Overview – Trust Services Criteria
Trust Services Criteria (TSC) criterion A1.2, one of the Additional Criteria for Availability (the TSC are built on the COSO internal control framework), requires the following: “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.”
Points of Focus
Below are the points of focus and any related mappings to other frameworks and standards.
| Description | Mapping to other frameworks and standards |
|---|---|
| Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. | NIST CSF – PR.IP-5 – Policy and regulations regarding the physical operating environment for organizational assets are met |
| Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. | |
| Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events. | |
| Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. | |
| Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, an uninterruptible power supply and a generator back-up subsystem). | NIST CSF – PR.PT-5 – Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations). |
| Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary. | |
| Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. | NIST CSF – PR.IP-4 – Backups of information are conducted, maintained, and tested periodically |
| Performs Data Backup — Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur. | NIST CSF – PR.IP-4 – Backups of information are conducted, maintained, and tested periodically |
| Addresses Offsite Storage — Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. | NIST CSF – PR.IP-4 – Backups of information are conducted, maintained, and tested periodically |
| Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. | NIST CSF – PR.PT-5 – Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations). |
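The three backup points of focus above (determining what needs backup, monitoring for back-up failures and initiating corrective action, and keeping an offsite copy) can be checked mechanically rather than by reading job logs by hand. The following is an added example written for this page; it is not code from the AICPA, COSO, or any backup product. The job records, the policy table, the field names (`dataset`, `status`, `finished`, `offsite`) and the fixed evaluation time are all constructed for illustration. It reports every in-scope dataset with no job, no successful run, a stale last good copy, a failure after the last success, or no successful offsite copy, so that each finding can be routed for corrective action.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (hypothetical field names; not from the page).
# Each entry is one backup job run as a backup scheduler might report it.
BACKUP_LOG = [
    {"dataset": "customer-db", "status": "success", "finished": "2024-05-01T01:10:00Z", "offsite": False},
    {"dataset": "customer-db", "status": "success", "finished": "2024-05-01T02:05:00Z", "offsite": True},
    {"dataset": "billing-db",  "status": "failed",  "finished": "2024-05-01T01:30:00Z", "offsite": False},
    {"dataset": "billing-db",  "status": "success", "finished": "2024-04-28T01:30:00Z", "offsite": False},
    {"dataset": "audit-logs",  "status": "success", "finished": "2024-05-01T03:00:00Z", "offsite": False},
]

# Data that management has determined requires backup, with the maximum
# tolerated age of the most recent good copy (a recovery point objective).
BACKUP_POLICY = {
    "customer-db": timedelta(hours=24),
    "billing-db": timedelta(hours=24),
    "audit-logs": timedelta(hours=24),
    "hr-records": timedelta(hours=48),  # in scope, but no job ever ran
}

# Fixed "now" so the example is reproducible.
SAMPLE_NOW = datetime(2024, 5, 1, 6, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_backups(log, policy, now):
    """Check every in-scope dataset and return sorted (dataset, finding) pairs.

    A finding means a backup control has failed and needs corrective action:
    no job at all, no successful run, a stale last good copy, a failure after
    the last success, or no successful offsite copy.
    """
    findings = []
    for dataset, rpo in policy.items():
        runs = [r for r in log if r["dataset"] == dataset]
        if not runs:
            findings.append((dataset, "no backup job recorded"))
            continue
        successes = [r for r in runs if r["status"] == "success"]
        if not successes:
            findings.append((dataset, "no successful backup"))
            continue
        # Most recent good copy must be younger than the dataset's RPO.
        latest = max(parse_ts(r["finished"]) for r in successes)
        if now - latest > rpo:
            age_h = (now - latest).total_seconds() / 3600
            rpo_h = rpo.total_seconds() / 3600
            findings.append((dataset, f"last good backup {age_h:.1f}h old exceeds RPO of {rpo_h:.0f}h"))
        # A failure newer than the last success means the job is currently broken.
        for r in runs:
            if r["status"] != "success" and parse_ts(r["finished"]) > latest:
                findings.append((dataset, f"failed run at {r['finished']} after last success"))
        # At least one successful copy must have landed at the offsite location.
        if not any(r["offsite"] for r in successes):
            findings.append((dataset, "no successful offsite copy"))
    return sorted(findings)


def run_check():
    """Evaluate the constructed log against the policy at the fixed time."""
    return evaluate_backups(BACKUP_LOG, BACKUP_POLICY, SAMPLE_NOW)


if __name__ == "__main__":
    for dataset, finding in run_check():
        print(f"{dataset}: {finding}")
```

Running it lists `billing-db` three times (stale copy, failed run after the last success, no offsite copy), `audit-logs` once (no offsite copy) and `hr-records` once (in scope but never backed up); `customer-db` produces nothing. The policy table is the artefact an auditor will ask for under "Determines Data Requiring Backup", and the findings list is the evidence that failures are detected and acted on rather than silently logged.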
What is the COSO Framework?
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative of five private sector organizations and provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Source: https://us.aicpa.org/interestareas/businessindustryandgovernment/resources/riskmanagmentandinternalcontrol/coso-integrated-framework-project
The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The framework is closely associated with SOX compliance, but it goes beyond financial reporting controls: it applies to operations, compliance, and reporting (both internal and external). For most public companies, using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the framework and then evaluating the control environment as a whole against it.
The COSO Internal Control Framework is a comprehensive model comprising the following five (5) integrated Components, supported by seventeen (17) Principles. Below are the five (5) Components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Source: https://www.auditboard.com/blog/difference-between-coso-and-sox/
Internal Control Categories
The COSO framework divides internal control objectives into three (3) categories: Operations, Reporting and Compliance.
- Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of the organization’s business operations.
- Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to the transparency, timeliness and reliability of the organization’s reporting.
- Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.
Source: https://www.i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/