Security

Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on; in a non-privacy SOC 2 engagement, the security category must be included. This category addresses whether a system is protected, both physically and logically, against unauthorized access. The security category consists of the complete set of the common criteria, which integrate with the 2018 COSO Internal Control – Integrated Framework. The common criteria include the following principles:

• Control Environment
  • Does the service organization show a commitment to integrity and ethical values?
  • Does the service organization’s board of directors demonstrate independence from management and oversee the progress and functionality of internal control?
  • Does the service organization’s management delegate responsibilities and authorities over the pursuit of business objectives?
  • Does the service organization show a commitment to attracting, developing, and retaining competent employees who align with business objectives and values?
  • Does the service organization hold employees accountable for their responsibilities?

• Communication and Information
  • Does the service organization use relevant internal and external data to make information-based decisions about the functionality of internal control?
  • Does the service organization clearly communicate, both internally and externally, about matters impacting the functionality of internal control?

• Risk Assessment
  • Does the service organization name specific business objectives so that it can identify and assess the risks that those objectives face?
  • Does the service organization identify risks that threaten the achievement of its objectives, and determine how to manage those risks?
  • Does the service organization consider how fraud can impact risk?
  • Does the service organization assess how changes within the organization could impact the system of internal control?

• Monitoring Activities
  • Does the service organization monitor whether all components of internal control are present and functioning?
  • Does the service organization monitor and communicate internal control flaws in a timely manner and to the appropriate parties?