assessment, the practitioner will obtain an understanding of the entity’s cybersecurity risk
               management policies, processes, and controls; review the entity’s description of its cybersecurity risk
               management program using the description criteria; conduct a gap analysis and identify any control
               gaps; and provide recommendations to remediate any control gaps identified.
              Security risk assessment. The practitioner identifies possible threats to the organization’s business
               and the mitigations; gains an understanding of cybersecurity governance, processes and technology,
               as well as critical information assets; and addresses cybersecurity risk in the context of business risk
               and use generally accepted security controls frameworks such as NIST CSF, ISO 27001, Federal
               Financial Institutions Examination Council’s Cybersecurity Assessment Tool, and the like. During a
               security risk assessment, the practitioner will analyze critical assets that store or transmit sensitive
               data; identify security requirements and potential threats; ensure compliance with regulatory
               administrative, physical, and technical safeguards; determine infrastructure, systems, and process
               vulnerabilities; and review areas where essential information could be at risk, including PII, PHI, and
               credit card data.
              Security policy plan and development. The practitioner drafts or updates new security policies and
               plans and establishes a secure foundation while meeting organizational objectives and regulatory
               requirements. This type of service involves the practitioner visiting the organization and meeting with
               various IT and information security experts, confirming the organization’s compliance requirements,
               target areas, and risk threshold, and reviewing existing policies against industry and compliance best
               practices. The practitioner will also recommend policy and procedural improvements that address
               compliance needs and mitigate risk to an acceptable level; write policies and plans; and suggest
               additional policies for the organization to consider implementing.
              Identity and access management (IAM) consulting. This practitioner assists in the design, planning,
               and integration of various technologies such as single-sign-on (SSO), federation, and password
               management. This service includes IAM strategy evaluation and business process development;
               reducing business risk and managing access through privileged access management; and support
               for on-premise and cloud IAM solutions including design, investigation, and operational governance.
              Data loss management and prevention. The practitioner assists in developing a strategy for ensuring
               that end users do not send sensitive or critical information outside the corporate network and helps
               enterprises discover, monitor, and secure data to prevent exfiltration and ensure regulatory
               compliance. This service includes consulting to define data loss management program, policies, and
               procedures and to determine data loss management and data loss prevention architecture.
              Awareness and phishing training. Training services that address technical and human elements to
               ensure that the organization is operating in a secure environment. This service could include phishing
               simulations, in which test phishing emails are sent to an organization’s employees to determine how
               well employees react.
              Vulnerability assessment. A comprehensive view of potential security flaws in an environment by
               looking for misconfigurations, unpatched services, open ports and other architectural mistakes. This
               assessment should result in a detailed report of identified vulnerabilities, in order of how critical they
               are, along with a remediation plan for those vulnerabilities, complete with detailed steps. Automated
               tools are leveraged to identify vulnerabilities.
              Penetration testing. Find the weaknesses in a system before a malicious actor does, using
               knowledgeable testers and automated tools to identify paths vulnerable to exploitation, and provide
               recommendations for how to remediate them. An internal penetration takes place from a trusted
               network connection inside the organization’s network; an external penetration test takes place over
               the public internet. This service includes practitioners attacking the organization’s network (with
               permission), and simulating what actual attackers would attempt. The practitioner operates under a
               terms of engagement protocol that stipulates what can be done and when they must stop.





            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-30