Security

Security is the category that applies to all engagements and is the foundation on which the remaining Trust Services Criteria are built; in a non-privacy SOC 2 engagement, the security category must be included. This category addresses whether information and systems are protected, both physically and logically, against unauthorized access, unauthorized disclosure, and damage that could compromise the other criteria.

The security category consists of the complete set of the common criteria (CC1 through CC9), which are aligned with the 2013 COSO Internal Control – Integrated Framework. CC1 through CC5 correspond to the five COSO components and their principles; CC6 through CC9 are supplemental criteria specific to security. Each common criterion can be framed as a question the service auditor asks of the service organization:


• Control Environment (CC1)
  • Does the service organization show a commitment to integrity and ethical values?
  • Does the service organization’s board of directors demonstrate independence from management and oversee the development and performance of internal control?
  • Does the service organization’s management establish structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of business objectives?
  • Does the service organization show a commitment to attracting, developing, and retaining competent employees in alignment with business objectives and values?
  • Does the service organization hold employees accountable for their internal control responsibilities?

• Communication and Information (CC2)
  • Does the service organization use relevant internal and external information to support the functioning of internal control?
  • Does the service organization clearly communicate, both internally and externally, about matters affecting the functioning of internal control?

• Risk Assessment (CC3)
  • Does the service organization specify business objectives clearly enough that it can identify and assess the risks to those objectives?
  • Does the service organization identify risks that threaten the achievement of its objectives and determine how to manage those risks?
  • Does the service organization consider the potential for fraud when assessing risk?
  • Does the service organization assess how changes within the organization could affect the system of internal control?

• Monitoring Activities (CC4)
  • Does the service organization monitor whether all components of internal control are present and functioning?
  • Does the service organization evaluate and communicate internal control deficiencies in a timely manner to the appropriate parties?

• Control Activities (CC5)
  • Does the service organization select and implement control activities that mitigate risks to acceptable levels?
  • Does the service organization implement control activities over technology that supports business objectives?
  • Does the service organization deploy control activities through policies and procedures?

• Logical and Physical Access Controls (CC6)
  • Does the service organization protect information assets through logical and physical access controls?
  • Does the service organization register and authorize all new internal and external users before issuing system credentials?
  • Does the service organization remove system credentials when the user’s access is no longer authorized?
  • Does the service organization apply least privilege and segregation of duties when authorizing access to information assets?
  • Does the service organization restrict physical access to sensitive locations that hold information assets to authorized personnel?
  • Does the service organization have policies and procedures in place for the disposal of data and software?
  • Does the service organization implement security measures that protect against threats from outside its system boundaries?
  • Does the service organization protect data during transmission, movement, and removal?
  • Does the service organization implement controls that prevent and detect malicious or unauthorized software?

• System Operations (CC7)
  • Does the service organization use detection and monitoring procedures to identify configuration changes that introduce new vulnerabilities and susceptibility to newly discovered vulnerabilities?
  • Does the service organization monitor system components to identify anomalies that indicate malicious acts, natural disasters, or errors?
  • Does the service organization evaluate security events to determine whether they are security incidents?
  • Does the service organization have and use a defined incident response program?
  • Does the service organization implement recovery activities after a security incident?

• Change Management (CC8)
  • Does the service organization design, develop, configure, document, test, authorize, and implement changes to its infrastructure, data, software, and policies and procedures?

• Risk Mitigation (CC9)
  • Does the service organization select or develop risk mitigation activities for risks arising from potential business disruptions?
  • Does the service organization assess and manage risks arising from vendors and business partners?
