Framework Subject Matter
Control Environment
The control environment TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC1.1 | COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. |
CC1.2 | COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. |
CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
CC1.5 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
A control environment refers to a service organization's compliance culture and includes everything from organizational structure (and its different departments) to ethical values. This compliance culture, organizational structure and ethical values need to filter down from the top.
Keep in mind that the points of focus should also be used as guidance:
A process on how ethical values are communicated to the employees and what training is done in this regard.
HR onboarding process of new employees, which includes policies and procedures, screening processes and training programs.
An organizational chart should be developed.
Board and management meetings should be taking place and minutes should be kept.
Policies and procedures for various business processes should be implemented e.g. Ethics policy, Security policy, HR policy, IT Policy, Leave policy, Bonus policy, KPC policy etc.
If the service organization has a well-functioning HR department, then compliance with the common criteria related to the Control Environment should be easy. In most SOC 2 audits, there are rarely, if any, pitfalls in this TSC.
Communication and Information
The communication and information TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC2.1 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. |
CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
Quality information and effective communication within a service organization can impact meeting internal control objectives. When the service auditor needs to gain an understanding of the service organization, the first place that they will turn to is the service organization's documentation. While documenting is a tedious job (hopefully digitally), it is a way to bring the service auditor up to speed quickly when they have no other contextual understanding of the service organization or the system.
Keep in mind that from an auditor's eyes, if it isn't documented, then it didn't happen (or doesn't exist). In terms of communication, this includes communication expectations between the Board of Directors, management, and employees, and between the company and external parties. This will also include security awareness training among employees of the service organization.
Keep in mind that the points of focus should also be used as guidance:
Policies and procedures for various business processes should be implemented e.g. Ethics policy, Security policy, HR policy, IT Policy, Leave policy, Bonus policy, KPC policy etc.
A detailed description of the product architecture and system boundaries is documented and available internally to the company's employees.
A Security Incident Response Policy is developed in order to respond to security incidents and personal data breaches in accordance with applicable regulations.
A website that provides access for customers or other relevant stakeholders.
Communication channels for service interruptions are in place between the service organization and the customers.
A support team is available at the service organization. Customers can contact the support team through support email, log a ticket or directly call them.
A monitoring tool is deployed 24/7 to detect anomalies and service disruption.
While it is difficult to cover every specific common criteria requirement related to communication and information, this is a great starting point. If communication between the various internal and external entities of the business is clear, maintained and documented, this section should be an easy pass. Most issues we see here are a lack of maintained evidence of these control activities, not a lack of the control activities themselves.
Risk Assessment
The risk assessment TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC3.1 | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
CC3.3 | COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives. |
CC3.4 | COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. |
When the service auditor looks at this TSC, the service organization needs to think about performing risk analysis that includes multiple tasks such as identifying assets, identifying the threats and vulnerabilities related to those assets, determining the likelihood and impact of those risks being realized, mitigating those risks, and dealing with any other issues that occur along the way.
Keep in mind that the points of focus should also be used as guidance:
A risk assessment register that indicates all the risks identified in the service organization, which includes the rating of these risks as well as the threats and vulnerabilities identified.
A risk assessment policy that is reviewed annually and signed off.
Regular risk assessment meetings should be held and the minutes of these meetings should be safeguarded.
Vulnerability assessments are performed on the IT environment to identify any IT vulnerabilities.
From what we have read above, it is clear that this section of SOC 2 revolves around the risk assessment process. This includes identifying risks, mitigating the relevant risks, and implementing controls to minimize or eliminate those risks. The service organization should have a clear and formal process in place with regards to the risk assessment process. Key documentation will include the risk register/matrix.
Monitoring Activities
The monitoring activities TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
CC4.2 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
Because every organization is different when it comes to monitoring activities, a service auditor will seek to understand what the organization does and how they do it during a SOC 2 audit. Considering this, in order for an organization to demonstrate that they comply with TSC, they’ll need to show that they are conducting evaluations of internal control.
Keep in mind that the points of focus should also be used as guidance:
An internal audit function should address the common criteria for this TSC.
The internal audit plan will include ongoing evaluations of controls that communicate deficiencies, both internally and externally, when appropriate.
Should an internal audit function not be available, then board and management meetings should be sufficient to cover the elements of internal control.
The Management team should be meeting on a regular basis, in order to evaluate risks and threats and discuss any internal control deficiencies.
Essentially, having effective evaluations of internal control allows organizations to ensure that their internal controls are present and functioning, and if they aren’t, the evaluations of internal control will give insight into the vulnerabilities that need to be remediated. As with the communication and information TSC, the lack of maintaining evidence of monitoring internal control can lead to a pitfall.
Control Activities
The control activities TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC5.1 | COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
CC5.2 | COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives. |
CC5.3 | COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. |
When the service auditor assesses an organization’s compliance with this TSC during a SOC 2 audit, they will want to see that the organization has implemented internal controls that assist them in accomplishing their business objectives. This TSC can be a bit ambiguous and it is intended to be broad in order to allow organizations to implement the internal controls that work best for their organization and the goals they need to meet.
Keep in mind that the points of focus should also be used as guidance:
Controls relating to the risk assessment TSC are found to be the best fit for this TSC.
Board and management meetings also serve as a type of oversight control, ensuring internal control is operating effectively.
The service organization separates duties of individuals by granting users access based on job responsibilities and least privilege and limiting access to only authorized users.
Sensitive permissions (admin/super user access) granted to users should be reviewed by senior personnel (CIO for example).
The control activity TSC is all about management and the lead implementer choosing the right internal controls for the service organization, implementing internal controls, and making sure the variety of controls chosen is the right mix so that risk can be reduced altogether.
Let’s use physical security as an example. If a service organization needs to implement internal controls to mitigate the risk of an unauthorized person entering sensitive areas of an office building, what would those look like?
An organization wouldn’t use one internal control to mitigate this risk. Instead, a mix of control activity types would be necessary. This might include a locked front door, a receptionist or security guard, video cameras, access cards, and other individuals throughout the building who would be able to notify the proper personnel if an unauthorized person was on the property. By choosing this variety of controls, an unauthorized person would be far less likely to access a sensitive area than if only one of those internal controls was in place.
Logical and Physical Access Controls
The logical and physical access controls TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. |
CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |
CC6.4 | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. |
CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. |
CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. |
This TSC encompasses a variety of controls that relate to access control in the control environment. These controls include safeguards to monitor and restrict access to sensitive data and any devices or networks on which it is stored, transmitted, or processed. Service organizations need to demonstrate that they're taking physical and virtual measures to protect data privacy, integrity, and confidentiality. Because employees are the weakest link of every organization, the proper measures must be taken to mitigate the risks associated with human error prior to engaging in a SOC 2 audit.
Furthermore, when service organizations assign roles and responsibilities to employees, they implement the concept of “least access necessary” i.e. bare minimum access is given in order for the user to fulfill their job duties.
Similarly, assigning roles and responsibilities assists service organizations in ensuring that there is a segregation of duties so that there are no conflicts of interest within the organization.
While malicious hackers often attack digitally, service organizations must account for the risk that their physical environments could be compromised too. This means that implementing physical security controls in facilities or other locations that hold sensitive information needs to be a top priority for service organizations.
Keep in mind that the points of focus should also be used as guidance:
A password policy should be in place with parameters complying with best practice.
Access to production should be restricted.
A process should be in place that reviews and approves all user access.
Terminated user accounts should be managed in a timely manner.
User access reviews should be performed on all users on a regular basis.
Physical access should be managed and restricted to authorized personnel only.
End point management – disk level encryption, passwords and screen lock.
Firewall rules are configured to restrict access to the computing environment and enforce boundaries of computing clusters.
Access to backups is restricted.
This TSC aims to ensure that service organizations meet their business objectives by protecting their sensitive assets from malicious internal and external threats – both digitally and by physical means.
More often than not, this TSC produces the most deficiencies, especially on an operating effectiveness level i.e. samples here and there tend to fail.
For example, 10 signed user access forms are requested and only 9 are signed off by the CIO, which produces a deficiency.
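The points of focus above (timely handling of terminated accounts, regular user access reviews, senior sign-off on privileged access) can be tested the same way an auditor samples them. The script below is an added example, not from the original page; the HR roster and account export are constructed sample data, and the 7-day deprovisioning window and the list of senior approvers are assumptions.

```python
"""Added example: an automated user access review covering the CC6 points
of focus (terminated accounts, access reviews, senior sign-off on admin
access). All data here is constructed sample data, not a real export."""
from datetime import date, timedelta

# Constructed HR roster: user -> termination date, or None if still employed.
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 1, 10),   # terminated months ago
    "carol": date(2024, 3, 1),  # terminated a few days before the review
    "dave": None,
}

# Constructed account export: (user, system, active, privileged, approved_by).
ACCOUNTS = [
    ("alice", "prod-db", True, True, "CIO"),
    ("alice", "crm", True, False, "Manager"),
    ("bob", "prod-db", True, False, "Manager"),    # terminated, still active
    ("carol", "crm", True, False, "Manager"),      # terminated, inside the grace period
    ("dave", "prod-db", True, True, "Manager"),    # admin access not approved by senior staff
    ("eve", "crm", True, False, "Manager"),        # active account with no HR record
    ("frank", "crm", False, False, "Manager"),     # already disabled, nothing to test
]

# Assumptions: "timely" deprovisioning means within 7 days, and only these
# roles count as senior personnel for approving privileged access.
DEPROVISION_SLA = timedelta(days=7)
SENIOR_APPROVERS = {"CIO", "CTO"}
REVIEW_DATE = date(2024, 3, 5)   # constructed date of the review


def review_access(accounts, roster, review_date,
                  sla=DEPROVISION_SLA, senior=SENIOR_APPROVERS):
    """Return a (user, system, finding) tuple for every exception in the sample."""
    findings = []
    for user, system, active, privileged, approver in accounts:
        if not active:
            continue
        if user not in roster:
            findings.append((user, system, "active account with no HR record"))
            continue
        terminated = roster[user]
        if terminated is not None and review_date - terminated > sla:
            days = (review_date - terminated).days
            findings.append((user, system, f"still active {days} days after termination"))
        if privileged and approver not in senior:
            findings.append((user, system, f"privileged access approved by {approver}, not senior personnel"))
    return findings


def exception_summary(accounts, findings):
    """Sample size versus exceptions, the way a test result is reported."""
    tested = sum(1 for a in accounts if a[2])
    failed = len({(f[0], f[1]) for f in findings})
    return tested, failed


def run_review(review_date=REVIEW_DATE):
    return review_access(ACCOUNTS, HR_ROSTER, review_date)


if __name__ == "__main__":
    results = run_review()
    for user, system, finding in results:
        print(f"{user}@{system}: {finding}")
    print("tested/exceptions:", exception_summary(ACCOUNTS, results))
```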
System Operations
The system operations TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. |
During a SOC 2 audit, an auditor will assess that an organization meets the requirements of this TSC by looking for the following:
The entity uses defined configuration standards.
The entity monitors infrastructure and software.
The entity implements change-detection mechanisms.
The entity detects unknown or unauthorized components.
The entity conducts vulnerability scans.
Keep in mind that the points of focus should also be used as guidance:
Effective firewall configurations and hardening standards should be implemented. Firewall configurations play a critical role in protecting an organization's assets and hardening standards increase the level of security of an organization's systems.
Vulnerability scans are performed on the production environment using a dedicated tool in order to identify issues.
A monitoring tool is deployed 24/7 to detect anomalies and service disruption.
Audit logs are continuously monitored for events related to security, availability, and confidentiality threats. Alerts are generated for further investigation.
A Security Incident Response Policy should be in place, in order to respond to security incidents and personal data breaches in accordance with applicable regulations.
These are some examples of ways that the service organization would detect and monitor changes and new vulnerabilities. Management and the lead implementer need to think about how they would do that in their environment, and specifically think about what their standard is to begin with. What is their goal in how these things should be configured? How tight do they want it to be?
Again, management and the lead implementer should think of things in terms of a "default-deny policy". They should start with nothing installed and only specifically allow the things that are necessary for the system to do what it is they expect it to do, and the software, ports, and services that are necessary for the service organization. An effectively configured firewall, a monitoring tool and vulnerability scans should allow this TSC to pass.
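The default-deny standard and the change-detection mechanism described above can be expressed as a baseline that is compared against what is actually observed. The script below is an added example, not from the original page; the approved baseline, the observed listener inventory and the firewall config snapshots are all constructed sample data (a real deployment would feed it from a scanner or inventory agent).

```python
"""Added example: a default-deny baseline check for CC7.1. Every observed
listening service must be explicitly allowed; anything else is an unauthorized
component, and anything allowed but absent is drift. Config files are compared
by hash to detect changes. All inputs are constructed sample data."""
import hashlib

# Approved baseline: host -> set of (port, protocol, service) explicitly allowed.
BASELINE = {
    "web-01": {(443, "tcp", "nginx"), (22, "tcp", "sshd")},
    "db-01": {(5432, "tcp", "postgres"), (22, "tcp", "sshd")},
}

# Constructed observation, as an inventory agent or port scan would report it.
OBSERVED = {
    "web-01": {(443, "tcp", "nginx"), (22, "tcp", "sshd"), (8080, "tcp", "jenkins")},
    "db-01": {(5432, "tcp", "postgres")},   # sshd expected but not seen
    "build-07": {(22, "tcp", "sshd")},      # host not in the baseline at all
}


def compare_inventory(baseline, observed):
    """Default-deny comparison: returns (host, kind, detail) findings."""
    findings = []
    for host, listeners in sorted(observed.items()):
        allowed = baseline.get(host)
        if allowed is None:
            findings.append((host, "unapproved host", sorted(listeners)))
            continue
        for extra in sorted(listeners - allowed):
            findings.append((host, "unauthorized listener", extra))
        for missing in sorted(allowed - listeners):
            findings.append((host, "expected listener missing", missing))
    return findings


def fingerprint(text: str) -> str:
    """SHA-256 of a config file's contents; the stored value is the baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed firewall config: baseline hash versus current file contents.
BASELINE_HASHES = {"fw-01/rules.conf": fingerprint("default deny\nallow 443/tcp\n")}
CURRENT_FILES = {"fw-01/rules.conf": "default deny\nallow 443/tcp\nallow 3389/tcp\n"}


def detect_config_drift(baseline_hashes, current_files):
    """Return the paths whose current hash differs from (or is missing in) the baseline."""
    return [path for path, content in current_files.items()
            if baseline_hashes.get(path) != fingerprint(content)]


if __name__ == "__main__":
    for host, kind, detail in compare_inventory(BASELINE, OBSERVED):
        print(f"{host}: {kind}: {detail}")
    for path in detect_config_drift(BASELINE_HASHES, CURRENT_FILES):
        print(f"{path}: contents changed since baseline, review required")
```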
Change Management
The change management TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
It's especially important that service organizations can demonstrate to the service auditors that they have an effective change management system in place.
Change management systems provide organizations with policies and procedures for making updates to their IT infrastructure, which in turn helps mitigate the potential for overlooking any new vulnerabilities or risks created while changes are taking place.
Service organizations have used a variety of different change management systems, from simple forms to elaborate ticketing systems.
Whichever way an organization chooses to implement their change management system, though, they should end up with a database that allows them to review all of the changes that have been made at their organization, who authorized them, who tested them and who implemented them.
Below are examples of possible control areas that should be mapped to the common criteria table above. Keep in mind that the points of focus should also be used as guidance:
A change management policy should be in place that details the whole change management process.
All changes need to follow a change management process where changes are tested, reviewed, and approved.
Segregation of duties - users who have access to the development environment should not have access to implement changes in the production environment.
Environments should be segregated between dev, test/QA, and prod.
The best way to pass this TSC is to have a change management policy and procedure in place according to best practice and to ensure that whatever is in that document is implemented in the service organization.
One of the most common deficiencies is developers having access to production.
Ensure that the service organization has a tool in place to manage, track, review, and approve all changes.
That way evidence will be maintained and auditors will be able to audit this TSC with ease.
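The segregation-of-duties and tested/reviewed/approved requirements above can be checked directly against the change records and the environment access matrix. The script below is an added example, not from the original page; the access matrix and the change tickets are constructed sample data, and the field names mimic a generic ticketing export rather than any particular tool.

```python
"""Added example: change-record checks for CC8.1. Flags developers with
production access (segregation of duties), changes that skipped testing or
approval, and changes that the author approved or deployed themselves.
All inputs are constructed sample data."""

# Constructed access matrix: user -> environments the user can change.
ACCESS = {
    "dev1": {"dev"},
    "dev2": {"dev", "prod"},   # segregation-of-duties violation
    "ops1": {"prod"},
    "qa1": {"test"},
    "lead": set(),
}

# Constructed change tickets as a ticketing tool might export them.
CHANGES = [
    {"id": "CHG-1", "author": "dev1", "tester": "qa1", "approver": "lead", "implementer": "ops1"},
    {"id": "CHG-2", "author": "dev2", "tester": "qa1", "approver": "dev2", "implementer": "dev2"},
    {"id": "CHG-3", "author": "dev1", "tester": None, "approver": "lead", "implementer": "ops1"},
]


def sod_violations(access):
    """Users who can both write to dev and implement changes in prod."""
    return sorted(u for u, envs in access.items() if "dev" in envs and "prod" in envs)


def check_change(change, access):
    """Return the list of issues with one change record (empty if clean)."""
    issues = []
    for role in ("tester", "approver"):
        if not change.get(role):
            issues.append(f"missing {role}")
    if change.get("approver") == change["author"]:
        issues.append("author approved own change")
    if change["implementer"] == change["author"]:
        issues.append("author implemented own change")
    if "prod" not in access.get(change["implementer"], set()):
        issues.append("implementer has no production access on record")
    return issues


def audit_changes(changes, access):
    """Map change id -> issues, for changes that have at least one issue."""
    report = {}
    for change in changes:
        issues = check_change(change, access)
        if issues:
            report[change["id"]] = issues
    return report


if __name__ == "__main__":
    print("dev users with prod access:", sod_violations(ACCESS))
    for change_id, issues in audit_changes(CHANGES, ACCESS).items():
        print(change_id, "->", "; ".join(issues))
```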
Risk Mitigation
The risk mitigation TSC has the following common criteria in place:
TSC ref # | Common Criteria |
CC9.1 | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. |
CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |
It's inevitable that the service organization will encounter some type of security incident. Whether it's a big or small incident, organizations that mitigate risks that lead to business disruptions will be better prepared.
Service organizations committed to delivering secure services will need to demonstrate to the service auditor during a SOC 2 audit that they mitigate risks that lead to business disruptions.
Below are examples of possible control areas that should be mapped to the common criteria table above. Keep in mind that the points of focus should also be used as guidance:
Implement a business continuity plan and ensure that it is tested at least annually. The testing evidence needs to be supplied to the auditors.
Purchase business insurance.
Risk assessment meetings should take place at least annually and the meeting minutes should be kept as evidence for the auditors.
For this TSC to pass, a well-documented business continuity plan must be in place, along with evidence that it was tested on an annual basis.
Controls documented in the risk assessment TSC can also be used in this TSC; however, it is key that the service organization demonstrates to the auditor that all risks in the business are mitigated in some way, especially the risk that the organization cannot continue to do business because of power, accidents, natural disasters, etc.