
COSO – CC7.2 – System Operations – The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Overview – Trust Services Criteria

CC7.2 sits in the System Operations series (CC7) of the common criteria, which this page presents under COSO because the Trust Services Criteria are built on the COSO internal control framework. It requires the following: “The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.” In practice this is a two-stage control: the first clause is about detection coverage (what is monitored and how anomalies are surfaced), the second is about triage (analyzing each anomaly to decide whether it is a security event that warrants response under CC7.3 and CC7.4).


Points of Focus

Below are the points of focus and any related mappings to other frameworks and standards.

Implements Detection Policies, Procedures, and Tools

Description: Detection policies and procedures are defined and implemented, and detection tools are deployed on infrastructure and software to identify anomalies in the operation of systems or unusual activity on them. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.

Mapping to other frameworks and standards:
  - NIST CSF – PR.DS-5 – Protections against data leaks are implemented
  - NIST CSF – PR.PT-1 – Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  - NIST CSF – DE.CM-1 – The network is monitored to detect potential cybersecurity events
  - NIST CSF – DE.DP-1 – Roles and responsibilities for detection are well defined to ensure accountability
  - NIST CSF – DE.DP-2 – Detection activities comply with all applicable requirements
  - NIST CSF – DE.DP-4 – Event detection information is communicated to appropriate parties

Designs Detection Measures

Description: Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.

Mapping to other frameworks and standards:
  - NIST CSF – PR.DS-5 – Protections against data leaks are implemented
  - NIST CSF – DE.AE-1 – A baseline of network operations and expected data flows for users and systems is established and managed
  - NIST CSF – DE.CM-1 – The network is monitored to detect potential cybersecurity events
  - NIST CSF – DE.CM-2 – The physical environment is monitored to detect potential cybersecurity events
  - NIST CSF – DE.CM-3 – Personnel activity is monitored to detect potential cybersecurity events
  - NIST CSF – DE.CM-4 – Malicious code is detected
  - NIST CSF – DE.CM-5 – Unauthorized mobile code is detected
  - NIST CSF – DE.CM-6 – External service provider activity is monitored to detect potential cybersecurity events
  - NIST CSF – DE.CM-7 – Monitoring for unauthorized personnel, connections, devices, and software is performed
  - NIST CSF – DE.CM-8 – Vulnerability scans are performed

Implements Filters to Analyze Anomalies

Description: Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.

Mapping to other frameworks and standards:
  - NIST CSF – DE.AE-2 – Detected events are analyzed to understand attack targets and methods
  - NIST CSF – DE.AE-3 – Event data are aggregated and correlated from multiple sources and sensors
  - NIST CSF – DE.AE-5 – Incident alert thresholds are established
  - NIST CSF – DE.DP-4 – Event detection information is communicated to appropriate parties
  - NIST CSF – RS.AN-4 – Incidents are categorized consistent with response plans

Monitors Detection Tools for Effective Operation

Description: Management has implemented processes to monitor the effectiveness of detection tools.

Mapping to other frameworks and standards:
  - NIST CSF – DE.DP-3 – Detection processes are tested
  - NIST CSF – DE.DP-5 – Detection processes are continuously improved
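The third and fourth points of focus (filter, summarize and analyze anomalies; monitor the detection tools themselves) are easier to reason about with a concrete pipeline. The following is an added example written for this page, not code or text from the AICPA/COSO criteria or from any vendor tool. It parses a constructed, sshd-style authentication log, filters out noise, summarizes activity per source address, applies an alert threshold (DE.AE-5), and correlates a burst of failed logins with a later successful login from the same source, which is the "use of compromised identification and authentication credentials" case from the second point of focus. A canary self-test feeds a synthetic burst through the same logic so that a silently broken detector is noticed (DE.DP-3). The log format, field names, threshold and IP addresses are assumptions chosen for illustration.

```python
"""Added example for CC7.2 points of focus 3 and 4 (not part of the criteria).
Filter -> summarize -> analyze pipeline over constructed auth log lines,
plus a canary self-test that monitors the detector itself."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical sshd-style format). The cron line is
# noise that the filter stage must drop. 203.0.113.7 and 198.51.100.4 are
# documentation addresses, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[2001]: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03Z sshd[2001]: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05Z sshd[2001]: Failed password for bob from 203.0.113.7
2024-05-01T10:00:07Z sshd[2001]: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09Z sshd[2001]: Failed password for alice from 203.0.113.7
2024-05-01T10:00:12Z sshd[2002]: Accepted password for alice from 203.0.113.7
2024-05-01T10:01:00Z sshd[2003]: Failed password for carol from 198.51.100.4
2024-05-01T10:02:00Z sshd[2004]: Accepted password for carol from 198.51.100.4
2024-05-01T10:03:00Z cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)
FAIL_THRESHOLD = 5  # assumed alert threshold per source (DE.AE-5)


@dataclass
class Finding:
    src: str
    failed: int
    users: set = field(default_factory=set)
    success_after_burst: bool = False
    severity: str = "anomaly"  # escalated to "security_event" by analyze()


def parse_events(text):
    """Filter stage: keep authentication outcomes, drop everything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Summarize stage: per-source failure/accept counts and users targeted."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for ev in events:
        s = summary[ev["src"]]
        s["failed" if ev["outcome"] == "Failed" else "accepted"] += 1
        s["users"].add(ev["user"])
    return dict(summary)


def analyze(events, threshold=FAIL_THRESHOLD):
    """Analyze stage: apply the threshold, then correlate a failure burst with a
    later success from the same source. Events are assumed to be in time order."""
    failures_so_far = defaultdict(int)
    users = defaultdict(set)
    success_after_burst = set()
    for ev in events:
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures_so_far[src] += 1
            users[src].add(ev["user"])
        elif failures_so_far[src] >= threshold:
            success_after_burst.add(src)  # success only after the burst counts
    findings = []
    for src, count in failures_so_far.items():
        if count < threshold:
            continue  # below threshold: logged, not alerted
        f = Finding(src=src, failed=count, users=users[src],
                    success_after_burst=src in success_after_burst)
        if f.success_after_burst:
            f.severity = "security_event"  # burst + success: likely compromised credential
        findings.append(f)
    return findings


def canary_self_test(threshold=FAIL_THRESHOLD):
    """Monitor the detector (DE.DP-3): a synthetic burst plus success must be flagged
    as a security event; False means the detection logic has regressed."""
    canary = "\n".join(
        f"2024-01-01T00:00:{i:02d}Z sshd[1]: Failed password for canary from 192.0.2.99"
        for i in range(threshold)
    ) + "\n2024-01-01T00:01:00Z sshd[1]: Accepted password for canary from 192.0.2.99\n"
    findings = analyze(parse_events(canary), threshold)
    return len(findings) == 1 and findings[0].severity == "security_event"


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(finding)
    print("canary ok:", canary_self_test())
```

Running the block flags 203.0.113.7 (five failures across two accounts, then a success) as a security event while 198.51.100.4 (one failure, then a success) stays below threshold and is only logged. The split between "anomaly" and "security_event" mirrors the two clauses of CC7.2: the threshold produces anomalies, and the correlation step is the analysis that decides which of them are security events. The canary should be run on a schedule from a separate job so that a misconfigured parser or a silently dropped log feed shows up as a failed self-test rather than as an absence of alerts.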


What is the COSO Framework?

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative of five private sector organizations and provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Source: https://us.aicpa.org/interestareas/businessindustryandgovernment/resources/riskmanagmentandinternalcontrol/coso-integrated-framework-project

The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The framework predates SOX (it was first published in 1992; SOX was enacted in 2002), but SOX Section 404 made it the de facto reference for evaluating internal control over financial reporting. The framework goes beyond financial reporting controls, since it applies to operations, compliance, and reporting (both internal and external). For most public companies, using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the framework and then evaluating the control environment as a whole against it.

The COSO Internal Control Framework is a comprehensive model comprising the following five (5) integrated Components, supported by seventeen (17) Principles. The five (5) Components are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

Source: https://www.auditboard.com/blog/difference-between-coso-and-sox/


Internal Control Categories

The COSO framework divides internal control objectives into three (3) categories: Operations, Reporting and Compliance.

  1. Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of your business operations.
  2. Reporting objectives, covering internal and external financial reporting as well as non-financial reporting, relate to the transparency, timeliness and reliability of the organization’s reporting.
  3. Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.

Source: https://www.i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/

Updated on September 14, 2022