S3M2

COSO Framework Overview

  • COSO (Committee of Sponsoring Organizations)

    • An advisory group that provides guidance on internal controls, fraud deterrence, and risk management.

    • Known for the COSO internal control framework, created in 1992.

    • Became an industry-wide benchmark for internal control practices.

    • COSO 2013

      • The most recent version of the framework.

      • Often referred to as the COSO cube, which is a three-dimensional diagram.

      • Illustrates how various elements of an internal control system work together.

Key Components of the COSO Framework

Internal Control Objectives

  • Classified into three groups:

    • Operational Objectives

      • Performance measures to increase protection against cybersecurity threats and fraud.

      • Focus on effectiveness and efficiency of business operations.

    • Reporting Objectives

      • Reporting/communication must be F.A.C.T.: Fair, Accurate, Complete, and Timely.

      • Relate to increasing the likelihood that cybersecurity controls do not adversely affect financial reporting.

      • Focus on transparency, reliability, timeliness, and trustworthiness.

    • Compliance Objectives

      • Adherence to governmental laws and compliance regulations, including industry standards (e.g., NIST, HIPAA, GDPR).

Five Components of the COSO Internal Control Framework (CRIME)

  1. Control Environment

    • Refers to the ethical values of an organization, often referred to as the tone at the top.

    • Sets a top-down approach to advance the COSO framework throughout an organization.

    • Senior management should act as champions to:

      • Raise awareness of cyber threats.

      • Guide development of IT policies, processes, and procedures.

      • Provide guidance on incident response management.

      • Educate the workforce about safeguarding digital assets.

  2. Risk Assessment

    • Involves evaluating internal and external factors for risk identification.

    • Applies to cyber threats by tailoring the assessment procedures for cyber risks.

    • Assessment provides assurance that organizations manage risks to an acceptable tolerance.

  3. Control Activities

    • Policies and procedures that ensure the directives of the control environment are implemented effectively at all organizational levels.

    • Ensures day-to-day risk management measures are applied consistently.

  4. Information and Communication

    • Reporting/communication must follow the F.A.C.T. principles.

    • Emphasizes usage of consistent and relevant language for information sharing.

    • Critical to share information about company policies on:

      • Cyber threats.

      • Detecting potential cyber threats.

      • Responding to cybersecurity events.

    • Communication channels include business impact analysis reports, employee meetings, periodic emails, and mandatory training.

  5. Monitoring Activities

    • Ongoing monitoring of internal controls to identify areas of vulnerability and to gauge control effectiveness.

    • Important in cybersecurity due to the evolution of attacks.

    • Practices include:

      • Penetration testing.

      • Vulnerability scanning and assessments.

      • Periodic phishing reports.

COSO Framework and Cyber Risks

  • Viewing cyber risks through a COSO lens enables management to better communicate:

    • Risk tolerance levels.

    • Business objectives.

  • Clear priorities from management help employees focus on:

    • Assessing risk associated with systems likely to be attacked.

    • Identifying points of potential vulnerability in IT systems.

Security Policies, Standards, and Procedures

Levels of Security Documentation

  1. Security Policies

    • Overview of the organization's security needs and strategic implementations.

    • Foundation of the security framework, outlining security measures applied to resources.

    • Provide clear terms, roles, and acceptable risk levels.

  2. Security Standards

    • Benchmarks to accomplish goals defined by the policies.

    • Derived from laws (e.g., GDPR) and industry standards (e.g., PCI DSS).

  3. Standard Operating Procedures (SOPs)

    • Detailed instructions for performing specific security tasks.

    • Should be segmented so that they are not all accessible to a single individual.

Acceptable Use Policy (AUP)

  • A control document to regulate and protect technology resources by:

    • Assigning responsibilities to job roles.

    • Listing acceptable behaviors and specifying violations.

  • Users agree to its terms before gaining access to systems.

  • Generally covers:

    • Definition and purpose of policy.

    • Acceptable use of personal devices for business activities.

    • Device maintenance and confidentiality.

    • Monitoring and enforcement of actions on devices.

Mobile Device Security Policies

  • Risks associated with poor management of mobile device use are addressed by strict policies.

  • Mobile device AUPs determine rules for:

    • Password protection and multifactor authentication.

    • Web browsing and application downloads.

Bring-Your-Own-Device (BYOD) Policies

  • Allows employees to use personal devices for work-related activities.

  • Policies govern:

    • Monitoring of personal devices.

    • Ownership of data on personal devices (typically assumed by the company).

    • Personal liability and indemnification.

Security Standards and Operating Procedures

  • Standards define minimum performance requirements and offer implementation recommendations.

  • SOPs offer detailed instructions, often tailored to specific departmental needs.

Network Protection Methods

  • Different methods to protect networks against cyber threats include:

    • Network Segmentation

    • Firewall

    • VPN (Virtual Private Network)

    • WPA (Wi-Fi Protected Access)

  • Each method serves as an additional layer of security against potential threats.

Authentication and Authorization Techniques

Important Concepts

  1. Zero Trust

    • Assumes the network is always at risk; focuses on continuous authentication.

    • Established by the NIST Zero Trust Network Architecture (ZTNA).

  2. Least Privilege

    • Users are granted minimum access necessary to perform their functions.

    • Prevents privilege creep.

  3. Need-to-Know Principle

    • Access to information is limited to what is necessary for job performance.

  4. Allowlisting and Denylisting

    • Allowlisting permits only specified applications to run on systems; denylisting blocks specifically listed unauthorized ones.

Identification and Authentication

  • Identification is asserting one's identity, while authentication validates that identity claim.

  • Various authentication technologies include:

    • Context-aware Authentication

    • Digital Signatures

    • Single Sign-On (SSO)

    • Multifactor Authentication (MFA)

Vulnerability Management

Definition and Purpose

  • Proactive practice to prevent exploitation of vulnerabilities.

  • Involves identifying, classifying, and fixing vulnerabilities using tools and frameworks (e.g., NIST Cybersecurity Framework).

Common Preventive, Detective, and Corrective Controls

  • Preventive Controls: designed to preempt threats (e.g., strong passwords, encryption).

  • Detective Controls: identify ongoing threats (e.g., IDS, network monitoring).

  • Corrective Controls: rectify vulnerabilities post-incident (e.g., reconfigurations, policy revisions).