Overview – Trust Services Criteria
COSO’s CC7.4, for the component System Operations, requires the following: “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.”
Points of Focus
Below are the points of focus and any related mappings to other frameworks and standards.
| Description | Mapping to other frameworks and standards |
| --- | --- |
| Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. | NIST CSF – RS.CO-1 – Personnel know their roles and order of operations when a response is needed |
| Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. | NIST CSF – RS.RP-1 – Response plan is executed during or after an event; NIST CSF – RS.MI-1 – Incidents are contained |
| Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. | NIST CSF – RS.MI-2 – Incidents are mitigated |
| Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. | NIST CSF – PR.IP-12 – A vulnerability management plan is developed and implemented |
| Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. | NIST CSF – RS.RP-1 – Response plan is executed during or after an event |
| Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity’s objectives. | NIST CSF – RS.CO-3 – Information is shared consistent with response plans; NIST CSF – RS.CO-4 – Coordination with stakeholders occurs consistent with response plans; NIST CSF – RS.CO-5 – Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness |
| Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. | |
| Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. | NIST CSF – RS.MI-3 – Newly identified vulnerabilities are mitigated or documented as accepted risks |
| Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident response program. | NIST CSF – RC.CO-1 – Public relations are managed |
| Evaluates the Effectiveness of Incident Response — The design of incident response activities is evaluated for effectiveness on a periodic basis. | NIST CSF – RC.CO-3 – Recovery activities are communicated to internal stakeholders and executive and management teams |
| Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | |
| Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. | |
| Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. | |
What is the COSO Framework?
COSO means the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative of five private sector organizations and provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Source: https://us.aicpa.org/interestareas/businessindustryandgovernment/resources/riskmanagmentandinternalcontrol/coso-integrated-framework-project
The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The Treadway Commission designed the framework with SOX in mind, but the framework goes beyond financial reporting controls since it applies to operations, compliance, and reporting (both internal and external). For most public companies, the process of using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the COSO Internal Control Framework and then evaluating the control environment in total against the framework.
The COSO Internal Control Framework is a comprehensive model comprising the following five (5) integrated Components, supported by seventeen (17) Principles. The five (5) Components are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Source: https://www.auditboard.com/blog/difference-between-coso-and-sox/
Internal Control Categories
The COSO framework divides internal control objectives into three (3) categories: Operations, Reporting and Compliance.
- Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of the organization’s business operations.
- Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to the transparency, timeliness and reliability of the organization’s reporting practices.
- Compliance objectives are internal control goals based on adhering to the laws and regulations that the organization must comply with.
Source: https://www.i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/