Original format: xlsx
Primary sheet: TS to NIST CSF
CSV companion: TSC_mapping_NIST_CSF.csv
| TSC REF | Trust Services Criteria | POINTS OF FOCUS | NIST REF | NIST CSF SUB-CATEGORY |
|---|---|---|---|---|
| | CONTROL ENVIRONMENT | | | |
| CC 1.1 | COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. | | | |
| CC 1.1.1 | | Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. | PR.AT-4 | Senior executives understand roles & responsibilities |
| CC 1.1.2 | | Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. | | |
| CC 1.1.3 | | Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. | | |
| CC 1.1.4 | | Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner. | | |
| CC 1.1.5 | | Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner. | | |
| CC 1.2 | COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | | | |
| CC 1.2.1 | | Establishes Oversight Responsibilities—The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. | | |
| CC 1.2.2 | | Applies Relevant Expertise—The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. | | |
| CC 1.2.3 | | Operates Independently—The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. | | |
| CC 1.2.4 | | Supplements Board Expertise—The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants. | | |
| CC 1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | | | |
| CC 1.3.1 | | Considers All Structures of the Entity—Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. | | |
| CC 1.3.2 | | Establishes Reporting Lines—Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. | | |
| CC 1.3.3 | | Defines, Assigns, and Limits Authorities and Responsibilities—Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. | ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
| CC 1.3.4 | | Addresses Specific Requirements When Defining Authorities and Responsibilities—Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. | | |
| CC 1.3.5 | | Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities—Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities. | | |
| CC 1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | | | |
| CC 1.4.1 | | Establishes Policies and Practices—Policies and practices reflect expectations of competence necessary to support the achievement of objectives. | | |
| CC 1.4.2 | | Evaluates Competence and Addresses Shortcomings—The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. | | |
| CC 1.4.3 | | Attracts, Develops, and Retains Individuals—The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. | | |
| CC 1.4.4 | | Plans and Prepares for Succession—Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. | | |
| CC 1.4.5 | | Considers the Background of Individuals—The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. | PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |
| CC 1.4.6 | | Considers the Technical Competency of Individuals—The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. | | |
| CC 1.4.7 | | Provides Training to Maintain Technical Competencies—The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. | | |
| CC 1.5 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | | | |
| CC 1.5.1 | | Enforces Accountability Through Structures, Authorities, and Responsibilities—Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. | | |
| CC 1.5.2 | | Establishes Performance Measures, Incentives, and Rewards—Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. | | |
| CC 1.5.3 | | Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. | | |
| CC 1.5.4 | | Considers Excessive Pressures—Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. | | |
| CC 1.5.5 | | Evaluates Performance and Rewards or Disciplines Individuals—Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate. | | |
| | COMMUNICATION AND INFORMATION | | | |
| CC2.1 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | | | |
| | | Identifies Information Requirements—A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. | | |
| | | Captures Internal and External Sources of Data—Information systems capture internal and external sources of data. | | |
| | | Processes Relevant Data Into Information—Information systems process and transform relevant data into information. | | |
| | | Maintains Quality Throughout Processing—Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. | | |
| CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | | | |
| | | Communicates Internal Control Information—A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. | PR.AT-1 | All users are informed and trained |
| | | | PR.AT-2 | Privileged users understand roles & responsibilities |
| | | | PR.AT-5 | Physical and information security personnel understand roles & responsibilities |
| | | Communicates With the Board of Directors—Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. | PR.AT-4 | Senior executives understand roles & responsibilities |
| | | Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. | | |
| | | Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the information. | | |
| | | Communicates Responsibilities—Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. | PR.AT-1 | All users are informed and trained |
| | | | PR.AT-2 | Privileged users understand roles & responsibilities |
| | | Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters—Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. | PR.AT-1 | All users are informed and trained |
| | | Communicates Objectives and Changes to Objectives—The entity communicates its objectives and changes to those objectives to personnel in a timely manner. | | |