Uploaded byJosephKirkpatrickCPA
2,549 views

Sample SOC2 report of a security audit firm

This document provides an overview of ABC Inc.'s Customer Success Software System for the period of February 1, 2017 through January 31, 2018. It describes the system's infrastructure, software, people, procedures, and data. It also outlines ABC's control environment, risk assessment process, information and communication systems, and monitoring controls. The document is intended to describe ABC's system and controls in place to meet the Trust Services criteria for security, availability, and confidentiality.

Embed presentation

Downloaded 76 times
1 SOname SSAE 16 Service Organization Control Report startDate to endDate ABC, Inc. Type II Service Organization Control Report (SOC 2) Independent Report on a Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of the Controls to meet the criteria for the security, availability, and confidentiality principles for the period of February 1, 2017 through January 31, 2018.
i ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 TABLE OF CONTENTS MANAGEMENT OF ABC, INC.’S ASSERTION REGARDING ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 20181 INDEPENDENT SERVICE AUDITOR’S REPORT ..................................................................................4 Independent Service Auditor’s Report........................................................................................ 5 ABC, INC.’S DESCRIPTION OF ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018 ...................................................................8 System Overview........................................................................................................................ 9 Background............................................................................................................................. 9 Infrastructure............................................................................................................................. 10 Software................................................................................................................................ 10 People.................................................................................................................................... 10 Procedures............................................................................................................................. 10 Data....................................................................................................................................... 10 Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring of Controls ............................................................ 11 Control Environment ............................................................................................................ 11 Management Philosophy................................................................................................... 11 Security, Availability, and Confidentiality Management ................................................. 11 Security, Availability, and Confidentiality Policies ......................................................... 11 Controls Related to Personnel........................................................................................... 11 Security Policies.................................................................................................................... 12 Physical Security and Environmental Controls ................................................................ 12 Change Management ........................................................................................................ 12 System Monitoring............................................................................................................ 12 Problem Management ....................................................................................................... 13 Data Backup and Recovery............................................................................................... 13 System Account Management .......................................................................................... 13 Risk Assessment Process...................................................................................................... 13 Information and Communication Systems............................................................................ 13 Monitoring Controls.............................................................................................................. 14 Trust Services Criteria and Related Controls............................................................................ 15 Complementary User-Entity Controls ...................................................................................... 16
ii ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 TRUST SERVICES SECURITY, AVAILABILITY, AND CONFIDENTIALITY PRINCIPLES, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS ....................................................18 Criteria Common to All Security, Availability, and Confidentiality Principles................... 19 CC1.0 Common Criteria Related to Organization and Management ........................... 19 CC2.0 Common Criteria Related to Communications ................................................. 23 CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls ........................................................................................................................ 27 CC4.0 Common Criteria Related to Monitoring of Controls ....................................... 29 CC5.0 Common Criteria Related to Logical and Physical Access Controls ................ 30 CC6.0 Common Criteria Related to System Operations .............................................. 35 CC7.0 Common Criteria Related to Change Management........................................... 37 Additional Criteria for Availability ...................................................................................... 40 Additional Criteria for Confidentiality ................................................................................. 42
MANAGEMENT OF ABC, INC.’S ASSERTION REGARDING ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
2 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 ABC, INC.’S ASSERTION We have prepared the attached description titled “Description of ABC, Inc.’s Customer Success Software System Throughout the Period February 1, 2017 to January 31, 2018” (the description), based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization’s system in paragraphs 1.26 – 1.27 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM ) (the description criteria). The description is intended to provide users with information about the customer success software system, particularly system controls intended to meet the criteria for the security, availability, and confidentiality principles set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (applicable trust services criteria). We confirm, to the best of our knowledge and belief, that a) The description fairly presents the customer success software system throughout the period February 1, 2017 to January 31, 2018, based on the following description criteria: i. The description contains the following information: 1. The type of services provided 2. The components of the system used to provide the services, which are the following: • Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks). • Software. The programs and operating software of a system (systems, applications, and utilities). • People. The personnel involved in the operation and use of a system (developers, operators, users, and managers). • Procedures. The automated and manual procedures involved in the operation of a system. • Data. The information used and supported by a system (transaction streams, files, databases, and tables). 3. The boundaries or aspects of the system covered by the description 4. How the system captures and addresses significant events and conditions, other than transactions. 5. The process used to prepare reports or other information provided to user entities of the system. 6. If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization or other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls 7. For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the service organization’s system 8. For subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organization; each of the applicable trust services
3 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria 9. Any applicable trust services criteria that are not addressed by a control at the service organization or a subservice organization and the reasons therefore 10. Other aspects of the service organization’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria 11. Relevant details of changes to the service organization’s system during the period covered by the description ii. The description does not omit or distort information relevant to the service organization’s system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs. b) The controls stated in the description were suitably designed throughout the specified period to meet the applicable trust services criteria. c) The controls stated in the description operated effectively throughout the specified period to meet the applicable trust services criteria.
INDEPENDENT SERVICE AUDITOR’S REPORT on a Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of the Controls
5 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 INDEPENDENT SERVICE AUDITOR’S REPORT Jane Doe CEO ABC, Inc. 100 St. Washington Scope We have examined the attached description titled “Description of ABC, Inc.’s Customer Success Software System Throughout the Period February 1, 2017 to January 31, 2018” (the description) and the suitability of the design and operating effectiveness of controls to meet the criteria for the security, availability, and confidentiality principles set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (applicable trust services principles criteria), throughout the period February 1, 2017 to January 31, 2018. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of ABC, Inc.’s controls are suitable designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls. ABC, Inc. uses XYZ, Inc. to perform cloud computing services. The description indicates that certain applicable trust services criteria can only be met if controls at the subservice organization are suitably designed and operating effectively. The description presents ABC, Inc.’s system; its controls relevant to the applicable trust services criteria; and the types of controls that the service organization expects to be implemented, suitably designed, and operating effectively at the subservice organization to meet certain applicable trust services criteria. The description does not include any of the controls implemented at the subservice organization. Our examination did not extend to the services provided by the subservice organization or the subservice organization’s compliance with the commitments in its statement of privacy practices. Service Organization’s Responsibilities ABC, Inc. has provided the attached assertion titled “Management of ABC, Inc.’s Assertion Regarding Its Customer Success Software System Throughout the Period February 1, 2017 to January 31, 2018,” which is based on the criteria identified in management’s assertion. ABC, Inc. is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of the description and assertions; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria. Service Auditor’s Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in ABC, Inc.’s assertion and on the suitability of the
6 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period February 1, 2017 to January 31, 2018. Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures include assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Inherent Limitations Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail. Opinion In our opinion, in all material respects, based on the criteria identified in ABC, Inc.’s assertion and the applicable trust services criteria a) the description fairly presents the system that was designed and implemented throughout the period February 1, 2017 to January 31, 2018. b) the controls of ABC, Inc. stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period February 1, 2017 to January 31, 2018, and user entities applied the complementary user-entity controls contemplated in the design of ABC, Inc.’s controls throughout the period February 1, 2017 to January 31, 2018, and XYZ, Inc. applied, throughout the period February 1, 2017 to January 31, 2018 the types of controls expected to be implemented at XYZ, Inc. and incorporated in the design of the system. c) the controls of ABC, Inc. tested, which together with the complementary user-entity controls referred to in the scope paragraph of this report, and together with the types of controls expected to be implemented at XYZ, Inc. and incorporated in the design of the system, if operating effectively, were those necessary to provide reasonable assurance that
7 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 the applicable trust services criteria were met, operated effectively throughout the period February 1, 2017 to January 31, 2018. Description of Tests of Controls The specific controls we tested and the nature, timing, and results of our tests are presented in the section of our report titled “Description of Test of Controls and Results Thereof.” Restricted Use This report, including the description of tests of controls and results thereof are intended solely for the information and use of ABC, Inc.; user entities of ABC, Inc.’s during some or all of the period February 1, 2017 to January 31, 2018; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following: • The nature of the service provided by the service organization • How the service organization’s system interacts with user entities, subservice organizations, or other parties • Internal control and its limitations • Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria • The applicable trust services criteria • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks This report is not intended to be and should not be used by anyone other than these specified parties. Damon Sullivan, CPA KirkpatrickPrice, LLC 1228 East 7th Ave. Suite 200 Tampa, FL 33605 May 1, 2018
8 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 ABC, INC.’S DESCRIPTION OF ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
9 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 SYSTEM OVERVIEW Background ABC, Inc. is a complete customer success software solution that is designed to help businesses reduce churn, increase upsell, and drive customer success. The company’s SaaS application allows organizations to focus on business strategy while ABC, Inc. focuses on infrastructure management, scaling, and security. ABC, Inc. applies security best practices in managing platform security to allow customers to focus on their business. The platform is designed to protect customers from threats by applying security controls at various layers.
10 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 INFRASTRUCTURE Software ABC, Inc. maintains an inventory list of critical software; the inventory list and the application lifecycle is managed by the IT Department. People ABC, Inc. maintains a hierarchical organizational structure. An Organization Chart is maintained that illustrates the separation of duties, reporting lines, and the appropriate levels of oversight. Procedures ABC, Inc. conducts daily, weekly, and monthly procedures that relate to its internal security processes. Security team members complete daily security procedures that include checking emails and looking for alerts from service providers. Data ABC, Inc. has business requirements for retaining data that the customers set in their contract with the organization. The transmission, movement, and removal of information is restricted to authorized internal and external users and processes. The organization has implemented a process for transmitting or receiving data across open, public networks. Encryption is used throughout the environment when transferring sensitive customer data over the internet, and industry best practices underpin its encryption methods.
11 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESS, INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING OF CONTROLS Control Environment Management Philosophy ABC, Inc.’s management communicates and oversees the implementation of the Code of Conduct, Integrity, and Ethics by making the Employee Handbooks available on ABC, Inc.’s intranet. Security, Availability, and Confidentiality Management To set the tone and direction for the organization, management sends out weekly emails to communicate recent events and provide company-wide feedback. Managers also communicate daily and weekly updates to their teams through meetings. Security, Availability, and Confidentiality Policies Management has a process for creating, approving, and maintaining the organization’s policies. The policies have a revision table present that details the revision notes, who authored the revisions, who approved the revisions, and the date the revisions were implemented. Management team reviews all policies at least once annually or following any industry changes. Controls Related to Personnel The organization has a formally documented Employee Handbook in place that is distributed to all employees. The handbook covers: • Code of Conduct • Statement on Ethics • Information Confidentiality • Background and Reference Checks • Progressive Discipline ABC, Inc. formally documents job descriptions for critical functions in the organization; the description includes job and security function. These responsibilities are communicated to the employees. ABC, Inc. uses onboarding and termination checklists during the hiring and termination processes. An onboarding checklist is used for each employee during the onboarding process to ensure that all important steps of the process are covered. This includes providing new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. Additionally, all new hires are required to undergo a background check, which consists of an SSN Trace, a criminal search, and a search on the National Sex Offender Registry. All new hires are required to undergo training programs, such as security awareness training, and they receive daily on-the-job training.
12 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Security Policies Physical Security and Environmental Controls The organization has physical security controls in place to protect secure areas, including locked doors, use of card key access at doors, visitor access control procedures, and video surveillance. The facility is equipped with an emergency power generator, and it maintains an onsite supply of fuel to ensure continued electrical support in the event of a loss of utility power. Additionally, networking equipment and critical infrastructure are equipped with UPS battery backups and dedicated cooling units. The facility is furnished with smoke detectors and fire suppression equipment. To protect secure areas, the facility’s access points are secured and restricted by magnetic locks. They are also equipped with card readers that limit access to authorized onsite personnel; data from the card readers is retained for a minimum of 90 days. ABC, Inc. relies on XYZ, Inc. for physical and environmental controls within the production environment, including media destruction. Change Management ABC, Inc. maintains its documented configuration and hardening standards to configure and manage its systems. Industry-accepted practices are used in the development of the organization’s system configuration standards. The IT department is responsible for reviewing configuration and hardening standards biannually. Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry/vendor alerts and vulnerability scans, announcements, internal meetings and reviews, and security newsletters and reports from trusted sources. ABC, Inc. sends email alerts to clients and company users prior to changes being implemented that may affect system availability and/or security. The organization’s firewall is configured to filter data and monitor traffic entering the system. System Monitoring ABC, Inc. uses system monitoring tools to oversee system capacity, plan for future requirements, and monitor alerts. The Technical Operations team holds routine meetings to review system capacity and environment health. The organization requires that antivirus software must remain updated. This ensures that all critical components are covered by an antivirus solution, antivirus configurations define when periodic scans are performed, and antivirus definitions are current according to documented schedule.
13 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Problem Management The organization has a formally documented Incident Response Plan. The plan outlines the roles and responsibilities of all teams in the organization, detailing how they should handle security incidents. The plan also defines incident levels and outlines the differences between various security events. Formalized security-breach responsibilities are implemented, and all personnel are trained to report security incidents to those with these responsibilities. Data Backup and Recovery ABC, Inc. has implemented a Backup Retention Policy, which contains information about the different types of data managed and how it is backed up and retained. A Business Continuity Plan is also in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. The policy requires that restorations are completed annually. System Account Management ABC, Inc. mandates that access rights are granted on the principle of least privilege, and any additional privileges require approval. The organization considers this when implementing user IDs. An access control system is used to control access to the internal business applications. Part of its function is to ensure that a unique user ID is assigned to each user before he or she allowed access to system components. The access control system is also configured to enforce the organization’s password requirements. The organization’s Information Security Policy requires the use of two-factor authentication for any interface that allows access to stored customer data, receives interactive logins, and faces the open internet. ABC, Inc. mandates that access for terminated/separated employees must promptly be revoked. The HR department oversees the exit workflow process for terminated/separated employees to ensure that access to all accounts and systems are disabled. Clients are able to register and deregister for online access to the company’s services via ABC, Inc.’s online portal. Risk Assessment Process The Information Security Policy mandates that a risk assessment be conducted annually. The risk assessment includes risks, likelihood, impact, existing controls, and possible further risk treatments. The results of the assessment are documented in an annual report that is reviewed by a member of leadership with security responsibilities. Information and Communication Systems ABC, Inc. has a formally documented Information Security Policy, which employees can access on the company intranet. The policy outlines the core security principles of the company, which
14 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 apply to all company employees, service providers, and partners. The security roles of all employees are defined within the policy. All new hires are required to sign an acknowledgement of the Information Security Policy. The Information Security Policy is reviewed and updated at least annually. ABC, Inc. has contractual and marketing materials in place that describe its scope of services to clients, including its company website and its Master Service Agreements. ABC, Inc. also has privacy policies in place that govern how to collect and handle sensitive information; these policies outline the industry standard precautions to ensure that confidential information is protected. Monitoring Controls ABC, Inc. has monitoring tools and practices in place to ensure operational quality and control. These include gathering audit reports from third parties to monitor the vendors’ service delivery and compliance status.
15 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 TRUST SERVICES CRITERIA AND RELATED CONTROLS Although the trust services criteria and related controls are presented in section 4, “Trust Services Security, Availability, and Confidentiality Principles, Criteria, Related Controls, and Tests of Controls,” they are an integral part of ABC, Inc.’s system description.
16 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 COMPLEMENTARY USER-ENTITY CONTROLS ABC, Inc.’s services are designed with the assumption that certain controls would be implemented by user organizations. In certain situations, the application of specific controls at the user organization is necessary to achieve control objectives included in this report. ABC, Inc.’s management makes control recommendations to user organizations and provides the means to implement these controls in many instances. ABC, Inc. also provides best practice guidance to clients regarding control element outside the sphere of ABC, Inc. responsibility. This section describes additional controls that should be in operation at user organizations to complement the ABC, Inc. controls. Client Consideration recommendations include: • User organizations should implement sound and consistent internal controls regarding general IT system access and system usage appropriateness for all internal user organization components associated with ABC, Inc. • User organizations should practice removal of user accounts for any users who have been terminated and were previously involved in any material functions or activities associated with ABC, Inc.’s services. • Transactions for user organizations relating to ABC, Inc.’s services should be appropriately authorized, and transactions should be secure, timely, and complete. • For user organizations sending data to ABC, Inc., data should be protected by appropriate methods to ensure confidentiality, privacy, integrity, availability, and non-repudiation. • User organizations should implement controls requiring additional approval procedures for critical transactions relating to ABC, Inc.’s services. • User organizations should report to ABC, Inc. in a timely manner any material changes to their overall control environment that may adversely affect services being performed by ABC, Inc. • User organizations are responsible for notifying ABC, Inc in a timely manner of any changes to personnel directly involved with services performed by ABC, Inc. These personnel may be involved in financial, technical or ancillary administrative functions directly associated with services provided by ABC, Inc. • User organizations are responsible for adhering to the terms and conditions stated within their contracts with ABC, Inc. • User organizations are responsible for developing, and if necessary, implementing a business continuity and disaster recovery plan (BCDRP) that will aid in the continuation of services provided by ABC, Inc.
17 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 The list of user organization control considerations presented above and those presented with certain specified control objectives do not represent a comprehensive set of all the controls that should be employed by user organizations. Other controls may be required at user organizations. Therefore, each client’s system of internal controls must be evaluated in conjunction with the internal control structure described in this report.
18 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 TRUST SERVICES SECURITY, AVAILABILITY, AND CONFIDENTIALITY PRINCIPLES, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS
19 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC1.0 Common Criteria Related to Organization and Management Ctrl # Control Activity Testing of Operating Effectiveness Test Results CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security, availability, and confidentiality. CC1.1.1 The organization’s structure is documented in its Organization Chart. Reviewed the Organization Chart to verify that it illustrates the levels of oversight and segregation of duties Interviewed the Office Manager to verify that the CEO leads the organization No Relevant Exceptions Noted CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC1.2.1 The organization uses monitoring tools to ensure operational quality and control. Reviewed screenshots for the organization’s helpdesk system Interviewed the Office Manager to verify the use of tools and helpdesk system Observed the monitoring system tools and the ticketing system No Relevant Exceptions Noted CC1.2.2 Management has a method of creating, approving, and maintaining the organization’s policies. Interviewed the Office Manager to verify the change and approval tables in all the documents Observed the company intranet where all policies are stored Observed the metadata showing recent revisions to verify that all policies are current No Relevant Exceptions Noted
20 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC1.3 The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security, availability, and confidentiality and provides resources necessary for personnel to fulfill their responsibilities. CC1.3.1 Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry alerts, security reports, vulnerability scans, and meetings. Reviewed the System Configuration Standards Interviewed the Technical Operations Manager to verify that team members stay up to date on configuration standards and best practices Observed daily stands, RSS feeds, weekly meetings, and knowledge transfer sessions to verify that they are captured and stored for later review No Relevant Exceptions Noted CC1.3.2 The organization conducts an onboarding training program for all new hires. Reviewed the onboarding program documentation Interviewed the Office Manager to verify that all employees are required to attend the onboarding program at the corporate office, including security awareness training Observed the formally documented agenda and training requirements Observed all the new hires completed the course No Relevant Exceptions Noted CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security, availability, and confidentiality.
21 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC1.4.1 The organization has a formally documented employee handbook in place. Reviewed the Employee Handbook (dated X) to verify that topics such as conduct, ethics, confidentiality, background/reference checks, and progressive discipline Interviewed the Office Manager Observed new employee records to verify that new hires are required to sign an acknowledgement of the Employee Handbook No Relevant Exceptions Noted CC1.4.2 The organization uses hiring and termination checklists as part of its onboarding and offboarding processes for employees and contractors. Reviewed the onboarding and offboarding checklists Interviewed the Office Manager to verify that a background check is required prior to employment Interviewed the Office Manager to verify that the organization uses checklists during the hiring and termination processes Observed the records for a sample of new hires in the audit period to verify that all activities on the new hire checklist were completed Observed the records for a sample of terminated employees to verify that all activities on the termination checklist were completed No Relevant Exceptions Noted
22 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC1.4.3 The organization provides new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. Reviewed the Information Security Policy (dated X), the Employee Benefits Plan (dated X), the Employee Handbook (dated X), and the background check authorization form Observed new hire records to verify that they had signed the necessary forms and acknowledgements No Relevant Exceptions Noted CC1.4.4 The organization conducts background checks as part of the onboarding process. Reviewed the background check authorization form Interviewed the Office Manager to verify that all new hires complete a background check as part of the onboarding process Observed a sample of new hires to verify that background checks were conducted No Relevant Exceptions Noted
23 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC2.0 Common Criteria Related to Communications Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation. CC2.1.1 The organization has materials in place that describe its scope of services to clients. Reviewed the organization’s website and Master Services Agreements (dated X) No Relevant Exceptions Noted CC2.2 The entity’s security, availability, and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities. CC2.2.1 The organization’s Information Security Policy define security responsibilities for personnel. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst Observed that security responsibilities are defined in the Information Security Policy Observed the use of the company intranet to distribute the policy No Relevant Exceptions Noted CC2.2.2 The organization has promotional materials in place that describe its scope of services to clients. Reviewed the organization’s website and Master Services Agreements (dated X) No Relevant Exceptions Noted CC2.3 The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties. CC2.3.1 The organization formally documents job descriptions for critical functions in the organization. Reviewed job descriptions Observed that the job and security functions are formally defined, and that the responsibilities are communicated to employees No Relevant Exceptions Noted
24 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC2.4 Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security, availability, and confidentiality of the system, is provided to personnel to carry out their responsibilities. CC2.4.1 Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry alerts, security reports, vulnerability scans, and meetings. Reviewed Security Communication and System Configuration Standards Interviewed the Technical Operations Manager to verify that team members stay up to date with configuration standards and best practices through industry/vendor alerts and announcements, security newsletters and reports from trusted sources, vulnerability scans, and internal meetings and reviews Observed daily stands, weekly meetings, and knowledge transfer sessions, which are recorded and made available for later review No Relevant Exceptions Noted CC2.4.2 The organization conducts an onboarding training program for all new hires. Reviewed the Security Awareness Training Onboarding Program documentation Interviewed the Office Manager to verify that all employees are required to attend the onboarding program Observed the formally documented agenda and training requirements Observed that all the new hires completed the course No Relevant Exceptions Noted CC2.5 Internal and external users have been provided with information on how to report security, availability, and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
25 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC2.5.1 The organization has implemented an incident response procedure. Reviewed the Incident Response Management documentation Observed the storage of the incident response documentation on the company intranet No Relevant Exceptions Noted CC2.5.2 The organization has a process in place for training personnel with security incident responsibilities. Interviewed the Security Analyst to verify that a security response team is trained and always prepared to respond to incidents and alerts No Relevant Exceptions Noted CC2.5.3 There is a process for users to alert the organization about potential breaches. Interviewed the Security Analyst to verify that general users report security incidents to security personnel Observed examples of incident reports during the audit period No Relevant Exceptions Noted CC2.6 System changes that affect internal and external users’ responsibilities or the entity’s commitments and system requirements relevant to security, availability, and confidentiality are communicated to those users in a timely manner. CC2.6.1 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) to verify that it addresses appropriate topics such as roles and responsibilities, the risk analysis of the change request, the tests prior to implementation, and back-out plans Interviewed the Technical Operations Engineer Observed a sample of changes to verify that the changes are appropriately tracked with tickets No Relevant Exceptions Noted
26 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC2.6.2 The organization uses email to communicate changes in system availability and security. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer to verify that the organization emails users and clients about changes that may affect system availability and security No Relevant Exceptions Noted
27 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC3.1 The entity (1) identifies potential threats that could impair system security, availability, and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (5) reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes. CC3.1.1 The organization conducts an annual risk assessment. Reviewed the Risk Assessment (dated X) Interviewed the Senior Security Manager to verify that a Risk Assessment must be conducted annually, and the results of that Risk Assessment are presented in an annual report Observed that the risk assessment considers the likelihood and impact as well as relevant compensating controls and further actions Observed that the risk assessment is updated annually No Relevant Exceptions Noted CC3.2 The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.
28 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC3.2.1 The organization has a formally documented Information Security Policy. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify that the Information Security Policy is available on the company’s intranet Observed the signed acknowledgments for new hires during the audit period No Relevant Exceptions Noted
29 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC4.0 Common Criteria Related to Monitoring of Controls Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC4.1 The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as the relate to security, availability, and confidentiality, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner. CC4.1.1 The organization conducts daily, weekly, and monthly procedures that relate to its internal security processes. Reviewed tickets from the organization’s ticket tracking system Interviewed the Security Analyst to verify that security personnel conduct daily security procedures No Relevant Exceptions Noted CC4.1.2 The organization conducts an annual risk assessment. Reviewed risk assessment documentation (dated X) Interviewed the Senior Security Manager to verify that the Information Security Policy mandates that a risk assessment must be conducted annually Observed the formally documented risk assessments and relevant controls that were developed based on the assessments of personnel, technology, and business risks Observed that the risk assessment considers the likelihood and impact as well as relevant compensating controls and further actions Observed that the risk assessment is updated annually No Relevant Exceptions Noted
30 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC5.0 Common Criteria Related to Logical and Physical Access Controls Ctrl # Control Activity Testing of Operating Effectiveness Test Results CC5.1 Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.1.1 The organization has an automated access control system in place. Interviewed the Security Analyst to verify that the automated access control system controls access to the internal business applications No Relevant Exceptions Noted CC5.2 New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. CC5.2.1 The organization has a process in place for implementing user IDs. Interviewed the Office Manager to verify that the organization follows the least privilege principle for logical access Observed there is a formally documented procedure for centralized provisioning No Relevant Exceptions Noted CC5.2.2 The organization’s Information Security Policy mandates access for terminated/separated employees must immediately be revoked. Reviewed the Information Security Policy Interviewed the Security Analyst to verify that the Information Security Policy states that access must be promptly revoked for any person terminated/separated from the organization No Relevant Exceptions Noted
31 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.2.3 The organization uses an exit workflow process to ensure that access is revoked for terminated/separated employees. Reviewed the exit checklist Interviewed Security Analyst to verify that the HR department oversees the offboarding process for terminated/separated employees No Relevant Exceptions Noted CC5.2.4 Management must approve a user prior to access. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify that manager approval is needed for prior to obtaining access No Relevant Exceptions Noted CC5.2.5 The organization maintains domain, group, and user policies. Reviewed screenshots of user groups and password settings Observed that the organization uses its automated access control system to implement its account login and password settings No Relevant Exceptions Noted CC5.2.6 The organization has a process for registering/deregistering clients for online access. Interviewed the Program Manager to verify that clients can register and deregister for online access via the company portal No Relevant Exceptions Noted CC5.3 Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.3.1 The organization ensures that a unique user ID is assigned before being allowed access to system components. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify all users are required to have a unique user ID Observed that the organization uses automated access control systems to enforce the requirement that all users have a unique ID No Relevant Exceptions Noted
32 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.4.1 The organization’s Information Security Policy mandates that access rights are granted on the principle of least privilege. Reviewed the Information Security Policy (dated X) to verify that it addresses the principle of least privilege Interviewed the Security Analyst to verify that the Information Security Policy states that privileges are assigned based on least privilege, and additional privileges require approvals based on least privilege, workflows, and approval processes No Relevant Exceptions Noted CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.5.1 The organization has physical controls in place for protecting secure areas. Interviewed the Security Analyst Observed that the security countermeasures include badge readers, visitor access controls, locked doors, and security cameras No Relevant Exceptions Noted CC5.5.2 The organization relies on security controls for where backup media is stored. Reviewed the XYZ, Inc. SOC reports to verify that a third-party provides backup media storage No Relevant Exceptions Noted CC5.6 Logical access security measures have been implemented to protect against security, availability, and confidentiality threats from sources outside the boundaries of the system to meet the entity’s commitments and system requirements.
33 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.6.1 The organization’s firewall is configured to filter data. Reviewed the firewall configuration files Interviewed the Security Analyst and the Technical Operations Manager verify that firewalls are used to block incoming traffic and filter outgoing connections Observed how the security groups are configured to create restricted data flow No Relevant Exceptions Noted CC5.6.2 The organization’s Information Security Policy requires the use of two-factor authentication. Reviewed the Information Security Policy (dated X) to verify that two-factor authentication is required for remote network access Observed the implementation of two-factor authentication onsite to verify it is in place and operating effectively No Relevant Exceptions Noted CC5.7 The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security, availability, and confidentiality. CC5.7.1 The organization uses industry recommendations/best practices to underpin encryption methods. Reviewed the formally documented standards and compliance encryption best practices Interviewed the Security Analyst to verify that the organization uses industry recommendations and best practices to underpin the organization’s encryption methods No Relevant Exceptions Noted
34 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.7.2 The organization has methods in place to protect information during transactions. Reviewed the protocol details in to verify that the organization provides components to protect confidential data in transit from unauthorized disclosure Reviewed the organization’s standard operating procedures to verify that they outline errors that could occur during transmission and processing Observed error report queues that are reviewed and monitored to ensure operational quality No Relevant Exceptions Noted CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.8.1 The organization requires that antivirus software remain updated. Interviewed the Security Analyst to verify the presence of antivirus software on all computers Observed that updates occur every half hour No Relevant Exceptions Noted
35 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC6.0 Common Criteria Related to System Operations Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC6.1 Vulnerabilities of system components to security, availability, and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC6.1.1 The organization has implemented an incident response procedure. Reviewed the Incident Response Program (dated X) Observed that the Incident Response Program is available on the company intranet No Relevant Exceptions Noted CC6.1.2 The organization tracks security incidents via a ticketing system. Reviewed the full listing of incidents Interviewed the Program Manager to verify that all security related incidents are tracked using tickets Observed a sample of a recently responded security incident as they are tracked in tickets No Relevant Exceptions Noted CC6.1.3 The organization has a system in place for monitoring alerts. Interviewed the Security Analyst to verify the organization uses system tools to monitor its environment Observed alerts onsite to verify that alerts from intrusion- detection/intrusion-prevention, alerts from file-integrity monitoring systems, and detection of unauthorized wireless access points are monitored No Relevant Exceptions Noted
36 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC6.1.4 The organization has intrusion detection systems in place. Interviewed the Technical Operations Engineer to verify that the intrusion-detection systems are operating effectively Observed the use of security groups for network traffic in an IDS fashion No Relevant Exceptions Noted CC6.2 Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s commitments and system requirements. CC6.2.1 The organization has implemented an incident response procedure. Reviewed the Incident Response Management documentation Observed the storage of the formally documented Incident Response Plan on the company’s intranet No Relevant Exceptions Noted CC6.2.2 The organization tracks security incidents via tickets. Reviewed the full listing of incidents Interviewed the Program Manager to verify that all security related incidents are tracked in tickets, which allows the organization to add root cause, assign ownership, track efforts and capture lessons learned Observed a sample of a recently responded to security incident as they are tracked in tickets No Relevant Exceptions Noted
37 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC7.0 Common Criteria Related to Change Management Ctrl # Control Activity Testing of Operating Effectiveness Test Results CC7.1 The entity’s commitments and system requirements, as they relate to security, availability, and confidentiality, are addressed during the system development lifecycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components. CC7.1.1 The organization uses industry- accepted practices for the basis of the organization’s system configuration standards. Interviewed the Technical Operations Engineer to verify that servers are hardened using internal hardening scripts and checklists, which are based on industry best practices Observed that documents containing baselines and hardening guidelines are available on the company intranet No Relevant Exceptions Noted CC7.1.2 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Observed a sample of changes to verify that the changes are covered with tickets No Relevant Exceptions Noted CC7.2 Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC7.2.1 The organization has documented system configuration standards. Reviewed the documented system configuration standards Reviewed the patch levels for the relevant systems to verify that standards are configured and managed by ABC, Inc. through the formally documented standards for configuration and hardening No Relevant Exceptions Noted
38 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC7.2.2 The organization has a process for reviewing and updating system configuration standards. Reviewed the review/revision tables for System Configuration Standards Interviewed the Technical Operations Engineer to verify that IT is responsible for reviewing configuration and hardening standards Observed that configuration requirements are formally documented and shared on the organization's intranet site for all relevant personnel No Relevant Exceptions Noted CC7.2.3 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer Observed a sample of changes to verify that the changes are appropriately covered with tickets No Relevant Exceptions Noted CC7.2.4 The organization’s Information Security Policy is updated at least annually. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify that the Information Security Policy is reviewed and updated at least annually Observed the revision history of evidence that this is current and updated accordingly Observed that the policy was signed by the VP, demonstrating executive level management oversight No Relevant Exceptions Noted
39 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC7.3.1 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer Observed and reviewed onsite a sample of changes to verify that the changes are appropriately covered with the tickets No Relevant Exceptions Noted CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security, availability, and confidentiality commitments and system requirements. CC7.4.1 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer Observed and reviewed onsite a sample of changes to verify that the changes are appropriately covered with tickets No Relevant Exceptions Noted
40 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Additional Criteria for Availability Ctrl # Control Activity Test of Operation Effectiveness Test Results A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity’s availability commitments and system requirements. A1.1.1 The organization uses system monitoring tools to oversee system capacity. Reviewed system monitoring files Interviewed the Technical Operations Engineer to verify the organization uses tools for monitoring and capacity planning No Relevant Exceptions Noted A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. A1.2.1 The organization has a business continuity plan in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. Reviewed the Business Continuity Plan (dated X) Interviewed the Technical Operations Engineer to verify that restoration tests are conducted at least twice a year No Relevant Exceptions Noted A1.2.2 The organization has physical controls in place to protect against external and environmental hazards. Interviewed the Technical Operations Engineer to verify that physical controls are in place Observed that the corporate office includes a standard HVAC and fire detection/suppression controls Observed that networking equipment and critical infrastructure are equipped with UPS battery backups and dedicated cooling units Observed that the office is equipped with an emergency power generator and an onsite supply of fuel No Relevant Exceptions Noted
41 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 A1.3 Recovery plan procedures supporting system recovery are tested to help meet the entity’s availability commitments and system requirements. A1.3.1 The organization has a business continuity plan in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. Reviewed the Business Continuity Plan (dated X) Interviewed the Technical Operations Engineer to verify that restoration tests are conducted at least twice a year No Relevant Exceptions Noted A1.3.2 The organization has implemented a data backup policy. Reviewed the Backup Retention Policy (dated X) Interviewed the Technical Operations Engineer to verify that the details in the organization’s backup/retention policy contains information about the different types of data managed Observed that data restore jobs are run annually No Relevant Exceptions Noted
42 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 Additional Criteria for Confidentiality Ctrl # Control Activity Test of Operation Effectiveness Test Results C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity’s confidentiality commitments and system requirements. C1.1.1 The organization’s Information Security Policy and job descriptions define security responsibilities for personnel. Reviewed the Information Security Policy (dated X) Observed that security responsibilities are defined in the Information Security Policy and in the relevant job descriptions Observed the use of the company intranet to disseminate this information No Relevant Exceptions Noted C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity’s confidentiality commitments and system requirements. C1.2.1 The organization provides new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. Reviewed the onboarding documents Observed that management sets the appropriate tone at the top and employee expectations during the onboarding process No Relevant Exceptions Noted C1.2.2 The organization has a Privacy Policy in place that details how personal information is to be handled. Reviewed the Privacy Policy (dated X) Interviewed the Program Manager to verify that ABC, Inc. has established a Privacy Policy Observed that the Privacy Policy is on the organization’s website and governs how it handles sensitive and personal information No Relevant Exceptions Noted
43 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity’s confidentiality commitments and system requirements. C1.3.1 The organization has implemented a process for transmitting or receiving data across open, public networks. Reviewed the documented protocol details Interviewed Security Analyst to verify that the organization uses the most recent version of TLS when transferring sensitive customer data over the internet No Relevant Exceptions Noted C1.4 The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information. C1.4.1 The organization requires that third-parties sign a Confidentiality and Non- Disclosure Agreement prior to sharing information. Reviewed the Master Service Agreement (dated X) and the Non-Disclosure Agreement (dated X) Interviewed the Security Analyst to verify that the organization implements an NDA and MSA Observed the MSA and NDAs onsite to verify they were in place No Relevant Exceptions Noted C1.5 Compliance with the entity’s confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary. C1.5.1 The organization completes a risk assessment and reviews compliance reports to monitor vendors’ service delivery and compliance status. Reviewed vendor compliance reports Interviewed the Technical Operations Engineer to verify that all vendor relationships begin with a security risk assessment and a review of compliance reports No Relevant Exceptions Noted C1.6 Changes to the entity’s confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.
44 ABC, Inc. SOC 2 Service Organization Control Report February 1, 2017 to January 31, 2018 C1.6.1 The organization uses its intranet to distribute its Information Security Policy to personnel. Observed that the Information Security Policy is available via the corporate intranet No Relevant Exceptions Noted C1.7 The entity retains confidential information to meet the entity’s confidentiality commitments and system requirements. C1.7.1 The organization has business requirements for retaining and deleting data. Reviewed Backup Details (dated X) Interviewed the Security Analyst to verify that data retention is driven the contract with the client No Relevant Exceptions Noted C1.8 The entity disposes of confidential information to meet the entity’s confidentiality commitments and system requirements. C1.8.1 The organization relies on third parties for media destruction purposes. Interviewed the Technical Operations Engineer to verify that equipment and media is destroyed by a third party No Relevant Exceptions Noted

More Related Content

PPTX
SOC 2 presentation. Overview of SOC 2 assessment
byModu9
 
PPTX
FedRAMP Certification & FedRAMP Marketplace
byControlCase
 
PDF
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf
byinfosecTrain
 
PDF
SOC-2 Compliance Status Report sample v10.0
byMark S. Mahre
 
PDF
Third-party information security assessment checklist.pdf
bypriyanshamadhwal2
 
PDF
SOC Certification Runbook Template
byMark S. Mahre
 
PDF
Navigating Compliance for MSPs From First Audit to Monetization
byControlCase
 
PPTX
english_bok_ismp_202306.pptx
byssuser00d6eb
 
SOC 2 presentation. Overview of SOC 2 assessment
byModu9
 
FedRAMP Certification & FedRAMP Marketplace
byControlCase
 
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2.pdf
byinfosecTrain
 
SOC-2 Compliance Status Report sample v10.0
byMark S. Mahre
 
Third-party information security assessment checklist.pdf
bypriyanshamadhwal2
 
SOC Certification Runbook Template
byMark S. Mahre
 
Navigating Compliance for MSPs From First Audit to Monetization
byControlCase
 
english_bok_ismp_202306.pptx
byssuser00d6eb
 

What's hot

PPTX
Language Translations for Custom Scoped Applications in ServiceNow
byLon Landry
 
PPTX
Presentation on iso 27001-2013, Internal Auditing and BCM
byShantanu Rai
 
PPTX
Information Security Metrics - Practical Security Metrics
byJack Nichelson
 
PPTX
Salesforce Overview For Beginners/Students
bySujesh Ramachandran
 
PDF
ISO/IEC 27001:2022 Transition Arragements
byISONIKELtd
 
PPTX
Standards of Internal Audit
byKaran Puri
 
PDF
SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf
byinfosecTrain
 
PPTX
Intelligent Process Automation in Audit
by10xDS - Exponential Digital Solutions
 
PDF
Zero Trust Model Presentation
byGowdhaman Jothilingam
 
PPTX
Salesforce Service Cloud - An overview
byAjay Balakrishnan
 
PPT
The information security audit
byDhani Ahmad
 
PPT
Vendor Management - Compliance Checklist Manifesto Series
byContinuity Control
 
PDF
NIST Cybersecurity Framework - Mindmap
byWAJAHAT IQBAL
 
PDF
Velocity Presentation - Unified Monitoring with AppDynamics
byAppDynamics
 
PPT
3c 2 Information Systems Audit
byRajeswaran Muthu Venkatachalam
 
PDF
SOC 2 and You
bySchellman & Company
 
PPTX
Microsoft Threat Protection
byThierry DEMAN
 
PDF
Infosec Audit Lecture_4
byObrina Candra, CISA, ISMS-LA
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PPTX
MS. Cybersecurity Reference Architecture
byangelohammond
 
Language Translations for Custom Scoped Applications in ServiceNow
byLon Landry
 
Presentation on iso 27001-2013, Internal Auditing and BCM
byShantanu Rai
 
Information Security Metrics - Practical Security Metrics
byJack Nichelson
 
Salesforce Overview For Beginners/Students
bySujesh Ramachandran
 
ISO/IEC 27001:2022 Transition Arragements
byISONIKELtd
 
Standards of Internal Audit
byKaran Puri
 
SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf
byinfosecTrain
 
Intelligent Process Automation in Audit
by10xDS - Exponential Digital Solutions
 
Zero Trust Model Presentation
byGowdhaman Jothilingam
 
Salesforce Service Cloud - An overview
byAjay Balakrishnan
 
The information security audit
byDhani Ahmad
 
Vendor Management - Compliance Checklist Manifesto Series
byContinuity Control
 
NIST Cybersecurity Framework - Mindmap
byWAJAHAT IQBAL
 
Velocity Presentation - Unified Monitoring with AppDynamics
byAppDynamics
 
3c 2 Information Systems Audit
byRajeswaran Muthu Venkatachalam
 
SOC 2 and You
bySchellman & Company
 
Microsoft Threat Protection
byThierry DEMAN
 
Infosec Audit Lecture_4
byObrina Candra, CISA, ISMS-LA
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
MS. Cybersecurity Reference Architecture
byangelohammond
 

Similar to Sample SOC2 report of a security audit firm

PDF
SSAE 16 Transitions Overview
byJeffrey Paulette
 
PDF
Soc Compliance Overview
byFabio Ferrari
 
PPTX
Lets talk about soc2s, baby! BSidesLV 2021
byWendy Knox Everette
 
DOCX
Risk Assessment
byjenito21
 
DOCX
R.a 1
byjenito21
 
PDF
Soc 2 Compliance.pdf
byroguelogics
 
PDF
Soc 2 Compliance.pdf
byroguelogics
 
PPTX
Navigating the new Trust Services Criteria
byMcKonly & Asbury, LLP
 
DOCX
Sample - Corporate Report
byMichael Shinskie
 
PDF
Ensuring SOC 2 Compliance A Comp Checklist.pdf
bysocurely
 
PDF
Evaluating Service Organization Control Reports
byJay Crossland
 
PDF
Is3 Capabilities Brief
bymageeb
 
DOCX
Why should I do SOC2?
byVISTA InfoSec
 
DOCX
Untitled document (4).docx
bymconsult141
 
PDF
CISSP Domain 06 Security Assessment and Testing.pdf
bygealehegn
 
PPSX
4 Operations Security
byAlfred Ouyang
 
PDF
Security review using SABSA
byMaganathin Veeraragaloo
 
PPTX
Service Organizational Control (SOC 2) Compliance - Kloudlearn
byKloudLearn
 
PDF
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
byNAFCU Services Corporation
 
PDF
SOC Standards - Nonprofit organizations
byTate Tryon CPAs
 
SSAE 16 Transitions Overview
byJeffrey Paulette
 
Soc Compliance Overview
byFabio Ferrari
 
Lets talk about soc2s, baby! BSidesLV 2021
byWendy Knox Everette
 
Risk Assessment
byjenito21
 
R.a 1
byjenito21
 
Soc 2 Compliance.pdf
byroguelogics
 
Soc 2 Compliance.pdf
byroguelogics
 
Navigating the new Trust Services Criteria
byMcKonly & Asbury, LLP
 
Sample - Corporate Report
byMichael Shinskie
 
Ensuring SOC 2 Compliance A Comp Checklist.pdf
bysocurely
 
Evaluating Service Organization Control Reports
byJay Crossland
 
Is3 Capabilities Brief
bymageeb
 
Why should I do SOC2?
byVISTA InfoSec
 
Untitled document (4).docx
bymconsult141
 
CISSP Domain 06 Security Assessment and Testing.pdf
bygealehegn
 
4 Operations Security
byAlfred Ouyang
 
Security review using SABSA
byMaganathin Veeraragaloo
 
Service Organizational Control (SOC 2) Compliance - Kloudlearn
byKloudLearn
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
byNAFCU Services Corporation
 
SOC Standards - Nonprofit organizations
byTate Tryon CPAs
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
The year in review - MarvelClient in 2025
bypanagenda
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
API-First Architecture in Financial Systems
bycyy111112
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 

Sample SOC2 report of a security audit firm

  • 1.
    1 SOname SSAE 16Service Organization Control Report startDate to endDate ABC, Inc. Type II Service Organization Control Report (SOC 2) Independent Report on a Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of the Controls to meet the criteria for the security, availability, and confidentiality principles for the period of February 1, 2017 through January 31, 2018.
  • 2.
    i ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 TABLE OF CONTENTS MANAGEMENT OF ABC, INC.’S ASSERTION REGARDING ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 20181 INDEPENDENT SERVICE AUDITOR’S REPORT ..................................................................................4 Independent Service Auditor’s Report........................................................................................ 5 ABC, INC.’S DESCRIPTION OF ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018 ...................................................................8 System Overview........................................................................................................................ 9 Background............................................................................................................................. 9 Infrastructure............................................................................................................................. 10 Software................................................................................................................................ 10 People.................................................................................................................................... 10 Procedures............................................................................................................................. 10 Data....................................................................................................................................... 10 Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring of Controls ............................................................ 11 Control Environment ............................................................................................................ 11 Management Philosophy................................................................................................... 11 Security, Availability, and Confidentiality Management ................................................. 11 Security, Availability, and Confidentiality Policies ......................................................... 11 Controls Related to Personnel........................................................................................... 11 Security Policies.................................................................................................................... 12 Physical Security and Environmental Controls ................................................................ 12 Change Management ........................................................................................................ 12 System Monitoring............................................................................................................ 12 Problem Management ....................................................................................................... 13 Data Backup and Recovery............................................................................................... 13 System Account Management .......................................................................................... 13 Risk Assessment Process...................................................................................................... 13 Information and Communication Systems............................................................................ 13 Monitoring Controls.............................................................................................................. 14 Trust Services Criteria and Related Controls............................................................................ 15 Complementary User-Entity Controls ...................................................................................... 16
  • 3.
    ii ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 TRUST SERVICES SECURITY, AVAILABILITY, AND CONFIDENTIALITY PRINCIPLES, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS ....................................................18 Criteria Common to All Security, Availability, and Confidentiality Principles................... 19 CC1.0 Common Criteria Related to Organization and Management ........................... 19 CC2.0 Common Criteria Related to Communications ................................................. 23 CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls ........................................................................................................................ 27 CC4.0 Common Criteria Related to Monitoring of Controls ....................................... 29 CC5.0 Common Criteria Related to Logical and Physical Access Controls ................ 30 CC6.0 Common Criteria Related to System Operations .............................................. 35 CC7.0 Common Criteria Related to Change Management........................................... 37 Additional Criteria for Availability ...................................................................................... 40 Additional Criteria for Confidentiality ................................................................................. 42
  • 4.
    MANAGEMENT OF ABC,INC.’S ASSERTION REGARDING ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
  • 5.
    2 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 ABC, INC.’S ASSERTION We have prepared the attached description titled “Description of ABC, Inc.’s Customer Success Software System Throughout the Period February 1, 2017 to January 31, 2018” (the description), based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization’s system in paragraphs 1.26 – 1.27 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM ) (the description criteria). The description is intended to provide users with information about the customer success software system, particularly system controls intended to meet the criteria for the security, availability, and confidentiality principles set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (applicable trust services criteria). We confirm, to the best of our knowledge and belief, that a) The description fairly presents the customer success software system throughout the period February 1, 2017 to January 31, 2018, based on the following description criteria: i. The description contains the following information: 1. The type of services provided 2. The components of the system used to provide the services, which are the following: • Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks). • Software. The programs and operating software of a system (systems, applications, and utilities). • People. The personnel involved in the operation and use of a system (developers, operators, users, and managers). • Procedures. The automated and manual procedures involved in the operation of a system. • Data. The information used and supported by a system (transaction streams, files, databases, and tables). 3. The boundaries or aspects of the system covered by the description 4. How the system captures and addresses significant events and conditions, other than transactions. 5. The process used to prepare reports or other information provided to user entities of the system. 6. If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization or other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls 7. For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the service organization’s system 8. For subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organization; each of the applicable trust services
  • 6.
    3 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria 9. Any applicable trust services criteria that are not addressed by a control at the service organization or a subservice organization and the reasons therefore 10. Other aspects of the service organization’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria 11. Relevant details of changes to the service organization’s system during the period covered by the description ii. The description does not omit or distort information relevant to the service organization’s system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs. b) The controls stated in the description were suitably designed throughout the specified period to meet the applicable trust services criteria. c) The controls stated in the description operated effectively throughout the specified period to meet the applicable trust services criteria.
  • 7.
    INDEPENDENT SERVICE AUDITOR’SREPORT on a Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of the Controls
  • 8.
    5 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 INDEPENDENT SERVICE AUDITOR’S REPORT Jane Doe CEO ABC, Inc. 100 St. Washington Scope We have examined the attached description titled “Description of ABC, Inc.’s Customer Success Software System Throughout the Period February 1, 2017 to January 31, 2018” (the description) and the suitability of the design and operating effectiveness of controls to meet the criteria for the security, availability, and confidentiality principles set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (applicable trust services principles criteria), throughout the period February 1, 2017 to January 31, 2018. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of ABC, Inc.’s controls are suitable designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls. ABC, Inc. uses XYZ, Inc. to perform cloud computing services. The description indicates that certain applicable trust services criteria can only be met if controls at the subservice organization are suitably designed and operating effectively. The description presents ABC, Inc.’s system; its controls relevant to the applicable trust services criteria; and the types of controls that the service organization expects to be implemented, suitably designed, and operating effectively at the subservice organization to meet certain applicable trust services criteria. The description does not include any of the controls implemented at the subservice organization. Our examination did not extend to the services provided by the subservice organization or the subservice organization’s compliance with the commitments in its statement of privacy practices. Service Organization’s Responsibilities ABC, Inc. has provided the attached assertion titled “Management of ABC, Inc.’s Assertion Regarding Its Customer Success Software System Throughout the Period February 1, 2017 to January 31, 2018,” which is based on the criteria identified in management’s assertion. ABC, Inc. is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of the description and assertions; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria. Service Auditor’s Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in ABC, Inc.’s assertion and on the suitability of the
  • 9.
    6 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period February 1, 2017 to January 31, 2018. Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures include assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Inherent Limitations Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail. Opinion In our opinion, in all material respects, based on the criteria identified in ABC, Inc.’s assertion and the applicable trust services criteria a) the description fairly presents the system that was designed and implemented throughout the period February 1, 2017 to January 31, 2018. b) the controls of ABC, Inc. stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period February 1, 2017 to January 31, 2018, and user entities applied the complementary user-entity controls contemplated in the design of ABC, Inc.’s controls throughout the period February 1, 2017 to January 31, 2018, and XYZ, Inc. applied, throughout the period February 1, 2017 to January 31, 2018 the types of controls expected to be implemented at XYZ, Inc. and incorporated in the design of the system. c) the controls of ABC, Inc. tested, which together with the complementary user-entity controls referred to in the scope paragraph of this report, and together with the types of controls expected to be implemented at XYZ, Inc. and incorporated in the design of the system, if operating effectively, were those necessary to provide reasonable assurance that
  • 10.
    7 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 the applicable trust services criteria were met, operated effectively throughout the period February 1, 2017 to January 31, 2018. Description of Tests of Controls The specific controls we tested and the nature, timing, and results of our tests are presented in the section of our report titled “Description of Test of Controls and Results Thereof.” Restricted Use This report, including the description of tests of controls and results thereof are intended solely for the information and use of ABC, Inc.; user entities of ABC, Inc.’s during some or all of the period February 1, 2017 to January 31, 2018; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following: • The nature of the service provided by the service organization • How the service organization’s system interacts with user entities, subservice organizations, or other parties • Internal control and its limitations • Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria • The applicable trust services criteria • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks This report is not intended to be and should not be used by anyone other than these specified parties. Damon Sullivan, CPA KirkpatrickPrice, LLC 1228 East 7th Ave. Suite 200 Tampa, FL 33605 May 1, 2018
  • 11.
    8 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 ABC, INC.’S DESCRIPTION OF ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
  • 12.
    9 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 SYSTEM OVERVIEW Background ABC, Inc. is a complete customer success software solution that is designed to help businesses reduce churn, increase upsell, and drive customer success. The company’s SaaS application allows organizations to focus on business strategy while ABC, Inc. focuses on infrastructure management, scaling, and security. ABC, Inc. applies security best practices in managing platform security to allow customers to focus on their business. The platform is designed to protect customers from threats by applying security controls at various layers.
  • 13.
    10 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 INFRASTRUCTURE Software ABC, Inc. maintains an inventory list of critical software; the inventory list and the application lifecycle is managed by the IT Department. People ABC, Inc. maintains a hierarchical organizational structure. An Organization Chart is maintained that illustrates the separation of duties, reporting lines, and the appropriate levels of oversight. Procedures ABC, Inc. conducts daily, weekly, and monthly procedures that relate to its internal security processes. Security team members complete daily security procedures that include checking emails and looking for alerts from service providers. Data ABC, Inc. has business requirements for retaining data that the customers set in their contract with the organization. The transmission, movement, and removal of information is restricted to authorized internal and external users and processes. The organization has implemented a process for transmitting or receiving data across open, public networks. Encryption is used throughout the environment when transferring sensitive customer data over the internet, and industry best practices underpin its encryption methods.
  • 14.
    11 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESS, INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING OF CONTROLS Control Environment Management Philosophy ABC, Inc.’s management communicates and oversees the implementation of the Code of Conduct, Integrity, and Ethics by making the Employee Handbooks available on ABC, Inc.’s intranet. Security, Availability, and Confidentiality Management To set the tone and direction for the organization, management sends out weekly emails to communicate recent events and provide company-wide feedback. Managers also communicate daily and weekly updates to their teams through meetings. Security, Availability, and Confidentiality Policies Management has a process for creating, approving, and maintaining the organization’s policies. The policies have a revision table present that details the revision notes, who authored the revisions, who approved the revisions, and the date the revisions were implemented. Management team reviews all policies at least once annually or following any industry changes. Controls Related to Personnel The organization has a formally documented Employee Handbook in place that is distributed to all employees. The handbook covers: • Code of Conduct • Statement on Ethics • Information Confidentiality • Background and Reference Checks • Progressive Discipline ABC, Inc. formally documents job descriptions for critical functions in the organization; the description includes job and security function. These responsibilities are communicated to the employees. ABC, Inc. uses onboarding and termination checklists during the hiring and termination processes. An onboarding checklist is used for each employee during the onboarding process to ensure that all important steps of the process are covered. This includes providing new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. Additionally, all new hires are required to undergo a background check, which consists of an SSN Trace, a criminal search, and a search on the National Sex Offender Registry. All new hires are required to undergo training programs, such as security awareness training, and they receive daily on-the-job training.
  • 15.
    12 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Security Policies Physical Security and Environmental Controls The organization has physical security controls in place to protect secure areas, including locked doors, use of card key access at doors, visitor access control procedures, and video surveillance. The facility is equipped with an emergency power generator, and it maintains an onsite supply of fuel to ensure continued electrical support in the event of a loss of utility power. Additionally, networking equipment and critical infrastructure are equipped with UPS battery backups and dedicated cooling units. The facility is furnished with smoke detectors and fire suppression equipment. To protect secure areas, the facility’s access points are secured and restricted by magnetic locks. They are also equipped with card readers that limit access to authorized onsite personnel; data from the card readers is retained for a minimum of 90 days. ABC, Inc. relies on XYZ, Inc. for physical and environmental controls within the production environment, including media destruction. Change Management ABC, Inc. maintains its documented configuration and hardening standards to configure and manage its systems. Industry-accepted practices are used in the development of the organization’s system configuration standards. The IT department is responsible for reviewing configuration and hardening standards biannually. Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry/vendor alerts and vulnerability scans, announcements, internal meetings and reviews, and security newsletters and reports from trusted sources. ABC, Inc. sends email alerts to clients and company users prior to changes being implemented that may affect system availability and/or security. The organization’s firewall is configured to filter data and monitor traffic entering the system. System Monitoring ABC, Inc. uses system monitoring tools to oversee system capacity, plan for future requirements, and monitor alerts. The Technical Operations team holds routine meetings to review system capacity and environment health. The organization requires that antivirus software must remain updated. This ensures that all critical components are covered by an antivirus solution, antivirus configurations define when periodic scans are performed, and antivirus definitions are current according to documented schedule.
  • 16.
    13 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Problem Management The organization has a formally documented Incident Response Plan. The plan outlines the roles and responsibilities of all teams in the organization, detailing how they should handle security incidents. The plan also defines incident levels and outlines the differences between various security events. Formalized security-breach responsibilities are implemented, and all personnel are trained to report security incidents to those with these responsibilities. Data Backup and Recovery ABC, Inc. has implemented a Backup Retention Policy, which contains information about the different types of data managed and how it is backed up and retained. A Business Continuity Plan is also in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. The policy requires that restorations are completed annually. System Account Management ABC, Inc. mandates that access rights are granted on the principle of least privilege, and any additional privileges require approval. The organization considers this when implementing user IDs. An access control system is used to control access to the internal business applications. Part of its function is to ensure that a unique user ID is assigned to each user before he or she allowed access to system components. The access control system is also configured to enforce the organization’s password requirements. The organization’s Information Security Policy requires the use of two-factor authentication for any interface that allows access to stored customer data, receives interactive logins, and faces the open internet. ABC, Inc. mandates that access for terminated/separated employees must promptly be revoked. The HR department oversees the exit workflow process for terminated/separated employees to ensure that access to all accounts and systems are disabled. Clients are able to register and deregister for online access to the company’s services via ABC, Inc.’s online portal. Risk Assessment Process The Information Security Policy mandates that a risk assessment be conducted annually. The risk assessment includes risks, likelihood, impact, existing controls, and possible further risk treatments. The results of the assessment are documented in an annual report that is reviewed by a member of leadership with security responsibilities. Information and Communication Systems ABC, Inc. has a formally documented Information Security Policy, which employees can access on the company intranet. The policy outlines the core security principles of the company, which
  • 17.
    14 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 apply to all company employees, service providers, and partners. The security roles of all employees are defined within the policy. All new hires are required to sign an acknowledgement of the Information Security Policy. The Information Security Policy is reviewed and updated at least annually. ABC, Inc. has contractual and marketing materials in place that describe its scope of services to clients, including its company website and its Master Service Agreements. ABC, Inc. also has privacy policies in place that govern how to collect and handle sensitive information; these policies outline the industry standard precautions to ensure that confidential information is protected. Monitoring Controls ABC, Inc. has monitoring tools and practices in place to ensure operational quality and control. These include gathering audit reports from third parties to monitor the vendors’ service delivery and compliance status.
  • 18.
    15 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 TRUST SERVICES CRITERIA AND RELATED CONTROLS Although the trust services criteria and related controls are presented in section 4, “Trust Services Security, Availability, and Confidentiality Principles, Criteria, Related Controls, and Tests of Controls,” they are an integral part of ABC, Inc.’s system description.
  • 19.
    16 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 COMPLEMENTARY USER-ENTITY CONTROLS ABC, Inc.’s services are designed with the assumption that certain controls would be implemented by user organizations. In certain situations, the application of specific controls at the user organization is necessary to achieve control objectives included in this report. ABC, Inc.’s management makes control recommendations to user organizations and provides the means to implement these controls in many instances. ABC, Inc. also provides best practice guidance to clients regarding control element outside the sphere of ABC, Inc. responsibility. This section describes additional controls that should be in operation at user organizations to complement the ABC, Inc. controls. Client Consideration recommendations include: • User organizations should implement sound and consistent internal controls regarding general IT system access and system usage appropriateness for all internal user organization components associated with ABC, Inc. • User organizations should practice removal of user accounts for any users who have been terminated and were previously involved in any material functions or activities associated with ABC, Inc.’s services. • Transactions for user organizations relating to ABC, Inc.’s services should be appropriately authorized, and transactions should be secure, timely, and complete. • For user organizations sending data to ABC, Inc., data should be protected by appropriate methods to ensure confidentiality, privacy, integrity, availability, and non-repudiation. • User organizations should implement controls requiring additional approval procedures for critical transactions relating to ABC, Inc.’s services. • User organizations should report to ABC, Inc. in a timely manner any material changes to their overall control environment that may adversely affect services being performed by ABC, Inc. • User organizations are responsible for notifying ABC, Inc in a timely manner of any changes to personnel directly involved with services performed by ABC, Inc. These personnel may be involved in financial, technical or ancillary administrative functions directly associated with services provided by ABC, Inc. • User organizations are responsible for adhering to the terms and conditions stated within their contracts with ABC, Inc. • User organizations are responsible for developing, and if necessary, implementing a business continuity and disaster recovery plan (BCDRP) that will aid in the continuation of services provided by ABC, Inc.
  • 20.
    17 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 The list of user organization control considerations presented above and those presented with certain specified control objectives do not represent a comprehensive set of all the controls that should be employed by user organizations. Other controls may be required at user organizations. Therefore, each client’s system of internal controls must be evaluated in conjunction with the internal control structure described in this report.
  • 21.
    18 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 TRUST SERVICES SECURITY, AVAILABILITY, AND CONFIDENTIALITY PRINCIPLES, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS
  • 22.
    19 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC1.0 Common Criteria Related to Organization and Management Ctrl # Control Activity Testing of Operating Effectiveness Test Results CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security, availability, and confidentiality. CC1.1.1 The organization’s structure is documented in its Organization Chart. Reviewed the Organization Chart to verify that it illustrates the levels of oversight and segregation of duties Interviewed the Office Manager to verify that the CEO leads the organization No Relevant Exceptions Noted CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC1.2.1 The organization uses monitoring tools to ensure operational quality and control. Reviewed screenshots for the organization’s helpdesk system Interviewed the Office Manager to verify the use of tools and helpdesk system Observed the monitoring system tools and the ticketing system No Relevant Exceptions Noted CC1.2.2 Management has a method of creating, approving, and maintaining the organization’s policies. Interviewed the Office Manager to verify the change and approval tables in all the documents Observed the company intranet where all policies are stored Observed the metadata showing recent revisions to verify that all policies are current No Relevant Exceptions Noted
  • 23.
    20 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC1.3 The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security, availability, and confidentiality and provides resources necessary for personnel to fulfill their responsibilities. CC1.3.1 Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry alerts, security reports, vulnerability scans, and meetings. Reviewed the System Configuration Standards Interviewed the Technical Operations Manager to verify that team members stay up to date on configuration standards and best practices Observed daily stands, RSS feeds, weekly meetings, and knowledge transfer sessions to verify that they are captured and stored for later review No Relevant Exceptions Noted CC1.3.2 The organization conducts an onboarding training program for all new hires. Reviewed the onboarding program documentation Interviewed the Office Manager to verify that all employees are required to attend the onboarding program at the corporate office, including security awareness training Observed the formally documented agenda and training requirements Observed all the new hires completed the course No Relevant Exceptions Noted CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security, availability, and confidentiality.
  • 24.
    21 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC1.4.1 The organization has a formally documented employee handbook in place. Reviewed the Employee Handbook (dated X) to verify that topics such as conduct, ethics, confidentiality, background/reference checks, and progressive discipline Interviewed the Office Manager Observed new employee records to verify that new hires are required to sign an acknowledgement of the Employee Handbook No Relevant Exceptions Noted CC1.4.2 The organization uses hiring and termination checklists as part of its onboarding and offboarding processes for employees and contractors. Reviewed the onboarding and offboarding checklists Interviewed the Office Manager to verify that a background check is required prior to employment Interviewed the Office Manager to verify that the organization uses checklists during the hiring and termination processes Observed the records for a sample of new hires in the audit period to verify that all activities on the new hire checklist were completed Observed the records for a sample of terminated employees to verify that all activities on the termination checklist were completed No Relevant Exceptions Noted
  • 25.
    22 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC1.4.3 The organization provides new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. Reviewed the Information Security Policy (dated X), the Employee Benefits Plan (dated X), the Employee Handbook (dated X), and the background check authorization form Observed new hire records to verify that they had signed the necessary forms and acknowledgements No Relevant Exceptions Noted CC1.4.4 The organization conducts background checks as part of the onboarding process. Reviewed the background check authorization form Interviewed the Office Manager to verify that all new hires complete a background check as part of the onboarding process Observed a sample of new hires to verify that background checks were conducted No Relevant Exceptions Noted
  • 26.
    23 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC2.0 Common Criteria Related to Communications Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation. CC2.1.1 The organization has materials in place that describe its scope of services to clients. Reviewed the organization’s website and Master Services Agreements (dated X) No Relevant Exceptions Noted CC2.2 The entity’s security, availability, and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities. CC2.2.1 The organization’s Information Security Policy define security responsibilities for personnel. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst Observed that security responsibilities are defined in the Information Security Policy Observed the use of the company intranet to distribute the policy No Relevant Exceptions Noted CC2.2.2 The organization has promotional materials in place that describe its scope of services to clients. Reviewed the organization’s website and Master Services Agreements (dated X) No Relevant Exceptions Noted CC2.3 The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties. CC2.3.1 The organization formally documents job descriptions for critical functions in the organization. Reviewed job descriptions Observed that the job and security functions are formally defined, and that the responsibilities are communicated to employees No Relevant Exceptions Noted
  • 27.
    24 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC2.4 Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security, availability, and confidentiality of the system, is provided to personnel to carry out their responsibilities. CC2.4.1 Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry alerts, security reports, vulnerability scans, and meetings. Reviewed Security Communication and System Configuration Standards Interviewed the Technical Operations Manager to verify that team members stay up to date with configuration standards and best practices through industry/vendor alerts and announcements, security newsletters and reports from trusted sources, vulnerability scans, and internal meetings and reviews Observed daily stands, weekly meetings, and knowledge transfer sessions, which are recorded and made available for later review No Relevant Exceptions Noted CC2.4.2 The organization conducts an onboarding training program for all new hires. Reviewed the Security Awareness Training Onboarding Program documentation Interviewed the Office Manager to verify that all employees are required to attend the onboarding program Observed the formally documented agenda and training requirements Observed that all the new hires completed the course No Relevant Exceptions Noted CC2.5 Internal and external users have been provided with information on how to report security, availability, and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
  • 28.
    25 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC2.5.1 The organization has implemented an incident response procedure. Reviewed the Incident Response Management documentation Observed the storage of the incident response documentation on the company intranet No Relevant Exceptions Noted CC2.5.2 The organization has a process in place for training personnel with security incident responsibilities. Interviewed the Security Analyst to verify that a security response team is trained and always prepared to respond to incidents and alerts No Relevant Exceptions Noted CC2.5.3 There is a process for users to alert the organization about potential breaches. Interviewed the Security Analyst to verify that general users report security incidents to security personnel Observed examples of incident reports during the audit period No Relevant Exceptions Noted CC2.6 System changes that affect internal and external users’ responsibilities or the entity’s commitments and system requirements relevant to security, availability, and confidentiality are communicated to those users in a timely manner. CC2.6.1 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) to verify that it addresses appropriate topics such as roles and responsibilities, the risk analysis of the change request, the tests prior to implementation, and back-out plans Interviewed the Technical Operations Engineer Observed a sample of changes to verify that the changes are appropriately tracked with tickets No Relevant Exceptions Noted
  • 29.
    26 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC2.6.2 The organization uses email to communicate changes in system availability and security. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer to verify that the organization emails users and clients about changes that may affect system availability and security No Relevant Exceptions Noted
  • 30.
    27 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC3.1 The entity (1) identifies potential threats that could impair system security, availability, and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (5) reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes. CC3.1.1 The organization conducts an annual risk assessment. Reviewed the Risk Assessment (dated X) Interviewed the Senior Security Manager to verify that a Risk Assessment must be conducted annually, and the results of that Risk Assessment are presented in an annual report Observed that the risk assessment considers the likelihood and impact as well as relevant compensating controls and further actions Observed that the risk assessment is updated annually No Relevant Exceptions Noted CC3.2 The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.
  • 31.
    28 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC3.2.1 The organization has a formally documented Information Security Policy. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify that the Information Security Policy is available on the company’s intranet Observed the signed acknowledgments for new hires during the audit period No Relevant Exceptions Noted
  • 32.
    29 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC4.0 Common Criteria Related to Monitoring of Controls Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC4.1 The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as the relate to security, availability, and confidentiality, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner. CC4.1.1 The organization conducts daily, weekly, and monthly procedures that relate to its internal security processes. Reviewed tickets from the organization’s ticket tracking system Interviewed the Security Analyst to verify that security personnel conduct daily security procedures No Relevant Exceptions Noted CC4.1.2 The organization conducts an annual risk assessment. Reviewed risk assessment documentation (dated X) Interviewed the Senior Security Manager to verify that the Information Security Policy mandates that a risk assessment must be conducted annually Observed the formally documented risk assessments and relevant controls that were developed based on the assessments of personnel, technology, and business risks Observed that the risk assessment considers the likelihood and impact as well as relevant compensating controls and further actions Observed that the risk assessment is updated annually No Relevant Exceptions Noted
  • 33.
    30 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC5.0 Common Criteria Related to Logical and Physical Access Controls Ctrl # Control Activity Testing of Operating Effectiveness Test Results CC5.1 Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.1.1 The organization has an automated access control system in place. Interviewed the Security Analyst to verify that the automated access control system controls access to the internal business applications No Relevant Exceptions Noted CC5.2 New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. CC5.2.1 The organization has a process in place for implementing user IDs. Interviewed the Office Manager to verify that the organization follows the least privilege principle for logical access Observed there is a formally documented procedure for centralized provisioning No Relevant Exceptions Noted CC5.2.2 The organization’s Information Security Policy mandates access for terminated/separated employees must immediately be revoked. Reviewed the Information Security Policy Interviewed the Security Analyst to verify that the Information Security Policy states that access must be promptly revoked for any person terminated/separated from the organization No Relevant Exceptions Noted
  • 34.
    31 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.2.3 The organization uses an exit workflow process to ensure that access is revoked for terminated/separated employees. Reviewed the exit checklist Interviewed Security Analyst to verify that the HR department oversees the offboarding process for terminated/separated employees No Relevant Exceptions Noted CC5.2.4 Management must approve a user prior to access. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify that manager approval is needed for prior to obtaining access No Relevant Exceptions Noted CC5.2.5 The organization maintains domain, group, and user policies. Reviewed screenshots of user groups and password settings Observed that the organization uses its automated access control system to implement its account login and password settings No Relevant Exceptions Noted CC5.2.6 The organization has a process for registering/deregistering clients for online access. Interviewed the Program Manager to verify that clients can register and deregister for online access via the company portal No Relevant Exceptions Noted CC5.3 Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.3.1 The organization ensures that a unique user ID is assigned before being allowed access to system components. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify all users are required to have a unique user ID Observed that the organization uses automated access control systems to enforce the requirement that all users have a unique ID No Relevant Exceptions Noted
  • 35.
    32 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.4.1 The organization’s Information Security Policy mandates that access rights are granted on the principle of least privilege. Reviewed the Information Security Policy (dated X) to verify that it addresses the principle of least privilege Interviewed the Security Analyst to verify that the Information Security Policy states that privileges are assigned based on least privilege, and additional privileges require approvals based on least privilege, workflows, and approval processes No Relevant Exceptions Noted CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.5.1 The organization has physical controls in place for protecting secure areas. Interviewed the Security Analyst Observed that the security countermeasures include badge readers, visitor access controls, locked doors, and security cameras No Relevant Exceptions Noted CC5.5.2 The organization relies on security controls for where backup media is stored. Reviewed the XYZ, Inc. SOC reports to verify that a third-party provides backup media storage No Relevant Exceptions Noted CC5.6 Logical access security measures have been implemented to protect against security, availability, and confidentiality threats from sources outside the boundaries of the system to meet the entity’s commitments and system requirements.
  • 36.
    33 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.6.1 The organization’s firewall is configured to filter data. Reviewed the firewall configuration files Interviewed the Security Analyst and the Technical Operations Manager verify that firewalls are used to block incoming traffic and filter outgoing connections Observed how the security groups are configured to create restricted data flow No Relevant Exceptions Noted CC5.6.2 The organization’s Information Security Policy requires the use of two-factor authentication. Reviewed the Information Security Policy (dated X) to verify that two-factor authentication is required for remote network access Observed the implementation of two-factor authentication onsite to verify it is in place and operating effectively No Relevant Exceptions Noted CC5.7 The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security, availability, and confidentiality. CC5.7.1 The organization uses industry recommendations/best practices to underpin encryption methods. Reviewed the formally documented standards and compliance encryption best practices Interviewed the Security Analyst to verify that the organization uses industry recommendations and best practices to underpin the organization’s encryption methods No Relevant Exceptions Noted
  • 37.
    34 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC5.7.2 The organization has methods in place to protect information during transactions. Reviewed the protocol details in to verify that the organization provides components to protect confidential data in transit from unauthorized disclosure Reviewed the organization’s standard operating procedures to verify that they outline errors that could occur during transmission and processing Observed error report queues that are reviewed and monitored to ensure operational quality No Relevant Exceptions Noted CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC5.8.1 The organization requires that antivirus software remain updated. Interviewed the Security Analyst to verify the presence of antivirus software on all computers Observed that updates occur every half hour No Relevant Exceptions Noted
  • 38.
    35 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC6.0 Common Criteria Related to System Operations Ctrl # Control Activity Testing of Operation Effectiveness Test Results CC6.1 Vulnerabilities of system components to security, availability, and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC6.1.1 The organization has implemented an incident response procedure. Reviewed the Incident Response Program (dated X) Observed that the Incident Response Program is available on the company intranet No Relevant Exceptions Noted CC6.1.2 The organization tracks security incidents via a ticketing system. Reviewed the full listing of incidents Interviewed the Program Manager to verify that all security related incidents are tracked using tickets Observed a sample of a recently responded security incident as they are tracked in tickets No Relevant Exceptions Noted CC6.1.3 The organization has a system in place for monitoring alerts. Interviewed the Security Analyst to verify the organization uses system tools to monitor its environment Observed alerts onsite to verify that alerts from intrusion- detection/intrusion-prevention, alerts from file-integrity monitoring systems, and detection of unauthorized wireless access points are monitored No Relevant Exceptions Noted
  • 39.
    36 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC6.1.4 The organization has intrusion detection systems in place. Interviewed the Technical Operations Engineer to verify that the intrusion-detection systems are operating effectively Observed the use of security groups for network traffic in an IDS fashion No Relevant Exceptions Noted CC6.2 Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s commitments and system requirements. CC6.2.1 The organization has implemented an incident response procedure. Reviewed the Incident Response Management documentation Observed the storage of the formally documented Incident Response Plan on the company’s intranet No Relevant Exceptions Noted CC6.2.2 The organization tracks security incidents via tickets. Reviewed the full listing of incidents Interviewed the Program Manager to verify that all security related incidents are tracked in tickets, which allows the organization to add root cause, assign ownership, track efforts and capture lessons learned Observed a sample of a recently responded to security incident as they are tracked in tickets No Relevant Exceptions Noted
  • 40.
    37 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Criteria Common to All Security, Availability, and Confidentiality Principles CC7.0 Common Criteria Related to Change Management Ctrl # Control Activity Testing of Operating Effectiveness Test Results CC7.1 The entity’s commitments and system requirements, as they relate to security, availability, and confidentiality, are addressed during the system development lifecycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components. CC7.1.1 The organization uses industry- accepted practices for the basis of the organization’s system configuration standards. Interviewed the Technical Operations Engineer to verify that servers are hardened using internal hardening scripts and checklists, which are based on industry best practices Observed that documents containing baselines and hardening guidelines are available on the company intranet No Relevant Exceptions Noted CC7.1.2 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Observed a sample of changes to verify that the changes are covered with tickets No Relevant Exceptions Noted CC7.2 Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC7.2.1 The organization has documented system configuration standards. Reviewed the documented system configuration standards Reviewed the patch levels for the relevant systems to verify that standards are configured and managed by ABC, Inc. through the formally documented standards for configuration and hardening No Relevant Exceptions Noted
  • 41.
    38 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC7.2.2 The organization has a process for reviewing and updating system configuration standards. Reviewed the review/revision tables for System Configuration Standards Interviewed the Technical Operations Engineer to verify that IT is responsible for reviewing configuration and hardening standards Observed that configuration requirements are formally documented and shared on the organization's intranet site for all relevant personnel No Relevant Exceptions Noted CC7.2.3 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer Observed a sample of changes to verify that the changes are appropriately covered with tickets No Relevant Exceptions Noted CC7.2.4 The organization’s Information Security Policy is updated at least annually. Reviewed the Information Security Policy (dated X) Interviewed the Security Analyst to verify that the Information Security Policy is reviewed and updated at least annually Observed the revision history of evidence that this is current and updated accordingly Observed that the policy was signed by the VP, demonstrating executive level management oversight No Relevant Exceptions Noted
  • 42.
    39 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. CC7.3.1 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer Observed and reviewed onsite a sample of changes to verify that the changes are appropriately covered with the tickets No Relevant Exceptions Noted CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security, availability, and confidentiality commitments and system requirements. CC7.4.1 The organization has a formally documented change management policy in place. Reviewed the Change Management Policy (dated X) Interviewed the Technical Operations Engineer Observed and reviewed onsite a sample of changes to verify that the changes are appropriately covered with tickets No Relevant Exceptions Noted
  • 43.
    40 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Additional Criteria for Availability Ctrl # Control Activity Test of Operation Effectiveness Test Results A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity’s availability commitments and system requirements. A1.1.1 The organization uses system monitoring tools to oversee system capacity. Reviewed system monitoring files Interviewed the Technical Operations Engineer to verify the organization uses tools for monitoring and capacity planning No Relevant Exceptions Noted A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements. A1.2.1 The organization has a business continuity plan in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. Reviewed the Business Continuity Plan (dated X) Interviewed the Technical Operations Engineer to verify that restoration tests are conducted at least twice a year No Relevant Exceptions Noted A1.2.2 The organization has physical controls in place to protect against external and environmental hazards. Interviewed the Technical Operations Engineer to verify that physical controls are in place Observed that the corporate office includes a standard HVAC and fire detection/suppression controls Observed that networking equipment and critical infrastructure are equipped with UPS battery backups and dedicated cooling units Observed that the office is equipped with an emergency power generator and an onsite supply of fuel No Relevant Exceptions Noted
  • 44.
    41 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 A1.3 Recovery plan procedures supporting system recovery are tested to help meet the entity’s availability commitments and system requirements. A1.3.1 The organization has a business continuity plan in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. Reviewed the Business Continuity Plan (dated X) Interviewed the Technical Operations Engineer to verify that restoration tests are conducted at least twice a year No Relevant Exceptions Noted A1.3.2 The organization has implemented a data backup policy. Reviewed the Backup Retention Policy (dated X) Interviewed the Technical Operations Engineer to verify that the details in the organization’s backup/retention policy contains information about the different types of data managed Observed that data restore jobs are run annually No Relevant Exceptions Noted
  • 45.
    42 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 Additional Criteria for Confidentiality Ctrl # Control Activity Test of Operation Effectiveness Test Results C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity’s confidentiality commitments and system requirements. C1.1.1 The organization’s Information Security Policy and job descriptions define security responsibilities for personnel. Reviewed the Information Security Policy (dated X) Observed that security responsibilities are defined in the Information Security Policy and in the relevant job descriptions Observed the use of the company intranet to disseminate this information No Relevant Exceptions Noted C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity’s confidentiality commitments and system requirements. C1.2.1 The organization provides new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. Reviewed the onboarding documents Observed that management sets the appropriate tone at the top and employee expectations during the onboarding process No Relevant Exceptions Noted C1.2.2 The organization has a Privacy Policy in place that details how personal information is to be handled. Reviewed the Privacy Policy (dated X) Interviewed the Program Manager to verify that ABC, Inc. has established a Privacy Policy Observed that the Privacy Policy is on the organization’s website and governs how it handles sensitive and personal information No Relevant Exceptions Noted
  • 46.
    43 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity’s confidentiality commitments and system requirements. C1.3.1 The organization has implemented a process for transmitting or receiving data across open, public networks. Reviewed the documented protocol details Interviewed Security Analyst to verify that the organization uses the most recent version of TLS when transferring sensitive customer data over the internet No Relevant Exceptions Noted C1.4 The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information. C1.4.1 The organization requires that third-parties sign a Confidentiality and Non- Disclosure Agreement prior to sharing information. Reviewed the Master Service Agreement (dated X) and the Non-Disclosure Agreement (dated X) Interviewed the Security Analyst to verify that the organization implements an NDA and MSA Observed the MSA and NDAs onsite to verify they were in place No Relevant Exceptions Noted C1.5 Compliance with the entity’s confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary. C1.5.1 The organization completes a risk assessment and reviews compliance reports to monitor vendors’ service delivery and compliance status. Reviewed vendor compliance reports Interviewed the Technical Operations Engineer to verify that all vendor relationships begin with a security risk assessment and a review of compliance reports No Relevant Exceptions Noted C1.6 Changes to the entity’s confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.
  • 47.
    44 ABC, Inc. SOC2 Service Organization Control Report February 1, 2017 to January 31, 2018 C1.6.1 The organization uses its intranet to distribute its Information Security Policy to personnel. Observed that the Information Security Policy is available via the corporate intranet No Relevant Exceptions Noted C1.7 The entity retains confidential information to meet the entity’s confidentiality commitments and system requirements. C1.7.1 The organization has business requirements for retaining and deleting data. Reviewed Backup Details (dated X) Interviewed the Security Analyst to verify that data retention is driven the contract with the client No Relevant Exceptions Noted C1.8 The entity disposes of confidential information to meet the entity’s confidentiality commitments and system requirements. C1.8.1 The organization relies on third parties for media destruction purposes. Interviewed the Technical Operations Engineer to verify that equipment and media is destroyed by a third party No Relevant Exceptions Noted