Overview – Trust Services Criteria
COSO’s CC8.1 for the component Change Management requires the following: “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.”
Points of Focus
Below are the points of focus and any related mappings to other frameworks and standards.
| Description | Mapping to other frameworks and standards |
| --- | --- |
| Manages Changes Throughout the System Lifecycle — A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. | · NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented · NIST CSF – PR.IP-3 – Configuration change control processes are in place |
| Authorizes Changes — A process is in place to authorize system changes prior to development. | |
| Designs and Develops Changes — A process is in place to design and develop system changes. | |
| Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. | |
| Tracks System Changes — A process is in place to track system changes prior to implementation. | · NIST CSF – PR.MA-1 – Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools · NIST CSF – PR.MA-2 – Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
| Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. | |
| Tests System Changes — A process is in place to test system changes prior to implementation. | NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented |
| Approves System Changes — A process is in place to approve system changes prior to implementation. | · NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented · NIST CSF – PR.IP-3 – Configuration change control processes are in place · NIST CSF – PR.MA-1 – Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools · NIST CSF – PR.MA-2 – Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access · NIST CSF – PR.DS-7 – The development and testing environment(s) are separate from the production environment |
| Deploys System Changes — A process is in place to implement system changes. | · NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented · NIST CSF – PR.IP-3 – Configuration change control processes are in place |
| Identifies and Evaluates System Changes — Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. | NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented |
| Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification. | NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented |
| Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. | NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented |
| Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe). | NIST CSF – PR.IP-3 – Configuration change control processes are in place |
| Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. | NIST CSF – PR.IP-2 – A System Development Life Cycle to manage systems is implemented |
| Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. | |
What is the COSO Framework?
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative of five private sector organizations and provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Source: https://us.aicpa.org/interestareas/businessindustryandgovernment/resources/riskmanagmentandinternalcontrol/coso-integrated-framework-project
The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The Treadway Commission designed the framework with SOX in mind, but the framework goes beyond financial reporting controls since it applies to operations, compliance, and reporting (both internal and external). For most public companies, the process of using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the COSO Internal Control Framework and then evaluating the control environment in total against the framework.
The COSO Internal Control Framework is a comprehensive model comprising the following five (5) integrated Components, supported by seventeen (17) Principles. Below are the five (5) Components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Source: https://www.auditboard.com/blog/difference-between-coso-and-sox/
Internal Control Categories
The COSO framework divides internal control objectives into three (3) categories: Operations, Reporting and Compliance.
- Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of your business operations.
- Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to transparency, timeliness and reliability of the organization’s reporting habits.
- Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.
Source: https://www.i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/