Overview:
The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Action Items:
1) Create an information security policy to govern the entire information security program and publish to the company intranet for employees to access and review.
2) Create an employee disciplinary policy and publish it on the company intranet for employees to access and review.
3) Inspect the policies to determine that procedures are in place to guide personnel on satisfying the company’s security, availability, confidentiality, privacy, and processing integrity commitments and the associated system requirements, and that policies are available to internal personnel via the company intranet.
4) Inspect the information security policy to determine that the information security program is formally documented and reviewed on an annual basis.
5) Inspect the employee disciplinary policy to determine that an employee disciplinary policy is in place communicating that an employee may be terminated for noncompliance or nonconformity with a policy and procedure.
Related Documents:
1) Information security policy
2) Employee disciplinary policy
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Establishes Policies and Procedures to Support Deployment of Management 's Directives—Management establishes control activities that are built into business processes and employees' day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
2) Establishes Responsibility and Accountability for Executing Policies and Procedures—Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
3) Performs in a Timely Manner—Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
4) Takes Corrective Action—Responsible personnel investigate and act on matters identified as a result of executing control activities.
5) Performs Using Competent Personnel—Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
6) Reassesses Policies and Procedures—Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary.
Article ID: 232
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-policies-and-procedures-principle-12-cc5-3-232.html