Page 38 - CITP Review
assessment, the practitioner will obtain an understanding of the entity’s cybersecurity risk
management policies, processes, and controls; review the entity’s description of its cybersecurity risk
management program using the description criteria; conduct a gap analysis and identify any control
gaps; and provide recommendations to remediate any control gaps identified.
Security risk assessment. The practitioner identifies possible threats to the organization’s business
and the corresponding mitigations; gains an understanding of cybersecurity governance, processes,
and technology, as well as critical information assets; and addresses cybersecurity risk in the context
of business risk, using generally accepted security controls frameworks such as the NIST
Cybersecurity Framework (CSF), ISO/IEC 27001, the Federal Financial Institutions Examination
Council’s Cybersecurity Assessment Tool, and the like. During a security risk assessment, the
practitioner will analyze critical assets that store or transmit sensitive data; identify security
requirements and potential threats; ensure compliance with regulatory, administrative, physical, and
technical safeguards; determine infrastructure, system, and process vulnerabilities; and review areas
where essential information could be at risk, including personally identifiable information (PII),
protected health information (PHI), and payment card data.
Security policy plan and development. The practitioner drafts new or updates existing security
policies and plans, establishing a secure foundation while meeting organizational objectives and
regulatory requirements. This type of service involves the practitioner visiting the organization and
meeting with IT and information security personnel; confirming the organization’s compliance
requirements, target areas, and risk threshold; and reviewing existing policies against industry and
compliance best practices. The practitioner will also recommend policy and procedural improvements
that address compliance needs and mitigate risk to an acceptable level; write policies and plans; and
suggest additional policies for the organization to consider implementing.
Identity and access management (IAM) consulting. The practitioner assists in the design, planning,
and integration of technologies such as single sign-on (SSO), federation, and password management.
This service includes IAM strategy evaluation and business process development; reducing business
risk by controlling access through privileged access management (PAM); and support for on-premises
and cloud IAM solutions, including design, investigation, and operational governance.
Data loss management and prevention. The practitioner assists in developing a strategy for ensuring
that end users do not send sensitive or critical information outside the corporate network, and helps
enterprises discover, monitor, and secure data to prevent exfiltration and ensure regulatory
compliance. This service includes consulting to define a data loss management program, policies, and
procedures, and to determine the data loss management and data loss prevention (DLP) architecture.
Awareness and phishing training. Training services that address the technical and human elements
needed for the organization to operate in a secure environment. This service could include phishing
simulations, in which test phishing emails are sent to an organization’s employees to measure how
they respond, for example whether they click the link, enter credentials, or report the message.
Vulnerability assessment. A comprehensive view of potential security flaws in an environment,
obtained by looking for misconfigurations, unpatched services, open ports, and other weaknesses. This
assessment should result in a detailed report of identified vulnerabilities, ranked by severity, along
with a remediation plan for those vulnerabilities, complete with detailed steps. Automated scanning
tools are used to identify vulnerabilities; unlike a penetration test, a vulnerability assessment
generally does not attempt to exploit them, so findings should be validated for false positives before
remediation effort is assigned.
Penetration testing. Find the weaknesses in a system before a malicious actor does, using
knowledgeable testers and automated tools to identify paths vulnerable to exploitation, and provide
recommendations for how to remediate them. An internal penetration test takes place from a trusted
network connection inside the organization’s network; an external penetration test takes place over
the public internet. This service involves practitioners attacking the organization’s network (with
permission) and simulating what actual attackers would attempt. The practitioner operates under
agreed rules of engagement that stipulate what may be done, against which systems, and when
testing must stop.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-30