Gearing-Up with COSO 2013 Internal Control Framework and Principles

As companies, directors (audit and risk committees), internal audit and independent auditors continue to gear up for COSO 2013, I am posting the bullet point outline below without discussion, primarily for future reference and application. You will note that the COSO 2013 framework remains broad, lacking detail and arguably vague. You can take any category and any principle and ask, “what does that mean,” “what are our responsibilities,” and “at what point have we satisfied our responsibilities?” For example, look at the Risk Assessment category. Methods or processes of risk assessment certainly have already become more involved. See, for example, my August 31, 2014 blog post discussing the NIST Cybersecurity Framework (click here) and my paper outlining 20 risk management process steps: https://directorofficernews.com/wp-content/uploads/2014/07/risk-uncertainty-management-processes-oversight-dave-tate-esq-07052014.pdf.

More to follow.  Dave Tate, CPA, Esq. (San Francisco / California)

COSO 2013 Internal Control Framework & Sarbanes-Oxley Act (SOX) Section 404

Three Categories of Objectives:
-Operations
-Reporting
-Compliance

The Five Integrated Components of Internal Control and Their 17 Principles:

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

* * * * * * *

Companies Increasing Audit Committee Transparency

The majority of audit committees at Fortune 100 companies are disclosing more information than in years past, especially about their assessment of their outside auditing firm, according to a new report.

Click on the following link for the article: www.accountingtoday.com

This seems pretty basic to me, but surveys and reporting on these things are important so that audit committees can get at least a glimpse of what other committees are doing and move things forward.


Dave Tate, CPA, Esq. (San Francisco / California), http://tatetalk.com

CAQ Provides New Tool to Help Auditors Avoid Judgment Tendencies, Traps, and Biases

Essentially, this is one version of a decision tree process for auditors. It is a good training tool. I would also like to see one of these for internal auditors. The downside risk could be that it might become the standard for liability purposes. On the other hand, if it does become the standard, then everyone (boards, CEOs, CFOs, audit committees, internal audit, etc.) should expect that it will be followed. The process does also include room for judgment anyway. Click on the following link for the Center for Audit Quality tool: www.thecaq.org

Dave Tate, Esq. (San Francisco / California)

PWC 2014 State of the Internal Audit Profession Study

The following is a link to PWC’s 2014 State of the Internal Audit Profession Study, where you will find the study and also specific industry reports. It is worthwhile reading for all audit committees of entities that have internal audit functions. You might be aware that the internal audit profession, and the IIA, have been going through an evaluation of where they are and where they want to be, so as to provide a function that is more valuable and respected. As the audit committee is substantially dependent on other people gathering and reporting reliable information to the committee, I encourage all audit committees to sit down with the internal audit chair to explore better ways for internal audit to help the audit committee members perform their oversight function, hopefully with greater assurance. Click on the link below for the PWC Study page.

Dave Tate, Esq. 

http://www.pwc.com/us/en/risk-assurance-services/publications/pwc-2014-state-of-profession.jhtml

Why the Framework for Improving Critical Infrastructure Cybersecurity is useful for other risk management areas

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, 2.12.2014

NIST – National Institute of Standards and Technology

-Question: Why is the Framework for Improving Critical Infrastructure Cybersecurity also useful for other risk management areas?

-Answer: Because it is a US Government recognized outline for risk management steps – although the Framework is voluntary for cybersecurity, at least at this time.

The following are the three primary Framework parts: the Core, the Profile and the Implementation Tiers.

See also my prior post about possibly creating a standard of care, click here.

FRAMEWORK CORE

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

FRAMEWORK PROFILE

Step 1: Prioritize and Scope

The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.

Step 2: Orient

Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.

Step 3: Create a Current Profile

The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.

Step 4: Conduct a Risk Assessment

This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.

Step 5: Create a Target Profile

The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.

Step 6: Determine, Analyze, and Prioritize Gaps

The organization compares the Current Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

Step 7: Implement Action Plan

The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.

“An organization may repeat the steps as needed to continuously assess and improve its cybersecurity. For instance, organizations may find that more frequent repetition of the orient step improves the quality of risk assessments. Furthermore, organizations may monitor progress through iterative updates to the Current Profile, subsequently comparing the Current Profile to the Target Profile. Organizations may also utilize this process to align their cybersecurity program with their desired Framework Implementation Tier.”
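As an added worked example (not code from the original post or from NIST), the following Python sketch carries Steps 3 through 7 above through on constructed data: a Current Profile with per-subcategory risk scores and effort estimates, a Target Profile, the resulting gap list, and a prioritized action plan that draws on risk, cost and an assumed resource budget. The subcategory identifiers follow NIST CSF v1.0 naming; every status, likelihood, impact and cost value, and the scoring rule itself, are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data for illustration: the subcategory identifiers follow
# NIST CSF v1.0 naming (Function.Category-Number); the status, likelihood,
# impact and cost values are invented and are not taken from the Framework.
STATUS_LEVEL = {"not_achieved": 0, "partial": 1, "achieved": 2}
# Step 3 (Current Profile) and Step 4 (risk assessment) in one table:
# subcategory -> (current status, likelihood 1-5, impact 1-5, effort to close)
ASSESSMENT = {
    "ID.AM-1": ("achieved", 3, 3, 1),     "ID.RA-1": ("partial", 4, 3, 2),
    "PR.AC-1": ("partial", 4, 5, 5),      "PR.DS-1": ("not_achieved", 3, 5, 6),
    "DE.CM-1": ("not_achieved", 4, 4, 4), "RS.RP-1": ("achieved", 2, 4, 1),
    "RC.RP-1": ("not_achieved", 3, 4, 3),
}
# Step 5 (Target Profile): every in-scope outcome should be fully achieved.
TARGET_PROFILE = {sub: "achieved" for sub in ASSESSMENT}
@dataclass
class Gap:
    subcategory: str
    current: str
    target: str
    risk_score: int  # likelihood x impact from Step 4
    cost: int        # effort units needed to reach the target status
    @property
    def priority(self) -> float:
        # Risk addressed per unit of cost, scaled by the shortfall (partial = half).
        shortfall = (STATUS_LEVEL[self.target] - STATUS_LEVEL[self.current]) / 2
        return shortfall * self.risk_score / self.cost

def determine_gaps(assessment, target):
    """Step 6: keep every subcategory whose current status falls short of the target."""
    gaps = []
    for sub, want in target.items():
        have, likelihood, impact, cost = assessment[sub]
        if STATUS_LEVEL[have] < STATUS_LEVEL[want]:
            gaps.append(Gap(sub, have, want, likelihood * impact, cost))
    return gaps

def prioritize(gaps, budget=None):
    """Rank gaps by priority (higher risk breaks ties); with a resource budget,
    greedily keep the gaps that fit, which becomes the action plan for Step 7."""
    ranked = sorted(gaps, key=lambda g: (-g.priority, -g.risk_score))
    if budget is None:
        return ranked
    plan, spent = [], 0
    for gap in ranked:
        if spent + gap.cost <= budget:
            plan.append(gap)
            spent += gap.cost
    return plan
```

Re-running determine_gaps after each action is the iterative Current Profile update the quoted paragraph describes; the two outcomes already achieved never appear as gaps.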

FRAMEWORK IMPLEMENTATION TIERS (I.E., THE EXTENT TO WHICH THE ENTITY HAS IMPLEMENTED THE FRAMEWORK)

Tier 1: Partial (first and lowest level of risk management practices) – Risk management practices are not formalized. Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level. An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed (second level of risk management practices) – Risk management practices are approved by management but may not be established as organization-wide policy. The organization knows its role in the larger ecosystem but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable (third level of risk management practices) – The organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide approach to manage cybersecurity risk. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4: Adaptive (fourth and highest level of risk management practices) – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks. The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

* * * * * * *