Mind the GAAP: A Lens for Understanding the Importance of the CIS Controls

Image

Given that attacks are only increasing and there needs to be greater efficacy in how companies protect themselves, let us reference how the financial industry has created and relies on a body of standards to address issues in financial accounting as a defined comparison for Information Security.

To support this argument, there is a defined contrast between information security and Generally Accepted Accounting Principles.

We’ll explore this relationship in more detail below. First, we’ll provide an overview of GAAP.

What Are Generally Accepted Accounting Principles?

According to Investopedia, the Generally Accepted Accounting Principles (GAAP) are a set of accounting principles, standards and procedures issued by the Financial Accounting Standards Board (FASB). They provide commonly accepted ways of recording and reporting accounting information. They also seek to standardize and regulate the definitions, assumptions and methods used in accounting across all industries.

Public companies in the United States must follow GAAP when their accountants compile their financial statements.

These 10 general concepts can help you remember the main mission of GAAP:

1. Principle of Regularity: The accountant has adhered to GAAP rules and regulations as a standard.
2. Principle of Consistency: Accountants commit to applying the same standards throughout the reporting process from one period to the next in order to ensure financial comparability between periods. Accountants are expected to fully disclose and explain the reasons behind any changed or updated standards in the footnotes to the financial statements.
3. Principle of Sincerity: The accountant strives to provide an accurate and impartial depiction of a company’s financial situation.
4. Principle of Permanence of Methods: The procedures used in financial reporting should be consistent to allow for a comparison of the company's financial information.
5. Principle of Non-Compensation: Both negatives and positives should be reported with full transparency and without the expectation of debt compensation
6. Principle of Prudence: This emphasizes fact-based financial data representation that is not clouded by speculation.
7. Principle of Continuity: While valuing assets, it should be assumed the business will continue to operate.
8. Principle of Periodicity: Entries should be distributed across the appropriate periods of time. For example, revenue should be reported in its relevant accounting period.
9. Principle of Materiality: Accountants must strive to fully disclose all financial data and accounting information in financial reports.
10. Principle of Utmost Good Faith: Derived from the Latin phrase “uberrimae fidei” that’s used within the insurance industry, this principle presupposes that parties will remain honest in all transactions.

GAAP helps to ensure a company's financial statements are complete, consistent and comparable. In doing so, it creates true meaning in what is being reported because there are specific controls around it. A public company cannot just give numbers to give numbers. It must be able to defend them and stand by them for their quarterly results, for their expectations on Wall Street. This makes it easier for investors to analyze and extract useful information from the company's financial statements including trend data over time.

What Are the CIS Controls?

We don’t just have controls to facilitate transparent financial reporting. We also have very specific controls that we adhere to in terms of what we can do in information security. If something like a data breach happens, organizations can point to those controls as proof that they took proper safeguards to protect their corporate and customer information.

One of the most well-known set of controls in the information security space is the Center for Internet Security’s Critical Security Controls (CIS CSC). These 20 measures can help to prevent most digital attacks by helping organizations focus on security best practices. As an example, here are the first six CIS CSC:

1. Inventory and Control of Hardware Assets: Organizations first need to know what hardware is on their network before they can protect it. That’s why it’s important for them to use active and passive asset discovery tools to build a network map.
2. Inventory and Control of Software Assets: Like the above step, organizations need to have an updated inventory of what software they have installed on their network devices. They can ultimately use that knowledge to root out unapproved software.
3. Continuous Vulnerability Management: Once they have a list of approved assets, organizations can use continuous vulnerability management to prioritize known vulnerabilities and develop a remediation schedule for those weaknesses.
4. Controlled Use of Administrative Privileges: In the wrong hands, admin credentials can allow attackers to gain access to sensitive parts of the network. That’s why organizations need to have an inventory of these details.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers: A change in a file or system could be evidence of an ongoing security incident. Organizations therefore need to monitor the configurations for their assets so that they can act on configuration drift and return their tools to their secure baseline states as soon as possible.
6. Maintenance, Monitoring and Analysis of Audit Logs: All network activity shows up in the audit logs. Organizations can use these records to detect suspicious activity while it’s in progress, to perform maintenance on malfunctioning assets and/or to gather evidence after a security incident has occurred.

Fortunately, organizations don’t need to implement these controls on their own. Tripwire recognizes the importance of standards such as GAAP and CIS. That’s why it’s designed its tools to help organizations provide coverage of many of the CIS CSC. Its solutions help organizations to know what they have (in accordance with CSC 1 and 2), maintain secure hardware and software configurations (CSC 5), monitor vulnerability risk and control admin privileges (CSC 3 and 4) as well as collect and retain logs in a centralized repository (CSC 6).

More information on how Tripwire aligns with CIS CSC is available here.