
SOC 2 Type 2 Checklist - Part 1 - V2

Looking for answers related to SOC 2? Here is a SOC 2 Type 2 Checklist to help you keep an eye on the critical control areas in your SOC 2 program. The "Test applied by auditor" column is what distinguishes a Type 2 report: each control is tested for operating effectiveness over the review period, not only for design at a point in time, so the evidence behind every row has to exist for the whole period. Save this checklist for your SOC 2 compliance journey.


Presentation Transcript


  1. Checklist: SOC 2 (System and Organization Controls 2) Type 2 Checklist, Part 1. www.infosectrain.com

  2. CC1.0 Control Environment

  CC1.1: Demonstrates Commitment to Integrity and Ethical Values
  COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

  Each slide in the deck is a table with four columns: Control, Control activity specified by organization, Test applied by auditor, Test results. The Test results column is blank in the deck and is completed during the audit; the rows below carry the remaining three columns.

  CC1.1.1
    Control activity: Contractor agreements must include a Code of Business Conduct and a reference to the corporate Code of Conduct, and both must be posted on the corporate intranet for all employees to access.
    Auditor test: Examine the Code of Business Conduct and confirm it is accessible via the corporate intranet.

  CC1.1.2
    Control activity: At the time of hire, new hires must acknowledge the code of conduct. Disciplinary action is taken against employees who break the code of conduct, in accordance with the policy.
    Auditor test: Examine the Code of Business Conduct and confirm it documents enforcement processes that include disciplinary action.

  CC1.1.3
    Control activity: Prospective hires must undergo background checks.
    Auditor test: Examine the documented background-check records and verify that the information they contain is accurate.

  CC1.1.4
    Control activity: At the time of hiring, employees and contractors must sign a confidentiality agreement.
    Auditor test: Examine signed agreements and confirm that employees and contractors sign a confidentiality agreement at the time of engagement.

  CC1.1.5
    Control activity: Performance reviews for direct reports must be completed by management at least once a year.
    Auditor test: Examine review records and confirm that the company performs evaluations for all employees annually.

  3. CC1.2: Exercises Oversight Responsibility
  COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  CC1.2.1
    Control activity: All corporate policies are reviewed and approved yearly by the board of directors or a pertinent subcommittee, such as senior management.
    Auditor test: Examine the corporate policies and confirm they have undergone review and senior-management approval within the year.

  CC1.2.2
    Control activity: The board members are qualified to oversee management's capacity to create, put into place, and run information security controls.
    Auditor test: Examine evidence that the information security controls have been created, implemented, reviewed and approved by the proper authorities.

  CC1.2.3
    Control activity: The board of directors holds formal meetings at least once a year and keeps minutes of those meetings. Directors who are not affiliated with the company sit on the board.
    Auditor test: Examine the minutes and confirm that independent directors were present, that minutes were recorded, and that meetings were held at least as often as the control states (once a year).

  CC1.2.4
    Control activity: The organisational chart covering all personnel is reviewed and approved annually by the entity's senior management.
    Auditor test: Examine the organisational chart and confirm it has undergone review and senior-management approval.

  CC1.2.5
    Control activity: The management of the organisation exhibits a dedication to integrity and ethical behaviour.
    Auditor test: Examine the ethical-management document and confirm that company management demonstrates a commitment to integrity and ethical values.

  4. CC1.3: Establishes Structure, Authority, and Responsibility
  COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  CC1.3.1
    Control activity: Management has established clear roles and responsibilities to oversee the development and application of information security controls.
    Auditor test: Examine the role definitions and confirm that management has created clear roles and responsibilities for overseeing the development and application of information security controls.

  CC1.3.2
    Control activity: The board of directors has a written charter outlining its internal control monitoring obligations.
    Auditor test: Examine the charter or bylaws and confirm that the roles and responsibilities of the board of directors are outlined there.

  CC1.3.3
    Control activity: The business keeps an organisational chart that details the hierarchical framework and reporting structure.
    Auditor test: Examine the most recent organisational chart and confirm it accurately reflects the hierarchical framework and reporting structure.

  CC1.3.4
    Control activity: To improve the operational performance of employees, the business maintains job descriptions for client-facing, IT and engineering positions.
    Auditor test: Examine the job descriptions for those positions and confirm they define the duties and expected performance of each role.

  CC1.3.5
    Control activity: A Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls.
    Auditor test: Examine the Roles and Responsibilities policy and confirm it covers the design, implementation, operation, maintenance, and monitoring of information security controls.

  5. CC1.4: Demonstrates Commitment to Competence
  COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

  CC1.4.1
    Control activity: New personnel must undergo a thorough evaluation of their ability to perform the duties of their positions.
    Auditor test: Examine the competence assessments of a sample of new hires.

  CC1.4.2
    Control activity: The business runs background checks on new hires.
    Auditor test: Examine the onboarding process and confirm that new hires' backgrounds are checked.

  CC1.4.3
    Control activity: Performance reviews for direct reports must be completed by management at least once a year.
    Auditor test: Examine the performance evaluation and performance review policy, and the review records, to confirm that annual performance evaluations are carried out.

  CC1.4.4
    Control activity: A Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls.
    Auditor test: Examine the Roles and Responsibilities policy and confirm it covers the design, implementation, operation, maintenance, and monitoring of information security controls.

  CC1.4.5
    Control activity: Employees must complete security awareness training within 30 days of hire and at least once a year after that.
    Auditor test: Examine the Information Security Policy and confirm it requires security awareness training within 30 days of hire and annually thereafter.

  6. CC1.5: Enforces Accountability
  COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

  CC1.5.1
    Control activity: All personnel in client-facing, IT, engineering, and information security roles must undergo quarterly evaluations addressing their job responsibilities.
    Auditor test: Examine evaluation records and confirm that job responsibilities are evaluated quarterly.

  CC1.5.2
    Control activity: At the time of hire, new hires must acknowledge the code of conduct. Disciplinary action is taken against employees who break the code of conduct, in accordance with the policy.
    Auditor test: Examine the Code of Business Conduct and confirm it documents enforcement processes that include disciplinary action.

  CC1.5.3
    Control activity: The business has implemented information security awareness training, and the intranet makes the training resources accessible to all employees.
    Auditor test: Examine the information security awareness material and confirm that all employees can access it via the intranet.

  CC1.5.4
    Control activity: All staff members must complete information security awareness training once upon hire and once a year thereafter.
    Auditor test: Examine the information security awareness training records.

  CC1.5.5
    Control activity: Every year, all employees must review and acknowledge the company's policies.
    Auditor test: Examine the policy acknowledgement records and confirm that all employees have read and agreed to the policies within the year.

  7. CC2.0 Communication and Information

  CC2.1: Quality Information
  COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

  CC2.1.1
    Control activity: Information generated by the organization's systems is assessed and analyzed to identify its effect on the operation of internal controls.
    Auditor test: Examine the operation of internal controls and confirm the system-generated information has been reviewed and evaluated.

  CC2.1.2
    Control activity: The corporation conducts annual control self-assessments to confirm that controls are present and operating effectively, and implements corrective actions based on the findings.
    Auditor test: Examine the yearly control self-assessments, confirm that key policies are reviewed annually for control presence and operation, and confirm that corrective actions were taken on the identified findings.

  CC2.1.3
    Control activity: The organization employs a log management tool to identify events that could compromise its ability to accomplish its security objectives.
    Auditor test: Examine the log management tool and confirm it identifies events that could affect the security objectives.

  CC2.1.4
    Control activity: To ensure customer accessibility, the corporation prominently presents up-to-date information about its services on its website.
    Auditor test: Examine the website and confirm that current information about the services is presented and accessible to customers.

  CC2.1.5
    Control activity: The corporation runs host-based vulnerability scans of its external-facing systems quarterly. Critical and high vulnerabilities identified by the scans are tracked and promptly remediated.
    Auditor test: Examine the quarterly scan reports, confirm that critical and high vulnerabilities are tracked, and verify evidence that they were remediated.

  8. CC2.2: Internal Communication for Effective Control
  COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

  CC2.2.1
    Control activity: The company's Code of Business Conduct contains guidelines for appropriate conduct. All employees have access to the code via the company intranet, so everyone knows its ethical guidelines.
    Auditor test: Examine the behavioral standards in the Code of Business Conduct and verify they are accessible to all staff through the intranet.

  CC2.2.2
    Control activity: Management has established specific roles and responsibilities to ensure information security controls are designed and implemented.
    Auditor test: Examine the security policies and confirm that management has designated roles and responsibilities for supervising the design and implementation of information security controls.

  CC2.2.3
    Control activity: The organization provides comprehensive descriptions of its products and services to internal employees and to external users such as customers, partners, and stakeholders, so each audience understands what the company offers and how it meets their needs.
    Auditor test: Review the product and service descriptions for internal and external users and confirm they are clear and aligned with those users' needs.

  CC2.2.4
    Control activity: The firm maintains documented information security policies and procedures that are reviewed annually to keep them relevant and effective in safeguarding sensitive information and assets.
    Auditor test: Examine the information security policies and procedures and confirm they are documented, reviewed yearly, and acknowledged by new employees.

  CC2.2.5
    Control activity: Authorized internal users are promptly informed of system changes.
    Auditor test: Examine the internal communication practices and confirm that authorized internal users are informed of system changes.

  9. CC2.3: Communication with External Parties
  COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

  CC2.3.1
    Control activity: The firm operates an external-facing support channel through which users can report system failures, incidents, concerns, and other complaints to the relevant personnel.
    Auditor test: Examine the company's website and confirm that a support email is available for users to report system issues and that reports are routed to the right personnel.

  CC2.3.2
    Control activity: The company informs customers of its security commitments through Master Service Agreements (MSA) or Terms of Service (TOS).
    Auditor test: Examine the Master Service Agreement and confirm that it states the company's commitments to customers.

  CC2.3.3
    Control activity: The company establishes contractual agreements with vendors and affiliated third parties that incorporate the confidentiality and privacy commitments relevant to the firm.
    Auditor test: Examine a sample of signed Non-Disclosure Agreements and verify that confidentiality and privacy commitments are in place with contractors and third parties.

  CC2.3.4
    Control activity: The company comprehensively describes its products and services to its internal and external users.
    Auditor test: Examine the company's website and verify that a product description intended for both internal and external users is present.

  CC2.3.5
    Control activity: The company informs customers about significant system changes that could affect their processing operations.
    Auditor test: Examine the company website and confirm that customers are informed of significant system changes that could affect their processing.

  10. CC3.0 Risk Assessment

  CC3.1: Specification of Objectives
  COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  CC3.1.1
    Control activity: The company maintains a documented risk management program that guides the identification of potential threats, the assessment of the significance of the associated risks, and the mitigation strategies.
    Auditor test: Examine the Risk Assessment Policy for documented steps for identifying and managing risks, and observe in Secureframe a maintained list of risks with assigned ratings and tracked improvement actions.

  CC3.1.2
    Control activity: The company performs annual risk assessments that identify threats and changes to service commitments and evaluate risks, including the potential for fraud and its impact on objectives.
    Auditor test: Examine the records of the annual formal risk assessment exercise.

  CC3.1.3
    Control activity: The company has an established vendor management program comprising a critical third-party vendor inventory, vendor security and privacy requirements, and annual reviews of critical third-party vendors.
    Auditor test: Examine Secureframe for the vendor list with ratings, security and privacy requirements, and reviews; also examine the Vendor Management Policy for contract reviews, annual assessments, risk evaluation, and due diligence procedures.

  CC3.1.4
    Control activity: The company maintains a documented Business Continuity/Disaster Recovery (BC/DR) plan and tests its effectiveness annually.
    Auditor test: Examine the BC/DR plan and confirm its presence, approval, and yearly testing.

  11. CC3.2: Risk Identification and Analysis
  COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  CC3.2.1
    Control activity: The firm performs an annual formal risk assessment, as outlined in the Risk Assessment and Management Policy, to identify potential threats to its systems' security commitments and requirements.
    Auditor test: Examine the records of the annual formal risk assessment exercise.

  CC3.2.2
    Control activity: Each risk is assessed and receives a risk score based on its likelihood of occurrence and its impact on the security, availability, and confidentiality of the company's platform. Risks are then associated with mitigating factors that address the relevant aspects of the risk.
    Auditor test: Examine how each risk is scored on likelihood and on impact to platform security, availability, and confidentiality, and confirm that risks are linked to actions that reduce their effects.

  CC3.2.3
    Control activity: During onboarding, new staff members must review and acknowledge company policies, so that they understand their responsibilities and commit to compliance.
    Auditor test: Examine the onboarding acknowledgement records and confirm that new staff members have reviewed and acknowledged the policies.

  CC3.2.4
    Control activity: The organization maintains a documented risk management program that includes instructions for identifying potential threats, assessing the significance of the related risks, and formulating strategies to mitigate them.
    Auditor test: Examine the Risk Assessment and Treatment Policy for documented risk management processes, and verify in Secureframe the existence of a maintained risk register with identified vulnerabilities, severity ratings, and tracked remediation actions.

  CC3.2.5
    Control activity: The company implements a vendor management program that includes a list of critical third-party vendors, security and privacy requirements for vendors, and annual reviews of those vendors.
    Auditor test: Examine the vendor management program and confirm it has a process for documenting and overseeing vendor relationships.

  12. CC3.3: Fraud Consideration in Risk Assessment
  COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

  CC3.3.1
    Control activity: The company performs annual risk assessments that identify threats and changes to service commitments, include a formal risk assessment, and consider the potential impact of fraud on objectives.
    Auditor test: Examine the risk assessment documentation and confirm that the assessment is performed yearly, identifies threats and changes to commitments, includes a formal risk assessment, and considers the impact of fraud on objectives.

  CC3.3.2
    Control activity: The company maintains a documented risk management program that provides instructions for identifying potential threats, evaluating the significance of the risks linked to those threats, and developing strategies to mitigate them.
    Auditor test: Examine the risk management program and confirm it offers guidance for identifying potential threats and proposes strategies to mitigate them.

  13. CC3.4: Identifying Changes
  COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

  CC3.4.1
    Control activity: Each year, the company conducts a formal risk assessment exercise in accordance with the Risk Assessment and Management Policy, to identify potential threats that could compromise the security commitments and requirements of its systems.
    Auditor test: Review the records of the annual formal risk assessment exercise and examine the Risk Assessment and Management Policy.

  CC3.4.2
    Control activity: The company implements a configuration management procedure to ensure consistent deployment of system configurations throughout the environment.
    Auditor test: Evaluate the configuration management procedure and validate that it is implemented and that system configurations are deployed consistently across the whole environment.

  CC3.4.3
    Control activity: The firm evaluates and scores risks based on their likelihood and their potential impact on platform security, availability, and confidentiality. Risks are then linked to mitigating factors that wholly or partially address them.
    Auditor test: Examine the mitigating factors linked to each evaluated risk.

  CC3.4.4
    Control activity: The company conducts penetration testing, develops a remediation plan, and implements changes to address the identified vulnerabilities within the agreed SLAs.
    Auditor test: Examine the penetration test report, verify that the test is executed annually, and trace the findings to the remediation plan and to closure within the SLA.
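Two controls in this deck carry a time-bound remediation expectation, CC2.1.5 (quarterly scans of external-facing systems with critical and high findings tracked to remediation) and CC3.4.4 (annual penetration test with fixes delivered within SLA), and an auditor tests both by sampling dates rather than reading policy. The script below is an added example, not part of the InfosecTrain deck, showing the evidence check an engineer can run before the auditor does: it takes a constructed list of findings and test dates, flags critical and high findings that stayed open longer than the remediation SLA, lists audit-period quarters with no scan, and confirms a penetration test fell inside the period. The SLA values (15 days for critical, 30 for high), the finding identifiers and all dates are assumptions made for the example.

```python
"""Remediation-SLA and cadence evidence check for CC2.1.5 and CC3.4.4.

Added example; the sample data and the SLA values are assumptions, not
figures from the checklist.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLAs in days, keyed by severity. Only critical and high
# findings are in scope of the control, so lower severities carry no SLA here.
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30}


@dataclass
class Finding:
    finding_id: str
    source: str                    # "scan" or "pentest"
    severity: str                  # critical / high / medium / low
    found: date                    # date the scanner or tester first reported it
    closed: Optional[date] = None  # None means still open


def is_overdue(finding: Finding, today: date) -> bool:
    """True if a critical/high finding stayed open longer than its SLA.

    An open finding is measured against `today`, so an unremediated critical
    becomes overdue on its own even though no closure date exists yet.
    """
    sla = SLA_DAYS.get(finding.severity.lower())
    if sla is None:
        return False
    end = finding.closed or today
    return (end - finding.found).days > sla


def overdue_findings(findings: List[Finding], today: date) -> List[str]:
    return [f.finding_id for f in findings if is_overdue(f, today)]


def quarter_of(d: date) -> Tuple[int, int]:
    return (d.year, (d.month - 1) // 3 + 1)


def missing_scan_quarters(scan_dates: List[date], start: date, end: date) -> List[Tuple[int, int]]:
    """Quarters inside the audit period with no scan: the gap an auditor will notice."""
    covered = {quarter_of(d) for d in scan_dates if start <= d <= end}
    missing = []
    q, last = quarter_of(start), quarter_of(end)
    while q <= last:
        if q not in covered:
            missing.append(q)
        year, n = q
        q = (year + 1, 1) if n == 4 else (year, n + 1)
    return missing


def pentest_in_period(pentest_dates: List[date], start: date, end: date) -> bool:
    return any(start <= d <= end for d in pentest_dates)


# Constructed sample evidence for a calendar-2023 audit period.
PERIOD_START, PERIOD_END = date(2023, 1, 1), date(2023, 12, 31)
TODAY = date(2024, 1, 15)  # date the check is run
SCAN_DATES = [date(2023, 1, 20), date(2023, 4, 18), date(2023, 10, 5)]  # no Q3 scan
PENTEST_DATES = [date(2023, 6, 12)]
FINDINGS = [
    Finding("VULN-001", "scan", "critical", date(2023, 4, 18), date(2023, 4, 28)),  # 10 days: within SLA
    Finding("VULN-002", "scan", "high", date(2023, 4, 18), date(2023, 6, 1)),       # 44 days: late
    Finding("VULN-003", "scan", "medium", date(2023, 4, 18)),                        # out of scope
    Finding("PT-001", "pentest", "critical", date(2023, 6, 12)),                     # still open: late
    Finding("VULN-004", "scan", "high", date(2023, 12, 28)),                         # open 18 days: ok
]


def evidence_summary(findings=FINDINGS, scan_dates=SCAN_DATES,
                     pentest_dates=PENTEST_DATES,
                     start=PERIOD_START, end=PERIOD_END, today=TODAY) -> dict:
    """The three facts an auditor samples for CC2.1.5 and CC3.4.4."""
    return {
        "overdue": overdue_findings(findings, today),
        "missing_scan_quarters": missing_scan_quarters(scan_dates, start, end),
        "pentest_in_period": pentest_in_period(pentest_dates, start, end),
    }


if __name__ == "__main__":
    for key, value in evidence_summary().items():
        print(f"{key}: {value}")
```

Feed it an export from the scanner and the ticketing system instead of the constructed lists, and take `found` from the scanner's first-seen date rather than the ticket creation date: auditors sample from the scan report, so a ticket opened a week after the scan hides a week of SLA exposure that the report will still show.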

  14. CC4.0 Monitoring Activities

  CC4.1: Continuous Evaluation
  COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  CC4.1.1
    Control activity: Senior management designates an Information Security Officer responsible for planning, evaluating, implementing, and overseeing the internal control environment.
    Auditor test: Examine the appointment of the Information Security Officer and how planning, assessment, and implementation are coordinated within the internal control environment.

  CC4.1.2
    Control activity: The organization designates an infrastructure owner responsible for all assets listed in the inventory.
    Auditor test: Examine the infrastructure operations owner document and confirm that the owner is responsible for overseeing all assets in the inventory.

  CC4.1.3
    Control activity: The organization uses Sprinto, a continuous monitoring system, to track and report the status of the information security program to the Information Security Officer and other stakeholders.
    Auditor test: Examine the ongoing monitoring and reporting activity in the Sprinto tool and confirm that the health of the information security program is communicated to the Information Security Officer and other stakeholders.

  CC4.1.4
    Control activity: Senior management annually reviews and approves all company policies.
    Auditor test: Examine the company policies and confirm they have undergone annual review and senior-management approval.

  CC4.1.5
    Control activity: The firm regularly reviews and assesses all subservice organizations to verify their ability to fulfill customer commitments.
    Auditor test: Examine the subservice organizations listed in the system description and confirm they have been reviewed and evaluated by the firm.

  15. CC4.2: Reporting of Control Deficiencies
  COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

  CC4.2.1
    Control activity: The company conducts annual control self-assessments to confirm that controls are present and functioning effectively, followed by corrective actions in response to the identified findings.
    Auditor test: Examine the Secureframe platform to verify recent policy reviews and publications; also examine the Information Security Policy to confirm its annual review and updates.

  CC4.2.2
    Control activity: The Information Security Policy tells employees how to report problems, failures, incidents, or concerns related to the services or systems they provide.
    Auditor test: Examine the Information Security Policy and confirm it tells employees how to report system problems.

  CC4.2.3
    Control activity: The entity uses Sprinto, a continuous monitoring system, to monitor the information security program and report its status to the Information Security Officer and other relevant stakeholders.
    Auditor test: Examine the Sprinto system and confirm it continuously tracks, monitors, and reports the status of the information security program to the security officer and stakeholders.

  CC4.2.4
    Control activity: Every year, senior management evaluates and approves all corporate policies.
    Auditor test: Examine the corporate policies and confirm that senior management has reviewed and approved them.

  CC4.2.5
    Control activity: Each year, senior management evaluates and approves the status of the information security program.
    Auditor test: Examine the internal audit assessment report and confirm that senior management has reviewed and approved it.

  16. CC5.0 Control Activities

  CC5.1: Risk Mitigation
  COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

  CC5.1.1
    Control activity: The firm establishes a set of policies that define acceptable behavior with respect to the firm's regulatory framework.
    Auditor test: Examine the control environment policies.

  CC5.1.2
    Control activity: The firm has a well-defined Acceptable Usage Policy accessible to all employees through the intranet.
    Auditor test: Examine the Acceptable Usage Policy and confirm it is accessible to all employees via the intranet.

  CC5.1.3
    Control activity: Senior management segregates roles and responsibilities to reduce risks to the services offered to clients.
    Auditor test: Examine the role assignments and confirm that senior management has segregated roles and responsibilities to minimize risks to the services provided to clients.

  CC5.1.4
    Control activity: The company maintains a documented risk management program outlining procedures for identifying potential threats, assessing their significance, and implementing mitigation strategies for the associated risks.
    Auditor test: Examine the risk management program and verify it provides guidance for identifying potential threats, evaluating risk significance, and formulating mitigation strategies.

  17. CC5.2: Establishment of Technology Control Activities
  COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.

  CC5.2.1
    Control activity: The firm uses Sprinto, a continuous monitoring system, to track and report the state of the information security program to the Information Security Officer and other stakeholders.
    Auditor test: Examine the ongoing monitoring capabilities of the Sprinto software and confirm it tracks, records, and reports the program's status to the Information Security Officer and stakeholders.

  CC5.2.2
    Control activity: Each year, senior management evaluates and approves the status of the information security program.
    Auditor test: Examine the internal audit assessment report and confirm that senior management subsequently reviews and approves it.

  CC5.2.3
    Control activity: The organisational structure for all personnel is reviewed and approved annually by senior management.
    Auditor test: Examine the organisational staff chart and confirm it is reviewed and approved by senior management.

  CC5.2.4
    Control activity: Every subservice organization is routinely reviewed and evaluated by the firm to make sure obligations to the firm's clients can be maintained.
    Auditor test: Examine evidence that the subservice organizations in the system description undergo regular reviews and evaluations.

  CC5.2.5
    Control activity: The organization establishes policies detailing acceptable behavior with respect to the company's control environment.
    Auditor test: Examine the control environment guidelines.

  18. CC5.3: Implementing Control Policies
  COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

  CC5.3.1
    Control activity: The organization gives all employees access to policies and procedures through the corporate intranet.
    Auditor test: Examine the policies and procedures and confirm they are accessible to all employees through the corporate intranet.

  CC5.3.2
    Control activity: Every year, all employees must review and acknowledge the company's policies.
    Auditor test: Examine the acknowledgement records and confirm that every employee has reviewed and acknowledged the policies.

  CC5.3.3
    Control activity: During onboarding, new employees must read and acknowledge the company's policies, so that they are aware of and prepared to meet their obligations.
    Auditor test: Examine the onboarding acknowledgement records in the system and confirm each new employee has reviewed and acknowledged the policies.

  CC5.3.4
    Control activity: The organization maintains a set of policies that outline acceptable conduct with respect to the control environment.
    Auditor test: Examine the system policies related to the control environment.

  CC5.3.5
    Control activity: The organization defines its objectives clearly enough to enable the identification and assessment of the risks associated with them.
    Auditor test: Examine the Risk Assessment and Treatment Policy and confirm that risk categories have been specified to aid in identifying and evaluating risks related to objectives.

  19. Found this useful? For more insights through our free courses, workshops, eBooks, white papers, checklists and mock tests, visit www.infosectrain.com