Cyber security framework

The Cyber Security Framework guides the overall Cyber Security Program at CPA Global by drawing on business drivers and treating cyber security risks as part of the overall risk management process. It also provides governance and structure to cyber security management by bringing together cyber security policies, standards, guidelines, and practices.

The Cyber Security Framework applies equally to all CPA Global office locations and users worldwide, including employees, contractors, vendors, service providers, partners, affiliates, and third parties.

[Figure: CyberSecurityFramework1.png]

Objective

The Cyber Security Framework guides the overall cyber security program at CPA Global with the objectives to:

  • Align cyber security initiatives to business objectives;
  • Establish cyber governance to support cybersecurity initiatives;
  • Determine current and target cyber security posture;
  • Establish cybersecurity priorities;
  • Provide cyber assurance; and
  • Communicate cyber risks among internal and external stakeholders

The Framework relies on leading cyber security standards and guidelines (NIST, ISO 27001, etc.) to enable the adoption of established, effective cyber security practices. The Framework is also technology neutral and promotes extensibility and technical innovation.

Key Performance Indicators

The key performance indicators of Cyber Security Framework are:

  • Compliance with audits, standards and regulations
  • Cybersecurity incidents and events
  • Controls effectiveness
  • Overall cyber risk score against emerging cyber threats

Core Components

The Cyber Security Framework is structured into the following four core components:

[Figure: CyberSecurityFramework2.png]

I. Organizational Parameters:
Organizational Parameters comprise the components that ensure the Cyber Security Program is aligned with business strategy, objectives, enterprise risks, compliance obligations and client/market requirements. They establish the alignment of cyber security initiatives with business requirements through Organizational Drivers, Enterprise Risk Management and Cyber Risk Reporting.

II. Cybersecurity Governance: 
Cybersecurity Governance monitors the operationalization of the policies and procedures that have been developed. It ensures that processes are in place to keep cyber security initiatives compliant with applicable privacy laws and regulations, and to assess implementation of the Framework. The two bodies responsible for cyber security governance are the cyber security council and the cyber security team.

III. Cyber Security Principles: 
The Cyber Security Principles that guide the implementation of cyber security activities, by organizing information, enabling risk management, addressing threats and enabling continuous learning from cyber threats and events, are Identify, Protect, Detect, Respond and Recover. The key activities covered under each principle include:

  • IDENTIFY – Identification of critical information assets (“Crown Jewels”), cyber risk assessment, asset management and supply chain risk management activities.
  • PROTECT – Security by design, secure access management, cyber defense technologies, data security and protection, cyber security policies and procedures (including personnel and physical security), security standards and certifications (ISO 27001, SOC 2), and cyber awareness and training programs.
  • DETECT – Continuous security monitoring, detection technologies, and management of cyber security events and exceptions.
  • RESPOND – Business continuity management, cyber incident response management, cyber investigations and cyber improvements.
  • RECOVER – Disaster recovery capabilities, including their testing, and cyber communications (internal and external).

IV. Cyber Security Assurance and Transformation:
This component covers the execution of the cyber security principles and related cyber activities so that an adequate security posture is maintained and existing cyber capabilities are enhanced. Cyber Assurance includes Secured Development, Hosting, Operations and Maintenance, the Information Security Management System (ISMS), SOC 2 attestations, security testing, Cyber Security Risk Assessment and KPI reporting.

Cyber Transformation covers self-assessment, driven by business needs and requirements, of the current and target cyber security maturity levels; prioritization of cyber security improvement areas; and the Cyber Security Roadmap.