Dash SOC 2 Controls List

This document contains a table that lists the sections, categories, points of focus, and individual criteria for assessing controls in an organization based on the AICPA Trust Services Principles. The categories include control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access controls, and system operations. Each category contains multiple points of focus, and each point of focus lists individual criteria for evaluation.

Based on AICPA Trust Services Criteria (TSC) - TSP Section 100—2017

https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

Category                                   Trust ID   Points of focus
Control Environment                        CC1.1      1-5
Control Environment                        CC1.2      1-4
Control Environment                        CC1.3      1-5
Control Environment                        CC1.4      1-7
Control Environment                        CC1.5      1-5
Communication and Information              CC2.1      1-4
Communication and Information              CC2.2      1-11
Communication and Information              CC2.3      1-11
Risk Assessment                            CC3.1      1-16
Risk Assessment                            CC3.2      1-8
Risk Assessment                            CC3.3      1-5
Risk Assessment                            CC3.4      1-5
Monitoring Activities                      CC4.1      1-8
Monitoring Activities                      CC4.2      1-3
Control Activities                         CC5.1      1-6
Control Activities                         CC5.2      1-4
Control Activities                         CC5.3      1-6
Logical and Physical Access Controls       CC6.1      1-10
Logical and Physical Access Controls       CC6.2      1-3
Logical and Physical Access Controls       CC6.3      1-3
Logical and Physical Access Controls       CC6.4      1-3
Logical and Physical Access Controls       CC6.5      1-2
Logical and Physical Access Controls       CC6.6      1-4
Logical and Physical Access Controls       CC6.7      1-4
Logical and Physical Access Controls       CC6.8      1-5
System Operations                          CC7.1      1-5
System Operations                          CC7.2      1-4
System Operations                          CC7.3      1-5
System Operations                          CC7.4      1-13
System Operations                          CC7.5      1-6
Change Management                          CC8.1      1-15
Risk Mitigation                            CC9.1      1-2
Risk Mitigation                            CC9.2      1-12
Additional Criteria for Availability       A1.1       1-3
Additional Criteria for Availability       A1.2       1-10
Additional Criteria for Availability       A1.3       1-2
Additional Criteria for Confidentiality    C1.1       1-2
Additional Criteria for Confidentiality    C1.2       1-2
Additional Criteria for Processing Integrity  PI1.1   15 rows, unnumbered in the source
Additional Criteria for Processing Integrity  PI1.2   1-3
Additional Criteria for Processing Integrity  PI1.3   1-5
Additional Criteria for Processing Integrity  PI1.4   1-4
Additional Criteria for Processing Integrity  PI1.5   1-4
Additional Criteria for Privacy            P1.0       (section heading row)
Additional Criteria for Privacy            P1.1       15 rows, unnumbered in the source
Additional Criteria for Privacy            P2.0       (section heading row)
Additional Criteria for Privacy            P2.1       1-6
Additional Criteria for Privacy            P3.0       (section heading row)
Additional Criteria for Privacy            P3.1       1-4
Additional Criteria for Privacy            P3.2       1-2
Additional Criteria for Privacy            P4.0       (section heading row)
Additional Criteria for Privacy            P4.1       1
Additional Criteria for Privacy            P4.2       1-2
Additional Criteria for Privacy            P4.3       1-3
Additional Criteria for Privacy            P5.0       (section heading row)
Additional Criteria for Privacy            P5.1       1-4
Additional Criteria for Privacy            P5.2       1-3
Additional Criteria for Privacy            P6.0       (section heading row)
Additional Criteria for Privacy            P6.1       1-4
Additional Criteria for Privacy            P6.2       1
Additional Criteria for Privacy            P6.3       1
Additional Criteria for Privacy            P6.4       1-2
Additional Criteria for Privacy            P6.5       1-2
Additional Criteria for Privacy            P6.6       1-2
Additional Criteria for Privacy            P6.7       1-2
Additional Criteria for Privacy            P7.0       (section heading row)
Additional Criteria for Privacy            P7.1       1-2
Additional Criteria for Privacy            P8.0       (section heading row)
Additional Criteria for Privacy            P8.1       1-6
Trust
Sets theCriteria
Tone at the Top—The board of directors and management, at all levels, demonstrate through their
COSO Principle
directives,
Establishes 1: The
actions,
Standards andof entity
behavior demonstrates
Conduct—The the importance a commitment
expectations of the to
of integrity andintegrity
board ethical and ethical
values
of directors values.management
to support
and senior the functioning of the
system of internal
concerning integrity control.
and ethical values are defined in the entity’s standards of conduct and understood at all
levels of the
Evaluates entity and
Adherence toby outsourced
Standards service providers andare
of Conduct—Processes business
in placepartners.
to evaluate the performance of individuals
and teams
Considers against
Addresses Contractors the
Deviations inand entity’s
a Timely expected standards
VendorManner—Deviations of
Employees in Demonstrating conduct.
from the entity’s expected standards of conduct
Its Commitment—Management and theare board of
identifiedconsider
directors and remedied the use inof
a timely
contractorsand consistent
and vendor manner.
employees in its processes for establishing standards of
conduct, evaluating
COSO Principle 2: The adherence
board of to those standards,
directors demonstrates and addressing
independence deviations in a timely manner.
from management and exercises
oversight of the development and performance of internal control.
Establishes Oversight Responsibilities—The board of directors identifies and accepts its oversight responsibilities
in relation
Applies to established
Relevant Expertise—Therequirementsboard of anddirectors
expectations.defines, maintains, and periodically evaluates the skills and
expertise Independently—The
Operates needed among its members board oftodirectors
enable them to ask probing
has sufficient members questions
who are of senior management
independent from and take
commensurate
management
Supplements andaction.
Board objective
Expertise—Thein evaluations and decision
board of directors making.
supplements
COSO Principle 3: Management establishes, with board oversight, its expertisereporting
structures, relevant to security,
lines, availability,
and appropriate
processing integrity,
authorities confidentiality,
and responsibilities in theand privacy,
pursuit of as needed, through the use of a subcommittee or consultants.
objectives.
Considers All Structures of the Entity—Management and the board of directors consider the multiple structures
used (including
Establishes operating
Reporting units, legal entities,
Lines—Management geographic
designs distribution,
and evaluates linesand outsourced
of reporting for service
each entityproviders)
structureto to
support
Defines, the
enable execution achievement
Assigns, and of
of authorities objectives.
and responsibilities
Limits Authorities and flow of information and
and Responsibilities—Management to manage
the board theof activities
directors of delegate
the entity.
authority,
Addresses Specific Requirements When Defining Authorities and Responsibilities—Management and theand
define responsibilities, and use appropriate processes and technology to assign responsibility board of
segregate
directors
Considers duties asrequirements
consider
Interactions necessary
With atrelevant
Externalthe various
Partiesto levels of
security,
When the organization.
availability,
Establishing processing
Structures, integrity,
Reporting confidentiality,
Lines, Authorities, and andprivacy
COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals
when defining authorities
Responsibilities—Management and responsibilities.
in alignment with objectives. and the board of directors consider the need for the entity to interact with and
monitor thePolicies
Establishes activities and of Practices—Policies
external parties when andestablishing
practices reflect structures, reporting
expectations lines, authorities,
of competence and to
necessary
responsibilities.
support the achievement ofAddresses
objectives.Shortcomings—The board of directors and management evaluate
Evaluates Competence and
competence
Attracts, Develops, and Retainsand
across the entity in outsourced service
Individuals—The providers
entity provides thein mentoring
relation to and established
training policies
needed and practices
to attract,
and act
develop, asandnecessary
retain to address
sufficient and shortcomings.
competent personnel and outsourced
Plans and Prepares for Succession—Senior management and the board of directors develop contingency plans for service providers to support the
achievement
assignments
Considers theof of objectives.of Individuals—The
responsibility
Background important for internal entitycontrol.
considers the background of potential and existing personnel,
contractors, and vendor employees
Considers the Technical Competency of Individuals—The when determining whether to employthe
entity considers andtechnical
retain the individuals.of potential
competency
and existing
Provides personnel,
Training
COSO Principle 5: toThe contractors,
Maintain Technical
entity holds and vendor employees
Competencies—
individuals accountable when
Theforentity determining
theirprovides whether
internaltraining to
control programs, employincluding
responsibilities andin retain
the the
individuals.
continuing
pursuit education and training, to ensure skill sets and technical competency of existing personnel,
of objectives.
contractors, and vendor Through
Enforces Accountability employees are developed
Structures, and maintained.
Authorities, and Responsibilities—Management and the board of
directors establish
Establishes Performance the mechanisms
Measures, to communicate
Incentives, and hold individuals accountable
and Rewards—Management and the board for performance
of directors of internal
establish
control responsibilities
performance measures, across the
incentives, entity
and and
other implement
rewards corrective
appropriate
Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—Management and the board action
for as necessary.
responsibilities at all levels of the entity,
reflecting
of directors
Considers appropriate
align incentives
Excessive dimensions
Pressures—Management of performance
and rewards with the andboard
andfulfillment
the expectedof standards
of internal
directors of conduct,
control
evaluate and considering
responsibilities
and adjust the
in the associated
pressures
achievement
achievement
with of
of both short-term
objectives. and longer-term objectives.
COSOthe
Evaluates achievement
Principle 13: Theofand
Performance objectives
entity Rewards
obtains asorthey assign responsibilities,
orDisciplines
generates Individuals—Management
and uses relevant, develop performance
quality and measures,
the board
information toofsupportandthe
directors evaluate
evaluate
performance.
performance of internal
functioning of internal control. control responsibilities, including adherence to standards of conduct and expected levels
of competence, and provide rewards or exercise disciplinary action, as appropriate.
Identifies Information Requirements—A process is in place to identify the information required and expected to
support the
Captures functioning
Internal of the other
and External Sources components of internal control
of Data—Information systemsand the achievement
capture internal andof the entity’s
external sources of
objectives.
data.
Processes Relevant Data Into Information—Information systems process and transform relevant data into
information.
Maintains
COSO PrincipleQuality 14:Throughout Processing—Information
The entity internally communicates systems information, produce information
including objectivesthat and
is timely, current, for
responsibilities
accurate, complete, accessible, protected, verifiable,
internal control, necessary to support the functioning of internal control. and retained. Information is reviewed to assess its relevance
in supporting the internal control components.
Communicates Internal Control Information—A process is in place to communicate required information to
enable all personnel
Communicates With to theunderstand and carry out their internalexists
Board of Directors—Communication control responsibilities.
between management and the board of
directors so that both have information needed to
Provides Separate Communication Lines—Separate communication channels, such fulfill their roles with respect to the entity’s objectives.
as whistle-blower hotlines, are
in place and serve as fail-safe mechanisms to enable anonymous
Selects Relevant Method of Communication—The method of communication considers the timing, or confidential communication when normaland
audience,
channels are inoperative
nature of the information.
Communicates or ineffective.
Responsibilities—Entity personnel with responsibility for designing, developing, implementing,
operating, maintaining,
Communicates Information or monitoring
on Reporting system controls
Failures, receive
Incidents, communications
Concerns, and Other about their responsibilities,
Matters—Entity personnel are
including
Communicateschanges
provided with information in their
Objectives and responsibilities,
on howChangesto report and have the
systems failures,
to Objectives information
—The entity incidents, necessary to
concerns, its
communicates carry out those
andobjectives
other responsibilities.
complaints
and to to
changes
personnel.
those objectivesInformation
Communicates to personneltoinImprove a timelySecurity
manner.Knowledge and Awareness—The entity communicates
information
Communicates to improve
Information security
About knowledge and awareness
System Operation and to model appropriate
and Boundaries—The entity preparessecurityandbehaviors
communicates to
personnel through a security awareness training program.
information about the design and operation of the system and its boundaries to authorized personnel to enable
them to understand their role in the system and the results of system operation.
Communicates System Objectives—The entity communicates its objectives to personnel to enable them to carry
out
COSOtheir responsibilities.
Communicates
Principle System
15: TheChanges—System
entity communicates changes
withthat affectparties
external responsibilities
regardingormattersthe achievement of the
affecting the entity's of
functioning
objectives are communicated in a timely manner.
internal control.
Communicates to External Parties—Processes are in place to communicate relevant and timely information to
external parties, including
Enables Inbound shareholders, partners,
Communications—Open owners, channels
communication regulators, customers,
allow input from financial analysts,
customers, and other
consumers,
external parties.
suppliers, external
Communicates With auditors,
the Board regulators, financial analysts,
of Directors—Relevant and others,
information providing
resulting from management
assessmentsand the board
conducted byof
directors
external with
parties relevant
is information.
communicated to the board of directors.
Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are
in placeRelevant
Selects and serveMethod as fail-safe mechanisms to enable
of Communication—The anonymous
method or confidential
of communication communication
considers when
the timing, normaland
audience,
channels are
Communicates inoperative
nature of the communication or
Objectives Related ineffective.
and legal, regulatory, and
to Confidentiality and fiduciary
Changes requirements
to Objectives— andThe expectations.
entity communicates, to
external users, vendors, business partners and others whose
Communicates Objectives Related to Privacy and Changes to Objectives—The entity communicates,products and services are part of the system,
to external
objectives
users, and changes to objectives
partners and related
others to confidentiality.
Communicates Information About System Operation and Boundaries—The entity preparessystem,
vendors, business whose products and services are part of the objectives
and communicates
related to privacy
information
Communicates about and
the changes
System design and
Objectives—Theto those
operation objectives.
entity ofcommunicates
the system anditsitssystem boundaries to authorized
objectives external
to appropriate users to
external users.
permit users to understand their role in the system and the results
Communicates System Responsibilities—External users with responsibility for designing, developing, of system operation.
implementing,
COSO Principleoperating,
Communicates Information
6: The entity maintaining,
onspecifies
Reporting and monitoring
System
objectives Failures, system controls
Incidents,
with sufficient receive
Concerns,
clarity to enable communications
and theOther about andtheir users
Matters—External
identification
responsibilities
are provided withand have
informationthe information
assessment of risks relating to objectives. on how to necessary
report to
systems carry out
failures, those responsibilities.
incidents, concerns, and other complaints to
appropriate personnel.
Reflects Management's Choices—Operations objectives reflect management's choices about structure, industry
considerations,
Considers Tolerancesand performance
for Risk—Management of the entity.considers the acceptable levels of variation relative to the
achievement of operations objectives.
Includes Operations and Financial Performance Goals—The organization reflects the desired level of operations
and
Formsfinancial
a Basisperformance
for Committing forof the entity within operations objectives.
Resources—Management uses operations objectives as a basis for allocating
resourcesWith
Complies needed to attainAccounting
Applicable desired operations and financial reporting
Standards—Financial performance. objectives are consistent with accounting
principles suitable and available for that entity. The
Considers Materiality—Management considers materiality in financial statement accounting principles selectedpresentation.
are appropriate in the
circumstances.
Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative
characteristics
Complies With and assertions.
Externally Established Frameworks—Management establishes objectives consistent with laws and
regulations or standards
Considers the Required Level and frameworks of recognized external
of Precision—Management reflectsorganizations.
the required level of precision and accuracy
suitable for
Reflects user
Entity needs and based on
Activities—External criteria reflects
reporting established by third parties
the underlying in nonfinancial
transactions and events reporting.
within a range of
acceptable limits.
Reflects Management's Choices—Internal reporting provides management with accurate and complete
information
Considers the regarding
Requiredmanagement's choices and information
Level of Precision—Management needed
reflects in managing
the required level the entity. and accuracy
of precision
suitable for
Reflects user
Entity needs in nonfinancial
Activities—Internal reporting
reporting objectives
reflects and materiality
the underlying withinand
transactions financial
eventsreporting objectives.
within a range of
acceptable limits.
Reflects External Laws and Regulations—Laws and regulations establish minimum standards of conduct, which
the entity integrates
Considers Tolerancesinto compliance objectives.
for Risk—Management considers the acceptable levels of variation relative to the
achievement
Establishes
COSO Principle of operations
Sub-objectives
7: The entity objectives.
to Support
identifiesObjectives—Management
risks to the achievement identifies sub-objectives
of its objectives across the related to and
entity security,
analyzes
availability, processing
risks as a basis integrity,how
for determining confidentiality,
the risks should and privacy
be managed.to support the achievement of the entity’s objectives
related
IncludestoEntity,
reporting, operations,
Subsidiary, andOperating
Division, compliance. Unit, and Functional Levels—The entity identifies and assesses risk
at the entity, subsidiary, division, operating
Analyzes Internal and External Factors—Risk identification unit, and functional levelsboth
considers relevant to the
internal andachievement
external factorsof objectives.
and their
impact on the achievement of objectives.
Involves Appropriate Levels of Management—The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities—The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional
Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties—The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems.
Considers the Significance of the Risk—The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with the assets based on asset criticality, threat impact, and likelihood.
COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
Assesses Incentives and Pressures—The assessment of fraud risks considers incentives and pressures.
Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.
COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
Assesses Changes in the External Environment—The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
Assesses Changes in the Business Model—The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
Assesses Changes in Leadership—The entity considers changes in management and respective attitudes and philosophies on the system of internal control.
Assess Changes in Systems and Technology—The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment.
Assess Changes in Vendor and Business Partner Relationships—The risk identification process considers changes in vendor and business partner relationships.
COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
Establishes Baseline Understanding—The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
Uses Knowledgeable Personnel—Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
Integrates With Business Processes—Ongoing evaluations are built into the business processes and adjust to changing conditions.
Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.
Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.
COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.
Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
Monitors Corrective Action—Management tracks whether deficiencies are remedied on a timely basis.
COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Integrates With Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out.
Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
Determines Relevant Business Processes—Management determines which relevant business processes require control activities.
Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
Considers at What Level Activities Are Applied—Management considers control activities at various levels in the entity.
Addresses Segregation of Duties—Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.
COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.
Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Establishes Relevant Security Management Process Controls Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.
COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Establishes Policies and Procedures to Support Deployment of Management’s Directives—Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
Establishes Responsibility and Accountability for Executing Policies and Procedures—Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
Performs in a Timely Manner—Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
Takes Corrective Action—Responsible personnel investigate and act on matters identified as a result of executing control activities.
Performs Using Competent Personnel—Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
Reassesses Policies and Procedures—Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary.
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
Identifies and Manages the Inventory of Information Assets—The entity identifies, inventories, classifies, and manages information assets.
Restricts Logical Access—Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
Identifies and Authenticates Users—Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
Considers Network Segmentation—Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
Manages Points of Access—Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
Restricts Access to Information Assets—Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
Manages Identification and Authentication—Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.
Manages Credentials for Infrastructure and Software—New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
Uses Encryption to Protect Data—The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.
Protects Encryption Keys—Processes are in place to protect encryption keys during generation, storage, use, and destruction.
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Controls Access Credentials to Protected Assets—Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian.
Removes Access to Protected Assets When Appropriate—Processes are in place to remove credential access when an individual no longer requires such access.
Reviews Appropriateness of Access Credentials—The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
Creates or Modifies Access to Protected Information Assets—Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner.
Removes Access to Protected Information Assets—Processes are in place to remove access to protected information assets when an individual no longer requires access.
Uses Role-Based Access Controls—Role-based access control is utilized to support segregation of incompatible functions.
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
Creates or Modifies Physical Access—Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner.
Removes Physical Access—Processes are in place to remove access to physical resources when an individual no longer requires access.
Reviews Physical Access—Processes are in place to periodically review physical access to ensure consistency with job responsibilities.
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
Identifies Data and Software for Disposal—Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable.
Removes Data and Software From Entity Control—Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable.
The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Restricts Access—The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.
Protects Identification and Authentication Credentials—Identification and authentication credentials are protected during transmission outside its system boundaries.
Requires Additional Authentication or Credentials—Additional authentication information or credentials are required when accessing the system from outside its boundaries.
Implements Boundary Protection Systems—Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts.
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Restricts the Ability to Perform Transmission—Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information.
Uses Encryption Technologies or Secure Communication Channels to Protect Data—Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.
Protects Removal Media—Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate.
Protects Mobile Devices—Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets.
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
Restricts Application and Software Installation—The ability to install applications and software is restricted to authorized individuals.
Detects Unauthorized Changes to Software and Configuration Parameters—Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.
Uses a Defined Change Control Process—A management-defined change control process is used for the implementation of software.
Uses Antivirus and Anti-Malware Software—Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware.
Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software—Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
Uses Defined Configuration Standards—Management has defined configuration standards.
Monitors Infrastructure and Software—The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
Implements Change-Detection Mechanisms—The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
Detects Unknown or Unauthorized Components—Procedures are in place to detect the introduction of unknown or unauthorized components.
Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
Implements Detection Policies, Procedures, and Tools—Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify
Designs Detection Measures—Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized
Implements Filters to Analyze Anomalies—Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.
Monitors Detection Tools for Effective Operation—Management has implemented processes to monitor the effectiveness of detection tools.
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
Responds to Security Incidents—Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis.
Communicates and Reviews Detected Security Events—Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
Develops and Implements Procedures to Analyze Security Incidents—Procedures are in place to analyze security incidents and determine system impact.
Assesses the Impact on Personal Information—Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.
Determines Personal Information Used or Disclosed—When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.
The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
Assigns Roles and Responsibilities—Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary.
Contains Security Incidents—Procedures are in place to contain security incidents that actively threaten entity objectives.
Mitigates Ongoing Security Incidents—Procedures are in place to mitigate the effects of ongoing security incidents.
Ends Threats Posed by Security Incidents—Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.
Restores Operations—Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives.
Develops and Implements Communication Protocols for Security Incidents—Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives.
Obtains Understanding of Nature of Incident and Determines Containment Strategy—An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) determination of the appropriate response time frame, and (2) the determination and execution of the
Remediates Identified Vulnerabilities—Identified vulnerabilities are remediated through the development and execution of remediation activities.
Communicates Remediation Activities—Remediation activities are documented and communicated in accordance with the incident response program.
Evaluates the Effectiveness of Incident Response—The design of incident response activities is evaluated for effectiveness on a periodic basis.
Periodically Evaluates Incidents—Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes.
Communicates Unauthorized Use and Disclosure—Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required.
Application of Sanctions—The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements.
The entity identifies, develops, and implements activities to recover from identified security incidents.
Restores the Affected Environment—The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed.
Communicates Information About the Event—Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external).
Determines Root Cause of the Event—The root cause of the event is determined.
Implements Changes to Prevent and Detect Recurrences—Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis.
Improves Response and Recovery Procedures—Lessons learned are analyzed, and the incident response plan and recovery procedures are improved.
Implements Incident Recovery Plan Testing—Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Manages Changes Throughout the System Lifecycle—A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity.
Authorizes Changes—A process is in place to authorize system changes prior to development.
Designs and Develops Changes—A process is in place to design and develop system changes.
Documents Changes—A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities.
Tracks System Changes—A process is in place to track system changes prior to implementation.
Configures Software—A process is in place to select and implement the configuration parameters used to control the functionality of software.
Tests System Changes—A process is in place to test system changes prior to implementation.
Approves System Changes—A process is in place to approve system changes prior to implementation.
Deploys System Changes—A process is in place to implement system changes.
Identifies and Evaluates System Changes—Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents—Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification.
Creates Baseline Configuration of IT Technology—A baseline configuration of IT and control systems is created and maintained.
Provides for Changes Necessary in Emergency Situations—A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe).
Protects Confidential Information—The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality.
Protects Personal Information—The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Considers Mitigation of Risks of Business Disruption—Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and
Considers the Use of Insurance to Mitigate Financial Impact Risks—The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.
The entity assesses and manages risks associated with vendors and business partners.
Establishes Requirements for Vendor and Business Partner Engagements—The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
Assesses Vendor and Business Partner Risks—The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives.
Assigns Responsibility and Accountability for Managing Vendors and Business Partners—The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners.
Establishes Communication Protocols for Vendors and Business Partners—The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
Establishes Exception Handling Procedures From Vendors and Business Partners—The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
Assesses Vendor and Business Partner Performance—The entity periodically assesses the performance of vendors and business partners.
Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments—The entity implements procedures for addressing issues identified with vendor and business partner relationships.
Implements Procedures for Terminating Vendor and Business Partner Relationships—The entity implements procedures for terminating vendor and business partner relationships.
Obtains Confidentiality Commitments from Vendors and Business Partners—The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information.
Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners—On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements.
Obtains Privacy Commitments from Vendors and Business Partners—The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information.
Assesses Compliance with Privacy Commitments of Vendors and Business Partners—On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary.
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
Measures Current Usage—The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints.
Forecasts Capacity—The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity.
Makes Changes Based on Forecasts—The system change management process is initiated when forecasted usage exceeds capacity tolerances.
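The three points of focus above describe a procedure (measure a baseline, forecast average and peak use against capacity and its tolerance, open a change when the forecast breaches it). The following is an editor-added worked example of that procedure; it is not part of the AICPA criteria and not Dash's code. The cluster size, per-node capacity, the 20% headroom tolerance and the weekly request-rate samples are constructed figures, and treating a breach of the degraded (one node lost) capacity as a change trigger is this example's own reading of the "failure of system components" clause.

```python
"""A1.1 worked example: measure a baseline, forecast average and peak use, and
decide whether the change management process must be initiated.

Editor-added example, not from the AICPA criteria or Dash. All figures are
constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class CapacityModel:
    nodes: int                # identical nodes that share the load (assumption)
    per_node_capacity: float  # load one node can carry, e.g. requests per second
    tolerance: float          # fraction of raw capacity reserved as headroom

    def usable(self, failed_nodes: int = 0) -> float:
        """Capacity that may be consumed once `failed_nodes` are lost and the
        tolerance headroom has been reserved."""
        surviving = max(self.nodes - failed_nodes, 0)
        return surviving * self.per_node_capacity * (1.0 - self.tolerance)


def baseline(samples):
    """Measures Current Usage: average and peak of the observed load."""
    return {"average": mean(samples), "peak": max(samples)}


def linear_forecast(samples, periods_ahead):
    """Least-squares trend through equally spaced samples, extrapolated
    `periods_ahead` periods past the last sample."""
    n = len(samples)
    x_mean = (n - 1) / 2
    y_mean = mean(samples)
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    slope = 0.0 if sxx == 0 else sum(
        (x - x_mean) * (y - y_mean) for x, y in zip(range(n), samples)) / sxx
    intercept = y_mean - slope * x_mean
    return intercept + slope * (n - 1 + periods_ahead)


def forecast_capacity(model, avg_samples, peak_samples, periods_ahead, failed_nodes=1):
    """Forecasts Capacity: compare forecast average and peak use with the usable
    capacity, both with every node healthy and with `failed_nodes` lost."""
    fc_peak = linear_forecast(peak_samples, periods_ahead)
    healthy = model.usable()
    degraded = model.usable(failed_nodes)
    return {
        "forecast_average": linear_forecast(avg_samples, periods_ahead),
        "forecast_peak": fc_peak,
        "usable_capacity": healthy,
        "usable_capacity_degraded": degraded,
        "breach_healthy": fc_peak > healthy,
        "breach_degraded": fc_peak > degraded,
    }


def change_required(model, avg_samples, peak_samples, periods_ahead):
    """Makes Changes Based on Forecasts: True when the forecast peak would exceed
    the tolerance on the healthy or on the degraded cluster, i.e. when a change
    request for additional capacity should be raised now."""
    fc = forecast_capacity(model, avg_samples, peak_samples, periods_ahead)
    return fc["breach_healthy"] or fc["breach_degraded"]


# Constructed sample: 4 nodes of 400 req/s each, 20% headroom, and eight weekly
# samples of average and peak request rate showing steady growth of 40 req/s/week.
MODEL = CapacityModel(nodes=4, per_node_capacity=400.0, tolerance=0.20)
AVG_RPS = [300, 320, 340, 360, 380, 400, 420, 440]
PEAK_RPS = [600, 640, 680, 720, 760, 800, 840, 880]

if __name__ == "__main__":
    print("baseline:", baseline(PEAK_RPS))
    for weeks in (1, 4):
        fc = forecast_capacity(MODEL, AVG_RPS, PEAK_RPS, weeks)
        verdict = "change required" if change_required(MODEL, AVG_RPS, PEAK_RPS, weeks) else "ok"
        print(f"{weeks} week(s) ahead:", fc, "->", verdict)
```

With the constructed figures the one-week forecast (920 req/s) fits even the degraded cluster (960 req/s usable), while the four-week forecast (1040 req/s) stays under the healthy limit of 1280 but not under the degraded one, so the change is raised on the N-1 case before it becomes an incident. The forecast horizon should be at least as long as the lead time for adding capacity, otherwise the trigger fires too late to matter.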
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors
environmental protections, software, data back-up processes, and recovery infrastructure to meet its
objectives.
Identifies Environmental Threats—As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.
Designs Detection Measures—Detection measures are implemented to identify anomalies that could result from environmental threat events.
Implements and Maintains Environmental Protection Mechanisms—Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events.
Implements Alerts to Analyze Anomalies—Management implements alerts that are communicated to personnel for analysis to identify environmental threat events.
Responds to Environmental Threat Events—Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem).
Communicates and Reviews Detected Environmental Threat Events—Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary.
Determines Data Requiring Backup—Data is evaluated to determine whether backup is required.
Performs Data Backup—Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur.
Addresses Offsite Storage—Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
Implements Alternate Processing Infrastructure—Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.
The entity tests recovery plan procedures supporting system recovery to meet its objectives.
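One concrete form of the recovery test this criterion calls for, and of the back-up failure detection under "Performs Data Backup" above, is a manifest taken at backup time and re-verified against the backup copy (or against a restored tree). The block below is an editor-added example, not AICPA text and not Dash's code; the manifest layout, the report fields and the sample files built inside demo() are constructed for illustration.

```python
"""Back-up integrity and completeness check.

Editor-added example for the A1.2 "Performs Data Backup" and A1.3 "Tests
Integrity and Completeness of Back-Up Data" points of focus; not part of the
AICPA criteria or Dash's controls. Manifest layout and report fields are this
example's own choices.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_root: Path) -> dict:
    """Record every regular file under `source_root` with its size and digest at
    backup time. The manifest is the reference that later makes 'complete' and
    'intact' checkable rather than assumed."""
    root = Path(source_root)
    files = {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }
    return {"version": 1, "files": files}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup (or restored) tree with the manifest.
    Completeness: every manifested file is present. Integrity: each present file
    hashes to the recorded digest. Files absent from the manifest are reported
    but do not fail the check."""
    root = Path(backup_root)
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - present)
    corrupted = sorted(
        rel for rel in set(expected) & present
        if sha256_file(root / rel) != expected[rel]["sha256"]
    )
    return {
        "ok": not missing and not corrupted,
        "checked": len(expected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": sorted(present - set(expected)),
    }


def manifest_to_json(manifest: dict) -> str:
    """Serialize deterministically so the manifest itself can be signed or hashed."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def demo() -> dict:
    """Constructed scenario: back up two files, verify a faithful copy, then verify
    a copy with one file altered, one file missing and one file added."""
    work = Path(tempfile.mkdtemp(prefix="bkp-demo-"))
    try:
        src = work / "source"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_bytes(b"hello")
        (src / "sub" / "b.bin").write_bytes(bytes(range(256)))
        manifest = json.loads(manifest_to_json(build_manifest(src)))

        good = work / "backup-good"
        shutil.copytree(src, good)
        clean = verify_backup(manifest, good)

        bad = work / "backup-bad"
        shutil.copytree(src, bad)
        (bad / "a.txt").write_bytes(b"hellO")      # silent corruption
        (bad / "sub" / "b.bin").unlink()            # file lost from the backup
        (bad / "extra.log").write_bytes(b"noise")   # not in the manifest
        tampered = verify_backup(manifest, bad)
        return {"manifest": manifest, "clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(manifest_to_json(result["manifest"]))
    print("faithful copy:", result["clean"])
    print("tampered copy:", result["tampered"])
```

Keep the manifest (or at least its signature) apart from the backup it describes, ideally alongside the offsite copy, so that whatever corrupts or deletes backup files cannot also rewrite the reference they are checked against. Running verify_backup on the periodic schedule the A1.3 point of focus asks for, and on every restored tree during a recovery test, produces the evidence the control expects.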
Implements Business Continuity Plan Testing—Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems
Tests Integrity and Completeness of Back-Up Data—The integrity and completeness of back-up information is tested on a periodic basis.
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Identifies Confidential Information—Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
Protects Confidential Information from Destruction—Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
Identifies Confidential Information for Destruction—Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
Destroys Confidential Information—Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.
The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
Identifies Information Specifications—The entity identifies information specifications required to support the use of products and services.
Defines Data Necessary to Support a Product or Service—When data is provided as part of a service or product or as part of a reporting obligation related to a product or service:
(1) The definition of the data is available to the users of the data
(2) The definition of the data includes the following information:
— The population of events or instances included in the data
— The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day)
— Source(s) of the data
— The unit(s) of measurement of data elements (for example, fields)
— The accuracy/correctness/precision of measurement
— The uncertainty or confidence interval inherent in each data element and in the population of those elements
— The date the data was observed or the period of time during which the events relevant to the data occurred
— The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population
(3) The definition is complete and accurate.
(4) The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (meta-data) that has not been included within the data.
The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.
Defines Characteristics of Processing Inputs—The characteristics of processing inputs that are necessary to meet requirements are defined.
Evaluates Processing Inputs—Processing inputs are evaluated for compliance with defined input requirements.
Creates and Maintains Records of System Inputs—Records of system input activities are created and maintained completely and accurately in a timely manner.
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.
Defines Processing Specifications—The processing specifications that are necessary to meet product or service requirements are defined.
Defines Processing Activities—Processing activities are defined to result in products or services that meet specifications.
Detects and Corrects Production Errors—Errors in the production process are detected and corrected in a timely manner.
Records System Processing Activities—System processing activities are recorded completely and accurately in a timely manner.
Processes Inputs—Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities.
The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.
Protects Output—Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.
Distributes Output Only to Intended Parties—Output is distributed or made available only to intended parties.
Distributes Output Completely and Accurately—Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output.
Creates and Maintains Records of System Output Activities—Records of system output activities are created and maintained completely and accurately in a timely manner.
The entity implements policies and procedures to store inputs, items in processing, and outputs completely,
accurately, and timely in accordance with system specifications to meet the entity’s objectives.
Protects Stored Items—Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
Archives and Protects System Records—System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
Stores Data Completely and Accurately—Procedures are in place to provide for the complete, accurate, and timely storage of data.
Creates and Maintains Records of System Storage Activities—Records of system storage activities are created and maintained completely and accurately in a timely manner.
Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy
The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
Communicates to Data Subjects—Notice is provided to data subjects regarding the following:
— Purpose for collecting personal information
— Choice and consent
— Types of personal information collected
— Methods of collection (for example, use of cookies or other tracking techniques)
— Use, retention, and disposal
— Access
— Disclosure to third parties
— Security for privacy
— Quality, including data subjects’ responsibilities for quality
— Monitoring and enforcement
If personal information is collected from sources other than the individual, such sources are described in the privacy notice.
Provides Notice to Data Subjects—Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.
Covers Entities and Activities in Notice—An objective description of the entities and activities covered is included in the entity’s privacy notice.
Uses Clear and Conspicuous Language—The entity’s privacy notice is conspicuous and uses clear language.
Privacy Criteria Related to Choice and Consent
The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
Communicates to Data Subjects—Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
Communicates Consequences of Denying or Withdrawing Consent—When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice.
Obtains Implicit or Explicit Consent—Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented.
Documents and Obtains Consent for New Purposes and Uses—If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.
Obtains Explicit Consent for Sensitive Information—Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
Obtains Consent for Data Transfers—Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device.
Privacy Criteria Related to Collection
Personal information is collected consistent with the entity’s objectives related to privacy.
Limits the Collection of Personal Information—The collection of personal information is limited to that necessary to meet the entity’s objectives.
Collects Information by Fair and Lawful Means—Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
Collects Information From Reliable Sources—Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
Informs Data Subjects When Additional Information Is Acquired—Data subjects are informed if the entity develops or acquires additional information about them for its use.
For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.
Obtains Explicit Consent for Sensitive Information—Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
Documents Explicit Consent to Retain Information—Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy.
Privacy Criteria Related to Use, Retention, and Disposal
The entity limits the use of personal information to the purposes identified in the entity’s objectives related to
privacy.
Uses Personal Information for Intended Purposes—Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise.
The entity retains personal information consistent with the entity’s objectives related to privacy.
Retains Personal Information—Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.
Protects Personal Information—Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.
The entity securely disposes of personal information to meet the entity’s objectives related to privacy.
Captures, Identifies, and Flags Requests for Deletion—Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy.
Disposes of, Destroys, and Redacts Personal Information—Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.
Destroys Personal Information—Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction.
Privacy Criteria Related to Access
The entity grants identified and authenticated data subjects the ability to access their stored personal
information for review and, upon request, provides physical or electronic copies of that information to data
subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the
denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
Authenticates Data Subjects’ Identity—The identity of data subjects who request access to their personal information is authenticated before they are given access to that information.
Permits Data Subjects Access to Their Personal Information—Data subjects are able to determine whether the entity maintains personal information about them and, upon request, obtain access to their personal information.
Provides Understandable Personal Information Within Reasonable Time—Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any.
Informs Data Subjects If Access Is Denied—When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation.
The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.
Communicates Denial of Access Requests—Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation.
Permits Data Subjects to Update or Correct Personal Information—Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy.
Communicates Denial of Correction Requests—Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.
Privacy Criteria Related to Disclosure and Notification
The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
Communicates Privacy Policies to Third Parties—Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
Discloses Personal Information Only When Appropriate—Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise.
Discloses Personal Information Only to Appropriate Third Parties—Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement,
Discloses Information to Third Parties for New Purposes and Uses—Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects.
The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy.
Creates and Retains Record of Authorized Disclosures—The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.
The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.
Creates and Retains Record of Detected or Reported Unauthorized Disclosures—The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.
The entity obtains privacy commitments from vendors and third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
Discloses Personal Information Only to Appropriate Third Parties—Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement,
Remediates Misuse of Personal Information by a Third Party—The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.
Remediates Misuse of Personal Information by a Third Party—The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
Reports Actual or Suspected Unauthorized Disclosures—A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.
The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.
Remediates Misuse of Personal Information by a Third Party—The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
Provides Notice of Breaches and Incidents—The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.
The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.
Identifies Types of Personal Information and Handling Process—The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified.
Captures, Identifies, and Communicates Requests for Information—Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy.
Privacy Criteria Related to Quality
The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.
Ensures Accuracy and Completeness of Personal Information—Personal information is accurate and complete for the purposes for which it is to be used.
Ensures Relevance of Personal Information—Personal information is relevant to the purposes for which it is to be used.
Privacy Criteria Related to Monitoring and Enforcement
The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.
Communicates to Data Subjects—Data subjects are informed about how to contact the entity with inquiries,
complaints, and disputes.
Addresses Inquiries, Complaints, and Disputes—A process is in place to address inquiries, complaints, and
disputes.
Documents and Communicates Dispute Resolution and Recourse—Each complaint is addressed, and the resolution is documented and communicated to the individual.
Documents and Reports Compliance Review Results—Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.
Documents and Reports Instances of Noncompliance—Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.
Performs Ongoing Monitoring—Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.
Established Internal Controls
Dash Example SOC 2 Security Controls
Dash provides cloud security safeguards and internal controls mapped to SOC 2 standards.
Learn more at www.dashsdk.com/soc-2
Below is a small extract of security controls addressed by Dash ComplyOps.
Category Trust ID Point of Focus
Control Environment CC1.1
Control Environment CC1.1 1
Control Environment CC1.1 2
Control Environment CC1.1 3
Control Environment CC1.1 4
Control Environment CC1.1 5
Risk Assessment CC3.1
Risk Assessment CC3.1 1
Risk Assessment CC3.1 2
Risk Assessment CC3.1 3
Risk Assessment CC3.1 4
Risk Assessment CC3.1 5
Risk Assessment CC3.1 6
Risk Assessment CC3.1 7
Risk Assessment CC3.1 8
Risk Assessment CC3.1 9
Risk Assessment CC3.1 10
Risk Assessment CC3.1 11
Risk Assessment CC3.1 12
Risk Assessment CC3.1 13
Risk Assessment CC3.1 14
Risk Assessment CC3.1 15
Risk Assessment CC3.1 16
Logical and Physical Access Controls CC6.1
Logical and Physical Access Controls CC6.1 1
Logical and Physical Access Controls CC6.1 2
Logical and Physical Access Controls CC6.1 3
Logical and Physical Access Controls CC6.1 4
Logical and Physical Access Controls CC6.1 5
Logical and Physical Access Controls CC6.1 6
Logical and Physical Access Controls CC6.1 7
Logical and Physical Access Controls CC6.1 8
Logical and Physical Access Controls CC6.1 9
Logical and Physical Access Controls CC6.1 10
Logical and Physical Access Controls CC6.6
Logical and Physical Access Controls CC6.6 1
Logical and Physical Access Controls CC6.6 2
Logical and Physical Access Controls CC6.6 3
Logical and Physical Access Controls CC6.6 4
System Operations CC7.1
System Operations CC7.1 1
System Operations CC7.1 2
System Operations CC7.1 3
System Operations CC7.1 4
System Operations CC7.1 5
Additional Criteria For Availability A1.2
Additional Criteria For Availability A1.2 1
Additional Criteria For Availability A1.2 2
Additional Criteria For Availability A1.2 3
Additional Criteria For Availability A1.2 4
Additional Criteria For Availability A1.2 5
Additional Criteria For Availability A1.2 6
Additional Criteria For Availability A1.2 7
Additional Criteria For Availability A1.2 8
Additional Criteria For Availability A1.2 9
Additional Criteria For Availability A1.2 10
Additional Criteria For Processing Integr PI1.5
Additional Criteria For Processing Integr PI1.5 1
Additional Criteria For Processing Integr PI1.5 2
Additional Criteria For Processing Integr PI1.5 3
Additional Criteria For Processing Integr PI1.5 4
Trust
Sets theCriteria
Tone at the Top—The board of expectations
directors andofmanagement,
Establishes Standards of Conduct—The the board of at all levels,
directors anddemonstrate
senior
COSO
through Principle
their 1: The
directives, entity demonstrates
actions, and behavior a commitment
the importance
management concerning integrity and ethical values are defined in the entity’s standards to integrity
of integrityand ethical
and values.
ethical values
of to
support the functioning of the system of internal control.
conduct and understood at all levels of the entity and by outsourced service providers and business partners.
3. Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct.
4. Addresses Deviations in a Timely Manner—Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.
5. Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

CC3.1 (COSO Principle 6): The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
1. Reflects Management's Choices—Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
2. Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of operations objectives.
3. Includes Operations and Financial Performance Goals—The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
4. Forms a Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
5. Complies With Applicable Accounting Standards—Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
6. Considers Materiality—Management considers materiality in financial statement presentation.
7. Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.
8. Complies With Externally Established Frameworks—Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
9. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
10. Reflects Entity Activities—External reporting reflects the underlying transactions and events within a range of acceptable limits.
11. Reflects Management's Choices—Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.
12. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
13. Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
14. Reflects External Laws and Regulations—Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
15. Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of operations objectives.
16. Establishes Sub-objectives to Support Objectives—Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity's objectives related to reporting, operations, and compliance.

CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
1. Identifies and Manages the Inventory of Information Assets—The entity identifies, inventories, classifies, and manages information assets.
2. Restricts Logical Access—Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
3. Identifies and Authenticates Users—Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
4. Considers Network Segmentation—Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
5. Manages Points of Access—Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
6. Restricts Access to Information Assets—Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
7. Manages Identification and Authentication—Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.
8. Manages Credentials for Infrastructure and Software—New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
9. Uses Encryption to Protect Data—The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.
10. Protects Encryption Keys—Processes are in place to protect encryption keys during generation, storage, use, and destruction.

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
1. Restricts Access—The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.
2. Protects Identification and Authentication Credentials—Identification and authentication credentials are protected during transmission outside its system boundaries.
3. Requires Additional Authentication or Credentials—Additional authentication information or credentials are required when accessing the system from outside its boundaries.
4. Implements Boundary Protection Systems—Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts.

CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
1. Uses Defined Configuration Standards—Management has defined configuration standards.
2. Monitors Infrastructure and Software—The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
3. Implements Change-Detection Mechanisms—The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
4. Detects Unknown or Unauthorized Components—Procedures are in place to detect the introduction of unknown or unauthorized components.
5. Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.

A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
1. Identifies Environmental Threats—As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.
2. Designs Detection Measures—Detection measures are implemented to identify anomalies that could result from environmental threat events.
3. Implements and Maintains Environmental Protection Mechanisms—Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events.
4. Implements Alerts to Analyze Anomalies—Management implements alerts that are communicated to personnel for analysis to identify environmental threat events.
5. Responds to Environmental Threat Events—Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem).
6. Communicates and Reviews Detected Environmental Threat Events—Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary.
7. Determines Data Requiring Backup—Data is evaluated to determine whether backup is required.
8. Performs Data Backup—Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur.
9. Addresses Offsite Storage—Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
10. Implements Alternate Processing Infrastructure—Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.

PI1.4: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.
1. Protects Stored Items—Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
2. Archives and Protects System Records—System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
3. Stores Data Completely and Accurately—Procedures are in place to provide for the complete, accurate, and timely storage of data.
4. Creates and Maintains Records of System Storage Activities—Records of system storage activities are created and maintained completely and accurately in a timely manner.
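The change-detection point of focus under CC7.1 names file integrity monitoring as the example mechanism. The block below is an added illustration of that mechanism and is not code from the controls list, from the AICPA, or from Dash. The monitored tree, the baseline format (SHA-256 digest, size and permission bits per file) and the sample files are constructed for the demonstration; an auditor would look for the equivalent baseline, the comparison schedule, and the alert path in the entity's own tooling.

```python
"""File integrity monitoring: build a hash baseline, then detect drift."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.

    Symlinks are skipped: following them would let an attacker point a
    monitored name at content outside the monitored tree.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift relative to the baseline as added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed config tree, tamper with it, and re-check.

    The directory layout and file contents are made up for the demonstration.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        # The stored baseline must itself be tamper-evident (signed, or kept
        # off-host); here it is only round-tripped through JSON as it would be
        # when read back from disk.
        stored = json.loads(json.dumps(build_baseline(root)))
        # Simulated unauthorized changes: a weakened sshd setting and a new file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "shadow.bak").write_bytes(b"\x7fELF")
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

demo() reports etc/sshd_config as modified and etc/shadow.bak as added. In production the baseline is produced at build or deploy time, signed, and stored off the monitored host, and the comparison runs on a schedule or on file-change events with results forwarded to the alerting pipeline; a baseline that the same attacker can rewrite detects nothing, which is the first thing to check when evaluating a FIM deployment against this point of focus.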
Dash Provided Internal Controls

Policy Control - Employee Policy
Policy Control - Employee Policy
Policy Control - Employee Policy
Policy Control - Employee Policy
Policy Control - Employee Policy

Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy
Policy Control - Risk Management Policy

Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - Data Integrity Policy
Policy Control - Data Integrity Policy

Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy
Policy Control - System Access Policy

Policy Control - Configuration Management Policy
Policy Control - Configuration Management Policy
Policy Control - Configuration Management Policy
Policy Control - Configuration Management Policy
Policy Control - Intrusion Detection System (IDS) Policy
Policy Control - Facility Access Policy
Policy Control - Disaster Recovery Policy
Policy Control - Facility Access Policy
Policy Control - Disaster Recovery Policy
Policy Control - Facility Access Policy + Disaster Recovery Policy
Policy Control - Facility Access Policy + Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy

Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Compliance Scanning - Detect access control issues across cloud services
Compliance Scanning - Detect unrestricted cloud resources and open ports
Compliance Scanning - Detect cloud user, role, and permission issues
Compliance Scanning - Determine network and resource security rule issues
Compliance Scanning - Determine network and resource security rule issues
Compliance Scanning - Determine network and resource security rule issues
Compliance Scanning - Detect user password and access key rotation and issues
Compliance Scanning - Detect insecure or unrotated access keys, weak password standards
Compliance Scanning - Detect cloud resource encryption "at-rest" and "in-transit"
Compliance Scanning - Detect cloud resource encryption issues

Compliance Scanning - Detect unrestricted cloud resources and open ports
Compliance Scanning - Detect access control issues across cloud services
Compliance Scanning - Detect access control issues across cloud services
Compliance Scanning - Detect access control issues across cloud services

Compliance Scanning - Dash Continuous Compliance Monitoring Standards
Compliance Scanning - Dash Continuous Compliance Monitoring
Compliance Scanning - Detect when audit logging is not enabled across cloud resources
Compliance Scanning - Detect cloud service anomalies
Compliance Scanning - Dash Continuous Compliance Monitoring
Compliance Scanning - Detect inadequate cloud service backup settings
Compliance Scanning - Detect inadequate cloud service backup settings

Compliance Scanning - Detect audit logging settings and issues
Policy Control - Disaster Recovery Policy
Policy Control - Disaster Recovery Policy
Compliance Scanning - Detect inadequate cloud service backup settings
Compliance Scanning - Detect inadequate cloud service backup settings

Compliance Scanning - Detect cloud service access and backup settings
Compliance Scanning - Detect cloud service access and backup settings
Compliance Scanning - Detect cloud service availability and backup settings
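The CC6.6 points of focus (restricting what a communication channel permits, and boundary protection at external access points) and the "Detect unrestricted cloud resources and open ports" scan listed above describe the same check from two sides. The block below is an added example of that check written for this page; it is not Dash's scanner and not part of the AICPA criteria. The input mimics the shape of an EC2 DescribeSecurityGroups response (GroupId, IpPermissions, IpRanges, Ipv6Ranges), but the groups, rules and the list of sensitive ports are constructed for the demonstration.

```python
"""Flag security-group ingress rules that expose sensitive ports to any source."""
import ipaddress

# Ports whose exposure to 0.0.0.0/0 or ::/0 is almost always a finding.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
    6379: "redis", 27017: "mongodb",
}

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # Protocol -1 is "all traffic": no FromPort/ToPort keys are present.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []},
    ]},
]


def is_world(cidr: str) -> bool:
    """True when the CIDR covers every address of its family (a /0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm: dict) -> tuple:
    """Port span a permission entry opens; all-traffic rules open every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def findings_for_group(group: dict) -> list:
    """One finding per (rule, world-reachable source) pair hitting a sensitive port."""
    findings = []
    for perm in group.get("IpPermissions", []):
        lo, hi = port_range(perm)
        all_traffic = perm.get("IpProtocol") == "-1"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        for src in sources:
            if is_world(src) and (exposed or all_traffic):
                findings.append({
                    "group": group["GroupId"],
                    "source": src,
                    "ports": exposed,
                    "all_traffic": all_traffic,
                })
    return findings


def scan(groups: list) -> list:
    """Run the check over every group and flatten the findings."""
    return [f for g in groups for f in findings_for_group(g)]


if __name__ == "__main__":
    for f in scan(SAMPLE_GROUPS):
        names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in f["ports"])
        print(f"{f['group']}: {f['source']} reaches {names}"
              + (" (all traffic)" if f["all_traffic"] else ""))
```

On the sample, sg-web is clean (443 to the world is expected for a web tier), sg-bastion produces two findings (SSH from 0.0.0.0/0 and from ::/0), and sg-db produces one for the all-traffic rule. Two caveats when using a check like this as evidence for CC6.6: a /0 test misses pairs of rules such as 0.0.0.0/1 plus 128.0.0.0/1 that together cover the internet, so a stricter scan should also flag any public source wider than the entity's allow-listed ranges; and a security group is only reachable if the resource has a public address and the network ACL permits the traffic, so the finding is a prompt to narrow the source CIDR or move SSH/RDP behind a bastion or session broker, not proof of exposure by itself.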
