Professional Documents
Culture Documents
2017 Trust Services Criteria
2017 Trust Services Criteria
COSO Point Sets the Tone at the Top—The board of directors and management, at all
of Focus for levels, demonstrate through their directives, actions, and behavior the
CC1.1 importance of integrity and ethical values to support the functioning of the
system of internal control.
2017 Trust Services Criteria
COSO Point Establishes Standards of Conduct—The expectations of the board of
of Focus for directors and senior management concerning integrity and ethical values
CC1.1 are defined in the entity’s standards of conduct and understood at all
levels of the entity and by outsourced service providers and business
partners.
COSO Point Attracts, Develops, and Retains Individuals—The entity provides the
of Focus for mentoring and training needed to attract, develop, and retain sufficient
CC1.4 and competent personnel and outsourced service providers to support
the achievement of objectives.
2017 Trust Services Criteria
COSO Point Plans and Prepares for Succession—Senior management and the board
of Focus for of directors develop contingency plans for assignments of responsibility
CC1.4 important for internal control.
Additional Considers the Background of Individuals—The entity considers the
TSC Point of background of potential and existing personnel, contractors, and vendor
Focus for employees when determining whether to employ and retain the
CC1.4 individuals.
CC1.5 COSO Principle 5: The entity holds individuals accountable for their
internal control responsibilities in the pursuit of objectives.
2017 Trust Services Criteria
COSO Point Enforces Accountability Through Structures, Authorities, and
of Focus for Responsibilities—Management and the board of directors establish the
CC1.5 mechanisms to communicate and hold individuals accountable for
performance of internal control responsibilities across the entity and
implement corrective action as necessary.
COSO Point Evaluates Performance Measures, Incentives, and Rewards for Ongoing
of Focus for Relevance—Management and the board of directors align incentives and
CC1.5 rewards with the fulfillment of internal control responsibilities in the
achievement of objectives.
Operations Ojectives
COSO Point Reflects Management's Choices—Operations objectives reflect
of Focus for management's choices about structure, industry considerations, and
CC3.1 performance of the entity.
COSO Point Considers Tolerances for Risk—Management considers the acceptable
of Focus for levels of variation relative to the achievement of operations objectives.
CC3.1
2017 Trust Services Criteria
COSO Point Includes Operations and Financial Performance Goals—The organization
of Focus for reflects the desired level of operations and financial performance for the
CC3.1 entity within operations objectives.
COSO Point Includes Entity, Subsidiary, Division, Operating Unit, and Functional
of Focus for Levels—The entity identifies and assesses risk at the entity, subsidiary,
CC3.2 division, operating unit, and functional levels relevant to the achievement
of objectives.
2017 Trust Services Criteria
COSO Point Analyzes Internal and External Factors—Risk identification considers
of Focus for both internal and external factors and their impact on the achievement of
CC3.2 objectives.
COSO Point Involves Appropriate Levels of Management—The entity puts into place
of Focus for effective risk assessment mechanisms that involve appropriate levels of
CC3.2 management.
2017 Trust Services Criteria
COSO Point Estimates Significance of Risks Identified—Identified risks are analyzed
of Focus for through a process that includes estimating the potential significance of
CC3.2 the risk.
CC3.3 COSO Principle 8: The entity considers the potential for fraud in
assessing risks to the achievement of objectives.
2017 Trust Services Criteria
COSO Point Considers Various Types of Fraud—The assessment of fraud considers
of Focus for fraudulent reporting, possible loss of assets, and corruption resulting from
CC3.3 the various ways that fraud and misconduct can occur.
CC3.4 COSO Principle 9: The entity identifies and assesses changes that could
significantly impact the system of internal control.
2017 Trust Services Criteria
COSO Point Integrates With Business Processes—Ongoing evaluations are built into
of Focus for the business processes and adjust to changing conditions.
CC4.1
2017 Trust Services Criteria
COSO Point Adjusts Scope and Frequency—Management varies the scope and
of Focus for frequency of separate evaluations depending on risk.
CC4.1
CC4.2 COSO Principle 17: The entity evaluates and communicates internal
control deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the board of
directors, as appropriate.
2017 Trust Services Criteria
COSO Point Assesses Results—Management and the board of directors, as
of Focus for appropriate, assess results of ongoing and separate evaluations.
CC4.2
TSC Point of Identifies and Manages the Inventory of Information Assets—The entity
Focus for identifies, inventories, classifies, and manages information assets.
CC6.1
TSC Point of Manages Points of Access—Points of access by outside entities and the
Focus for types of data that flow through the points of access are identified,
CC6.1 inventoried, and managed. The types of individuals and systems using
each point of access are identified, documented, and managed.
TSC Point of Manages Credentials for Infrastructure and Software—New internal and
Focus for external infrastructure and software are registered, authorized, and
CC6.1 documented prior to being granted access credentials and implemented
on the network or access point. Credentials are removed and access is
disabled when access is no longer required or the infrastructure and
software are no longer in use.
CC6.2 Prior to issuing system credentials and granting system access, the
entity registers and authorizes new internal and external users
whose access is administered by the entity. For those users whose
access is administered by the entity, user system credentials are
removed when user access is no longer authorized.
2017 Trust Services Criteria
TSC Point of Controls Access Credentials to Protected Assets—Information asset
Focus for access credentials are created based on an authorization from the
CC6.2 system's asset owner or authorized custodian.
TSC Point of Removes Data and Software From Entity Control—Procedures are in
Focus for place to remove data and software stored on equipment to be removed
CC6.5 from the physical control of the entity and to render such data and
software unreadable.
CC6.8 The entity implements controls to prevent or detect and act upon the
introduction of unauthorized or malicious software to meet the
entity’s objectives.
2017 Trust Services Criteria
TSC Point of Restricts Application and Software Installation—The ability to install
Focus for applications and software is restricted to authorized individuals.
CC6.8
CC7.2 The entity monitors system components and the operation of those
components for anomalies that are indicative of malicious acts,
natural disasters, and errors affecting the entity's ability to meet its
objectives; anomalies are analyzed to determine whether they
represent security events.
TSC Point of Assigns Roles and Responsibilities—Roles and responsibilities for the
Focus for design, implementation, maintenance, and execution of the incident
CC7.4 response program are assigned, including the use of external resources
when necessary.
TSC Point of Contains Security Incidents—Procedures are in place to contain security
Focus for incidents that actively threaten entity objectives.
CC7.4
TSC Point of Restores the Affected Environment—The activities restore the affected
Focus for environment to functional operation by rebuilding systems, updating
CC7.5 software, installing patches, and changing configurations, as needed.
2017 Trust Services Criteria
TSC Point of Communicates Information About the Event—Communications about the
Focus for nature of the incident, recovery actions taken, and activities required for
CC7.5 the prevention of future security events are made to management and
others as appropriate (internal and external).
TSC Point of Determines Root Cause of the Event—The root cause of the event is
Focus for determined.
CC7.5
TSC Point of Manages Changes Throughout the System Lifecycle—A process for
Focus for managing system changes throughout the lifecycle of the system and its
CC8.1 components (infrastructure, data, software and procedures) is used to
support system availability and processing integrity.
2017 Trust Services Criteria
TSC Point of Authorizes Changes—A process is in place to authorize system changes
Focus for prior to development.
CC8.1
TSC Point of Designs and Develops Changes—A process is in place to design and
Focus for develop system changes.
CC8.1
2017 Trust Services Criteria
TSC Point of Documents Changes—A process is in place to document system
Focus for changes to support ongoing maintenance of the system and to support
CC8.1 system users in performing their responsibilities.
TSC Point of Tracks System Changes—A process is in place to track system changes
Focus for prior to implementation.
CC8.1
2017 Trust Services Criteria
TSC Point of Configures Software—A process is in place to select and implement the
Focus for configuration parameters used to control the functionality of software.
CC8.1
TSC Point of Tests System Changes—A process is in place to test system changes
Focus for prior to implementation.
CC8.1
2017 Trust Services Criteria
TSC Point of Approves System Changes—A process is in place to approve system
Focus for changes prior to implementation.
CC8.1
TSC Point of Considers the Use of Insurance to Mitigate Financial Impact Risks—The
Focus for risk management activities consider the use of insurance to offset the
CC9.1 financial impact of loss events that would otherwise impair the ability of
the entity to meet its objectives.
CC9.2 The entity assesses and manages risks associated with vendors and
business partners.
2017 Trust Services Criteria
TSC Point of Establishes Requirements for Vendor and Business Partner
Focus for Engagements—The entity establishes specific requirements for a vendor
CC9.2 and business partner engagement that includes (1) scope of services and
product specifications, (2) roles and responsibilities, (3) compliance
requirements, and (4) service levels.
TSC Point of Assesses Vendor and Business Partner Risks—The entity assesses, on a
Focus for periodic basis, the risks that vendors and business partners (and those
CC9.2 entities’ vendors and business partners) represent to the achievement of
the entity's objectives.
TSC Point of Assigns Responsibility and Accountability for Managing Vendors and
Focus for Business Partners—The entity assigns responsibility and accountability
CC9.2 for the management of risks associated with vendors and business
partners.
2017 Trust Services Criteria
TSC Point of Establishes Communication Protocols for Vendors and Business Partners
Focus for —The entity establishes communication and resolution protocols for
CC9.2 service or product issues related to vendors and business partners.
TSC Point of Establishes Exception Handling Procedures From Vendors and Business
Focus for Partners —The entity establishes exception handling procedures for
CC9.2 service or product issues related to vendors and business partners.
TSC Point of Implements Procedures for Terminating Vendor and Business Partner
Focus for Relationships — The entity implements procedures for terminating vendor
CC9.2 and business partner relationships.
TSC Point of Obtains Privacy Commitments from Vendors and Business Partners—
Focus for The entity obtains privacy commitments, consistent with the entity’s
CC9.2 privacy commitments and requirements, from vendors and business
partners who have access to personal information.
TSC Point of Forecasts Capacity—The expected average and peak use of system
Focus for components is forecasted and compared to system capacity and
A1.1 associated tolerances. Forecasting considers capacity in the event of the
failure of system components that constrain capacity.
TSC Point of Performs Data Backup—Procedures are in place for backing up data,
Focus for monitoring to detect back-up failures, and initiating corrective action when
A1.2 such failures occur.
TSC Point of Tests Integrity and Completeness of Back-Up Data—The integrity and
Focus for completeness of back-up information is tested on a periodic basis.
A1.3