
Information Security Management in a COVID-19 World

Source: original to this site | Views: | Published: 2020/10/10 14:11:16

Despite the operational challenges resulting from COVID-19, information security’s prime objective remains enabling an organization to achieve its goals within its risk appetite. Today, organizations of all types are reconfiguring their service and product delivery strategies to both serve customers safely and obtain cost savings. Through this transition, SMEs must continue to mitigate the risks that existed before the arrival of COVID-19. For SMEs in regulated industries, this also includes the continued adherence to regulatory requirements. Those organizations accepting electronic payments, including credit cards, must also comply with applicable rules, including the Payment Card Industry Standard.


To survive, many organizations will need to alter their methodologies. Many SMEs already faced challenges in responding to the increasing use of emerging technologies confronting traditional business models and services. These developments impacted the expectations of employees, customers, and suppliers. Unfortunately, they will need to adopt emerging technologies and change their service models more rapidly. At a minimum, this would include reconsidering the effectiveness of existing technology investments and the ability of stakeholders to use existing assets to drive value for the organization.


These developments necessitate the calibration of risk strategies and even risk tolerances with the reality of different customer expectations in the new environment. For example, consumers prize and appreciate electronic-based transactions rather than in-person transactions. When in-person interaction is required, video and other electronic modes of communication will be favored. Yet many SMEs, even if they did have an information security program, did not consider the relevant threats that have resulted from COVID-19. Although many SME executives recognize the privacy implications of maintaining and transacting data, they may not realize the need to protect the ever-growing storage of video-based information. SMEs will face additional technology risk as remote solutions for workers and vendors become part of the new mode of operation.


The new environment requires that SMEs strengthen and change their information security management programs to enhance the organization’s resiliency yet protect the assets entrusted to it. These asset protection strategies should include both electronic and physical protection of their people, processes, and technologies. The organization’s viability will significantly rely on the program’s ability to adapt to changing conditions and its effectiveness in helping it achieve desired objectives. That is why, as part of their COVID-19 recovery strategies, many SMEs are revisiting their Information Security Programs, emphasizing both resiliency and facilitation.


The program should address efforts to learn where sensitive data exists, where it flows, and with whom it is shared. Unknown data is unprotected data. The potential for regulatory sanction is high, regardless of industry, as regulators can interrupt a business’s operations or halt its growth. Financial professionals should evaluate critical business partners who represent risk and may incur liability or reputational damage.


For an SME to get the most value from investments in security tools, it is vital that any metrics it develops are actionable and provide guidance for investigating and mitigating any identified anomalies. It is also helpful to implement an automated Security Incident Event Monitor (SIEM) to capture and triage the large volume of alerts. Monitoring through a SIEM is often outsourced to Managed Security Service Providers (MSSPs) that specialize in this area. The MSSP often uses artificial intelligence to learn an organization’s network topology and correctly identify anomalous traffic. Should an SME identify or suspect a potential cyber-incident, the U.S. Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber-Incidents” provides best practices and an incident preparedness checklist to help the SME navigate these problems.
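As an added illustration (not from the original article) of the difference between raw alert volume and an actionable metric: a small Python triage routine over constructed SIEM alerts that collapses duplicates into incidents, attaches an owner and next step from a hypothetical playbook, and reports the one gap a manager can act on, namely detections that fire but have no defined response.

```python
from datetime import datetime

# Constructed sample SIEM alerts (not real data); each dict is one raw alert.
ALERTS = [
    {"ts": "2020-10-10T09:00:00", "host": "vpn-gw-1", "rule": "auth_failure_burst", "sev": "high"},
    {"ts": "2020-10-10T09:00:30", "host": "vpn-gw-1", "rule": "auth_failure_burst", "sev": "high"},
    {"ts": "2020-10-10T09:01:00", "host": "vpn-gw-1", "rule": "auth_failure_burst", "sev": "high"},
    {"ts": "2020-10-10T09:05:00", "host": "fileshare-2", "rule": "bulk_download", "sev": "medium"},
    {"ts": "2020-10-10T09:20:00", "host": "hr-db-1", "rule": "new_admin_account", "sev": "high"},
    {"ts": "2020-10-10T10:00:00", "host": "laptop-17", "rule": "av_signature_update", "sev": "info"},
    {"ts": "2020-10-10T10:02:00", "host": "laptop-17", "rule": "av_signature_update", "sev": "info"},
]

# Hypothetical playbook: rule -> (first investigation step, owner); a rule missing here is unactionable.
PLAYBOOK = {
    "auth_failure_burst": ("Confirm the lockout source with the user; block it if unknown", "IT helpdesk"),
    "bulk_download": ("Verify business need with the data owner; review share permissions", "Data owner"),
}

def triage(alerts):
    """Collapse repeated alerts (same host and rule) into one incident with a count and time span."""
    incidents = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        inc = incidents.setdefault((a["host"], a["rule"]), {
            "host": a["host"], "rule": a["rule"], "sev": a["sev"], "count": 0, "first": ts, "last": ts})
        inc["count"] += 1
        inc["last"] = ts
    return list(incidents.values())

def actionable_report(alerts):
    """Build a work queue (owner + next step per incident) and metrics that say what to fix."""
    incidents = triage(alerts)
    queue, unowned = [], set()
    for inc in incidents:
        if inc["sev"] == "info":
            continue  # informational events are retained for forensics, not worked as incidents
        step, owner = PLAYBOOK.get(inc["rule"], (None, None))
        if step is None:
            unowned.add(inc["rule"])  # actionability gap: a detection with no defined response
        queue.append({**inc, "next_step": step, "owner": owner})
    queue.sort(key=lambda q: ({"high": 0, "medium": 1}.get(q["sev"], 9), q["first"]))
    metrics = {
        "raw_alerts": len(alerts),                    # volume alone says nothing
        "incidents_to_work": len(queue),              # what the team actually has to do
        "dedup_ratio": round(len(alerts) / max(len(incidents), 1), 2),  # noise reduction
        "rules_without_playbook": sorted(unowned),    # concrete gap to close
    }
    return queue, metrics
```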



Original editing: ICPA China Office
