SSAE 16 Service Organization Control Report
ABC, Inc.
Type II Service Organization
Control Report (SOC 2)
Independent Report on a Description of a
Service Organization’s System and the
Suitability of the Design and Operating
Effectiveness of the Controls to meet the
criteria for the security, availability, and
confidentiality principles for the period of
February 1, 2017 through January 31, 2018.
ABC, Inc.
SOC 2 Service Organization Control Report
February 1, 2017 to January 31, 2018
TABLE OF CONTENTS
MANAGEMENT OF ABC, INC.’S ASSERTION REGARDING ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
INDEPENDENT SERVICE AUDITOR’S REPORT
    Independent Service Auditor’s Report
ABC, INC.’S DESCRIPTION OF ITS CUSTOMER SUCCESS SOFTWARE SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
    System Overview
        Background
    Infrastructure
        Software
        People
        Procedures
        Data
    Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring of Controls
        Control Environment
            Management Philosophy
            Security, Availability, and Confidentiality Management
            Security, Availability, and Confidentiality Policies
            Controls Related to Personnel
        Security Policies
            Physical Security and Environmental Controls
            Change Management
            System Monitoring
            Problem Management
            Data Backup and Recovery
            System Account Management
        Risk Assessment Process
        Information and Communication Systems
        Monitoring Controls
    Trust Services Criteria and Related Controls
    Complementary User-Entity Controls
TRUST SERVICES SECURITY, AVAILABILITY, AND CONFIDENTIALITY PRINCIPLES, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS
    Criteria Common to All Security, Availability, and Confidentiality Principles
        CC1.0 Common Criteria Related to Organization and Management
        CC2.0 Common Criteria Related to Communications
        CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls
        CC4.0 Common Criteria Related to Monitoring of Controls
        CC5.0 Common Criteria Related to Logical and Physical Access Controls
        CC6.0 Common Criteria Related to System Operations
        CC7.0 Common Criteria Related to Change Management
    Additional Criteria for Availability
    Additional Criteria for Confidentiality
MANAGEMENT OF ABC, INC.’S ASSERTION
REGARDING ITS CUSTOMER SUCCESS SOFTWARE
SYSTEM THROUGHOUT THE PERIOD FEBRUARY 1,
2017 TO JANUARY 31, 2018
ABC, INC.’S ASSERTION
We have prepared the attached description titled “Description of ABC, Inc.’s Customer Success
Software System Throughout the Period February 1, 2017 to January 31, 2018” (the description),
based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service
organization’s system in paragraphs 1.26 – 1.27 of the AICPA Guide Reporting on Controls at a
Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or
Privacy (SOC 2℠) (the description criteria). The description is intended to provide users with
information about the customer success software system, particularly system controls intended to
meet the criteria for the security, availability, and confidentiality principles set forth in TSP section
100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing
Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (applicable trust services
criteria). We confirm, to the best of our knowledge and belief, that
a) The description fairly presents the customer success software system throughout the period
February 1, 2017 to January 31, 2018, based on the following description criteria:
i. The description contains the following information:
1. The type of services provided
2. The components of the system used to provide the services, which are the following:
• Infrastructure. The physical and hardware components of a system (facilities,
equipment, and networks).
• Software. The programs and operating software of a system (systems, applications,
and utilities).
• People. The personnel involved in the operation and use of a system (developers,
operators, users, and managers).
• Procedures. The automated and manual procedures involved in the operation of a
system.
• Data. The information used and supported by a system (transaction streams, files,
databases, and tables).
3. The boundaries or aspects of the system covered by the description
4. How the system captures and addresses significant events and conditions, other than
transactions.
5. The process used to prepare reports or other information provided to user entities of the
system.
6. If information is provided to, or received from, subservice organizations or other
parties, how such information is provided or received; the role of the subservice
organization or other parties; and the procedures performed to determine that such
information and its processing, maintenance, and storage are subject to appropriate
controls
7. For each principle being reported on, the applicable trust services criteria and the
related controls designed to meet those criteria, including, as applicable,
complementary user-entity controls contemplated in the design of the service
organization’s system
8. For subservice organizations presented using the carve-out method, the nature of the
services provided by the subservice organization; each of the applicable trust services
criteria that are intended to be met by controls at the subservice organization, alone or
in combination with controls at the service organization, and the types of controls
expected to be implemented at carved-out subservice organizations to meet those
criteria
9. Any applicable trust services criteria that are not addressed by a control at the service
organization or a subservice organization and the reasons therefore
10. Other aspects of the service organization’s control environment, risk assessment
process, information and communication systems, and monitoring of controls that are
relevant to the services provided and the applicable trust services criteria
11. Relevant details of changes to the service organization’s system during the period
covered by the description
ii. The description does not omit or distort information relevant to the service organization’s
system while acknowledging that the description is prepared to meet the common needs of
a broad range of users and may not, therefore, include every aspect of the system that each
individual user may consider important to his or her own particular needs.
b) The controls stated in the description were suitably designed throughout the specified period
to meet the applicable trust services criteria.
c) The controls stated in the description operated effectively throughout the specified period to
meet the applicable trust services criteria.
INDEPENDENT SERVICE AUDITOR’S REPORT
on a Description of a Service Organization’s System and the
Suitability of the Design and Operating Effectiveness of the Controls
INDEPENDENT SERVICE AUDITOR’S REPORT
Jane Doe
CEO
ABC, Inc.
100 St.
Washington
Scope
We have examined the attached description titled “Description of ABC, Inc.’s Customer Success
Software System Throughout the Period February 1, 2017 to January 31, 2018” (the description)
and the suitability of the design and operating effectiveness of controls to meet the criteria for the
security, availability, and confidentiality principles set forth in TSP section 100, Trust Services
Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity,
Confidentiality, and Privacy (AICPA, Technical Practice Aids) (applicable trust services
principles criteria), throughout the period February 1, 2017 to January 31, 2018. The description
indicates that certain applicable trust services criteria specified in the description can be achieved
only if complementary user-entity controls contemplated in the design of ABC, Inc.’s controls are
suitably designed and operating effectively, along with related controls at the service organization.
We have not evaluated the suitability of the design or operating effectiveness of such
complementary user-entity controls.
ABC, Inc. uses XYZ, Inc. to perform cloud computing services. The description indicates that
certain applicable trust services criteria can only be met if controls at the subservice organization
are suitably designed and operating effectively. The description presents ABC, Inc.’s system; its
controls relevant to the applicable trust services criteria; and the types of controls that the service
organization expects to be implemented, suitably designed, and operating effectively at the
subservice organization to meet certain applicable trust services criteria. The description does not
include any of the controls implemented at the subservice organization. Our examination did not
extend to the services provided by the subservice organization or the subservice organization’s
compliance with the commitments in its statement of privacy practices.
Service Organization’s Responsibilities
ABC, Inc. has provided the attached assertion titled “Management of ABC, Inc.’s Assertion
Regarding Its Customer Success Software System Throughout the Period February 1, 2017 to
January 31, 2018,” which is based on the criteria identified in management’s assertion. ABC, Inc.
is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and
method of presentation of the description and assertions; (3) providing the services covered by the
description; (4) specifying the controls that meet the applicable trust services criteria and stating
them in the description; and (5) designing, implementing, and documenting the controls to meet
the applicable trust services criteria.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description
based on the description criteria set forth in ABC, Inc.’s assertion and on the suitability of the
design and operating effectiveness of the controls to meet the applicable trust services criteria,
based on our examination. We conducted our examination in accordance with attestation standards
established by the American Institute of Certified Public Accountants. Those standards require
that we plan and perform our examination to obtain reasonable assurance about whether, in all
material respects, (1) the description is fairly presented based on the description criteria, and (2)
the controls were suitably designed and operating effectively to meet the applicable trust services
criteria throughout the period February 1, 2017 to January 31, 2018.
Our examination involved performing procedures to obtain evidence about the fairness of the
presentation of the description based on the description criteria and the suitability of the design
and operating effectiveness of those controls to meet the applicable trust services criteria. Our
procedures included assessing the risks that the description is not fairly presented and that the
controls were not suitably designed or operating effectively to meet the applicable trust services
criteria. Our procedures also included testing the operating effectiveness of those controls that we
consider necessary to provide reasonable assurance that the applicable trust services criteria were
met. Our examination also included evaluating the overall presentation of the description. We
believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis
for our opinion.
Inherent Limitations
Because of their nature and inherent limitations, controls at a service organization may not always
operate effectively to meet the applicable trust services criteria. Also, the projection to the future
of any evaluation of the fairness of the presentation of the description or conclusions about the
suitability of the design or operating effectiveness of the controls to meet the applicable trust
services criteria is subject to the risks that the system may change or that controls at a service
organization may become inadequate or fail.
Opinion
In our opinion, in all material respects, based on the criteria identified in ABC, Inc.’s assertion and
the applicable trust services criteria
a) the description fairly presents the system that was designed and implemented throughout
the period February 1, 2017 to January 31, 2018.
b) the controls of ABC, Inc. stated in the description were suitably designed to provide
reasonable assurance that the applicable trust services criteria would be met if the controls
operated effectively throughout the period February 1, 2017 to January 31, 2018, and user
entities applied the complementary user-entity controls contemplated in the design of ABC,
Inc.’s controls throughout the period February 1, 2017 to January 31, 2018, and XYZ, Inc.
applied, throughout the period February 1, 2017 to January 31, 2018 the types of controls
expected to be implemented at XYZ, Inc. and incorporated in the design of the system.
c) the controls of ABC, Inc. tested, which together with the complementary user-entity
controls referred to in the scope paragraph of this report, and together with the types of
controls expected to be implemented at XYZ, Inc. and incorporated in the design of the
system, if operating effectively, were those necessary to provide reasonable assurance that
the applicable trust services criteria were met, operated effectively throughout the period
February 1, 2017 to January 31, 2018.
Description of Tests of Controls
The specific controls we tested and the nature, timing, and results of our tests are presented in the
section of our report titled “Description of Test of Controls and Results Thereof.”
Restricted Use
This report, including the description of tests of controls and results thereof, is intended solely for
the information and use of ABC, Inc.; user entities of ABC, Inc. during some or all of the period
February 1, 2017 to January 31, 2018; and prospective user entities, independent auditors and
practitioners providing services to such user entities, and regulators who have sufficient knowledge
and understanding of the following:
• The nature of the service provided by the service organization
• How the service organization’s system interacts with user entities, subservice
organizations, or other parties
• Internal control and its limitations
• Complementary user-entity controls and how they interact with related controls at the
service organization to meet the applicable trust services criteria
• The applicable trust services criteria
• The risks that may threaten the achievement of the applicable trust services criteria and
how controls address those risks
This report is not intended to be and should not be used by anyone other than these specified
parties.
Damon Sullivan, CPA
KirkpatrickPrice, LLC
1228 East 7th Ave., Suite 200
Tampa, FL 33605
May 1, 2018
ABC, INC.’S DESCRIPTION OF ITS CUSTOMER
SUCCESS SOFTWARE SYSTEM THROUGHOUT THE
PERIOD FEBRUARY 1, 2017 TO JANUARY 31, 2018
SYSTEM OVERVIEW
Background
ABC, Inc. is a complete customer success software solution that is designed to help businesses
reduce churn, increase upsell, and drive customer success. The company’s SaaS application allows
organizations to focus on business strategy while ABC, Inc. focuses on infrastructure management,
scaling, and security. ABC, Inc. applies security best practices in managing platform security to
allow customers to focus on their business. The platform is designed to protect customers from
threats by applying security controls at various layers.
INFRASTRUCTURE
Software
ABC, Inc. maintains an inventory list of critical software; the inventory list and the application
lifecycle are managed by the IT Department.
People
ABC, Inc. maintains a hierarchical organizational structure. An Organization Chart is maintained
that illustrates the separation of duties, reporting lines, and the appropriate levels of oversight.
Procedures
ABC, Inc. conducts daily, weekly, and monthly procedures that relate to its internal security
processes. Security team members complete daily security procedures that include checking emails
and looking for alerts from service providers.
Data
ABC, Inc. has business requirements for retaining data that the customers set in their contract with
the organization.
The transmission, movement, and removal of information is restricted to authorized internal and
external users and processes. The organization has implemented a process for transmitting or
receiving data across open, public networks. Encryption is used throughout the environment when
transferring sensitive customer data over the internet, and industry best practices underpin its
encryption methods.
RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESS,
INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING OF CONTROLS
Control Environment
Management Philosophy
ABC, Inc.’s management communicates and oversees the implementation of the Code of
Conduct, Integrity, and Ethics by making the Employee Handbooks available on ABC, Inc.’s
intranet.
Security, Availability, and Confidentiality Management
To set the tone and direction for the organization, management sends out weekly emails to
communicate recent events and provide company-wide feedback. Managers also communicate
daily and weekly updates to their teams through meetings.
Security, Availability, and Confidentiality Policies
Management has a process for creating, approving, and maintaining the organization’s policies.
The policies have a revision table present that details the revision notes, who authored the
revisions, who approved the revisions, and the date the revisions were implemented.
The management team reviews all policies at least once annually or following any industry changes.
Controls Related to Personnel
The organization has a formally documented Employee Handbook in place that is distributed to
all employees. The handbook covers:
• Code of Conduct
• Statement on Ethics
• Information Confidentiality
• Background and Reference Checks
• Progressive Discipline
ABC, Inc. formally documents job descriptions for critical functions in the organization; the
description includes job and security function. These responsibilities are communicated to the
employees.
ABC, Inc. uses onboarding and termination checklists during the hiring and termination
processes. An onboarding checklist is used for each employee during the onboarding process to
ensure that all important steps of the process are covered. This includes providing new hires with
the appropriate acknowledgements, forms, and documents during the onboarding process.
Additionally, all new hires are required to undergo a background check, which consists of an
SSN Trace, a criminal search, and a search on the National Sex Offender Registry.
All new hires are required to undergo training programs, such as security awareness training,
and they receive daily on-the-job training.
Security Policies
Physical Security and Environmental Controls
The organization has physical security controls in place to protect secure areas, including locked
doors, use of card key access at doors, visitor access control procedures, and video surveillance.
The facility is equipped with an emergency power generator, and it maintains an onsite supply
of fuel to ensure continued electrical support in the event of a loss of utility power. Additionally,
networking equipment and critical infrastructure are equipped with UPS battery backups and
dedicated cooling units. The facility is furnished with smoke detectors and fire suppression
equipment.
To protect secure areas, the facility’s access points are secured and restricted by magnetic locks.
They are also equipped with card readers that limit access to authorized onsite personnel; data
from the card readers is retained for a minimum of 90 days.
ABC, Inc. relies on XYZ, Inc. for physical and environmental controls within the production
environment, including media destruction.
Change Management
ABC, Inc. maintains its documented configuration and hardening standards to configure and
manage its systems. Industry-accepted practices are used in the development of the
organization’s system configuration standards. The IT department is responsible for reviewing
configuration and hardening standards biannually. Personnel with system configuration
responsibilities stay knowledgeable of the appropriate ways to securely configure the
organization’s systems through industry/vendor alerts and vulnerability scans, announcements,
internal meetings and reviews, and security newsletters and reports from trusted sources.
ABC, Inc. sends email alerts to clients and company users prior to changes being implemented
that may affect system availability and/or security.
The organization’s firewall is configured to filter data and monitor traffic entering the system.
System Monitoring
ABC, Inc. uses system monitoring tools to oversee system capacity, plan for future requirements,
and monitor alerts.
The Technical Operations team holds routine meetings to review system capacity and
environment health.
The organization requires that antivirus software remain updated. This ensures that all
critical components are covered by an antivirus solution, that antivirus configurations define when
periodic scans are performed, and that antivirus definitions are current according to a documented
schedule.
Problem Management
The organization has a formally documented Incident Response Plan. The plan outlines the roles
and responsibilities of all teams in the organization, detailing how they should handle security
incidents. The plan also defines incident levels and outlines the differences between various
security events.
Formalized security-breach responsibilities are implemented, and all personnel are trained to
report security incidents to those with these responsibilities.
Data Backup and Recovery
ABC, Inc. has implemented a Backup Retention Policy, which contains information about the
different types of data managed and how it is backed up and retained. A Business Continuity
Plan is also in place to restore operations and ensure availability of information following
interruption to, or failure of, critical business processes. The policy requires that restorations are
completed annually.
System Account Management
ABC, Inc. mandates that access rights are granted on the principle of least privilege, and any
additional privileges require approval. The organization considers this when implementing user
IDs.
An access control system is used to control access to the internal business applications. Part of
its function is to ensure that a unique user ID is assigned to each user before he or she is allowed
access to system components. The access control system is also configured to enforce the
organization’s password requirements.
The organization’s Information Security Policy requires the use of two-factor authentication for
any interface that allows access to stored customer data, receives interactive logins, and faces
the open internet.
ABC, Inc. mandates that access for terminated/separated employees must promptly be revoked.
The HR department oversees the exit workflow process for terminated/separated employees to
ensure that access to all accounts and systems is disabled.
Clients are able to register and deregister for online access to the company’s services via ABC,
Inc.’s online portal.
Risk Assessment Process
The Information Security Policy mandates that a risk assessment be conducted annually. The risk
assessment includes risks, likelihood, impact, existing controls, and possible further risk
treatments. The results of the assessment are documented in an annual report that is reviewed by a
member of leadership with security responsibilities.
Information and Communication Systems
ABC, Inc. has a formally documented Information Security Policy, which employees can access
on the company intranet. The policy outlines the core security principles of the company, which
apply to all company employees, service providers, and partners. The security roles of all
employees are defined within the policy. All new hires are required to sign an acknowledgement
of the Information Security Policy.
The Information Security Policy is reviewed and updated at least annually.
ABC, Inc. has contractual and marketing materials in place that describe its scope of services to
clients, including its company website and its Master Service Agreements.
ABC, Inc. also has privacy policies in place that govern how to collect and handle sensitive
information; these policies outline the industry standard precautions to ensure that confidential
information is protected.
Monitoring Controls
ABC, Inc. has monitoring tools and practices in place to ensure operational quality and control.
These include gathering audit reports from third parties to monitor the vendors’ service delivery
and compliance status.
TRUST SERVICES CRITERIA AND RELATED CONTROLS
Although the trust services criteria and related controls are presented in section 4, “Trust
Services Security, Availability, and Confidentiality Principles, Criteria, Related Controls, and
Tests of Controls,” they are an integral part of ABC, Inc.’s system description.
COMPLEMENTARY USER-ENTITY CONTROLS
ABC, Inc.’s services are designed with the assumption that certain controls would be implemented
by user organizations. In certain situations, the application of specific controls at the user
organization is necessary to achieve control objectives included in this report. ABC, Inc.’s
management makes control recommendations to user organizations and provides the means to
implement these controls in many instances. ABC, Inc. also provides best practice guidance to
clients regarding control elements outside the sphere of ABC, Inc.’s responsibility.
This section describes additional controls that should be in operation at user organizations to
complement the ABC, Inc. controls. Client Consideration recommendations include:
• User organizations should implement sound and consistent internal controls regarding
general IT system access and system usage appropriateness for all internal user
organization components associated with ABC, Inc.
• User organizations should practice removal of user accounts for any users who have been
terminated and were previously involved in any material functions or activities associated
with ABC, Inc.’s services.
• Transactions for user organizations relating to ABC, Inc.’s services should be appropriately
authorized, and transactions should be secure, timely, and complete.
• For user organizations sending data to ABC, Inc., data should be protected by appropriate
methods to ensure confidentiality, privacy, integrity, availability, and non-repudiation.
• User organizations should implement controls requiring additional approval procedures for
critical transactions relating to ABC, Inc.’s services.
• User organizations should report to ABC, Inc. in a timely manner any material changes to
their overall control environment that may adversely affect services being performed by
ABC, Inc.
• User organizations are responsible for notifying ABC, Inc. in a timely manner of any
changes to personnel directly involved with services performed by ABC, Inc. These
personnel may be involved in financial, technical or ancillary administrative functions
directly associated with services provided by ABC, Inc.
• User organizations are responsible for adhering to the terms and conditions stated within
their contracts with ABC, Inc.
• User organizations are responsible for developing, and if necessary, implementing a
business continuity and disaster recovery plan (BCDRP) that will aid in the continuation
of services provided by ABC, Inc.
The list of user organization control considerations presented above and those presented with
certain specified control objectives do not represent a comprehensive set of all the controls that
should be employed by user organizations. Other controls may be required at user organizations.
Therefore, each client’s system of internal controls must be evaluated in conjunction with the
internal control structure described in this report.
TRUST SERVICES SECURITY, AVAILABILITY, AND
CONFIDENTIALITY PRINCIPLES, CRITERIA, RELATED
CONTROLS, AND TESTS OF CONTROLS
Criteria Common to All Security, Availability, and Confidentiality Principles
CC1.0 Common Criteria Related to Organization and Management
Ctrl # | Control Activity | Testing of Operating Effectiveness | Test Results
CC1.1 | The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security, availability, and confidentiality.
CC1.1.1 | The organization’s structure is documented in its Organization Chart. | Reviewed the Organization Chart to verify that it illustrates the levels of oversight and segregation of duties; Interviewed the Office Manager to verify that the CEO leads the organization | No Relevant Exceptions Noted
CC1.2 | Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC1.2.1 | The organization uses monitoring tools to ensure operational quality and control. | Reviewed screenshots for the organization’s helpdesk system; Interviewed the Office Manager to verify the use of tools and helpdesk system; Observed the monitoring system tools and the ticketing system | No Relevant Exceptions Noted
CC1.2.2 | Management has a method of creating, approving, and maintaining the organization’s policies. | Interviewed the Office Manager to verify the change and approval tables in all the documents; Observed the company intranet where all policies are stored; Observed the metadata showing recent revisions to verify that all policies are current | No Relevant Exceptions Noted
CC1.3 | The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security, availability, and confidentiality and provides resources necessary for personnel to fulfill their responsibilities.
CC1.3.1 | Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry alerts, security reports, vulnerability scans, and meetings. | Reviewed the System Configuration Standards; Interviewed the Technical Operations Manager to verify that team members stay up to date on configuration standards and best practices; Observed daily stand-ups, RSS feeds, weekly meetings, and knowledge transfer sessions to verify that they are captured and stored for later review | No Relevant Exceptions Noted
CC1.3.2 | The organization conducts an onboarding training program for all new hires. | Reviewed the onboarding program documentation; Interviewed the Office Manager to verify that all employees are required to attend the onboarding program at the corporate office, including security awareness training; Observed the formally documented agenda and training requirements; Observed that all the new hires completed the course | No Relevant Exceptions Noted
CC1.4 | The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security, availability, and confidentiality.
CC1.4.1 | The organization has a formally documented employee handbook in place. | Reviewed the Employee Handbook (dated X) to verify that topics such as conduct, ethics, confidentiality, background/reference checks, and progressive discipline are addressed; Interviewed the Office Manager; Observed new employee records to verify that new hires are required to sign an acknowledgement of the Employee Handbook | No Relevant Exceptions Noted
CC1.4.2 | The organization uses hiring and termination checklists as part of its onboarding and offboarding processes for employees and contractors. | Reviewed the onboarding and offboarding checklists; Interviewed the Office Manager to verify that a background check is required prior to employment; Interviewed the Office Manager to verify that the organization uses checklists during the hiring and termination processes; Observed the records for a sample of new hires in the audit period to verify that all activities on the new hire checklist were completed; Observed the records for a sample of terminated employees to verify that all activities on the termination checklist were completed | No Relevant Exceptions Noted
CC1.4.3 | The organization provides new hires with the appropriate acknowledgements, forms, and documents during the onboarding process. | Reviewed the Information Security Policy (dated X), the Employee Benefits Plan (dated X), the Employee Handbook (dated X), and the background check authorization form; Observed new hire records to verify that they had signed the necessary forms and acknowledgements | No Relevant Exceptions Noted
CC1.4.4 | The organization conducts background checks as part of the onboarding process. | Reviewed the background check authorization form; Interviewed the Office Manager to verify that all new hires complete a background check as part of the onboarding process; Observed a sample of new hires to verify that background checks were conducted | No Relevant Exceptions Noted
Criteria Common to All Security, Availability, and Confidentiality Principles
CC2.0 Common Criteria Related to Communications
Ctrl # | Control Activity | Testing of Operating Effectiveness | Test Results
CC2.1 | Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.
CC2.1.1 | The organization has materials in place that describe its scope of services to clients. | Reviewed the organization’s website and Master Services Agreements (dated X) | No Relevant Exceptions Noted
CC2.2 | The entity’s security, availability, and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.
CC2.2.1 | The organization’s Information Security Policy defines security responsibilities for personnel. | Reviewed the Information Security Policy (dated X); Interviewed the Security Analyst; Observed that security responsibilities are defined in the Information Security Policy; Observed the use of the company intranet to distribute the policy | No Relevant Exceptions Noted
CC2.2.2 | The organization has promotional materials in place that describe its scope of services to clients. | Reviewed the organization’s website and Master Services Agreements (dated X) | No Relevant Exceptions Noted
CC2.3 | The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.
CC2.3.1 | The organization formally documents job descriptions for critical functions in the organization. | Reviewed job descriptions; Observed that the job and security functions are formally defined, and that the responsibilities are communicated to employees | No Relevant Exceptions Noted
CC2.4 | Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security, availability, and confidentiality of the system, is provided to personnel to carry out their responsibilities.
CC2.4.1 | Personnel with system configuration responsibilities stay knowledgeable of the appropriate ways to securely configure the organization’s systems through industry alerts, security reports, vulnerability scans, and meetings. | Reviewed the Security Communication and System Configuration Standards; Interviewed the Technical Operations Manager to verify that team members stay up to date with configuration standards and best practices through industry/vendor alerts and announcements, security newsletters and reports from trusted sources, vulnerability scans, and internal meetings and reviews; Observed daily stand-ups, weekly meetings, and knowledge transfer sessions, which are recorded and made available for later review | No Relevant Exceptions Noted
CC2.4.2 | The organization conducts an onboarding training program for all new hires. | Reviewed the Security Awareness Training Onboarding Program documentation; Interviewed the Office Manager to verify that all employees are required to attend the onboarding program; Observed the formally documented agenda and training requirements; Observed that all the new hires completed the course | No Relevant Exceptions Noted
CC2.5 | Internal and external users have been provided with information on how to report security, availability, and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
CC2.5.1 | The organization has implemented an incident response procedure. | Reviewed the Incident Response Management documentation; Observed the storage of the incident response documentation on the company intranet | No Relevant Exceptions Noted
CC2.5.2 | The organization has a process in place for training personnel with security incident responsibilities. | Interviewed the Security Analyst to verify that a security response team is trained and always prepared to respond to incidents and alerts | No Relevant Exceptions Noted
CC2.5.3 | There is a process for users to alert the organization about potential breaches. | Interviewed the Security Analyst to verify that general users report security incidents to security personnel; Observed examples of incident reports during the audit period | No Relevant Exceptions Noted
CC2.6 | System changes that affect internal and external users’ responsibilities or the entity’s commitments and system requirements relevant to security, availability, and confidentiality are communicated to those users in a timely manner.
CC2.6.1 | The organization has a formally documented change management policy in place. | Reviewed the Change Management Policy (dated X) to verify that it addresses appropriate topics such as roles and responsibilities, the risk analysis of the change request, the tests prior to implementation, and back-out plans; Interviewed the Technical Operations Engineer; Observed a sample of changes to verify that the changes are appropriately tracked with tickets | No Relevant Exceptions Noted
CC2.6.2 | The organization uses email to communicate changes in system availability and security. | Reviewed the Change Management Policy (dated X); Interviewed the Technical Operations Engineer to verify that the organization emails users and clients about changes that may affect system availability and security | No Relevant Exceptions Noted
Criteria Common to All Security, Availability, and Confidentiality Principles
CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls
Ctrl # | Control Activity | Testing of Operating Effectiveness | Test Results
CC3.1 | The entity (1) identifies potential threats that could impair system security, availability, and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (5) reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes.
CC3.1.1 | The organization conducts an annual risk assessment. | Reviewed the Risk Assessment (dated X); Interviewed the Senior Security Manager to verify that a Risk Assessment must be conducted annually, and the results of that Risk Assessment are presented in an annual report; Observed that the risk assessment considers the likelihood and impact as well as relevant compensating controls and further actions; Observed that the risk assessment is updated annually | No Relevant Exceptions Noted
CC3.2 | The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.
CC3.2.1 | The organization has a formally documented Information Security Policy. | Reviewed the Information Security Policy (dated X); Interviewed the Security Analyst to verify that the Information Security Policy is available on the company’s intranet; Observed the signed acknowledgments for new hires during the audit period | No Relevant Exceptions Noted
Criteria Common to All Security, Availability, and Confidentiality Principles
CC4.0 Common Criteria Related to Monitoring of Controls
Ctrl # | Control Activity | Testing of Operating Effectiveness | Test Results
CC4.1 | The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as they relate to security, availability, and confidentiality, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
CC4.1.1 | The organization conducts daily, weekly, and monthly procedures that relate to its internal security processes. | Reviewed tickets from the organization’s ticket tracking system; Interviewed the Security Analyst to verify that security personnel conduct daily security procedures | No Relevant Exceptions Noted
CC4.1.2 | The organization conducts an annual risk assessment. | Reviewed risk assessment documentation (dated X); Interviewed the Senior Security Manager to verify that the Information Security Policy mandates that a risk assessment must be conducted annually; Observed the formally documented risk assessments and relevant controls that were developed based on the assessments of personnel, technology, and business risks; Observed that the risk assessment considers the likelihood and impact as well as relevant compensating controls and further actions; Observed that the risk assessment is updated annually | No Relevant Exceptions Noted
Criteria Common to All Security, Availability, and Confidentiality Principles
CC5.0 Common Criteria Related to Logical and Physical Access Controls
Ctrl # | Control Activity | Testing of Operating Effectiveness | Test Results
CC5.1 | Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC5.1.1 | The organization has an automated access control system in place. | Interviewed the Security Analyst to verify that the automated access control system controls access to the internal business applications | No Relevant Exceptions Noted
CC5.2 | New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
CC5.2.1 | The organization has a process in place for implementing user IDs. | Interviewed the Office Manager to verify that the organization follows the least privilege principle for logical access; Observed that there is a formally documented procedure for centralized provisioning | No Relevant Exceptions Noted
CC5.2.2 | The organization’s Information Security Policy mandates that access for terminated/separated employees must immediately be revoked. | Reviewed the Information Security Policy; Interviewed the Security Analyst to verify that the Information Security Policy states that access must be promptly revoked for any person terminated/separated from the organization | No Relevant Exceptions Noted
CC5.2.3 | The organization uses an exit workflow process to ensure that access is revoked for terminated/separated employees. | Reviewed the exit checklist; Interviewed the Security Analyst to verify that the HR department oversees the offboarding process for terminated/separated employees | No Relevant Exceptions Noted
CC5.2.4 | Management must approve a user prior to access. | Reviewed the Information Security Policy (dated X); Interviewed the Security Analyst to verify that manager approval is needed prior to obtaining access | No Relevant Exceptions Noted
CC5.2.5 | The organization maintains domain, group, and user policies. | Reviewed screenshots of user groups and password settings; Observed that the organization uses its automated access control system to implement its account login and password settings | No Relevant Exceptions Noted
CC5.2.6 | The organization has a process for registering/deregistering clients for online access. | Interviewed the Program Manager to verify that clients can register and deregister for online access via the company portal | No Relevant Exceptions Noted
CC5.3 | Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC5.3.1 | The organization ensures that a unique user ID is assigned before being allowed access to system components. | Reviewed the Information Security Policy (dated X); Interviewed the Security Analyst to verify that all users are required to have a unique user ID; Observed that the organization uses automated access control systems to enforce the requirement that all users have a unique ID | No Relevant Exceptions Noted
CC5.4 | Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC5.4.1 | The organization’s Information Security Policy mandates that access rights are granted on the principle of least privilege. | Reviewed the Information Security Policy (dated X) to verify that it addresses the principle of least privilege; Interviewed the Security Analyst to verify that the Information Security Policy states that privileges are assigned based on least privilege, and additional privileges require approvals based on least privilege, workflows, and approval processes | No Relevant Exceptions Noted
CC5.5 | Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC5.5.1 | The organization has physical controls in place for protecting secure areas. | Interviewed the Security Analyst; Observed that the security countermeasures include badge readers, visitor access controls, locked doors, and security cameras | No Relevant Exceptions Noted
CC5.5.2 | The organization relies on security controls at the location where backup media is stored. | Reviewed the XYZ, Inc. SOC reports to verify that a third party provides backup media storage | No Relevant Exceptions Noted
CC5.6 | Logical access security measures have been implemented to protect against security, availability, and confidentiality threats from sources outside the boundaries of the system to meet the entity’s commitments and system requirements.
CC5.6.1 | The organization’s firewall is configured to filter data. | Reviewed the firewall configuration files; Interviewed the Security Analyst and the Technical Operations Manager to verify that firewalls are used to block incoming traffic and filter outgoing connections; Observed how the security groups are configured to create restricted data flow | No Relevant Exceptions Noted
CC5.6.2 | The organization’s Information Security Policy requires the use of two-factor authentication. | Reviewed the Information Security Policy (dated X) to verify that two-factor authentication is required for remote network access; Observed the implementation of two-factor authentication onsite to verify it is in place and operating effectively | No Relevant Exceptions Noted
CC5.7 | The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security, availability, and confidentiality.
CC5.7.1 | The organization uses industry recommendations/best practices to underpin encryption methods. | Reviewed the formally documented standards and compliance encryption best practices; Interviewed the Security Analyst to verify that the organization uses industry recommendations and best practices to underpin the organization’s encryption methods | No Relevant Exceptions Noted
CC5.7.2 | The organization has methods in place to protect information during transactions. | Reviewed the protocol details to verify that the organization provides components to protect confidential data in transit from unauthorized disclosure; Reviewed the organization’s standard operating procedures to verify that they outline errors that could occur during transmission and processing; Observed error report queues that are reviewed and monitored to ensure operational quality | No Relevant Exceptions Noted
CC5.8 | Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC5.8.1 | The organization requires that antivirus software remain updated. | Interviewed the Security Analyst to verify the presence of antivirus software on all computers; Observed that updates occur every half hour | No Relevant Exceptions Noted
Criteria Common to All Security, Availability, and Confidentiality Principles
CC6.0 Common Criteria Related to System Operations
Ctrl # | Control Activity | Testing of Operating Effectiveness | Test Results
CC6.1 | Vulnerabilities of system components to security, availability, and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC6.1.1 | The organization has implemented an incident response procedure. | Reviewed the Incident Response Program (dated X); Observed that the Incident Response Program is available on the company intranet | No Relevant Exceptions Noted
CC6.1.2 | The organization tracks security incidents via a ticketing system. | Reviewed the full listing of incidents; Interviewed the Program Manager to verify that all security-related incidents are tracked using tickets; Observed a sample of recently responded-to security incidents as they are tracked in tickets | No Relevant Exceptions Noted
CC6.1.3 | The organization has a system in place for monitoring alerts. | Interviewed the Security Analyst to verify that the organization uses system tools to monitor its environment; Observed alerts onsite to verify that alerts from intrusion-detection/intrusion-prevention systems, alerts from file-integrity monitoring systems, and detection of unauthorized wireless access points are monitored | No Relevant Exceptions Noted
CC6.1.4 | The organization has intrusion detection systems in place. | Interviewed the Technical Operations Engineer to verify that the intrusion-detection systems are operating effectively; Observed the use of security groups for network traffic in an IDS fashion | No Relevant Exceptions Noted
CC6.2 | Security, availability, and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s commitments and system requirements.
CC6.2.1 | The organization has implemented an incident response procedure. | Reviewed the Incident Response Management documentation; Observed the storage of the formally documented Incident Response Plan on the company’s intranet | No Relevant Exceptions Noted
CC6.2.2 | The organization tracks security incidents via tickets. | Reviewed the full listing of incidents; Interviewed the Program Manager to verify that all security-related incidents are tracked in tickets, which allows the organization to add root cause, assign ownership, track efforts, and capture lessons learned; Observed a sample of recently responded-to security incidents as they are tracked in tickets | No Relevant Exceptions Noted
40. 37 ABC, Inc.
SOC 2 Service Organization Control Report
February 1, 2017 to January 31, 2018
Criteria Common to All Security, Availability, and Confidentiality
Principles
CC7.0 Common Criteria Related to Change Management
Ctrl # Control Activity Testing of Operating Effectiveness Test Results
CC7.1
The entity’s commitments and system requirements, as they relate to security,
availability, and confidentiality, are addressed during the system development
lifecycle, including the authorization, design, acquisition, implementation,
configuration, testing, modification, approval, and maintenance of system
components.
CC7.1.1
The organization uses industry-
accepted practices for the basis
of the organization’s system
configuration standards.
Interviewed the Technical
Operations Engineer to verify
that servers are hardened using
internal hardening scripts and
checklists, which are based on
industry best practices
Observed that documents
containing baselines and
hardening guidelines are
available on the company
intranet
No
Relevant
Exceptions
Noted
CC7.1.2
The organization has a formally
documented change
management policy in place.
Reviewed the Change
Management Policy (dated X)
Observed a sample of changes to
verify that the changes are
covered with tickets
No
Relevant
Exceptions
Noted
CC7.2
Infrastructure, data, software, and policies and procedures are updated as necessary
to remain consistent with the entity’s commitments and system requirements as
they relate to security, availability, and confidentiality.
CC7.2.1
The organization has
documented system
configuration standards.
Reviewed the documented
system configuration standards
Reviewed the patch levels for the
relevant systems to verify that
standards are configured and
managed by ABC, Inc. through
the formally documented
standards for configuration and
hardening
No
Relevant
Exceptions
Noted
41. 38 ABC, Inc.
SOC 2 Service Organization Control Report
February 1, 2017 to January 31, 2018
CC7.2.2
  Control Activity: The organization has a process for reviewing and updating system configuration standards.
  Test of Operating Effectiveness:
    Reviewed the review/revision tables for the System Configuration Standards
    Interviewed the Technical Operations Engineer to verify that IT is responsible for reviewing configuration and hardening standards
    Observed that configuration requirements are formally documented and shared on the organization’s intranet site for all relevant personnel
  Test Results: No Relevant Exceptions Noted
CC7.2.3
  Control Activity: The organization has a formally documented change management policy in place.
  Test of Operating Effectiveness:
    Reviewed the Change Management Policy (dated X)
    Interviewed the Technical Operations Engineer
    Observed a sample of changes to verify that the changes are appropriately covered with tickets
  Test Results: No Relevant Exceptions Noted
CC7.2.4
  Control Activity: The organization’s Information Security Policy is updated at least annually.
  Test of Operating Effectiveness:
    Reviewed the Information Security Policy (dated X)
    Interviewed the Security Analyst to verify that the Information Security Policy is reviewed and updated at least annually
    Observed the revision history as evidence that the policy is current and updated accordingly
    Observed that the policy was signed by the VP, demonstrating executive-level management oversight
  Test Results: No Relevant Exceptions Noted
CC7.3
Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to security, availability, and confidentiality.
CC7.3.1
  Control Activity: The organization has a formally documented change management policy in place.
  Test of Operating Effectiveness:
    Reviewed the Change Management Policy (dated X)
    Interviewed the Technical Operations Engineer
    Observed and reviewed onsite a sample of changes to verify that the changes are appropriately covered with tickets
  Test Results: No Relevant Exceptions Noted
CC7.4
Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security, availability, and confidentiality commitments and system requirements.
CC7.4.1
  Control Activity: The organization has a formally documented change management policy in place.
  Test of Operating Effectiveness:
    Reviewed the Change Management Policy (dated X)
    Interviewed the Technical Operations Engineer
    Observed and reviewed onsite a sample of changes to verify that the changes are appropriately covered with tickets
  Test Results: No Relevant Exceptions Noted
Additional Criteria for Availability
Ctrl # | Control Activity | Test of Operating Effectiveness | Test Results
A1.1
Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity’s availability commitments and system requirements.
A1.1.1
  Control Activity: The organization uses system monitoring tools to oversee system capacity.
  Test of Operating Effectiveness:
    Reviewed system monitoring files
    Interviewed the Technical Operations Engineer to verify that the organization uses tools for monitoring and capacity planning
  Test Results: No Relevant Exceptions Noted
A1.2
Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements.
A1.2.1
  Control Activity: The organization has a business continuity plan in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes.
  Test of Operating Effectiveness:
    Reviewed the Business Continuity Plan (dated X)
    Interviewed the Technical Operations Engineer to verify that restoration tests are conducted at least twice a year
  Test Results: No Relevant Exceptions Noted
A1.2.2
  Control Activity: The organization has physical controls in place to protect against external and environmental hazards.
  Test of Operating Effectiveness:
    Interviewed the Technical Operations Engineer to verify that physical controls are in place
    Observed that the corporate office includes standard HVAC and fire detection/suppression controls
    Observed that networking equipment and critical infrastructure are equipped with UPS battery backups and dedicated cooling units
    Observed that the office is equipped with an emergency power generator and an onsite supply of fuel
  Test Results: No Relevant Exceptions Noted
A1.3
Recovery plan procedures supporting system recovery are tested to help meet the entity’s availability commitments and system requirements.
A1.3.1
  Control Activity: The organization has a business continuity plan in place to restore operations and ensure availability of information following interruption to, or failure of, critical business processes.
  Test of Operating Effectiveness:
    Reviewed the Business Continuity Plan (dated X)
    Interviewed the Technical Operations Engineer to verify that restoration tests are conducted at least twice a year
  Test Results: No Relevant Exceptions Noted
A1.3.2
  Control Activity: The organization has implemented a data backup policy.
  Test of Operating Effectiveness:
    Reviewed the Backup Retention Policy (dated X)
    Interviewed the Technical Operations Engineer to verify that the organization’s backup/retention policy contains information about the different types of data managed
    Observed that data restore jobs are run annually
  Test Results: No Relevant Exceptions Noted
Additional Criteria for Confidentiality
Ctrl # | Control Activity | Test of Operating Effectiveness | Test Results
C1.1
Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity’s confidentiality commitments and system requirements.
C1.1.1
  Control Activity: The organization’s Information Security Policy and job descriptions define security responsibilities for personnel.
  Test of Operating Effectiveness:
    Reviewed the Information Security Policy (dated X)
    Observed that security responsibilities are defined in the Information Security Policy and in the relevant job descriptions
    Observed the use of the company intranet to disseminate this information
  Test Results: No Relevant Exceptions Noted
C1.2
Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity’s confidentiality commitments and system requirements.
C1.2.1
  Control Activity: The organization provides new hires with the appropriate acknowledgements, forms, and documents during the onboarding process.
  Test of Operating Effectiveness:
    Reviewed the onboarding documents
    Observed that management sets the appropriate tone at the top and employee expectations during the onboarding process
  Test Results: No Relevant Exceptions Noted
C1.2.2
  Control Activity: The organization has a Privacy Policy in place that details how personal information is to be handled.
  Test of Operating Effectiveness:
    Reviewed the Privacy Policy (dated X)
    Interviewed the Program Manager to verify that ABC, Inc. has established a Privacy Policy
    Observed that the Privacy Policy is on the organization’s website and governs how it handles sensitive and personal information
  Test Results: No Relevant Exceptions Noted
C1.3
Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity’s confidentiality commitments and system requirements.
C1.3.1
  Control Activity: The organization has implemented a process for transmitting or receiving data across open, public networks.
  Test of Operating Effectiveness:
    Reviewed the documented protocol details
    Interviewed the Security Analyst to verify that the organization uses the most recent version of TLS when transferring sensitive customer data over the internet
  Test Results: No Relevant Exceptions Noted
C1.4
The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.
C1.4.1
  Control Activity: The organization requires that third parties sign a Confidentiality and Non-Disclosure Agreement prior to sharing information.
  Test of Operating Effectiveness:
    Reviewed the Master Service Agreement (dated X) and the Non-Disclosure Agreement (dated X)
    Interviewed the Security Analyst to verify that the organization implements an NDA and MSA
    Observed the MSA and NDAs onsite to verify they were in place
  Test Results: No Relevant Exceptions Noted
C1.5
Compliance with the entity’s confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.
C1.5.1
  Control Activity: The organization completes a risk assessment and reviews compliance reports to monitor vendors’ service delivery and compliance status.
  Test of Operating Effectiveness:
    Reviewed vendor compliance reports
    Interviewed the Technical Operations Engineer to verify that all vendor relationships begin with a security risk assessment and a review of compliance reports
  Test Results: No Relevant Exceptions Noted
C1.6
Changes to the entity’s confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.
C1.6.1
  Control Activity: The organization uses its intranet to distribute its Information Security Policy to personnel.
  Test of Operating Effectiveness:
    Observed that the Information Security Policy is available via the corporate intranet
  Test Results: No Relevant Exceptions Noted
C1.7
The entity retains confidential information to meet the entity’s confidentiality commitments and system requirements.
C1.7.1
  Control Activity: The organization has business requirements for retaining and deleting data.
  Test of Operating Effectiveness:
    Reviewed Backup Details (dated X)
    Interviewed the Security Analyst to verify that data retention is driven by the contract with the client
  Test Results: No Relevant Exceptions Noted
C1.8
The entity disposes of confidential information to meet the entity’s confidentiality commitments and system requirements.
C1.8.1
  Control Activity: The organization relies on third parties for media destruction purposes.
  Test of Operating Effectiveness:
    Interviewed the Technical Operations Engineer to verify that equipment and media are destroyed by a third party
  Test Results: No Relevant Exceptions Noted