The AICPA's Common Criteria list nine categories used to evaluate the Security Trust Services Criteria. Briefly review the attached material on the Common Criteria and use it to perform a quick evaluation of the security breach you have chosen for your research.
Research case: "MGM Resorts security breach 2023" https://techcrunch.com/2023/10/06/mgm-resorts-admits-hackers-stole-customers-personal-data-cyberattack/
Lecture – Unit 7 SOC & Common Criteria (AICPA)
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business
Last Week…
Entering SOC
What SOC is: Service Organization Control (renamed by the AICPA to System and Organization Controls in 2017)
SOC1, SOC2, SOC3 Audit Report Packages
Type I and Type II audits
The Trust Services Criteria
Security
Confidentiality
Processing Integrity
Availability
Privacy
Security TSC and Common Criteria
The Security TSC
The AICPA Trust Services Criteria define five categories (Security, Availability, Processing Integrity, Confidentiality, Privacy) for evaluating an organization's controls in a SOC 2 examination.
HOWEVER, while organizations may pick and choose which SOC 2 Trust Services Criteria they want to include in the scope of their audit…
Every SOC 2 report must include the Security criteria, and the criteria used to test them are known as the Common Criteria.
AICPA’s Common Criteria
Be VERY careful! This is the AICPA's SOC 2 TSC Security Common Criteria; it is NOT the Common Criteria (ISO/IEC 15408) as commonly recognized by the rest of the industry. The AICPA calls the CC series "common" because it applies to all five trust services categories, not only Security.
The AICPA's use of the term "Common Criteria" is still debated, since it causes confusion among industry participants seeking certification.
Do NOT forget the real Common Criteria: https://en.wikipedia.org/wiki/Common_Criteria
AICPA’s Common Criteria
The SOC 2 Common Criteria list, also known as the CC-series, includes nine subcategories:
CC1 — Control environment
CC2 — Communication and Information
CC3 — Risk Assessment
CC4 — Monitoring Activities
CC5 — Control Activities
CC6 – Logical and Physical Access Controls
CC7 – System Operations
CC8 – Change Management
CC9 – Risk Mitigation
CC1 – Control Environment
Control environment: the place where controls live and breathe.
Summary of focuses:
Sets the Tone at the Top
Establishes Standards of Conduct Within the Organization
Establishes Oversight Responsibilities
Establishes Reporting Lines
Establishes Policies and Practices
Evaluates Competence
Enforces Accountability Through Structure, Authorities, and Responsibilities
Considers Excessive Pressures, Rewards, or Disciplines
CC2 – Communication and Information
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
Summary of focuses:
Identifies Information Requirements
Processes Relevant Data Into Information
Communicates Internal Control Information Internally and with the Board of Directors
Communicates with External Parties
Communicates System Objectives and Responsibilities
Communicates Failures, Incidents, Concerns, and Other Matters (e.g., a whistleblower hotline)
CC3 – Risk Assessment
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to those objectives.
Summary of focuses:
Considers the Context (Management's Choice of Structure, Industry Considerations, etc.)
Considers Tolerances for Risk
Considers Operations and Financial Performance Goals
Considers the Risks to Reporting, Compliance, and Operations Objectives
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
CC4 – Monitoring Activities
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Summary of focuses:
Establishes Measurement Instruments and Metrics
Establishes a Baseline Understanding
Integrates with Business Processes (Continuous Monitoring and Improvement)
Performs Periodic Review and Adjustment
Assesses and Communicates Results
Monitors Corrective Actions
CC5 – Control Activities
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Summary of focuses:
Considers Entity-Specific Factors
Determines Relevant Business Processes
Evaluates a Mix of Control Activity Types
Performs in a Timely Manner
Takes Corrective Action
Performs Using Competent Personnel
Reassesses Policies and Procedures
CC6 – Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
Summary of focuses:
Identifies and Manages the Inventory of Information Assets
Restricts Logical and Physical Access where needed
Authenticates Users and Establishes Authorization over Information Asset
Uses Encryption to Protect Data and Protection of Encryption Keys
Removes Access to Protected Assets When Appropriate
CC7 – System Operations
Summary of focuses:
Identifies changes to configurations that result in the introduction of new vulnerabilities (vulnerability management)
Monitors system components and the operation of those components for anomalies
Evaluates security events to determine whether they could have resulted, or have resulted, in a failure
Responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate
CC8 – Change Management
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Focus:
Establishes Procedures to Initiate Changes
Manages Changes Throughout the System Life Cycle
Authorizes, Approves, Tracks, and Documents Changes
Provides for Changes Necessary in Emergency Situations
Monitors for and Detects Unauthorized Changes
CC9 – Risk Mitigation
Identifies, selects, and develops risk mitigation activities for risks arising from potential
Establishes Mitigation Strategies Against Identified Risks
Documents Risk Mitigation Decisions
Considers Mitigation of Risks of Business Disruption
Considers the Use of Insurance to Mitigate Financial Impact Risks
Assesses and Manages Risks Associated with Vendors and Business Partners
SOC and the new CPA Exam
Let’s see the exam blueprint.
AICPA's Common Criteria Analysis – Target 2013 Breach
CC1 — Control environment: The control environment in this case shows weaknesses in third-party vendor management. Fazio Mechanical, a third-party (HVAC) vendor, lacked adequate malware detection, which let the attackers steal its credentials and use them to reach Target's network. Target's control environment did not require its vendors to meet a minimum cybersecurity standard before they were granted network access. Lessons learned: organizations need to set that expectation from the top and assess and improve the cybersecurity posture of their third-party vendors.
CC2 — Communication and Information: There was a breakdown in communication and escalation inside Target. Its FireEye monitoring tool generated alerts about the malware, but they were not escalated and acted on; Target did not respond until the U.S. Department of Justice notified it of the breach in December 2013. The delay shows why defined communication channels and escalation procedures matter when handling security events.
CC3 — Risk Assessment: The breach highlights the importance of a comprehensive risk assessment. Target did not fully assess the risks associated with its third-party vendors, and it did not anticipate the potential impact of a breach on its reputation and financials. Organizations need to conduct thorough risk assessments, including assessing third-party risks, to identify vulnerabilities and potential consequences.
CC4 — Monitoring Activities: The breach suggests that Target's monitoring activities were inadequate. The malware ran undetected for roughly three weeks (late November to mid-December 2013) while customer card data was exfiltrated. The monitoring tooling itself did fire, so the gap was as much in evaluating and escalating alerts as in detection: continuous monitoring backed by an owned alert-triage process could have detected and contained the breach far earlier.
CC5 — Control Activities: Control activities were lacking in network segmentation and data protection. The vendor-facing system the attackers first reached was not isolated from the payment environment, so they could move laterally to the point-of-sale systems. Proper segmentation (and encryption of card data wherever it is handled) would have limited the attackers' ability to move laterally and reach sensitive customer data.
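The segmentation point above is easiest to see as a reachability question over firewall policy. The following is an added example, not part of the original lecture or analysis and not Target's actual network: it takes a hypothetical set of zones and allow rules and reports (a) any permitted path from the vendor portal zone to the cardholder-data zone and (b) "allow on any port" rules that cross upward in trust. Zone names, trust ranks, and both rule sets are constructed for illustration.

```python
"""Added example: zone-level segmentation check over constructed zones and rules."""
from collections import deque

# Hypothetical zones, ranked by sensitivity (higher = more sensitive).
ZONE_TRUST = {
    "internet": 0,
    "vendor_portal": 1,
    "billing_app": 2,
    "corporate": 2,
    "pos_mgmt": 3,
    "pos_cde": 4,        # cardholder data environment (POS registers)
}

# Allow rules as (source_zone, dest_zone, port); anything not listed is denied.
# Constructed "flat network" rule set: broad any-port allows chain together.
WEAK_RULES = [
    ("internet", "vendor_portal", 443),
    ("vendor_portal", "corporate", "any"),
    ("corporate", "pos_mgmt", "any"),
    ("corporate", "pos_cde", "any"),
    ("pos_mgmt", "pos_cde", "any"),
]

# Constructed segmented rule set: the vendor portal reaches only the billing
# application, and POS is reachable only through a management jump zone on SSH.
HARDENED_RULES = [
    ("internet", "vendor_portal", 443),
    ("vendor_portal", "billing_app", 443),
    ("corporate", "pos_mgmt", 22),
    ("pos_mgmt", "pos_cde", 22),
]


def find_path(rules, src, dst):
    """Breadth-first search over allow rules, ignoring ports: an attacker with a
    foothold in a zone can use any permitted port. Returns the zone list of the
    shortest path, or None when dst is unreachable from src."""
    adjacency = {}
    for s, d, _port in rules:
        adjacency.setdefault(s, set()).add(d)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def broad_escalating_rules(rules):
    """Allow rules that open every port from a less-trusted zone into a
    more-trusted one; these are the rules that make lateral movement cheap."""
    return [r for r in rules
            if r[2] == "any" and ZONE_TRUST[r[1]] > ZONE_TRUST[r[0]]]


def check_segmentation(rules, low_trust="vendor_portal", crown_jewel="pos_cde"):
    """Summarise what an auditor would want to know about one rule set."""
    return {
        "path_to_cde": find_path(rules, low_trust, crown_jewel),
        "broad_rules": broad_escalating_rules(rules),
    }


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, check_segmentation(rules))
```

With the weak rule set the check finds the path vendor_portal -> corporate -> pos_cde and four any-port rules that escalate trust; with the hardened set there is no path from the vendor portal to the cardholder-data zone at all, while administrators can still reach POS through the jump zone. Ports are deliberately ignored in the path search because a single permitted port is enough for an attacker who already holds a foothold.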
CC6 — Logical and Physical Access Controls: The breach highlights the need for stronger logical access controls. The attackers entered Target's network using valid credentials stolen from the vendor, so a password was the only barrier. Strong authentication (multi-factor authentication for vendor and remote access), least-privilege scoping of vendor accounts, and timely removal of access that is no longer needed could have stopped the stolen credentials from being useful.
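To make the CC6 points of focus (authenticates users, restricts logical access, removes access when appropriate) concrete, here is an added example, not part of the original page and not Target's or the vendor's real account data: an access review over a constructed account inventory, plus the authorization decision that makes a stolen password worthless on its own. Account names, group names, and the 90-day dormancy threshold are assumptions for illustration.

```python
"""Added example: access review and MFA-enforcing authorization decision."""
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"domain_admins", "pos_admins"}
VENDOR_ALLOWED_GROUPS = {"vendor_portal"}   # the only scope a vendor should hold
DORMANT_DAYS = 90                            # assumed removal threshold


@dataclass(frozen=True)
class Account:
    name: str
    kind: str              # "employee" or "vendor"
    mfa_enrolled: bool
    groups: tuple
    days_since_login: int
    enabled: bool = True


# Constructed inventory (hypothetical names, not real Target or vendor accounts).
INVENTORY = [
    Account("hvac_vendor_01", "vendor", False, ("vendor_portal",), 3),
    Account("hvac_vendor_02", "vendor", True, ("vendor_portal", "pos_admins"), 12),
    Account("jdoe", "employee", True, ("domain_admins",), 1),
    Account("old_contractor", "vendor", False, ("vendor_portal",), 210),
    Account("asmith", "employee", False, ("pos_admins",), 5),
    Account("retired_svc", "employee", False, ("pos_admins",), 400, enabled=False),
]


def review_access(inventory):
    """Return (account, CC6 point of focus, finding) for every enabled account
    that violates the expectations listed in the lecture."""
    findings = []
    for a in inventory:
        if not a.enabled:
            continue                       # access already removed
        if a.kind == "vendor" and not a.mfa_enrolled:
            findings.append((a.name, "authenticates users", "vendor account without MFA"))
        if a.kind == "vendor" and set(a.groups) - VENDOR_ALLOWED_GROUPS:
            findings.append((a.name, "restricts logical access", "vendor holds groups outside vendor scope"))
        if set(a.groups) & PRIVILEGED_GROUPS and not a.mfa_enrolled:
            findings.append((a.name, "authenticates users", "privileged account without MFA"))
        if a.days_since_login > DORMANT_DAYS:
            findings.append((a.name, "removes access when appropriate", "dormant account, remove access"))
    return findings


def authorize(account, resource, password_ok, mfa_ok):
    """Policy decision for one login plus resource request. A correct password is
    never sufficient by itself for a vendor or for a privileged resource, which
    is exactly what defeats a stolen credential."""
    if not account.enabled or not password_ok:
        return False
    if account.kind == "vendor":
        return resource in VENDOR_ALLOWED_GROUPS and mfa_ok
    if resource in PRIVILEGED_GROUPS and not mfa_ok:
        return False
    return resource in account.groups


if __name__ == "__main__":
    for finding in review_access(INVENTORY):
        print(*finding, sep=" | ")
```

Run against the constructed inventory the review produces five findings, and authorize() refuses a vendor login that presents only a correct password, refuses a vendor reaching pos_admins even though the account (wrongly) holds that group, and refuses a disabled account outright.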
CC7 — System Operations: The breach shows a gap in system operations, since the malware was neither detected as an anomaly on the point-of-sale systems nor removed promptly once alerts existed. Organizations need system operations that monitor components for anomalies, evaluate security events, and execute a defined incident-response program.
CC8 — Change Management: Change management should include security review and testing before changes reach production, and monitoring for unauthorized changes to production systems. In this case, the attackers were able to install malware on point-of-sale systems without it being flagged as an unauthorized change, indicating that integrity monitoring of those systems was missing or ineffective.
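Both the lecture's CC7/CC8 points (identifies configuration changes that introduce vulnerabilities; monitors for and detects unauthorized changes) and the CC8 finding above come down to one control: a trusted baseline of what should be on a production host, compared against what is there. This is an added example, not code from the original page or from Target: it hashes a constructed point-of-sale application tree, records a baseline, then tells an approved change (listed on a hypothetical change ticket) apart from an unauthorized file drop. All file names and contents are constructed.

```python
"""Added example: baseline-and-diff integrity check for unauthorized changes."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path, '/' separators) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_snapshots(baseline, current, approved=frozenset()):
    """Classify added/removed/modified files; any change to a path that is not
    on the approved list (the file list of an authorised change ticket) is
    reported as unauthorized."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    unauthorized = sorted(p for p in added + removed + modified if p not in approved)
    return {"added": added, "removed": removed, "modified": modified, "unauthorized": unauthorized}


def _write(root, rel, data):
    """Helper for the constructed tree: write bytes to root/rel, creating dirs."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed POS application tree, take a baseline, apply one
    approved change and one unauthorized drop, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/pos.exe", b"constructed: legitimate POS binary v1")
        _write(root, "pos.cfg", b"log_level=info\n")
        baseline = snapshot(root)

        # Approved change (the hypothetical ticket lists pos.cfg): logging level raised.
        _write(root, "pos.cfg", b"log_level=debug\n")
        # Unauthorized change: a new binary appears in the application directory.
        _write(root, "bin/svchost_helper.exe", b"constructed: not what the name claims")

        return diff_snapshots(baseline, snapshot(root), approved={"pos.cfg"})


if __name__ == "__main__":
    print(demo())
```

The diff reports pos.cfg as modified but approved, and bin/svchost_helper.exe as an added file with no ticket behind it, which is the signal CC8's "monitors for and detects unauthorized changes" asks for. In practice the baseline hashes would be stored off-host (or signed) so that an attacker with local control cannot rewrite them, and the comparison would run on a schedule or on file-system events rather than once.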
CC9 — Risk Mitigation: The breach underscores the importance of risk mitigation strategies, including incident response plans. Target's initial response was inadequate, and the delay in responding allowed the attackers to exfiltrate data. A well-defined incident response plan could have limited the impact of the breach.
In summary, the Target data breach highlights significant deficiencies in various cybersecurity control categories, including vendor management, communication, risk assessment, monitoring, control activities, access controls, system operations, change management, and risk mitigation. Organizations can learn from this incident by strengthening these controls to better protect against cyber threats and respond more effectively to breaches.