
COSO – CC6.1 – Logical And Physical Access Controls – The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

Overview – Trust Services Criteria

COSO’s CC6.1 for the component Logical And Physical Access Controls requires the following: “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.”

Points of Focus

Below are the points of focus and any related mappings to other frameworks and standards.

Each point of focus is listed below with its description, followed by its mapping to other frameworks and standards.

Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets.
Mapping to other frameworks and standards:
  · NIST CSF – ID.AM-1 – Physical devices and systems within the organization are inventoried
  · NIST CSF – ID.AM-2 – Software platforms and applications within the organization are inventoried
  · NIST CSF – ID.AM-3 – Organizational communication and data flows are mapped
  · NIST CSF – ID.AM-4 – External information systems are catalogued
  · NIST CSF – PR.DS-3 – Assets are formally managed throughout removal, transfers, and disposition

Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
Mapping to other frameworks and standards:
  · NIST CSF – PR.AC-5 – Network integrity is protected, incorporating network segregation where appropriate
  · NIST CSF – PR.PT-3 – The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  · NIST CSF – PR.DS-1 – Data-at-rest is protected
  · NIST CSF – PR.DS-2 – Data-in-transit is protected
  · NIST CSF – PR.DS-3 – Assets are formally managed throughout removal, transfers, and disposition

Identifies and Authenticates Users — Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
Mapping to other frameworks and standards:
  · NIST CSF – PR.AC-6 – Identities are proofed and bound to credentials, and asserted in interactions when appropriate

Considers Network Segmentation — Network segmentation permits unrelated portions of the entity’s information system to be isolated from each other.
Mapping to other frameworks and standards:
  · NIST CSF – PR.AC-5 – Network integrity is protected, incorporating network segregation where appropriate

Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
Mapping to other frameworks and standards:
  · NIST CSF – PR.AC-5 – Network integrity is protected, incorporating network segregation where appropriate

Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
Mapping to other frameworks and standards: none listed.

Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.
Mapping to other frameworks and standards: none listed.

Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
Mapping to other frameworks and standards:
  · NIST CSF – PR.AC-1 – Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes

Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.
Mapping to other frameworks and standards: none listed.

Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction.
Mapping to other frameworks and standards: none listed.


What is the COSO Framework?

COSO means the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative of five private sector organizations and provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Source: https://us.aicpa.org/interestareas/businessindustryandgovernment/resources/riskmanagmentandinternalcontrol/coso-integrated-framework-project

The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The Treadway Commission designed the framework with SOX in mind, but the framework goes beyond financial reporting controls since it applies to operations, compliance, and reporting (both internal and external). For most public companies, the process of using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the COSO Internal Control Framework and then evaluating the control environment in total against the framework.

The COSO Internal Control Framework is a comprehensive model comprising the following five (5) integrated Components, supported by seventeen (17) Principles. Below are the five (5) Components:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

Source: https://www.auditboard.com/blog/difference-between-coso-and-sox/


Internal Control Categories

The COSO framework divides internal control objectives into three (3) categories: Operations, Reporting and Compliance.

  1. Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of your business operations.
  2. Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to transparency, timeliness and reliability of the organization’s reporting habits.
  3. Compliance objectives are internal control goals based on adhering to the laws and regulations that apply to the organization.

Source: https://www.i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/

Updated on September 14, 2022