Overview:
The entity also selects and develops general control activities over technology to support the achievement of objectives.
Action Items:
1) Create a risk assessment policy and related procedures that outline the organization's risk assessment approach, and publish them on the company intranet for employees to access and review.
2) Inspect the most recent risk assessment to determine that assigned risk owners selected and developed control activities, documented within mitigation plans, to mitigate the risks identified during the annual risk assessment process.
Related Documents:
1) Risk assessment policy
2) Sample of recent business risk assessments
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
2) Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
3) Establishes Relevant Security Management Process Control Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats.
4) Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives.
Article ID: 231
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-technology-control-activities-principle-11-cc5-2-231.html