SOC 2 Uses of Relevant, Quality Information (Principle 13) (CC2.1)

Overview:
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.


Action Items:
1) Create an information security management system (ISMS) manual for in-scope systems and publish on the company intranet for employees to access and review.
2) Create an incident response policy and related procedures and publish on the company intranet for employees to access and review.
3) Create a logging and monitoring policy and related procedures and publish on the company intranet for employees to access and review.
4) Inquire of the senior manager of compliance, or equivalent, regarding policies to determine that policies are in place that establish responsibility and accountability with respect to the quality of information.
5) Inquire of the director of security and engineering operations, or equivalent, regarding security event notifications to determine that security personnel are notified via an internal collaboration platform when security events are identified, and that identified security events are evaluated to determine whether the event resulted in the unauthorized disclosure of confidential information or PII.
6) Inquire of the senior manager of compliance, or equivalent, regarding monthly service level assessments to determine that monthly service level assessments are performed by the compliance team, that these assessments include an evaluation of the operation of key controls, that assessments are reviewed at monthly departmental meetings, and that they require the development of corrective action plans for control weaknesses.
7) Inquire of the senior manager of compliance, or equivalent, regarding monitoring of emerging technologies and the impact of changes to applicable laws or regulations to determine that the entity's information technology security group monitors the security impact of emerging technologies, and that the impact of changes to applicable laws or regulations is considered by senior management.
8) Inspect the policies to determine that policies are in place that establish information policies with a clear responsibility and accountability for the quality of information.
9) Inspect the internal collaboration tool and a sample of security incident tickets to determine that security personnel are notified via an internal collaboration platform when security events are identified, and that identified security events are evaluated to determine whether the event resulted in the unauthorized disclosure of confidential information or PII.
10) Inspect the most recent vulnerability assessment to determine that vulnerability assessments are performed by third-party vendors at least annually to evaluate the functioning of control activities, and that any critical or high vulnerabilities detected are triaged by the information security team and monitored through resolution.
11) Inspect the ISMS dashboard, or equivalent, to determine that service level assessments are performed by the compliance team, that these assessments include an evaluation of the operation of key controls, that assessments are reviewed at monthly departmental meetings, and that they require the development of corrective action plans for control weaknesses.
12) Inspect the information security management system manual to determine that the entity's information technology security group monitors the security impact of emerging technologies, and that the impact of changes to applicable laws or regulations is considered by senior management.


Related Documents:
1) Information security management system (ISMS) manual for in-scope systems
2) Incident response policy
3) Logging and monitoring policy
4) Evidence of security event notifications
5) Sample of recent security incident tickets
6) Sample of recent vulnerability assessments
7) Sample of recent service level assessments

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:

1) Identifies Information Requirements—A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives.
2) Captures Internal and External Sources of Data—Information systems capture internal and external sources of data.
3) Processes Relevant Data Into Information—Information systems process and transform relevant data into information.
4) Maintains Quality Throughout Processing—Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.