Information is data made useful. There is a great deal of information to consider in respect of the risk management cyber security requires. Access to assurance services is important. In this article…
Cyber security means technology, processes, measures and countermeasures used to mitigate the many known risks that come with digital technology use. Cyber security must be, and is, a multidisciplinary body of knowledge.
What is an assurance service?
Useful information is not the same as reliable information. Many people will know many things — the executive directors, the financial managers, the program directors, the facilities managers, the trustees, the volunteers: all have useful information.
What happens if (when!) they don’t share what they know?
Malicious intent isn’t necessary to consider this question. It’s much more likely that none of them really knows what information someone else needs to make an informed decision.
CPA Canada, the national association of Canadian chartered professional accountants, defines assurance service as a service used to enhance…
|…the reliability of information through activities such as internal control, internal and comprehensive auditing as well as through external third-party assurance services such as auditing.|
Put more simply? The chartered professional accountant who provides assurance services performs these three services:
| Investigation | I | Investigates who has what information in an organisation |
| Consulting | II | Helps determine who can best use the information |
| Verification | III | Periodically checks back to ensure the information flows correctly |
In this article, cyber risk describes financial loss, organisational chaos, or reputational damage that results from any information technology failure.
Our risk management considerations must include IT vendors or staff, not rely upon them. Your community is also served by approachable risk management professionals, such as insurance underwriters, independent insurance agents and brokers, and CPAs. As to IT vendors? This is tricky:
Your principal concern is almost certainly a small office computing network. The supply chains common to many, many IT vendors are often much more concerned about enterprise computing than you are. It’s very hard to generalise. Techopedia puts the matter this way:
|Enterprise computing is usually seen as a collection of big business software solutions to common problems such as resource management and streamlining processes.|
Are there small office computing vendors with access to enterprise computing expertise? I think it likely. Where to find them? I’ve no idea.
There are certainly more professions one might consider but not, I think, in respect of small-to-medium size social enterprises. Is your organisation likely to require routine penetration testing and cyberthreat vector analysis? No. Your risks are more fundamental.