SOC 2 Evaluating and Monitoring Internal Controls (Principle 16) (CC4.1)


Overview:
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.


Action Items:
1) Create a threat and vulnerability management policy and related procedures and publish them to the company intranet for employees to access and review.
2) Create a standard, documented internal audit procedure that is used to guide all internal audit assessments and activities.
3) Create a capacity planning policy and related procedures and publish them on the company intranet for employees to access and review.
4) Create a change management policy and related procedures and publish them on the company intranet for employees to access and review.
5) Create a logging and monitoring policy and related procedures and publish them on the company intranet for employees to access and review.
6) Inquire of the senior manager of compliance, or equivalent, regarding the audit plan to determine that audit schedules are based on results from previous reviews and changes to the business.
7) Inquire of the senior manager of compliance, or equivalent, regarding security assessments to determine that assessments are conducted internally and by an accredited independent third-party assessor on an annual basis, and that the results of the audits are reviewed by management and the board of directors annually.
8) Inquire of the director of security and engineering operations, or equivalent, regarding security event notifications to determine that security personnel are notified via an internal collaboration platform when security events are identified, and that identified security events are evaluated to determine whether the event resulted in the unauthorized disclosure of confidential information or PII.
9) Inquire of the senior manager of compliance, or equivalent, regarding monitoring applications to determine that monitoring applications are utilized to monitor system performance and are configured to send automated alerts to IT personnel when predefined thresholds have been exceeded.
10) Inspect the most recent vulnerability assessment to determine that vulnerability assessments are performed by third-party vendors at least annually to identify the functionality of control activities, and that any critical or high vulnerabilities detected are triaged by the information security team and monitored through resolution.
11) Inspect the most recent internal audit report and internal audit procedures to determine that an audit plan is compiled on an annual basis that defines the audit criteria and scope for each audit, with the audit schedule based on results from previous reviews and changes to the business.
12) Inspect the most recent board of directors presentation to determine that assessments are conducted internally and by an accredited independent third-party assessor on an annual basis, and that the results of the audits are reviewed by management and the board of directors annually.
13) Inspect the review of the third-party compliance report to determine that the compliance team obtained and reviewed the compliance report from third-party vendors, that the review covered the operating effectiveness of controls, and that any identified risks were addressed.
14) Inspect the internal collaboration tool and a sample of security incident tickets to determine that security personnel are notified via an internal collaboration platform when security events are identified, and that identified security events are evaluated to determine whether the event resulted in the unauthorized disclosure of confidential information or PII.
15) Inspect the monitoring dashboard and alert configurations to determine that enterprise monitoring applications are utilized to monitor system performance and are configured to send automated alerts to IT personnel when predefined thresholds have been exceeded.
16) Inspect the capacity planning policy and corresponding monitoring configurations to determine that monitoring applications are configured to monitor the capacity levels of in-scope systems.
17) Inspect the change tickets for a sample of changes implemented during the review period to determine that, for each change sampled, changes made to in-scope systems were authorized, tested, and approved prior to implementation.


Related Documents:
1) Threat and vulnerability management policy
2) Internal audit procedure
3) Capacity planning policy
4) Change management policy
5) Logging and monitoring policy
6) Sample of recent vulnerability assessments
7) Most recent board of directors presentation regarding information security
8) Third-party compliance reports and/or attestations of compliance
9) Sample of security incident tickets
10) Monitoring and alerting configurations
11) Change tickets for a sample of changes

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
2) Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
3) Establishes Baseline Understanding—The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
4) Uses Knowledgeable Personnel—Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
5) Integrates With Business Processes—Ongoing evaluations are built into the business processes and adjust to changing conditions.
6) Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.
7) Objectively Evaluates—Separate evaluations are performed periodically to provide objective feedback.
8) Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.



Article ID: 228
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-evaluating-and-monitoring-internal-controls-principle-16-cc4-1-228.html