Cybersecurity threats, defense layers, COSO framing, and zero-trust concepts.
This chapter introduces the security environment that underlies later privacy, incident-response, and control-testing topics. ISC emphasizes how threats, control objectives, and layered safeguards fit together in a CPA-relevant way.
Cybersecurity questions usually require matching a threat to a control objective. A safeguard is only persuasive when it addresses the attack path, asset sensitivity, trust boundary, or monitoring need in the fact pattern.

| Security issue | What to identify first | Common ISC trap |
|---|---|---|
| Threat actor or vector | Who is attacking, what path is used, and what asset is exposed. | Choosing a control before identifying the risk scenario. |
| Defense in depth | Which preventive, detective, and corrective layers work together. | Treating one strong control as enough for the whole environment. |
| COSO framing | How cyber risk maps to control environment, assessment, activities, information, and monitoring. | Describing technology without connecting it to control objectives. |
| Zero trust | Whether identity, device, access, segmentation, and verification reduce implicit trust. | Using zero-trust language without changing access or monitoring practices. |

| Step | ISC question to ask | Control implication |
|---|---|---|
| 1. Identify the asset and threat | What data, system, process, or service is exposed, and who or what threatens it? | Control selection should begin with the risk scenario, not with a favored tool. |
| 2. Trace the attack path | How could access, exploitation, movement, disclosure, or disruption occur? | The path reveals where preventive and detective safeguards belong. |
| 3. Match layered safeguards | Which administrative, technical, and physical controls work together? | Defense in depth reduces reliance on a single point of failure. |
| 4. Apply trust minimization | Which identities, devices, sessions, and network paths require verification or segmentation? | Zero-trust logic is practical only when it changes access and monitoring behavior. |
| 5. Monitor and adjust | What logging, incident response, and governance feedback show whether the controls work? | Cybersecurity control effectiveness depends on continuing monitoring, not initial design alone. |

| Checkpoint | Ask before selecting a safeguard | Control effect |
|---|---|---|
| Asset sensitivity | What data, system, process, or service needs protection? | The asset determines the seriousness and control objective. |
| Attack path | How could the threat actor gain access, move, disclose data, disrupt service, or evade detection? | Controls should interrupt the actual risk path. |
| Layered response | Which preventive, detective, corrective, administrative, technical, and physical safeguards work together? | Defense in depth avoids dependence on a single control. |
| Trust boundary | Which identities, devices, sessions, networks, and workloads require verification or segmentation? | Zero trust is a design discipline, not just a label. |
| Monitoring evidence | What logs, alerts, incidents, and governance reviews show whether controls remain effective? | Cybersecurity assurance depends on evidence of continuing operation. |
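The "trust minimization" step and the "trust boundary" and "monitoring evidence" checkpoints above both turn on the same point: zero trust only counts if it changes the access decision and leaves evidence. The following added example (written for this page, not part of the study guide) contrasts a perimeter rule that trusts anything on the corporate LAN with a zero-trust rule that verifies identity, session, device, and least-privilege scope on every request and logs each decision; all field names and sample requests are constructed.

```python
"""Perimeter (implicit-trust) decision versus a zero-trust decision that
verifies every request and records the outcome for monitoring.
All names and sample requests below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    source_network: str        # "corp_lan" or "internet"
    identity_verified: bool    # credential checked against the IdP for this request
    mfa_this_session: bool     # second factor completed in this session
    device_compliant: bool     # managed, patched, disk encrypted
    resource: str
    action: str
    granted_scopes: frozenset  # least-privilege entitlements, e.g. {"payroll_db:read"}


AUDIT_LOG: list = []  # monitoring evidence: one record per decision


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy rule: anything already inside the corporate network is trusted.
    Network location stands in for identity, session and device checks."""
    return req.source_network == "corp_lan"


def zero_trust_decision(req: AccessRequest):
    """Every request is verified; network location confers nothing.
    Returns (allowed, reasons); each reason names the layer that stopped it."""
    reasons = []
    if not req.identity_verified:
        reasons.append("identity not verified")
    if not req.mfa_this_session:
        reasons.append("session lacks MFA")
    if not req.device_compliant:
        reasons.append("device non-compliant")
    if f"{req.resource}:{req.action}" not in req.granted_scopes:
        reasons.append("action outside least-privilege scope")
    allowed = not reasons
    # Allow and deny are both logged so monitoring can show the control operating.
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "action": req.action, "allowed": allowed, "reasons": reasons})
    return allowed, reasons


# Constructed sample: a compromised LAN workstation trying to export payroll data
lan_request = AccessRequest("jsmith", "corp_lan", identity_verified=False,
                            mfa_this_session=False, device_compliant=False,
                            resource="payroll_db", action="export",
                            granted_scopes=frozenset({"payroll_db:read"}))
# Constructed sample: a verified remote user on a compliant device reading payroll
remote_request = AccessRequest("jsmith", "internet", identity_verified=True,
                               mfa_this_session=True, device_compliant=True,
                               resource="payroll_db", action="read",
                               granted_scopes=frozenset({"payroll_db:read"}))
```

The perimeter rule admits the compromised LAN request and rejects the verified remote one; the zero-trust rule does the reverse and leaves an audit record either way.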