SOC 2 Board of Directors Independence and Oversight (Principle 2) (CC1.2)


Overview:
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.


Action Items:
1) Create a formal charter and set of bylaws for the board of directors.
2) Document the roles and responsibilities for the information security program.
3) Inspect the formal charter and set of bylaws to determine that the board of directors has established and maintains a formal charter and set of bylaws that describe its responsibilities for, and oversight of, management’s system of internal control.
4) Inspect the formal charter, the bylaws, and the current membership of the board of directors to determine that the board has sufficient members who are independent from management and objective in their evaluations and decision making.
5) Inspect a recent report of internal control performance metrics provided to the board of directors to determine that management compiles and provides internal control performance metrics to the board of directors on an annual basis.
6) Inspect a recent report of internal control performance metrics to determine that an executive management team composed of security personnel and executive staff has been established to guide the company in managing security, availability, processing integrity, confidentiality, and privacy risks.


Related Documents:
1) Charter and bylaws for the board of directors
2) Sample report of internal control performance metrics
3) Documented roles and responsibilities for the information security program

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Establishes oversight responsibilities: The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
2) Applies relevant expertise: The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
3) Operates independently: The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
4) Supplements board expertise: The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.



Article ID: 217
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-board-of-directors-independence-and-oversight-principle-2-cc1-2-217.html