Common Criteria 5.3

As with many other frameworks, including PCI DSS and HIPAA, policies and procedures are an integral component of achieving SOC 2 compliance. Why? Because during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 SOC 2 Trust Services Criteria. As part of that assessment, an auditor will verify whether an organization complies with common criteria 5.3, which says, “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.” Let’s take a look at how organizations can demonstrate compliance with common criteria 5.3 and what expectations auditors will have of policies and procedures.

Expectations of Policies and Procedures for SOC 2 Compliance

Creating and maintaining policies and procedures is no small task. It’s hard, time-consuming work, and it can change your company culture. Creating, implementing, and maintaining effective policies and procedures is also paramount to ensuring an organization’s longevity. Policies lay the foundation of what an organization expects of its personnel, and procedures tell personnel how to meet those expectations. What expectations for policies and procedures will an auditor have, and how can an organization meet them? During a SOC 2 audit, an auditor will verify that an organization does the following:

  • Creates and enforces policies and procedures that support the control activities
  • Establishes a system of accountability and responsibility for control activities in order to ensure that the policies and procedures are adhered to
  • Performs control activities in a timely manner and/or according to the time frame set forth in the policies and procedures
  • Takes corrective action in accordance with the policies and procedures when the control activities surface issues
  • Performs control activities using competent personnel
  • Evaluates policies and procedures periodically and adjusts accordingly

While updating policies and procedures on a regular basis may seem like a tedious task, it’s a necessary one. To ensure compliance with the SOC 2 Trust Services Criteria, establishing processes that ensure the expectations of policies and procedures are met needs to be a top priority. Organizations might have their own personnel take on this task, or they might engage a third party, such as KirkpatrickPrice, to develop their policies and procedures. Either way, committing to the process of maintaining effective policies and procedures will pay off in the long run and will allow organizations to meet the expectations of policies and procedures during their SOC 2 audit journey.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

More Policies and Procedures Resources

Style Guide to Creating Good Policies

Style Guide to Writing Good Procedures

Auditor Insights: Policies and Procedures Are Better Than Gold

Why You Need to Document Your Policies and Procedures

Video Transcription

Common criteria 5.3 in the 2017 SOC 2 Trust Services Criteria is a big one. It’s about putting what you expect into policies, so that the organization can look at policies and understand what is expected of them, but you’ve also put procedures in place so that you can put those policies into action. That’s really the difference between policies and procedures: policies set forth what it is that you’re after, and procedures are how you’re going to get there. This really brings everyone down when we have so many things to do, and it’s so hard to keep our policies and procedures up to date and current. I know that we struggle with this. Sometimes I’ll look at a document that we wrote a few years ago to update it, and I’ll realize that it’s something that we did three years ago, and it’s not at all something that we do today. We can get so busy with other things that are going on, but there needs to be a process in place to get your policies and procedures updated. Make sure that your documentation is current and that your employees are using that documentation to understand what is expected and how they should do that. One idea is to take the reverse effect and ask the people who are responsible for their day-to-day actions to update the procedures and provide them to you, so that you can have visibility into what they’re doing, how they’re accomplishing things, and then back into the update in your documentation by using their critical knowledge to do that.

Common Criteria 5.2

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which includes assessing the organization’s compliance with common criteria 5.2. Common criteria 5.2 says, “The entity also selects and develops general control activities over technology to support the achievement of objectives.” This means that organizations need to design and develop processes to ensure that the technology they use is effective and is helping the organization meet its business objectives. How can organizations go about designing processes for their technology? Let’s discuss.

Implementing Control Activities Over Technology

Technology is a critical component of the continuity of many organizations. Without it, some business processes might not be able to function, and some organizations might not be able to deliver their services at all. However, when organizations become too reliant on their technology, that reliance becomes problematic and can pose increased risk. This is why, in order to comply with SOC 2 common criteria 5.2, organizations must demonstrate that they are designing processes for their technology. Consider an organization that uses an antivirus platform but hasn’t assigned personnel to monitor the updates and alerts that platform produces. If an alert about a new vulnerability or malware is missed, what would be the impact to the organization? Designing processes for an organization’s technology and implementing control activities over that technology would prevent a situation like this from happening and would help organizations ensure that they are in control of the technology they use, and not vice versa.

Designing Processes for Your Technology to Comply with Common Criteria 5.2

While technology can help organizations meet their business objectives, it shouldn’t be the be-all and end-all. Designing processes for your technology, including having personnel monitor, analyze, and act on the information it produces to ensure that the technology is helping the business meet its objectives, is key for SOC 2 compliance. How can organizations demonstrate compliance with common criteria 5.2? A few ways include:

  • Management should determine the dependency between the use of technology in business processes and technology general controls.
  • Management should establish relevant technology infrastructure control activities.
  • Management should establish relevant security management process control activities.
  • Management should establish relevant technology acquisition, development, and maintenance process control activities.


Video Transcription

When you look at common criteria 5.2 of the 2017 SOC 2 Trust Services Criteria, you’ll notice that it says that you have to design and select general control activities over technology to support your internal control goals. What that means is that you do not just live and die over the technology tool. This is something that we see so often during our audits: technology has been put into place but it is not being used. You really have to add processes to the technology to make sure that it is operating the way you’ve intended for it to operate. An example of this, which is very common, is having a very sophisticated log monitoring tool. Organizations might have monitoring software, but they don’t have a person that’s watching the results from the tool. They’re not using, analyzing, or making decisions from the data. If you do vulnerability scans or you get alerts from your software update server or your antivirus platform, but you don’t take action on it or have processes in place to understand what the tool is telling you and you don’t go and take corrective action, then you’ve really missed the point of common criteria 5.2. Common criteria 5.2 is about developing those general control activities over technology so that you’re in control of the technology and you’re using it for the purpose in which it was intended.

Common Criteria 5.1

When an organization undergoes a SOC 2 audit, auditors need to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 5.1 says, “The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” What will an auditor look for when assessing this criterion? What do organizations need to do to show how they are implementing internal controls? Let’s discuss.

Implementing Internal Controls to Mitigate Risk

When an auditor assesses an organization’s compliance with common criteria 5.1 during a SOC 2 audit, they will want to see that the organization has implemented internal controls that help it accomplish its business objectives. But how can organizations demonstrate this? While common criteria 5.1 is a bit ambiguous, it is intended to be broad in order to allow organizations to implement the internal controls that work best for them and the goals they need to meet. To demonstrate compliance, an auditor will want organizations to show that they do the following when implementing internal controls to mitigate risks:

  • Integrate with the risk assessment – Are the internal controls effectively mitigating the risks identified in the risk assessment?
  • Consider entity-specific factors – How does the environment, complexity, nature, and scope of an organization affect the selection and development of the internal controls?
  • Determine relevant business processes – What relevant business processes require internal controls?
  • Evaluate a mix of control activity types – What mix of controls will best mitigate the risks identified?
  • Consider at what level activities are applied – At what level in the organization are internal controls needed?
  • Address segregation of duties – What does management do to segregate incompatible duties or develop alternative internal controls?

Selecting and Developing Internal Controls

Common criteria 5.1 is all about choosing the right internal controls for your organization, implementing internal controls, and making sure the variety of controls chosen is the right mix so that risk can be reduced altogether. Let’s use physical security as an example. If an organization needs to implement internal controls to mitigate the risk of an unauthorized person entering sensitive areas of an office building, what would those look like? An organization wouldn’t use one internal control to mitigate this risk. Instead, a mix of control activity types would be necessary. This might include a locked front door, a receptionist or security guard, video cameras, access cards, and other individuals throughout the building who would be able to notify the proper personnel if an unauthorized person was on the property. By choosing this variety of controls, an unauthorized person would be far less likely to access a sensitive area than if only one of those internal controls was in place.


Video Transcription

You may look at common criteria 5.1 in the SOC 2 Trust Services Criteria and wonder what exactly we’re getting at with it. Common criteria 5.1 is very broad in its intent. It says that the organization selects controls that are designed to mitigate risk. What does that mean exactly? You should put controls into place that help you accomplish what it is that you want to accomplish. I think that we do this naturally. You really want to select controls that will be a mixture of different types of controls to make sure that what you’re expecting as an end result actually occurs. I’ll use physical security as an example. If you’re concerned about unauthorized people getting into a sensitive area, such as a server room or data center, you will very naturally select a variety of controls. You won’t just have one control that you pin your hopes on; you’ll make sure that you have a locked front door, a person sitting at the front who is responsible for monitoring who comes in or out, video cameras, access cards, and other individuals who work inside the building who would be able to recognize if something is wrong if a visitor accesses secure areas. There are multiple controls happening there and any one of them could potentially stop a person from entering the sensitive area. Common criteria 5.1 is all about thinking about your controls, making sure you have the right mix of controls, and making sure that your ultimate goal is met, which is reducing risk.

Common Criteria 4.2

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.2 says, “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss.

Communication is Key

Common criteria 2.2 and 2.3 explain the importance of communication during a SOC 2 audit, but common criteria 4.2 takes it a step further. While organizations need to establish clear and effective methods of two-way communication both internally and externally, they also need to establish processes that emphasize the importance of communicating in a timely manner. Critical vulnerabilities could be missed, breach notifications could be delayed, and clients could be put even more at risk if an organization fails to communicate in a timely manner. Because of this, during a SOC 2 audit, an auditor will want to verify that there are established channels for communication so that all parties are able to relay information in a timely manner and are working together to ensure that the internal controls are in place and operating effectively.

Consider it this way: if an IT employee noticed a vulnerability in the network, what processes are in place so that the employee can notify the correct people to mitigate the problem in a timely manner? Is there a chain of command the employee would have to go through? Would they need to contact the person responsible for taking corrective action directly? If an organization’s employees aren’t aware of how to notify their supervisors of internal control deficiencies in a timely manner, the organization could face reputational, organizational, and financial damage.

When making the journey toward SOC 2 compliance, it is important that organizations demonstrate that they have the processes in place to ensure the proper functioning of their internal controls, which includes communicating effectively about internal control deficiencies. Before beginning a SOC 2 audit, make sure that your management is assessing the results of evaluations over internal controls, communicating with personnel in a timely manner about internal control deficiencies, and monitoring the corrective action plan so that your organization complies with common criteria 4.2.


Video Transcription

The SOC 2 common criteria 4.2 says that your entity has to evaluate and communicate internal control deficiencies in a timely manner. The first step to do this is actually knowing that there is a deficiency. How will you be able to identify that those deficiencies are there so that you can communicate about them in a timely manner? These are things that you have to consider as you design your controls. You’ll also need to ask yourself: does management get the information that they need in a timely way? I remember one time when we identified that the log management server had been turned off at an organization for over six months, but management had no idea. They did not know that the server had been turned off, which indicated to us that the reporting of that particular control and the results and output that came out of that control were not being reported on a regular basis to management, so when it stopped reporting, they weren’t aware and couldn’t deal with it in a timely manner. Being able to communicate about deficiencies, identify them, and have corrective actions is very important. You want to have the type of people who work for you that will tell you about a problem as soon as it’s identified, so that you can deal with it and correct it. Furthermore, you would really like to have the type of people that work for you who will not only tell you about the problem but bring you the corrective action. For example, an employee saying, “The log server went down today, but here’s what we can do to fix it. I am just keeping you informed.” That would be the most ideal way to comply with common criteria 4.2.

Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will not only assess whether or not an organization is effectively monitoring their internal controls but also whether or not the proper person is monitoring those internal controls. Why is that? It comes down to the need for checks and balances, so let’s discuss.

Monitoring Internal Controls

When deciding who should monitor internal controls, the person selected needs to be someone outside the environment who is not responsible for the internal control. For example, if a network administrator is responsible for ensuring that an internal control over a network they built is functioning correctly, that administrator could miss critical vulnerabilities because they work closely with the network every day. Similarly, having the person who is responsible for a control also monitor that control creates an opportunity for that employee to commit fraud.

During the SOC 2 audit process, an auditor will verify that the correct personnel are tasked with monitoring internal controls. Auditors will want to see that organizations are conducting valid, accurate, and above-board evaluations of internal control, and organizations can do this by tasking the correct personnel with oversight. Think of it this way: why do organizations seek out third-party audit firms to conduct audits instead of relying solely on their internal audit team? For organizations that are serious about strengthening their security posture, using third-party audit firms helps them identify and mitigate vulnerabilities that their internal audit department might otherwise have missed. The same blind spot exists when the person who built a network or system component is also the one responsible for monitoring it. To ensure the continuity of an organization’s security posture, it’s critical that the correct person is monitoring the internal controls.


Video Transcription

When we talk about monitoring internal control, it’s very important to ask the question: is the right person monitoring the right thing? For example, if you have an IT function and the only person who is monitoring that IT function is the IT person who implemented it in the first place, then that isn’t a proper way to monitor that control. You have to have some method of evaluating the control and environment that is outside of the one person who is responsible for it. Penetration testing is a great example of this. A lot of times we find that the person who configured and implemented the system is also the person who hires, selects, and monitors the results of the penetration test, but you should ideally keep that separate so that you can have a valid, accurate, and above-board evaluation of a system when you choose to engage in a monitoring activity, such as penetration testing.