Cybersecurity objectives
Businesses must address these risks and implement security measures to protect their information assets and ensure their enterprises’ ongoing viability.
Management objectives
As outlined in appendix II, the AICPA developed a cybersecurity reporting framework that organizations can use to demonstrate the extent and effectiveness of an entity’s cybersecurity risk management programme to key stakeholders. A critical element of any cybersecurity risk management programme is management's formulation of objectives.
Management establishes cybersecurity objectives addressing cybersecurity risks that could affect achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). Cybersecurity objectives vary depending on the environment in which the entity operates, the entity’s mission and vision, management’s established overall business objectives, risk appetite, and other factors.
Key cybersecurity objectives outlined in the AICPA's framework resource, Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program, include:
Availability. Enabling timely, reliable, and continuous access to and use of information and systems
Confidentiality. Protecting information from unauthorised access and disclosure, including means for protecting proprietary information and personal information subject to privacy requirements
Integrity of data. Guarding against improper capture, modification, or destruction of information
Integrity of processing. Guarding against the improper use, modification, or destruction of systems
Data backup objectives
Data backup objectives are commonly referred to as the “CIA” of cybersecurity — confidentiality, integrity, and availability. In this era with an extensive market for personal information on the dark web, along with the proliferation of ransomware attacks, ensuring data availability is key. Although you may not be able to totally prevent a breach, if you back up your data, you may not have to consider paying a ransom. Because breaches can sometimes go undetected for quite some time, it is important to have multiple versions of backups, with some backups being stored off-site to preclude ransomware attackers from encrypting backup files as well as currently active files.
One common method for maintaining data backup files is the 3-2-1 model. This model suggests that you need three copies of your data, two of which are backups on different media, with one being stored offsite.
See appendix III for a summary of key steps to take in the event of a ransomware attack, which include immediately isolating infected systems to minimise the impact.
Data backup 3-2-1
3 — Production copy plus two backups
2 — Backup copies on two different media
1 — Backup copy off-site
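The 3-2-1 rule and the point about retaining multiple backup versions can be expressed as a checklist that an inventory of backup copies is scored against. The script below is an added example, not part of the AICPA material; the inventory records, media labels, dates, and the thresholds of three retained versions spanning thirty days are constructed assumptions chosen to illustrate the rule, not figures from the framework.

```python
"""Score a backup inventory against the 3-2-1 rule plus a version-history check.

Added example (not from the AICPA framework). The copies, media names, dates and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # storage medium label, e.g. "disk", "tape", "object-storage"
    offsite: bool       # True if the copy lives outside the production site
    versions: tuple     # dates of the snapshots this copy still retains


def check_321(backups, min_versions=3, min_history_days=30):
    """Return (passes, findings) for a set of backup copies.

    The production copy is implied, so `backups` holds only the backup copies.
    `min_versions` / `min_history_days` are assumed thresholds: an intrusion can
    sit undetected for weeks, so the off-site copy must still hold snapshots
    that predate a possible compromise rather than mirroring encrypted files.
    """
    findings = []

    # "3": production copy plus at least two backup copies.
    copies = 1 + len(backups)
    if copies < 3:
        findings.append(f"only {copies} copies in total; need production plus two backups")

    # "2": the backup copies must sit on two different media.
    media = {b.media for b in backups}
    if len(media) < 2:
        found = ", ".join(sorted(media)) or "none"
        findings.append(f"backups use a single medium ({found}); need two different media")

    # "1": at least one backup copy is kept off-site.
    offsite = [b for b in backups if b.offsite]
    if not offsite:
        findings.append("no backup copy is stored off-site")

    # Version history on the off-site copies (multiple versions, not just the latest).
    for b in offsite:
        if len(b.versions) < min_versions:
            findings.append(f"{b.name}: only {len(b.versions)} retained version(s); want >= {min_versions}")
        elif max(b.versions) - min(b.versions) < timedelta(days=min_history_days):
            findings.append(f"{b.name}: version history spans less than {min_history_days} days")

    return (not findings, findings)


# Constructed inventories for demonstration.
TODAY = date(2024, 6, 1)

COMPLIANT_SET = (
    BackupCopy("nightly-disk", "disk", False,
               tuple(TODAY - timedelta(days=i) for i in range(7))),
    BackupCopy("weekly-tape-vault", "tape", True,
               tuple(TODAY - timedelta(days=7 * i) for i in range(6))),
)

# One extra copy on the same NAS: same medium, same site, single version.
WEAK_SET = (
    BackupCopy("same-nas-copy", "disk", False, (TODAY,)),
)

# Meets 3-2-1 on paper, but the off-site copy is a sync holding only two days of history.
SHORT_HISTORY_SET = (
    BackupCopy("nightly-disk", "disk", False,
               tuple(TODAY - timedelta(days=i) for i in range(7))),
    BackupCopy("cloud-sync", "object-storage", True,
               (TODAY, TODAY - timedelta(days=1))),
)


if __name__ == "__main__":
    for label, backups in (("compliant", COMPLIANT_SET),
                           ("weak", WEAK_SET),
                           ("short-history", SHORT_HISTORY_SET)):
        ok, findings = check_321(backups)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

The history check deliberately applies to the off-site copies only: they are the ones a ransomware operator cannot reach from the production network, so they are the ones that must still hold a clean, older version when the compromise is finally noticed.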