
SOC 2 Internal Communications (Principle 14) (CC2.2)

Overview:
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.


Action Items:
1) Create an employee training and security awareness policy and related procedures, and publish them on the company intranet for employees to access and review.
2) Create an escalation procedure for reporting security incidents, and publish it on the company intranet for employees to access and review.
3) Create a standard confidentiality statement that all employees are required to sign during their new-hire onboarding process that requires them not to disclose proprietary or confidential information.
4) Create, document, and maintain position descriptions for all employment positions in the company.
5) Inquire of the director of compliance, or the equivalent, to determine that employees are required to sign and acknowledge a confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.
6) Inspect the policies to determine that documented policies and procedures are in place to guide personnel in the entity's security, availability, privacy, processing integrity, and confidentiality commitments and the associated system requirements, and that the policies and procedures are communicated to internal personnel via the company intranet.
7) Inspect completed training documentation for a sample of new and current employees to determine that employees are required to complete security awareness training on an annual basis to understand their obligations and responsibilities to comply with the corporate and business unit security policies.
8) Inspect completed training documentation for a sample of new and current employees to determine that the information security team provides annual security training, as well as quarterly security compliance updates, to its employees.
9) Inspect the meeting minutes from the most recent annual company-wide strategy meeting to determine that the information security team provides annual security training, as well as quarterly security compliance updates, to its employees.
10) Inspect the documented position descriptions for a sample of employment positions to determine that documented position descriptions are in place for each employment position sampled to define the skills and knowledge levels required for the competence levels of particular jobs.
11) Inspect meeting minutes from a sample of bi-weekly meetings to determine that departmental meetings are held on a bi-weekly basis to communicate departmental performance and address operational problems.
12) Inspect the escalation procedure to determine that documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents.
13) Inspect the security policy to determine that a security channel is accessible to internal users for reporting incidents, concerns, and complaints, and that reported concerns are reviewed by the information security team as issues are reported.
14) Inspect the minutes of the most recent strategy meeting to determine that management formally documents an organizational strategy and performance policy and updates it on an annual basis to align internal control responsibilities, performance measures, and incentives with company business objectives.
15) Inspect the meeting minutes from the most recent annual company-wide strategy meeting to determine that management holds an annual company-wide strategy meeting that discusses and aligns internal control responsibilities, performance measures and incentives with company business objectives.
16) Inspect the training documentation for a sample of employees hired during the review period to determine that each employee sampled was required to sign a confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.


Related Documents:
1) Employee training and security awareness policy
2) Documented escalation procedure
3) Signed confidentiality statements by new employees
4) Documented employment descriptions
5) Completed employee training documentation
6) Board of directors strategy meeting minutes
7) Company-wide strategy meeting minutes

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Communicates Internal Control Information—A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
2) Communicates With the Board of Directors—Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity's objectives.
3) Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
4) Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the information.
5) Communicates Responsibilities—Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities.
6) Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters—Entity personnel are provided with information on how to report system failures, incidents, concerns, and other complaints to the responsible personnel.
7) Communicates Objectives and Changes to Objectives—The entity communicates its objectives and changes to those objectives to personnel in a timely manner.
8) Communicates Information to Improve Security Knowledge and Awareness—The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.
9) Communicates Information About System Operation and Boundaries—The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation.
10) Communicates System Objectives—The entity communicates its objectives to personnel to enable them to carry out their responsibilities.
11) Communicates System Changes—System changes that affect responsibilities or the achievement of the entity’s objectives are communicated in a timely manner.