Common Criteria 5.2
During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 5.2. Common criteria 5.2 says, “The entity also selects and develops general control activities over technology to support the achievement of objectives.” This means that organizations need to design and develop processes to ensure that the technology being used is effective and helping the organization meet its business objectives. How can organizations go about designing processes for their technology? Let’s discuss.
Implementing Controls Activities Over Technology
Technology is a critical component to the continuity of many organizations. Without it, some business processes might not be able to function, and others might not be able to deliver their services altogether. However, it’s when organizations become too reliant on their technology that it becomes problematic and can pose increased risks for organizations. This is why, in order to comply with SOC 2 common criteria 5.2, organizations must demonstrate that they are designing processes for their technology. Consider if an organization uses an antivirus platform, but they haven’t assigned personnel to monitor updates from that platform. If an alert is missed about a new vulnerability or malware, what would be the impact to the organization? Designing processes for an organization’s technology and implementing control activities over technology would prevent a situation like this from happening, and would help organizations ensure that they are in control over the technology they use and not vice versa.
Designing Processes for Your Technology to Comply with Common Criteria 5.2
While technology can help organizations meet their business objectives, it shouldn’t be an end-all be-all. Designing processes for your technology, including having personnel manually monitor, analyze, and use the information to ensure that the technology is helping the business meet its objectives is key for SOC 2 compliance. How can organizations demonstrate compliance with common criteria 5.2? A few ways include:
- Management should determine the dependency between the use of technology in business processes and technology general controls.
- Management should establish relevant technology infrastructure control activities.
- Management should establish relevant security management process control activities.
- Management should establish relevant technology acquisition, development, and maintenance process control activities.
More SOC 2 Resources
When you look at common criteria 5.2 of the 2017 SOC 2 Trust Services Criteria, you’ll notice that it says that you have to design and select general control activities over technology to support your internal control goals. What that means is that you do not just live and die over the technology tool. This is something that we see so often during our audits: technology has been put into place but it is not being used. You really have to add processes to the technology to make sure that it is operating the way you’ve intended for it to operate. An example of this, which is very common, is having a very sophisticated log monitoring tool. Organizations might have monitoring software, but they don’t have a person that’s watching the results from the tool. They’re not using, analyzing, or making decisions from the data. If you do vulnerability scans or you get alerts from your software update server or your antivirus platform, but you don’t take action on it or have processes in place to understand what the tool is telling you and you don’t go and take corrective action, then you’ve really missed the point of common criteria 5.2. Common criteria 5.2 is about developing those general control activities over technology so that you’re in control of the technology and you’re using it for the purpose in which it was intended.