Page 253 - COSO Guidance Book
11. Wiping. In case a laptop or mobile device is lost or stolen, sensitive data can be remotely wiped (but not recovered) using the security features of a particular vendor (for example, Microsoft Intune) or other third-party software.
12. Training. It is important to increase user awareness of the types of cyberthreats that could occur at their entity and of the measures users should take in case of an adverse event. For example, if a user receives an email with grammatical and spelling errors or other signs of being suspicious, the user should be required to notify appropriate personnel that a suspicious email was able to bypass the IT security software.

COSO in the Cyber Age
In 2015, COSO issued the guidance COSO in the Cyber Age, a portion of which provides a methodology for identifying risks (including cyber risks) in information systems.[22] After cyber risks are identified, controls can be designed to mitigate them. The methodology follows:

Identify critical information systems.

•  Identify information categories based on business and organization objectives using the following as a guide:
   –  Corporate policies
   –  Industry standards (e.g., ISO)
   –  Regulatory requirements
   –  Business objectives
   –  Intellectual property
   –  Financials
   –  Customer or employee data
•  Identify where information exists.
   –  Identify how information is collected, used, transferred, stored, and archived.
   –  Identify business, system, and application owners for information assets.
   –  Create data flows to understand how information moves within business processes, systems, and applications.
•  Understand risks associated with the information system.
   –  Analyze asset inventories and data flows to control risks.
   –  Assess the likely perpetrators of cyberattacks and their likely attack methods.
   –  Identify controls to address identified risks based on the risk profile of the process, system, or application.



Control activities principle 12: Deploys through policies and procedures

The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

            The following six points of focus emphasize important characteristics relating to this principle:

•  Point of focus — Establishes policies and procedures to support deployment of management’s directives

[22] https://www.coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf

            © 2020 Association of International Certified Professional Accountants. All rights reserved.    5-19