The Journal Fall 2015 Issue


Cybersecurity Primer

By Sumit K. Pal, CGEIT, CISA, CRISC, Principal


Network outages, data compromised by hackers, computer viruses and other incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications and data networks increase, so do the opportunities for exploitation.

What is Cybersecurity?

Cybersecurity, often used interchangeably with information technology (IT) security although the two are not identical, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.

Why is Cybersecurity Important?

Governments, militaries, corporations, financial institutions, hospitals and businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber-attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.

During a Senate hearing in March 2013, the nation’s top intelligence officials warned that cyber-attacks and digital spying are the top threat to national security, eclipsing terrorism.

Challenges of Cybersecurity

For effective cybersecurity, an organization needs to coordinate its efforts throughout its entire information system. The most difficult challenge in cybersecurity is the ever-evolving nature of the security risks themselves. Traditionally, organizations and governments have focused most of their cybersecurity resources on perimeter security, protecting only their most crucial system components and defending against known threats. Today this approach is insufficient, as threats advance and change more quickly than organizations can keep up with. As a result, advisory organizations promote more proactive and adaptive approaches to cybersecurity. In the same spirit, the National Institute of Standards and Technology (NIST) issued its Cybersecurity Framework in February 2014, which recommends a shift toward detection (continuous monitoring and real-time assessments), response and recovery, based on a data-focused approach to security rather than the traditional perimeter-based model.

Continuous Monitoring

Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of a company’s security risk posture, provides visibility into assets and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.

Managing Cybersecurity

The National Cyber Security Alliance (NCSA), through SafeOnline.org, recommends a top-down approach to cybersecurity in which corporate management leads the charge in prioritizing cybersecurity management across all business practices. NCSA advises that companies must be prepared to “respond to the inevitable cyber incident, restore normal operations, and ensure that company assets and the company’s reputation are protected.” NCSA’s guidelines for conducting cyber-risk assessments focus on five key areas: identifying your organization’s “crown jewels,” the most valuable information requiring protection; identifying the threats and risks facing that information; outlining the damage your organization would incur should that data be lost or wrongfully exposed; detecting any nefarious activity (i.e., a breach) on your network; and responding to any such activity in a timely and appropriate way and recovering from the event. Cyber-risk assessments should also consider any regulations that affect the way your company collects, stores and secures data. Following a cyber-risk assessment, develop and implement a plan to mitigate cyber risk, protect the “crown jewels,” and effectively detect, respond to and recover from security incidents. This plan should encompass both the processes and technologies required to build a mature cybersecurity program. While it may seem like a daunting task, start small and focus on your most sensitive data, scaling your efforts as your cyber program matures.

In today’s environment of widespread cyber-intrusions, advanced persistent threats and insider threats, it is essential for organizations to have real-time accurate knowledge of their enterprise IT security posture so that responses to external and internal threats can be made swiftly.

Cybersecurity Glossary of Terms

Learn cyber speak by familiarizing yourself with cybersecurity terminology.

Active Attack

An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data or its operations.

Blacklist

A list of entities that are blocked or denied privileges or access.

Bot

A computer connected to the Internet that has been covertly compromised with malicious logic so that it performs activities under the remote command and control of an attacker.

Cloud Computing

A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Critical Infrastructure

The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment or any combination of these matters.

Cyberspace

The interdependent network of information technology infrastructures, which includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Digital Forensics

The processes and specialized techniques for gathering, retaining and analyzing system-related data (digital evidence) for investigative purposes.

Enterprise Risk Management

A comprehensive approach to risk management that engages people, processes and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization’s ability to achieve its objectives.

Information Assurance

The measures that protect and defend information and information systems by ensuring their availability, integrity and confidentiality.

Intrusion Detection

The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.
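As a worked illustration of the Intrusion Detection and Continuous Monitoring entries (and of the Whitelist entry further down), here is an added Python example that is not part of the original article. It runs three simple detections, in order, over constructed OpenSSH-style authentication log lines: a sliding-window count of failed logins per source address, a successful login from an address already flagged for brute force, and a successful login from outside an assumed whitelist of trusted networks. The log lines, host name, addresses, the 10.0.0.0/8 trusted network, the 2015 year and the thresholds are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for this example (not taken from the article),
# in the style of OpenSSH authentication messages. Syslog timestamps carry no
# year, so the year is assumed to be 2015.
SAMPLE_LOG = """\
Oct 12 08:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.9 port 50212 ssh2
Oct 12 08:00:03 bastion sshd[1201]: Failed password for root from 203.0.113.9 port 50213 ssh2
Oct 12 08:00:04 bastion sshd[1201]: Failed password for admin from 203.0.113.9 port 50214 ssh2
Oct 12 08:00:06 bastion sshd[1201]: Failed password for admin from 203.0.113.9 port 50215 ssh2
Oct 12 08:00:09 bastion sshd[1201]: Failed password for oracle from 203.0.113.9 port 50216 ssh2
Oct 12 08:00:15 bastion sshd[1202]: Accepted password for admin from 203.0.113.9 port 50220 ssh2
Oct 12 08:05:00 bastion sshd[1203]: Accepted publickey for alice from 10.0.5.23 port 41022 ssh2
Oct 12 08:06:30 bastion sshd[1204]: Failed password for alice from 10.0.5.23 port 41030 ssh2
Oct 12 08:07:00 bastion sshd[1205]: Accepted password for bob from 198.51.100.77 port 33001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed policy (a whitelist): interactive logins are expected only from the
# internal network. Anything else is reported even if it is on no blacklist.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line, year=2015):
    """Return a dict for one auth event, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"],
            "ip": ipaddress.ip_address(m["ip"])}


def is_allowlisted(ip):
    return any(ip in net for net in ALLOWLIST)


def detect(log_text, threshold=5, window_seconds=60):
    """Scan log text in order and return (alert_type, source_ip, user) tuples.

    brute_force               -- >= threshold failures from one IP inside the window
    success_after_brute_force -- an accepted login from an IP already flagged
    login_outside_allowlist   -- an accepted login from outside ALLOWLIST
    """
    alerts = []
    recent_failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged = set()                       # IPs already reported for brute force
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", str(ip), ev["user"]))
        else:
            if ip in flagged:
                alerts.append(("success_after_brute_force", str(ip), ev["user"]))
            if not is_allowlisted(ip):
                alerts.append(("login_outside_allowlist", str(ip), ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run as a script it prints four alerts. The last one, for bob, is the practical difference between the Blacklist and Whitelist entries in this glossary: his address is on no deny list, yet the login is reported because it is not on the allow list of expected sources. In a real monitoring pipeline the same logic would run continuously against a live log feed rather than a static string, which is what the Continuous Monitoring section means by near real-time security status.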

Malware

Software that compromises the operation of a system by performing an unauthorized function or process.

Passive Attack

An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system but does not attempt to alter the system, its resources, its data or its operations.

Penetration Testing

An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.

Phishing

A digital form of social engineering to deceive individuals into providing sensitive information.

Rootkit

A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges and conceal the activities conducted by the tools.

Virus

A computer program that can replicate itself, infect a computer without permission or knowledge of the user and then spread or propagate to another computer.

Whitelist

A list of entities that are considered trustworthy and are granted access or privileges.

To ensure compliance with U.S. Treasury rules, unless expressly stated otherwise, any U.S. tax advice contained in this communication is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.

Internal Control 101

By Beverly H. Linane, CPA, PSA


Internal control is a broad concept involving everything that controls risk to an organization. It is a means by which an organization’s resources are directed, monitored and measured.

It is probably fair to say that many organizations have developed internal control systems that are not effective in reducing risk or that the systems do not function as intended. To achieve a more robust implementation of internal control, look to where the guidance on internal control is found.

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework (the original framework) which has become the most widely used internal control framework not only in the U.S. but in countries and companies around the world. This document defined the internal control framework as having five components: 1) control environment, 2) risk assessment, 3) information and communication, 4) control activities and 5) monitoring.

These components are as fundamental today as when they were originally outlined and remain unchanged. However, in 2014 the original framework was superseded by the 2013 Internal Control – Integrated Framework (the “Framework”) which was created to assist businesses in light of an economy that had become more complex, technologically-driven and global. The Framework acknowledges that internal control is a dynamic and integrated process and that its application is intended for all entities regardless of size and nature. This is accomplished via a principles-based approach that provides flexibility and allows for judgment in its design, implementation and execution by both management and external stakeholders. It incorporates three objectives: operations, reporting and compliance —along with 17 principles which represent the fundamental concept associated with each of the above components.

According to the Framework, everyone in an organization has responsibility for internal control to some extent. However, while the Framework outlines the components, principles and factors necessary for an organization to effectively manage its risks, it is largely silent regarding who is responsible for each specific duty. The result can be either gaps in control or an unnecessary duplication of assigned duties.

To help resolve this issue, a new COSO white paper, “Leveraging COSO Across the Three Lines of Defense,” was published in July 2015. The Three Lines of Defense Model (the “Model”) describes how organizations can better establish and coordinate duties related to risk and control. The Model strives to clarify essential roles and duties across an organization with regard to risk and control. The basic premises are:

  • Senior management and the Board of Directors have the ultimate responsibility for ensuring the effectiveness of governance, risk management and control processes;
  • Risk management is strongest when there are three separate and clearly identified lines of defense. The three groups, who should have clearly defined roles and responsibilities, are those who:
    • Own and manage risk and control (operating management),
    • Monitor risk and control in support of management,
    • Provide independent assurance about effectiveness of control (internal audit);
  • Information should be shared and activities coordinated among each of the lines.

Much has been written about the objectives and functions of internal control. However, the implementation of the Model, when applied to an existing system of internal control, should provide management with tools to ensure that there are no “gaps” in controls and/or any unnecessary duplications of effort. The result is what we call an “efficient and effective” system of internal control.

For more information on ensuring your organization has a proper system of internal control, please contact your local WS+B advisor.



To Uber or Not to Uber – That’s Not the Only Question

By Richard C. Coyne, CPA, Partner


As we continue to rocket into the futuristic technology of the 21st century, one can only guess as to what will be next. If you told me 15 years ago that I could use a phone (without a cord) to get a ride home from the airport (from someone other than a taxi, limo service or a ticked-off relative) — I’d say no way!

Times are changing — Uber and other Transportation Network Companies (TNCs) have entered the transportation market in a huge way. Uber, founded five years ago in San Francisco around a mobile app and a large pool of unknown (and unregulated) drivers, now serves over 300 cities throughout the world. In Pennsylvania alone, across 11 cities, approximately 20,000 drivers will take home more than $100 million.

So what’s the big deal?

Do they work directly for Uber? Are they employees? Are they independent contractors? Should they be regulated the same as Uber’s competitors like taxi and limo services? Are they covered under Uber’s insurance policy? Should the drivers have their own separate policies? And the questions go on and on.

Approximately 20 states and DC have regulations (some including insurance) in place for TNCs. The National Association of Insurance Commissioners (NAIC) has adopted a white paper on the ride-sharing concept entitled, “Transportation Network Company Insurance Principles for Legislators and Regulators.” The paper discusses the evolving “ride-sharing” industry from TNC to the drivers and passengers. Issues such as insurance coverage amounts, types of coverage and potential gaps in coverage are covered along with education relating to these new transportation services. As most of these ride-sharing drivers are not full-time, it seems unnecessary and unfair to have insurance that covers them full-time. The NAIC discusses the California model which splits the ride-sharing process into three periods:

When the driver is looking for a rider, and the smartphone app is on;

After a match has been found, and the driver is on the way to pick up a rider; and

When the driver is transporting the rider to his or her desired location.

There are various combinations of coverage that can be applied to these three periods, and the NAIC suggests that the states consider this model in their regulations.

Some insurers are developing policy endorsements or hybrid insurance products to cover the ride-sharing gaps. Some insurers also liken the ride-sharing need for insurance to the pizza delivery business, where drivers use their own autos for deliveries and carry their own insurance (at minimum levels of coverage) while the business also carries coverage for non-company-owned vehicles. Farmers Insurance Group, USAA, GEICO and a few other insurers have started developing products for TNC drivers.

Be warned the next time you ride-share — you might want to ask, “Are you insured?”

Withum Sounding board

For more information on this topic, check out WS+B’s podcast channel, Withum Sounding Board, at www.withum.com/podcast. Our series of podcasts contain practical audio-based information for today’s on-the-go professional. Segment topics feature important accounting, auditing and tax issues relevant to most businesses and also explore specific niche areas.

Click to hear the Uber podcast.



What You Need to Know About Perpetual Care Cemeteries

By William E. Newman, CPA, Partner


A perpetual care cemetery should be, by the very definition, a cemetery that is in existence forever. However, that is not always the case. One must examine the internal structure of any given perpetual care cemetery.

The first step is to determine whether the cemetery is structured as a for-profit or a not-for-profit organization. Not-for-profit cemeteries are much easier to evaluate in terms of their financial stability, so the likelihood of their actually being perpetual is easier to determine. For-profit cemeteries are essentially businesses, and even though they are subject to the trust fund laws, their financial records are not available to the general public. As a result, their perpetuity is not readily determinable. There are also religious cemeteries that are not subject to any state regulatory laws; however, most religious cemeteries do have and fund maintenance and preservation trust funds. The selection of a mausoleum should follow the same investigation as the selection of a gravesite, since the same risks are present. The following steps can be taken in your evaluation of a final resting place before any purchase:

Not-For-Profit Cemeteries
  • Examine and read all information issued by the cemetery.
  • Visit the cemetery location of your choice, and examine the general condition of the property.
  • Secure a copy of the cemetery’s Form 990 from the GuideStar website, www.guidestar.org.
    • Analyze both the cemetery’s balance sheet and statement of operations, noting the amount of surplus the cemetery has accumulated and the balance in its trust funds. Estimate whether the cemetery could operate from the earnings of the trust funds alone. Also determine whether there is a perpetual care trust fund, keeping in mind that maintenance and preservation trust funds are for the general maintenance and upkeep of the cemetery, while perpetual care funds are restricted to the care of designated interment space.
  • Ask questions of other visitors to the cemetery. They should give you good insight into the overall operation of the cemetery.

For-Profit Cemeteries
  • Examine and read all information issued by the cemetery.
  • Visit the cemetery location of your choice, and inspect the general condition of the property.
  • Visit the cemetery’s website and learn what you can. See whether financial information is listed and/or available.
  • Ask the cemetery whether a copy of its tax return or financial statements is available for examination.
  • Ask about the amounts in its trust funds and whether there is a perpetual care trust fund. If the figures are available, determine whether the amounts in the trust funds are sufficient to generate enough revenue to sustain the cemetery.

In addition to all of the above, secure a copy of your state’s cemetery laws, including its trust fund requirements, to make sure your choice of cemetery is following the state’s mandated laws. Additionally, make sure you know how a cemetery that is abandoned, or that has had its trust funds embezzled, is maintained.

Be careful when choosing your final resting place. If you should need any further assistance with your choice, please do not hesitate to contact William Newman at 609.520.1188 or [email protected].



WS+B Recognized By Industry Publications

WS+B was recently named one of Accounting Today’s 2015 “Best Accounting Firms to Work For.” Accounting Today has partnered with Best Companies Group to identify companies that have excelled in creating quality workplaces for employees.

This survey and awards program is designed to identify, recognize and honor the best employers in the accounting industry, benefiting the industry’s economy, workforce and businesses. The list is made up of 100 companies.

In addition, WS+B has once again been named on INSIDE Public Accounting’s Top 100 Firm ranking list. The firm increased its placement on the 2015 list and is now ranked as number 28. WS+B’s higher position in the IPA Top 100 Firms Rankings for 2015 is based on the firm’s 7.3% increase in net revenues to more than $115 million.

“We are thrilled to have made both lists this year,” says Withum’s Managing Partner and CEO, Bill Hagaman. “The cornerstone of our success is truly the loyal and talented professionals who work here every day. Our firm’s culture and commitment to providing a great working environment allows our professionals to learn and grow in their careers, and also have fun while doing so.”
