
      Information Security Management in a COVID-19 World

      Source: original to this site. Published: 2020/10/10 14:11:16

      Despite the operational challenges resulting from COVID-19, information security’s prime objective remains enabling an organization to achieve its goals within its risk appetite. Today, organizations of all types are reconfiguring their service and product delivery strategies to both serve customers safely and obtain cost savings. Through this transition, SMEs must continue to mitigate the risks that existed before the arrival of COVID-19. For SMEs in regulated industries, this also includes the continued adherence to regulatory requirements. Those organizations accepting electronic payments, including credit cards, must also comply with applicable rules, including the Payment Card Industry Standard.

       


      To survive, many organizations will need to alter their methodologies. Many SMEs already faced challenges in responding to the increasing use of emerging technologies confronting traditional business models and services. These developments impacted the expectations of employees, customers, and suppliers. Unfortunately, they will need to adopt emerging technologies and change their service models more rapidly. At a minimum, this would include reconsidering the effectiveness of existing technology investments and the ability of stakeholders to use existing assets to drive value for the organization.

       


      These developments necessitate the calibration of risk strategies and even risk tolerances with the reality of different customer expectations in the new environment. For example, consumers prize and appreciate electronic-based transactions rather than in-person transactions. When in-person interaction is required, video and other electronic modes of communication will be favored. Yet many SMEs, even if they did have an information security program, did not consider the relevant threats that have resulted from COVID-19. Although many SME executives recognize the privacy implications of maintaining and transacting data, they may not realize the need to protect the ever-growing storage of video-based information. SMEs will face additional technology risk as remote solutions for workers and vendors become part of the new mode of operation.

       


      The new environment requires that SMEs strengthen and change their information security management programs to enhance the organization’s resiliency yet protect the assets entrusted to it. These asset protection strategies should include both electronic and physical protection of their people, processes, and technologies. The organization’s viability will significantly rely on the program’s ability to adapt to changing conditions and its effectiveness in helping it achieve desired objectives. That is why, as part of their COVID-19 recovery strategies, many SMEs are revisiting their Information Security Programs, emphasizing both resiliency and facilitation.

       


      The program should address efforts to learn where sensitive data exists, where it flows, and with whom it is shared. Unknown data is unprotected data. The potential for regulatory sanction is high, regardless of industry, as regulators can interrupt a business’s operations or halt its growth. Financial professionals should evaluate critical business partners who represent risk and may incur liability or reputational damage.

       


      For an SME to get the most value from investments in security tools, it is vital that any metrics it develops are actionable and provide guidance for investigating and mitigating any identified anomalies. It is also helpful to implement an automated Security Incident Event Monitor (SIEM) to capture and triage the large volume of alerts. Monitoring through SIEM is often outsourced to Managed Security Service Providers (MSSP) that specialize in this area. The MSSP often uses artificial intelligence to learn an organization’s network topology and correctly identify anomalous traffic. Should an SME identify or suspect a potential cyber-incident, the U.S. Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber-Incidents” provides best practices and an incident preparedness checklist to help the SME navigate these problems should they occur.

       


      Original editing: ICPA China Office

