COSO Framework for Service Organizations and SOC Reporting (Part 3 of 3)

Jamie Kilcoyne, Managing Director Coalfire Controls

In part 1 of this series, we discussed the recent changes to the COSO framework and the overall impact that the updated framework has on service organizations that receive Service Organization Controls (SOC) reports. Three of the differences identified between the 1992 and 2013 frameworks that impact service organizations are as follows:

  1. Emphasis on understanding and evaluating controls of outsourced service providers (OSPs).
  2. Emphasis on risk assessment and fraud risk assessment.
  3. Emphasis on IT controls.

In the first two posts, we discussed items 1 and 2 above. The objective of this post is to discuss the increased emphasis on IT controls.
One of the most significant changes that businesses have experienced between the release of COSO’s 1992 and 2013 frameworks is the automation of processes and controls and the increased reliance on IT. While COSO’s 1992 framework included only very general, high-level information about IT controls, the 2013 framework includes much more specific guidance.
The 2013 framework classifies the key IT General Controls (ITGCs) as follows:

  • Technology infrastructure
  • Security management processes
  • Technology acquisition, development and maintenance processes

For purposes of this blog post, I would like to comment on the relevance of security management to service organizations that receive a SOC 1 or SOC 2 report. One of the trends I have noticed lately on SOC engagements (for both large and small organizations) is that most companies have established strong controls over access to their data, operating system, network, application and physical layers. They make significant investments in controlling their perimeter with sophisticated devices and technology. They are doing all of the right things with regard to technical controls, but they don’t pay enough attention to basic security awareness training for their employees. This training can be invaluable for protecting companies from hackers and for limiting the damage companies could suffer if cybercriminals attack.

The 2015 Data Breach Investigations Report recently released by Verizon Enterprise Solutions includes some very interesting information that should motivate companies to focus more heavily on security awareness training. For example, most hacker attacks in 2014 started when someone responded to a phishing email that allowed hackers access into the system. Verizon found that 23% of all recipients of phishing scams still open such emails and 11% click on the attachments!
During SOC engagements, many of our clients ask me what an effective security awareness training program looks like. My response will vary depending on the nature of the company’s business and the type of data that it stores or processes. In most cases, however, I recommend that, at a minimum, each and every employee attend a 1-2 hour annual security awareness training course that explains the latest vulnerabilities being exploited by hackers and cybercriminals and provides instruction on how to recognize and avoid them. This will empower employees to be the first line of defense against hackers and reduce the risk of being hacked. Security awareness training is arguably one of the most valuable investments that companies can make.
Thanks for reading!

Jamie Kilcoyne
