Security Communication and Information
COSO Principle 14: The entity internally communicates information including objectives and responsibilities for internal control necessary to support the functioning of internal control.
- Communicates Internal Control Information—A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
- Communicates With the Board of Directors—Communication exists between management and the board of directors so that both have the information needed to fulfill their roles with respect to the entity’s objectives.
- Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
- Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the information.
- Communicates Responsibilities—Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities.
- Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters—Entity personnel are provided with information on how to report system failures, incidents, concerns, and other complaints to the appropriate personnel.
- Communicates Objectives and Changes to Objectives—The entity communicates its objectives and changes to those objectives to personnel in a timely manner.
- Communicates Information to Improve Security Knowledge and Awareness—The entity communicates information to improve security knowledge and awareness, and to model appropriate security behaviors, to personnel through a security awareness training program.
- Communicates Information About System Operation and Boundaries—The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel, to enable them to understand their role in the system and the results of system operation.
- Communicates System Objectives—The entity communicates its system objectives to personnel to enable them to carry out their responsibilities.
- Communicates System Changes—System changes that affect responsibilities or the achievement of the entity’s objectives are communicated in a timely manner.
What is a Cybersecurity Compliance Framework?
As your security and privacy programs become more sophisticated, you don’t need to clutter them with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress against and monitor any framework, from custom-built ones to highly specialized, in-demand security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- CIS Framework Controls V8