"March 3, 2016, 700 current and former Snapchat employees had their personal information stolen when hackers used a phishing scam to trick an employee into emailing them the private data."
"September 22, 2016: Yahoo announced that a hacker had stolen information from a minimum of 500 million accounts in late 2014. The thief, believed to be working on behalf of a foreign government, stole email addresses, passwords, full user names, dates of birth, telephone numbers, and, in some cases, security questions and answers."
According to a 2015 study conducted by the Ponemon Institute, the frequency of attacks against the cyber infrastructures of global governments and commercial enterprises continues to grow. These attacks can include stealing an organization's intellectual property, confiscating online bank accounts, creating and distributing computer viruses, posting confidential business information on the Internet, and disrupting a country's critical national infrastructure. Ultimately, cybersecurity has become a key part of a corporation's internal control.
Cybersecurity is the set of processes, best practices, and technology that protects critical infrastructure such as networks and databases from accidental or intentional damage due to attacks, unauthorized access, or natural disasters. There are several types of cybersecurity: operational security, data security, application security, network security, cloud security, and payment card industry (PCI) data security.

In particular, a cloud service is a service provided on the basis of cloud computing, a model for enabling convenient, on-demand, and configurable computing resources such as servers, file storage, applications, and services. In terms of cloud security, an organization's scope of and control over the cloud computing environment depend on the type of cloud service model.
| Type of service model | Infrastructure-as-a-service (IaaS) | Platform-as-a-service (PaaS) | Software-as-a-service (SaaS) |
|---|---|---|---|
| Scope | A model of service delivery where the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service. | A model of service delivery where the computing platform is provided as an on-demand service upon which applications can be developed and deployed. | A model of service delivery where one or more applications are provided for use on demand. |
| Control | Security provisions beyond the basic infrastructure are carried out mainly by the cloud consumer. | Security provisions are split between the cloud provider and the cloud consumer. | Security is the cloud provider's responsibility, and the cloud consumer does not control the underlying cloud infrastructure or individual applications. |
Cloud security advantages and disadvantages

Advantages: Although there are data security challenges unique to cloud computing, improvements are continuously made, enabling organizations to enjoy security and privacy benefits by transitioning to a public cloud computing environment.
(a) Staff specialization
(b) Platform strength
(c) Resource availability
(d) Backup and recovery
(e) Mobile endpoints
(f) Data concentration

Disadvantages: Cloud computing has several disadvantages over traditional data centers.
(a) System complexity
(b) Shared multitenant environment
(c) Internet-facing services
(d) Loss of the organization's direct control
AICPA Cybersecurity standards

On April 26, 2017, the AICPA introduced a market-driven, flexible, and voluntary cybersecurity risk management reporting framework. The new framework will enable all organizations in industries worldwide to take a proactive and agile approach to cybersecurity risk management and to communicate on those activities with stakeholders.

The Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy are:
(1) Established by the Assurance Services Executive Committee (ASEC) of the AICPA,
(2) May be used when evaluating the design and operating effectiveness of relevant controls of one or more systems or types of information processed, and
(3) Organized consistent with COSO's Internal Control—Integrated Framework (COSO).
Source: Becker Professional

※ The tax, accounting, or tech business information above is for your reference and is not legally binding.