines which business processes require control activities.

d) The organization selects and develops a mix of automated or manual control activities, of which transactional controls are the most basic and include the following controls:

i) Authorizations and approvals
ii) Verifications
iii) Physical controls
iv) Controls over standing data
v) Reconciliations
vi) Supervisory controls

e) Control activities are selected and developed for application at different levels of the organization.

i) Transactional control activities are typically applied at lower levels.
ii) Business performance or analytical reviews are typically applied at higher levels.

f) Segregation of duties divides responsibility for the recording of the transaction, authorization (e.g., unusual credit approvals), and custody of the assets (e.g., inventory, receivables, and cash) associated with the transaction when feasible.

2) The organization selects and develops general control activities over technology to support the achievement of objectives.

3) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.


b. The two levels of control activities are entity-level and transaction-level controls.

1) Entity-level controls are controls that relate to the entire organization and affect all business processes. Examples include

a) Business performance or analytical reviews

b) The code of conduct

c) Controls over management override

d) A whistleblower system

e) Controls related to the control environment, risk assessment, and information systems

2) Transaction-level controls (also called activity-level controls) are controls that affect a transaction or a group of transactions. They include

a) Authorizations and approvals that ensure that only valid transactions are initiated. For example, biometric devices are used to verify the identity of authorized users. Additionally, a bank’s positive pay system compares the checks presented for payment with the list of issued checks provided by the payor before they are cashed.

b) Verifications of the existence and valuation of assets and liabilities.

c) Physical controls, including physical security of assets, authorization of access, and periodic counts.

d) Reconciliations that ensure two sets of records (e.g., bank balance and book balance) are in agreement, creating asset accountability.

e) Controls over standing data, including periodically checking data stored in computers against manually held data.

f) Supervisory controls, such as using a centralized system to monitor and control groups of transactions.

g) Segregation of duties dividing the following responsibilities associated with a transaction:

i) Recording
ii) Authorization (e.g., unusual credit approvals)
iii) Custody of assets (e.g., inventory, receivables, and cash)

Page 50, Subunit 2.2, New item 7.a.2)c): This update adds the definition for uncertainty. Subsequent items were relettered accordingly.

c) Uncertainty refers to the inability of an entity to know in advance the likelihood or impact of future events on the achievement of objectives. Management must assess both the risk and opportunity of the uncertainty.

Page 57, New Subunit 2.3: This update reflects regulations that became testable on the CPA Exam beginning July 1, 2020. The following 5 pages contain the new Subunit 2.3.


SU 2: COSO Frameworks

2.3 APPLYING THE COSO ERM FRAMEWORK TO CYBER RISK MANAGEMENT

1. Cyber Risk Definition and Concepts

a. Cyber risk, as defined by the U.S. National Institute of Standards and Technology (NIST), refers to the risk of financial loss, operational disruption, and reputational damage from the failure of digital technology.

b. The causes of cyber risk include but are not limited to the following:

1) Poor information system design
2) Unintentional security breaches
3) Intentional security breaches

c. Cyber threat actors can be classified into the following categories based on the objectives of their attacks:

1) Nation-states (foreign nations) and spies seek out national security secrets and valuable intellectual property (IP), such as military communications.

2) Organized criminals steal an entity’s private information for personal or financial gain, e.g., stealing credit card information for identity theft. The information stolen is usually personally identifiable information (PII), such as Social Security and bank account numbers.

3) Terrorists attack critical facilities, infrastructure, or institutions, such as security exchanges or banks, via electronic means.

4) Hacktivists fulfill social or political purposes using the private information of an entity, such as stealing and publishing information of companies that have caused environmental damage.

5) Company insiders use, share, or sell private information from within an organization for personal gain, such as an employee using unpublished information for insider trading.

d. As the impact, frequency, and complexity of cyber attacks continue to increase, cyber risk management must be incorporated into the risk management programs of all organizations.

2. COSO ERM Framework and Cyber Risk Management

a. In 2019, COSO released Managing Cyber Risk in a Digital Age, which addresses how companies can apply the COSO ERM framework to cyber risks. The fundamental cyber risk management techniques provided in this guidance can be mapped to the interrelated components and principles under the COSO ERM framework to develop a cyber risk management program.

b. Cyber risk management requires understanding how the COSO ERM framework can be utilized to manage cyber risks.

c. Parties responsible for an entity’s cyber risk management include but are not limited to an entity’s

1) Board of directors
2) Audit committee or IT steering committee
3) Executives
4) Cyber practitioners (e.g., third-party IT service providers)


3. Component 1 – Governance and Culture

a. The following are the fundamental cyber risk management techniques related to the five principles of governance and culture.

1) The board exercises cyber risk oversight.

a) The board should possess or increase their competencies in understanding and evaluating cyber risks. If the board lacks the necessary knowledge and experience, an independent advisor may be used.

2) The organization establishes operating structures.

a) A cyber risk management team should be created to manage entity-level cyber risks.

i) The team is generally led by the chief information officer (CIO) or the chief information security officer (CISO). In addition, the team should be composed of cross-departmental and cross-functional parties.

ii) The team should report to the board of directors regarding the impact of cyber risks and the initiatives to manage such risks.

3) The organization defines the desired culture.

a) The organization embeds cybersecurity vigilance and awareness in the organizational culture and reward systems.

4) The organization demonstrates commitment to core values.

a) Commitment can be demonstrated by a cyber risk management program that is consistent with the core values and supports the core values through policies, standards, and communications.

5) The organization attracts, develops, and retains capable individuals by

a) Continuous employee training about cybersecurity, such as email alerts and training on how to detect phishing emails.

b) Developing qualified cyber risk professionals internally or supplementing with outside service providers who are tasked with assessing cyber risks and implementing and monitoring the cyber risk management program.


4. Component 2 – Strategy and Objective Setting

a. The following are the fundamental cyber risk management techniques related to the four principles of strategy and objective setting.

1) The organization analyzes the business context and its effects on the risk profile.

a) The IT-related factors that influence the organization’s strategy and business objectives, both in the present and future, must be taken into account.

i) For example, a retailer should consider the transaction system used in its physical stores and the IT-related factors (such as information security) of an online platform if it plans to open an online store.

2) The organization defines its risk appetite.

a) Risk appetite should be set to balance opportunity and risk, such as the benefits of adopting new technologies and the associated costs.

b) The organization’s risk appetite must be continually adjusted as both cyber risks and the business context constantly evolve.

3) The organization evaluates alternative strategies and their effects on the risk profile.

a) Approaches to evaluating the strategies, or security models, help establish and assess the cyber risk management program.

b) Cybersecurity control frameworks, such as the Control Objectives for Information and Related Technology (COBIT), are helpful in evaluating the effectiveness of security models.

4) Cyber risk management should align with the organization’s strategies and business objectives.

a) Performance targets (e.g., eliminating the risk of opening phishing emails by training employees) and tolerances (e.g., accepting cyber risks that do not affect day-to-day business operations) are established to evaluate the achievement of objectives.

5. Component 3 – Performance

a. The following are the fundamental cyber risk management techniques related to the five principles of performance.

1) The organization identifies risks that affect the performance of strategies and business objectives.

a) The organization should identify what information, technology, and systems are valuable to the achievement of strategies and business objectives.

i) Value depends on the specific conditions of each organization. For example, system downtime may be tolerable for some industries but is disastrous for others, such as banks.

b) Emerging cyber risks (i.e., due to technological advancement) should also be identified.


2) The organization assesses the severity of risk.

a) Severity is a combination of

i) Impact (e.g., increased cyber attacks after opening an online store) and

ii) Likelihood (e.g., the online store is targeted by a cyber attack once every 2 months).

b) Assessment of cyber risks should be industry specific and based on the likely objectives of cyber threat actors. For example, organized criminals may have different objectives than hacktivists. (The different types and objectives of threat actors are detailed in item 1.c. on page 4.)

3) Assigning values to information, technology, and systems is the foundation of risk prioritization.

a) Time, budget, and resources should first be allocated to the most valuable information, technology, and systems.

4) Compared to traditional risks, cyber risks may come from more entry points, both internal and external to the entity. Control activities that ensure that the risk responses are carried out should therefore focus on (a) using preventive controls to limit access to the system (e.g., user authentication) and (b) using detective and corrective controls to identify and prevent similar breaches in the future as soon as possible (e.g., immediately detecting access by unauthorized users and blocking the loophole).

a) The constantly evolving nature of cyber risks makes cyber risk avoidance ineffective or impossible. Other risk responses discussed in Subunit 2.2 may, however, be used in managing cyber risks.

5) The portfolio of cyber risks, including risk identification, assessment, prioritization, and response, should be continually adjusted because of the constantly evolving business context.

6. Component 4 – Review and Revision

a. The following are the fundamental cyber risk management techniques related to the three principles of review and revision.

1) Technological changes are common sources of opportunities. However, they also create vulnerabilities. Thus, significant changes must be iteratively identified and assessed.

a) Significant changes may come from either

i) The internal environment (e.g., the failure of a risk response) or

ii) The external environment (e.g., evolution of a technology used in operation).

2) Performance results that deviate from a target or tolerance may indicate

a) Unidentified cyber risks (e.g., an unidentified loophole in the system)
b) Improperly assessed risks (e.g., inappropriate value assigned to a system)
c) New risks (e.g., risks from new types of cyber attacks)
d) Opportunities to accept more risk (e.g., emerging technology)
e) The need to revise a target performance or tolerance

3) Improvements help factor in unidentified or emerging cyber risks.

a) Opportunities from technological advancement can also be captured.


7. Component 5 – Information, Communication, and Reporting

a. The following are the fundamental cyber risk management techniques related to the three principles of information, communication, and reporting.

1) Information systems support cyber risk management by

a) Providing complete, accurate, and relevant data input for decision making

b) Increasing the speed at which information is provided, thereby facilitating real-time decision making

c) Easing reporting of cyber risks (e.g., automated or event-driven reporting)

d) Enabling the use of third-party service providers (e.g., by easing the information flows between the parties)

2) Communication channels should exist at every level of the entity and direct information internally and externally.

a) The following are examples of existing communication channels.

i) Emails sent to each employee informing them of any attempted cyber attack

ii) Activity reports of employees sent to management for risk identification and assessment

iii) Periodic information interchange (e.g., management meetings) with outside parties

b) The channels chosen should be based on the specific needs of the communication, such as

i) Nature (e.g., phone calls may not be effective for contract negotiation)

ii) Urgency (e.g., emails may not be effective if immediate feedback is required)

iii) Sensitivity (e.g., unsecured channels should not be used to share private and sensitive information)

3) The organization reports on risk, culture, and performance at multiple levels and across the entity.

a) The organization should review the related federal and state laws and regulations for reporting or disclosure requirements.

b) Reporting should be tailored to various levels of the organization and different audiences based on the facts and level of detail required.

c) The level of reporting depends on the impact and severity of the issue.

i) Minor issues are reported to the cyber risk management team or the information security team with a detailed description of the issues.

ii) Major issues are reported to executive management.

iii) In certain circumstances, such as cybersecurity breaches by executive management, issues are reported to the board of directors.


Study Unit 5 – International Economics

Page 152, Subunit 5.2, New item 1.c. and Example 5-2: This update expands our coverage of foreign currency markets. Subsequent examples were renumbered accordingly.

c. The exchange rate between two currencies is not always available (e.g., when a market for exchanging the two currencies does not exist). To determine the exchange rate, the cross rate can be used.

1) The cross rate is the product or quotient of the exchange rates of each currency with a common currency that effectively cancels out the common currency and rearranges the remaining currencies. The desired currencies are thus valued proportionally to one another.

2) The cross rate can be calculated using the following formulas depending on which exchange rates are available (whether the common currency is in the numerator or the denominator):

$$\frac{\text{Currency A}}{\text{Currency B}} \times \frac{\text{Currency B}}{\text{Currency C}} = \frac{\text{Currency A}}{\text{Currency C}}$$

$$\frac{\text{Currency A}}{\text{Currency B}} \div \frac{\text{Currency A}}{\text{Currency C}} = \frac{\text{Currency A}}{\text{Currency B}} \times \frac{\text{Currency C}}{\text{Currency A}} = \frac{\text{Currency C}}{\text{Currency B}}$$

EXAMPLE 5-2 Cross Currency Rate

A British company needs to purchase materials from a company in Switzerland. In order to pay the Swiss company, the British company must purchase Swiss francs. The British company must determine the exchange rate of Swiss francs per British pound, which is not readily available. However, the exchange rate of U.S. dollars to each currency is available, which can be used to determine the cross rate.

The U.S. dollar to British pound exchange rate is $1.23/£, and the U.S. dollar to Swiss franc exchange rate is $1.03/₣. The Swiss franc per British pound cross rate is the quotient of the two rates. By dividing the dollar-to-pound exchange rate by the dollar-to-franc exchange rate, (1) the common U.S. dollar currency unit is canceled out and (2) the quotient is expressed as the ratio between the Swiss franc and the British pound (₣1.23/£1.03). Therefore, the Swiss franc per British pound cross rate is ₣1.19/£.

$$\frac{\$1.23}{£1} \div \frac{\$1.03}{₣1} = \frac{\$1.23}{£1} \times \frac{₣1}{\$1.03} = \frac{₣1.23}{£1.03} = ₣1.19/£$$


Study Unit 11 – Capital Budgeting

Page 309, Subunit 11.1, Item 2.b., New item 2.c., and New Example 11-2: This update clarifies and expands our coverage of relevant cash flows. Subsequent examples were renumbered accordingly.

b. The following are relevant cash flows for capital budgeting:

1) Operating cash flow (the annual after-tax cash savings or inflows)

2) Net capital expenditure, including

a) Cost of new equipment

b) Proceeds from disposal of old equipment (residual or salvage value)

c) Proceeds from disposal of new equipment (residual or salvage value)

3) Net change in working capital

a) At project initiation, working capital is built up (increased) to serve liquidity needs. This represents a cash outflow.

b) At the end of the project, working capital is recovered. This represents a cash inflow.

[. . .]

c. The free cash flow of a project can be calculated using the following equation:

Free cash flow = Operating cash flow – Net capital expenditure – Net change in working capital

EXAMPLE 11-2 Relevant Cash Flows

An investment project has the following information:

Operating income after tax $ 60,000
Depreciation expense 20,000
Net capital expenditure 50,000
Net change in working capital (10,000)

Free cash flow to the project = Operating cash flow – Net capital expenditure – Net change in working capital

= $60,000 + $20,000 – $50,000 – $(10,000) = $40,000


Study Unit 13 – IT Software, Data, and Contingency Planning

Pages 370-371 and 373, Subunits 13.2 and 13.3, 13.2: Item 1.e.1), 13.3: New item 3.h. and New Example 13-8 with New Figure 13-3: This update clarifies and expands the discussion of data keys and moves it to Subunit 13.3. Subsequent examples and figures were renumbered accordingly.

1) Some field or combination of fields on each record is designated as the key. The criterion for a key is that it contains enough information to uniquely identify each record; i.e., there can be no two records with the same key.

a) The designation of a key allows records to be sorted and managed with much greater efficiency. If all the records are sorted in the order of the key, searching for a particular one becomes much easier.

b) In Example 13-4 on the previous page, the key is the combination of the first two fields.

i) The first field alone is not enough because there could be several works by each composer. The second field alone is likewise not enough since there could be many pieces with the same title.

ii) The combination of the composer’s name and title uniquely identifies each piece of music.

[. . .]

h. Data relationships are situations in which records (rows) in relational database tables are referred to by records in different tables.

1) Records are referenced to each other by pairs of primary and foreign keys.

a) Primary keys are the data fields in a table that uniquely identify the records in the table.

b) Foreign keys are the data fields or groups of data fields that reference a primary key in another table.

c) Thus, the key in the referencing table is the foreign key, and that in the referenced table is the primary key.

2) In Example 13-7, the Part_Nbr attribute in the Parts Table uniquely identifies each part and is thus a primary key. The Part_Nbr attribute in the Order Table references the primary key in the Parts Table. Therefore, it is the foreign key in the Order-Parts relationship. Similarly, the Customer_Nbr attribute in the Customer Table is a primary key, and the Customer_Nbr attribute in the Order Table is the foreign key in the Customer-Order relationship.

3) If two tables use the same primary key, either primary key can be used as the foreign key to reference the other.

4) The primary key and the foreign key can be related in one of three ways:

a) One-to-one. Each primary key value is referenced by at most one foreign key value, and each foreign key value references exactly one primary key value.

b) One-to-many. A single primary key value (in the “one” table) may be referenced by many records, i.e., many foreign key values, in the “many” table, but each of those foreign key values references only one primary key value.

c) Many-to-many. A record in either table may be related to many records in the other. Because a foreign key value can reference only one primary key value, this relationship cannot be stored in either table directly; it is implemented with a linking (junction) table that holds a foreign key to each of the two tables.


EXAMPLE 13-8 Data Relationships

Data relationships can be illustrated using a publisher-book-author-biography relationship.

1. Each book can have only one publisher, while one publisher may publish more than one book. Thus, the publisher-book relationship is a one-to-many relationship.

2. Each book can have more than one author, and each author can write more than one book. Thus, the book-author relationship is a many-to-many relationship.

3. Each author can have only one set of biographies written about them, and each set of biographies can only belong to one author. Thus, the author-biography relationship is a one-to-one relationship.

Figure 13-3
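As an added illustration (not part of the Gleim text), the following Python script builds the publisher-book-author-biography schema of Example 13-8 in SQLite, together with the composer/title composite key of Example 13-4, and checks what the declared constraints actually reject. All table and column names and the sample rows are constructed for the example. The point a practitioner cares about is that a relationship described only in prose is not enforced; it becomes a control when it is declared as key and foreign-key constraints, and in SQLite those constraints are silently ignored unless foreign_keys is switched on for the connection.

```python
import sqlite3

# Constructed schema for the publisher-book-author-biography example
# (added illustration; names are assumptions, not from the page).
SCHEMA = """
CREATE TABLE publisher (
    publisher_id INTEGER PRIMARY KEY,
    name         TEXT NOT NULL
);
-- One-to-many: each book references exactly one publisher;
-- one publisher_id may appear in many book rows.
CREATE TABLE book (
    book_id      INTEGER PRIMARY KEY,
    title        TEXT NOT NULL,
    publisher_id INTEGER NOT NULL REFERENCES publisher(publisher_id)
);
CREATE TABLE author (
    author_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL
);
-- Many-to-many: a single foreign key cannot express it, so a linking
-- (junction) table holds one foreign key to each side; its composite
-- primary key prevents the same pairing from being recorded twice.
CREATE TABLE book_author (
    book_id   INTEGER NOT NULL REFERENCES book(book_id),
    author_id INTEGER NOT NULL REFERENCES author(author_id),
    PRIMARY KEY (book_id, author_id)
);
-- One-to-one: the foreign key is also UNIQUE, so an author has at most
-- one biography row and a biography belongs to exactly one author.
CREATE TABLE biography (
    biography_id INTEGER PRIMARY KEY,
    author_id    INTEGER NOT NULL UNIQUE REFERENCES author(author_id),
    text         TEXT NOT NULL
);
-- Composite key, as in the composer/title example: neither field alone
-- is unique, but the pair is.
CREATE TABLE piece (
    composer TEXT NOT NULL,
    title    TEXT NOT NULL,
    PRIMARY KEY (composer, title)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless this pragma is enabled on
    # every connection; without it, orphan rows are accepted silently.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_sample(conn):
    """Insert constructed sample rows and return the book -> authors mapping."""
    conn.execute("INSERT INTO publisher VALUES (?, ?)", (1, "Acme Press"))
    conn.executemany("INSERT INTO book VALUES (?, ?, ?)",
                     [(10, "Ledgers", 1), (11, "Audits", 1)])
    conn.executemany("INSERT INTO author VALUES (?, ?)",
                     [(100, "A. Writer"), (101, "B. Writer")])
    conn.executemany("INSERT INTO book_author VALUES (?, ?)",
                     [(10, 100), (10, 101), (11, 100)])
    conn.execute("INSERT INTO biography VALUES (?, ?, ?)", (1000, 100, "..."))
    conn.executemany("INSERT INTO piece VALUES (?, ?)",
                     [("Bach", "Partita"), ("Bach", "Toccata"), ("Handel", "Toccata")])
    conn.commit()
    rows = conn.execute("""
        SELECT b.title, a.name
        FROM book b
        JOIN book_author ba ON ba.book_id = b.book_id
        JOIN author a ON a.author_id = ba.author_id
        ORDER BY b.title, a.name""").fetchall()
    books = {}
    for title, name in rows:
        books.setdefault(title, []).append(name)
    return books


def violates_integrity(conn, sql, params):
    """True if the statement is rejected by a key or foreign-key constraint."""
    try:
        conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True


def run_checks():
    conn = open_db()
    checks = {"books": load_sample(conn)}
    # Orphan foreign key: publisher 99 does not exist.
    checks["orphan_book"] = violates_integrity(
        conn, "INSERT INTO book VALUES (?, ?, ?)", (12, "Ghost", 99))
    # A second biography for the same author would break one-to-one.
    checks["second_biography"] = violates_integrity(
        conn, "INSERT INTO biography VALUES (?, ?, ?)", (1001, 100, "dup"))
    # Duplicate composite key.
    checks["dup_piece"] = violates_integrity(
        conn, "INSERT INTO piece VALUES (?, ?)", ("Bach", "Partita"))
    # Same title by another composer is fine: the pair is still unique.
    checks["same_title_ok"] = not violates_integrity(
        conn, "INSERT INTO piece VALUES (?, ?)", ("Handel", "Partita"))
    # Deleting a referenced publisher is refused while books still point at it.
    checks["delete_referenced_publisher"] = violates_integrity(
        conn, "DELETE FROM publisher WHERE publisher_id = ?", (1,))
    conn.close()
    return checks


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The junction table is what makes the many-to-many case in Example 13-8 work: book_author carries one foreign key per side, so a book can list several authors and an author several books without either base table holding a multi-valued field.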

Page 376, Subunit 13.5, New items 1.a.3)a) and b): This update adds definitions for horizontal and vertical scalability.

3) Determine the capacity of current systems to accommodate projected growth

a) Horizontal scalability is the ability of an entity to increase its processing capacity by adding more machines to its IT system. Horizontal scaling increases the number of machines in the system.

b) Vertical scalability is the ability of an entity to increase its processing capacity by adding more processing power to the existing machines (e.g., by adding more CPUs). Vertical scaling does not increase the number of machines in the system.


Study Unit 15 – IT Security and Controls

Pages 428-433, Subunit 15.2: This update reflects regulations that became testable on the CPA Exam beginning July 1, 2020.

15.2 COBIT -- A FRAMEWORK FOR IT AND DATA GOVERNANCE

1. Overview

a. COBIT is the best-known control and governance framework that addresses IT-related governance and management.

1) In its original version, COBIT was focused on controls for specific IT processes.

2) Over the years, information technology has gradually pervaded every facet of the organization’s operations and functions. IT can no longer be viewed as a function distinct from other aspects of the organization.

[. . .]

4. COBIT defines IT activities in a generic process model grouped into four domains:

a. Plan and Organize – Provides direction to solution delivery and service delivery.

b. Acquire and Implement – Solutions need to be identified, developed, or acquired and integrated into the business process.

c. Deliver and Support – Provides instruction for the management of security and continuity, service support for users, and management of data and operational facilities.

d. Monitor and Evaluate – Processes need to be regularly assessed over time for their quality and compliance with control requirements.

5. IT Resources

a. Applications are the automated user systems and manual procedures that process the information.

b. Information is the data, in all their forms, input, processed, and output by the information systems in whatever form is used by the business.

c. Infrastructure is the technology and facilities that enable the processing of the applications.

d. People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor, and evaluate the information systems.


6. COBIT 5 -- Five Key Principles

a. Principle 1: Meeting Stakeholder Needs

[. . .]

3) In response to the identified stakeholder needs, enterprise goals are established.

a) COBIT 5 supplies 17 generic enterprise goals that are tied directly to the balanced scorecard model.

b) Next, IT-related goals (referred to as alignment goals) are drawn up to address the enterprise goals.

c) Finally, enablers (referred to as components by COBIT 2019) that support the pursuit of the IT-related goals are identified. An enabler is broadly defined as anything that helps achieve objectives. Categories of the enablers are identified in principle 4 below.

d) COBIT 5 refers to the process described above as the goals cascade.

b. Principle 2: Covering the Enterprise End-to-End

1) COBIT 5 takes a comprehensive view of all of the enterprise’s functions and processes. Information technology pervades them all; it cannot be viewed as a function distinct from other enterprise activities.

a) Thus, IT governance must be integrated with enterprise governance.

2) IT must be considered enterprise-wide and end-to-end, i.e., all IT and non-IT functions and processes that govern and manage information “wherever that information may be processed.”

[. . .]

d. Principle 4: Enabling a Holistic Approach

1) COBIT 5 describes seven categories of enablers that support comprehensive IT governance and management:

a) Principles, policies, and frameworks to translate desired behavior into guidance

b) Processes, which are sets of practices to achieve the objectives

c) Organizational structures, which are decision-making entities

d) Culture, ethics, and behavior of individuals and the enterprise

e) Information produced and used by the enterprise

f) Services, infrastructure, and applications that provide the enterprise with IT processing and services

g) People, skills, and competencies required for operations, error detection, and correction

[. . .]


e. Principle 5: Separating Governance from Management

[. . .]

2) COBIT 5 divides governance and management objectives into five domains (key areas):

a) Governance

i) Evaluate, Direct, and Monitor (EDM)

● Evaluate. Evaluate stakeholder needs, conditions, and options.

● Direct. Set direction through prioritization and decision making.

● Monitor. Monitor performance and compliance.

b) Management

i) Align, Plan, and Organize (APO). Plan how IT can be used to achieve the company’s goals and objectives.

ii) Build, Acquire, and Implement (BAI). Identify IT requirements, build or acquire the technology, and incorporate into business processes.

iii) Deliver, Service, and Support (DSS). Execute and support the application of the technology in business processes.

iv) Monitor, Evaluate, and Assess (MEA). Monitor and evaluate whether the current IT system and internal control system meet the company’s goals and objectives.

c) Processes under each of the domains above are also defined.

7. COBIT 5 Conversion to COBIT 2019

a. COBIT 2019 expands on COBIT 5’s key principles for a governance system applicable to IT governance to include six governance system principles and three governance framework principles. A governance system is the rules, practices, and processes that direct and regulate an entity. A governance framework is the structure upon which the governance system is built.

1) The six principles for a governance system are summarized as follows:

[. . .]

f) End-to-end governance system. The emphasis is not solely on the IT function but on all information, processes, and technology that contribute to organizational goal achievement.

[. . .]

3) An IT governance program has two separate phases:

a) Phase 1. Pre-planning is the development stage. It includes identifying all stakeholders and their needs and designing a course of action to create stakeholder value.

b) Phase 2. Program implementation involves activating the system, comparing the status of the system with the system’s goals, and making any necessary adjustments to ensure acceptable value is produced.


3) The COBIT implementation approach comprises seven phases, and each phase is represented by a question.

a) Program initiation – What are the drivers?

i) This phase involves recognizing change drivers and establishing management’s desire to change.

b) Problems and opportunities definition – Where are we now?

i) This phase involves assessing the current state or capability and forming an implementation team.

c) Road map definition – Where do we want to be?

i) This phase involves defining the target state and identifying the gap as well as potential solutions.

d) Program planning – What needs to be done?

i) This phase involves planning implementation to close the gap.

e) Plan execution – How do we get there?

i) This phase involves implementing the plan and establishing monitoring systems.

f) Benefits realization – Did we get there?

i) This phase involves monitoring progress and achievement.

g) Effectiveness review – How do we keep the momentum going?

i) This phase involves reviewing the overall program and reinforcing improvements.

4) Generally, these phases can be matched with the principles of the governance system. Note, however, that Principle 6 and Phase 7 have no counterpart.

Governance System Principle                  Implementation Phase(s)

1. Provide stakeholder value                 1. What are the drivers?

2. Holistic approach                         2. Where are we now?

3. Dynamic governance system                 3. Where do we want to be?
                                             4. What needs to be done?

4. Governance distinct from management       5. How do we get there?

5. Tailored to enterprise needs              6. Did we get there?

6. End-to-end governance system              (no matching phase)

(no matching principle)                      7. How do we keep the momentum going?

b. COBIT 2019 includes 40 governance and management objectives organized into 5 domains, expanded from 37 processes organized into the same 5 domains under COBIT 5.

1) Candidates need not memorize these objectives. They are included here because they represent one of the foundational shifts from COBIT 5 to COBIT 2019.

Page 433, New Subunit 15.3: This update reflects regulations that became testable on the CPA Exam beginning July 1, 2020. The following 3 pages contain the new Subunit 15.3. Subsequent subunits were renumbered accordingly.


15.3 IMPLEMENTING THE NIST CSF USING COBIT 2019

1. Overview

a. The U.S. National Institute of Standards and Technology (NIST) created the Framework for Improving Critical Infrastructure Cybersecurity (commonly known as the Cybersecurity Framework, or CSF) to guide the controls over cybersecurity risks.

b. The CSF defines the following five functions to control cyber risk activities and outcomes:

1) Identify – Understanding of cybersecurity risk management

2) Protect – Protection of critical services

3) Detect – Detective measures to identify occurrence of cybersecurity breaches

4) Respond – Corrective measures to tackle identified breaches

5) Recover – Plans to restore services impacted by the breaches

c. The CSF also defines four implementation tiers that describe how rigorously an organization’s cybersecurity risk management practices are performed:

1) Tier 1: Partial

a) Cybersecurity management practices are informal and not based on risks.

b) Awareness of cyber risk is limited.

c) Processes to enable internal sharing of cybersecurity information may not exist.

d) The organization does not collaborate (receive and share) cybersecurity risk-related information with other entities.

2) Tier 2: Risk-informed

a) Cybersecurity management practices exist but are not included as formal policies.

b) Awareness of cyber risk exists, but the consideration of risk is not at all levels.

c) Processes to enable internal information sharing are informal.

d) The organization receives cybersecurity risk-related information from other entities but may not share such information.

3) Tier 3: Repeatable

a) Cybersecurity management practices are established as formal policies.

b) Awareness of cyber risks exists at all levels of the organization.

c) Processes to enable internal information sharing are formal.

d) The organization receives and shares cybersecurity risk-related information, but not proactively.

4) Tier 4: Adaptive

a) Cybersecurity management policies are constantly improving to respond to risks promptly.

b) Awareness of current and evolving cyber risks is incorporated in the organization’s culture.

c) Information is continuously shared internally.

d) The organization collaborates with other entities proactively in real time.


d. A summary of the four tiers is depicted in the following table:

Tier 1: Partial
    Cybersecurity management practices: None/Informal
    Awareness of cyber risks: None/Limited
    Processes to internally share cybersecurity information: None
    Collaboration with outside parties: None

Tier 2: Risk-Informed
    Cybersecurity management practices: Exist but not as formal policies
    Awareness of cyber risks: Exists but not at all levels
    Processes to internally share cybersecurity information: Informal
    Collaboration with outside parties: Information received but not shared

Tier 3: Repeatable
    Cybersecurity management practices: Formal policies
    Awareness of cyber risks: Exists at all levels
    Processes to internally share cybersecurity information: Formal
    Collaboration with outside parties: Information received and shared, but not proactively

Tier 4: Adaptive
    Cybersecurity management practices: Constantly improving
    Awareness of cyber risks: Incorporated in company culture
    Processes to internally share cybersecurity information: Continuous
    Collaboration with outside parties: Proactive, real-time collaboration

2. Using COBIT 2019 to Implement the CSF

a. The CSF can be implemented in phases or across the entire organization simultaneously. In the context of COBIT 2019, the CSF is implemented incrementally in seven steps as depicted in the following diagram:

Figure 15-1

NOTE: For Step 1, the goals cascade of COBIT 2019 is generally conducted.


b. CSF implementation concludes with two final steps:

1) CSF Action Plan Review. Determine whether the action plan is appropriate and delivers the values desired.

2) CSF Life Cycle Management. Continually review and improve the successful action plan.

c. The following table is a summary of the alignment between the COBIT 2019 implementation phases and the CSF implementation steps. The two final steps are not included in the seven-step model, but they align with the phases in COBIT 2019.

CSF Implementation Step                        COBIT 2019 Implementation Phase

1. Prioritize and Scope                        1. What are the drivers?

2. Orient                                      2. Where are we now?

3. Create a Current Profile                    2. Where are we now?

4. Conduct a Risk Assessment                   3. Where do we want to be?

5. Create a Target Profile                     3. Where do we want to be?

6. Determine, Analyze, and Prioritize Gaps     4. What needs to be done?

7. Implement Action Plan                       5. How do we get there?

CSF Action Plan Review                         6. Did we get there?

CSF Life Cycle Management                      7. How do we keep the momentum going?
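As an added example (not from the Gleim text or from NIST), the following Python script works through CSF steps 3 through 6 of the table above: it compares a current profile with a target profile, weights each gap by an assumed risk rating carried over from the risk assessment, and orders the result into the list an action plan would start from. The 0-to-4 score per category, the weights, and the sample profiles are constructed assumptions; NIST defines a profile as a selection of outcomes, not a numeric score. The category identifiers used (ID.AM, PR.AC, DE.CM, RS.RP, RC.RP) are CSF v1.1 category IDs, mapped to the five functions by their two-letter prefix.

```python
from dataclasses import dataclass

# The five CSF functions, keyed by the prefix of CSF v1.1 category IDs.
PREFIX_TO_FUNCTION = {
    "ID": "Identify", "PR": "Protect", "DE": "Detect",
    "RS": "Respond", "RC": "Recover",
}
MAX_SCORE = 4  # assumed 0-4 scale per category (illustration only, not NIST's)


@dataclass(frozen=True)
class Gap:
    category: str
    function: str
    current: int
    target: int
    weight: int  # assumed risk weighting taken from step 4 (risk assessment)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Larger gaps in higher-risk categories are worked first.
        return self.size * self.weight


def function_of(category: str) -> str:
    """Map a category ID such as 'PR.AC' to its CSF function."""
    prefix = category.split(".", 1)[0]
    if prefix not in PREFIX_TO_FUNCTION:
        raise ValueError(f"{category!r} does not belong to a CSF function")
    return PREFIX_TO_FUNCTION[prefix]


def _check_score(category: str, score: int) -> None:
    if not isinstance(score, int) or not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score for {category!r} must be an integer 0..{MAX_SCORE}")


def analyze_gaps(current: dict, target: dict, weights: dict) -> list:
    """Steps 3-6: compare the current profile with the target profile and
    return the gaps, highest priority first. A category missing from the
    current profile is treated as unimplemented (score 0); a category whose
    current score already meets the target yields no gap."""
    gaps = []
    for category, target_score in target.items():
        current_score = current.get(category, 0)
        _check_score(category, current_score)
        _check_score(category, target_score)
        if target_score > current_score:
            gaps.append(Gap(category, function_of(category),
                            current_score, target_score, weights.get(category, 1)))
    # Ties on priority are broken alphabetically so the order is deterministic.
    gaps.sort(key=lambda g: (-g.priority, g.category))
    return gaps


def summarize_by_function(gaps: list) -> dict:
    """Total gap size per CSF function, to show where the shortfall sits."""
    totals = {name: 0 for name in PREFIX_TO_FUNCTION.values()}
    for gap in gaps:
        totals[gap.function] += gap.size
    return totals


# Constructed sample profiles (not real assessment data).
CURRENT_PROFILE = {"ID.AM": 2, "PR.AC": 1, "DE.CM": 0, "RS.RP": 2, "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "PR.AC": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}
RISK_WEIGHTS = {"PR.AC": 3, "DE.CM": 2}  # everything else defaults to 1


def action_plan_order() -> list:
    """Step 7 input: (category, gap size, priority) in the order to work them."""
    gaps = analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS)
    return [(g.category, g.size, g.priority) for g in gaps]


if __name__ == "__main__":
    for entry in action_plan_order():
        print(entry)
    print(summarize_by_function(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS)))
```

Treating a category that is absent from the current profile as score 0 is the conservative reading; the alternative, skipping it, would hide exactly the outcomes nobody has assessed yet. The per-function summary is what feeds the action plan review (“Did we get there?”): rerunning the analysis after implementation should show the totals shrinking toward zero.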
