HOW TO PROTECT CONFIDENTIAL INFORMATION AT CA’s OFFICE USING CYBER SECURITY BEST PRACTICES?

CA. A RAFEQ
CA. BABU JAYENDRAN
CA. ANAND JANGID
Overview of Cyber Security best practices
CA A.RAFEQ
What is Cyber Security?

‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized’

http://whatis.techtarget.com/definition/cybersecurity

‘A major part of Cyber Security is to fix broken software’
Need for Cybersecurity
• The recent ransomware attacks have demonstrated need for having an
effective cybersecurity system in place.
• Cybersecurity incidents and breaches are on the rise, despite high
investments in security.
• Enterprise cybersecurity efforts have to be implemented using a holistic
approach with focus on governance, risk and security.
• Understanding cybersecurity-related risks and opportunities is now a
critical component to the oversight, governance, and management
responsibilities for enterprises.
• CAs can guide Enterprise leaders and board members on implementing
the right cybersecurity measures to protect enterprise data.
Why you need to learn Cyber Security?

• IT is a way of life
• Move to Digital is accelerating: Digital is inevitable, Digital is future and Digital is Now!
• E-Commerce, M-Commerce, eBanking, Mobile Banking, online filing, etc.
• Demonetization, GST automation, digital payments, eGovernance, etc.
• Technology push by Government to curb corruption & increase transparency, deliver services.
• DIGITISATION!
Digital Disruption

• Technology is driving rapid transformation in diverse and dynamic ways
• New Business models and information systems are rapidly implemented
• Software-driven information systems are key differentiator for enterprises
• High impact of ever-changing technology on enterprises and professionals
CAs & Cyber Security

• Business Information
• Compliance requirements
• Trusted Custodians
• Fiduciary Responsibility
• Technology Deployed
Framework for Improving Critical Infrastructure Cybersecurity

March 2017

cyberframework@nist.gov
Why does the NIST Cybersecurity Framework matter?
• As cyberattacks become more complex, repelling them becomes more difficult, especially without a single cohesive strategy.
• CSF aims to standardize practices to ensure uniform protection of all US cyber assets.
Who does the NIST Cybersecurity Framework affect?
• The CSF affects anyone who makes decisions about cybersecurity in their organization, and those responsible for implementing new IT policies.
The Cybersecurity Framework...
• Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
• Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
• Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
• Is consistent with voluntary international standards.

The Framework Is for Organizations…

• Of any size, in any sector in (and outside of) the critical infrastructure.
• That already have a mature cyber risk management and cybersecurity
program.
• That don’t yet have a cyber risk management or cybersecurity program.
• Needing to keep up-to-date managing risks, facing business or societal
threats.
• In the federal government, too…since it is compatible with FISMA
requirements and goals.
Cybersecurity Framework Components

• Framework Profile: Aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
• Framework Core: Cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
• Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.
Core: Cybersecurity Framework Component

Function: Identify (What processes and assets need protection?)
  Asset Management: ID.AM
  Business Environment: ID.BE
  Governance: ID.GV
  Risk Assessment: ID.RA
  Risk Management Strategy: ID.RM

Function: Protect (What safeguards are available?)
  Access Control: PR.AC
  Awareness and Training: PR.AT
  Data Security: PR.DS
  Information Protection Processes & Procedures: PR.IP
  Maintenance: PR.MA
  Protective Technology: PR.PT

Function: Detect (What techniques can identify incidents?)
  Anomalies and Events: DE.AE
  Security Continuous Monitoring: DE.CM
  Detection Processes: DE.DP

Function: Respond (What techniques can contain impacts of incidents?)
  Response Planning: RS.RP
  Communications: RS.CO
  Analysis: RS.AN
  Mitigation: RS.MI
  Improvements: RS.IM

Function: Recover (What techniques can restore capabilities?)
  Recovery Planning: RC.RP
  Improvements: RC.IM
  Communications: RC.CO
Core: Cybersecurity Framework Component (drill-down into the Business Environment category, ID.BE)

The Function / Category / ID columns repeat the previous slide; the Subcategories and Informative References shown for ID.BE are:

ID.BE-1: The organization’s role in the supply chain is identified and communicated.
  COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
  ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
  NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
  COBIT 5 APO02.06, APO03.01
  NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
  COBIT 5 APO02.01, APO02.06, APO03.01
  ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
  NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
  ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
  NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established.
  COBIT 5 DSS04.02
  ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
  NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Supporting Risk Management with Framework
Cyber Security Framework Implementation: 7-Step Process

1: Prioritize and Scope
2: Orient
3: Create a Current Profile
4: Conduct a Risk Assessment
5: Create a Target Profile
6: Determine, Analyze, and Prioritize Gaps
7: Implementation Action Plan
CA Firms have to enhance Cyber Security

• Trust in Information & IS: Systems and processes for securing information and related Assets
• Policy: Data Security and Information Protection
• Cyber Security: Enhance Cyber Security by using right knowledge, skills and tools
RBI Guidelines on Cyber Security
The RBI guidance consists of the overall/introductory
framework and guidance and three annexures:
1. An indicative set of baseline cyber security and
resilience requirements.
2. Information on setting up and operationalising a
cyber security operation centre (C-SOC).
3. A template for reporting cyber incidents to the RBI.
How to effectively organise data &
information repository in a CAs office?
CA BABU JAYENDRAN
Sensitive Data in a CAs Office

• Client Data: Financial Information, Bank Statements, Asset Details
• Client Credentials: Login Credentials, Personal Information, Digital Signature
• Organization Data: Clientele Information, Bank Accounts, Email Accounts

Need to Protect Data

• Sensitive & Private Data
• Confidential / Non-Disclosure Covenants
• Avoid Misuse / Abuse
• Professional Ethics
• Compliance with Law
• Limit Liability
• Reputation & Image
Information Technology Law in India
• Privacy Law - IT (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011
• Sensitive Data includes:
• Password
• Bank account / credit & debit card
• Medical records
• Biometric information

• An entity who collects, receives or possesses such information shall provide a Privacy Policy for handling of or dealing in personal information.
• Disclosure to a third party requires the permission of the provider of the information.
• Comply with reasonable security practices and procedures (meet ISO 27001 or equivalent requirements).
• Penalty of up to Rs. 5 Crores for whoever is negligent in safeguarding such information.
Emerging Cyber Risks & Attacks
• Ransomware
• Social Engineering
• Phishing - criminal activity that attempts to fraudulently obtain
sensitive information: email
• Vishing - using the phone to solicit your personal information
• Smishing - uses cell phone text messages to lure consumers
• Malware
• Computer Viruses, Worms, Trojan horses, Spyware, Adware
• designed to interfere with normal computer operation, usually
giving hackers a chance to gain access to your computer and
collect sensitive personal information.
• DDoS - Distributed Denial of Service
• attempt to make an online service unavailable by overwhelming it
with traffic from multiple sources.
• Data Leakage
• The unauthorized transfer of classified information from a
computer or datacenter to the outside world – EMPLOYEES!!!
How to identify a phishing email?
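The slide above gives no checklist, so here is an added example (not part of the original deck) that scores the indicators a reviewer would look for in a suspect message: a Reply-To domain that differs from the sender, urgency or threat wording, and a link whose visible text names a different host than the real href. The two messages and all domains in it are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name claims a bank, Reply-To goes elsewhere,
# the subject pushes urgency, and the visible link text disagrees with the href.
SAMPLE_EMAIL = """From: "State Bank Support" <alerts@sb-secure-login.example>
Reply-To: recover@mailbox-free.example
To: partner@ca-firm.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Click <a href="http://sb-secure-login.example/v">
https://www.onlinesbi.example/login</a> immediately.</p>
"""

# Constructed benign client mail for comparison.
BENIGN_EMAIL = """From: "Ravi" <ravi@client-co.example>
To: partner@ca-firm.example
Subject: GST return working papers
Content-Type: text/plain

Attached are the draft workings for review. Thanks.
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def phishing_indicators(raw: str) -> list[str]:
    """Return the indicators found in a raw RFC 822 message; [] means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_domain = domain_of(msg["From"] or "")
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    if reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search((msg["Subject"] or "") + " " + text):
        found.append("urgency or threat language")
    for href, visible in ANCHOR.findall(text):          # visible text vs. real target
        shown, real = urlparse(visible.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            found.append(f"link text shows {shown} but points to {real}")
    return found
```

Any non-empty result is a reason to stop and verify with the client or bank through a known channel rather than through the message itself.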
Sources of Cyber Risks
• E-mail - Ransomware / Malware / Phishing Attacks
• Software downloads - free utilities / software / apps
• Lack of User Awareness
• Social Media
• Free Downloads / Freebies / Offers
• Carelessness
Governance – Policy, Procedures & Practices
• Set up a Privacy, Backup & Security Policy
• Consider exploring Cloud as Data Storage / Backup Option with auto
sync features
• Microsoft Azure, Amazon Cloud have these options at nominal cost
• Employee / Trainee Awareness & Declaration
• Regular Confirmations from Staff on Confidentiality
• Office Resources not being used for personal purposes
• Unauthorized downloads / website usage prevention
• Client data not kept in private custody
• Internal Checks & Audits
• Client Awareness Workshops / email
Practical Tips for Protection - Organization Perspective
• Use only Licensed Software / Applications
• Disable Admin Access in employee Computers
• Keep anti-virus / malware updated
• Backup the data at least once a week
• Ensure wi-fi is protected and password is frequently changed
• Continuously educate users
• Regularly scan wi-fi to identify the users
• Tools like “Who is on my Wi-Fi” can help
• Download only from authorized websites
• Consider encrypting of critical devices
• McAfee / Kaspersky / Symantec solutions
• Change Passwords Regularly
How to audit cybersecurity risks?
CA. ANAND JANGID
Market Response to Growing Cyber Risks and Assessing Auditor Responsibilities
• Various organisations are issuing guidance to help improve cyber
preparedness:
• FFIEC
• FISMA
• ISACA
• NERC
• NCSC and
• MeiTY in India, ….
IS Auditing Standards
• Provide audit professionals with necessary guidance and
information in this respect. Examples:
• ISO 27001,
• NIST,
• COSO framework,
• COBIT, ….
• Securities regulators
• Securities Exchange Board of India (SEBI) has set up a panel on cyber security to suggest measures to safeguard the capital markets from such attacks.
• Securities Exchange Commission (SEC), US, has stated that “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs”
• Audit committees/Boards are expected to have an appropriate understanding of the business implications of cyber risks.
Assessing Auditor’s Responsibilities
• Primary focus continues to be on access controls and changes to systems and data that would impact the financial statements and the effectiveness of internal control over financial reporting (ICFR).
• Consider whether cyber risk (like other business risks) represents a risk of material misstatement to the financial statement as part of the audit risk assessment activities.
• Focus should be on understanding the cyber risks affecting the entity and the actions being taken to address these risks.
• In relation to cyber security threats which could impact the IT systems of the entity, the key focus for auditors should be on controls and systems which directly impact the data that is used and relied upon in the audit.
• In situations where a material cyber security related breach is discovered, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR.
Cyber Security Breach and Audit Risk Assessment Strategy
Auditor may adopt the following audit risk assessment strategy for cyber risks:
• Obtain a high-level understanding, primarily via inquiry, of the processes and controls implemented by the entity to manage cyber risks
Areas of review
• Privileged account access
• Governance/Risk management program
• Security monitoring/Incident management program
• Security awareness program
• Threat and vulnerability management program
• Patch management program
• Vendor risk management program
• Data classification program
Audit Approach
• Evaluate the information obtained to assess the risk of material misstatement to the financial statements.
• Communicate relevant observations for strengthening the cyber control environment, as appropriate, to the management and Audit Committee.
Suggested approach when a breach occurs
• Gain an understanding of management’s approach to investigating the breach
• Evaluate the actions taken by management in response to the investigation
• Assess the effect of the breach on the audit
Common Areas Exploited in Cyber Attacks
• Let us be pro-active & not reactive
• Let the change begin now
• Invest in tools today for a better tomorrow
• Exercise precaution in the cyber world
• Develop safeguard policies and constantly monitor
• Educate kids, youngsters, family, trainees, employees

“Trust, but ensure you verify!”
Some questions for consideration of the panel
• How to effectively organise the data & information repository in a CAs office?
• How to identify risks and the relevant tools to protect such confidential information?
• What are the best practices, frameworks and regulations relevant to data protection?
• How is SPDI as per the Information Technology Act applicable to CAs?
• How to implement data privacy, in the context of the recent Supreme Court judgement?
• How to implement Cybersecurity to protect confidential information?
Questions?