SOC 2 Policies and Procedures of System Processing (PI1.3)


Overview:
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.


Action Items:
1) Create a logging and monitoring policy and related procedures, and publish them on the company intranet for employees to access and review.
2) Inquire of the senior manager of compliance, or equivalent, about the monitoring applications in use to determine that they monitor system performance and are configured to send automated alerts to IT personnel when predefined thresholds are exceeded.
3) Inspect the company website and the customer portal, as applicable, to determine that a contact e-mail address and a customer portal are available for customers to submit security-related tickets and to report security incidents, concerns, and complaints. Verify that the information security team reviews reported concerns as they arrive in the inbox.
4) Inspect the quarterly customer success presentation for a sample of quarters during the review period to determine that customer success personnel discuss issues related to the processing and output of system data and present the results quarterly to the board of directors.
5) Inspect the data replication configurations to determine that data is replicated across geographically separate availability zones or regions.
6) Inspect the monitoring dashboard and the alert configurations to determine that an enterprise monitoring application monitors system performance and is configured to send automated alerts to IT personnel when predefined thresholds are exceeded.
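Items 2, 5 and 6 are evidence checks that can be scripted rather than eyeballed on a dashboard. The Python below is an added example, not code from this article or from compliancewiki.org: it reads a constructed JSON configuration (the schema, metric names, e-mail address and region/zone names are assumptions for illustration, not any vendor's real format), reports monitors that could never alert (no numeric threshold, unknown comparison, no recipient), reports replication that does not span at least two distinct zones (optionally regions), and shows which alerts would fire for a given set of metric samples.

```python
"""Added example: scripted checks for alert-threshold and replication evidence.

Constructed configuration and sample data only; the schema below is an
assumption for this illustration, not a real monitoring or cloud API.
"""
import json
import operator

# Constructed sample config: one healthy monitor, one with no recipient,
# one with no threshold, and replication that lands in a single zone twice.
SAMPLE_CONFIG = """
{
  "monitors": [
    {"metric": "api.p99_latency_ms", "comparison": ">", "threshold": 800,
     "alert_to": ["oncall@example.com"]},
    {"metric": "db.replica_lag_s", "comparison": ">", "threshold": 30,
     "alert_to": []},
    {"metric": "queue.depth", "comparison": ">",
     "alert_to": ["oncall@example.com"]}
  ],
  "replication": {
    "dataset": "customer-db",
    "targets": [
      {"region": "us-east-1", "zone": "us-east-1a"},
      {"region": "us-east-1", "zone": "us-east-1a"}
    ]
  }
}
"""

COMPARISONS = {">": operator.gt, ">=": operator.ge,
               "<": operator.lt, "<=": operator.le}


def check_monitors(monitors):
    """Return findings for monitors that cannot actually raise an alert."""
    findings = []
    for m in monitors:
        name = m.get("metric", "<unnamed>")
        if not isinstance(m.get("threshold"), (int, float)):
            findings.append(f"{name}: no numeric threshold defined")
        if m.get("comparison") not in COMPARISONS:
            findings.append(f"{name}: unknown comparison {m.get('comparison')!r}")
        if not m.get("alert_to"):
            findings.append(f"{name}: no alert recipients configured")
    return findings


def check_replication(replication, minimum=2, require_distinct_regions=False):
    """Return findings if replication does not span enough distinct locations.

    Two targets in the same zone count as one location: the check is on
    distinct zones (and, if requested, distinct regions), not on target count.
    """
    targets = replication.get("targets", [])
    zones = {t.get("zone") for t in targets if t.get("zone")}
    regions = {t.get("region") for t in targets if t.get("region")}
    label = replication.get("dataset", "<dataset>")
    findings = []
    if len(zones) < minimum:
        findings.append(f"{label}: replicated to {len(zones)} distinct zone(s); "
                        f"need at least {minimum}")
    if require_distinct_regions and len(regions) < minimum:
        findings.append(f"{label}: replicated to {len(regions)} distinct region(s); "
                        f"need at least {minimum}")
    return findings


def alerts_for(monitors, samples):
    """Return the metrics whose current sample breaches a configured threshold.

    Misconfigured monitors are skipped here; check_monitors reports them.
    """
    fired = []
    for m in monitors:
        cmp = COMPARISONS.get(m.get("comparison"))
        threshold = m.get("threshold")
        value = samples.get(m.get("metric"))
        if cmp is None or not isinstance(threshold, (int, float)) or value is None:
            continue
        if cmp(value, threshold):
            fired.append(m["metric"])
    return fired


def run_checks(config_text):
    """Parse a config document and return both sets of findings."""
    cfg = json.loads(config_text)
    return {
        "monitor_findings": check_monitors(cfg.get("monitors", [])),
        "replication_findings": check_replication(cfg.get("replication", {})),
    }


def alerts_from_config(config_text, samples):
    """Convenience wrapper: which alerts fire for these samples under this config."""
    return alerts_for(json.loads(config_text).get("monitors", []), samples)


if __name__ == "__main__":
    for section, findings in run_checks(SAMPLE_CONFIG).items():
        print(section, findings)
    print("would fire:", alerts_from_config(
        SAMPLE_CONFIG, {"api.p99_latency_ms": 950, "db.replica_lag_s": 5}))
```

Run against the sample, the script flags the monitor with no recipients, the monitor with no threshold, and the single-zone replication; only the latency alert fires for the sample values. Exporting the real alert and replication configuration to the same shape and keeping the script's output with the evidence gives the auditor something reproducible rather than a screenshot.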


Related Documents:
1) Logging and monitoring policy
2) Monitoring and alerting configurations
3) Sample of alerts sent to security personnel during security incidents
4) Evidence that customers have methods to submit support tickets or security inquiries
5) Most recent customer success presentation
6) Data replication configurations

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Defines Processing Specifications—The processing specifications that are necessary to meet product or service requirements are defined.
2) Defines Processing Activities—Processing activities are defined to result in products or services that meet specifications.
3) Detects and Corrects Production Errors—Errors in the production process are detected and corrected in a timely manner.
4) Records System Processing Activities—System processing activities are recorded completely and accurately in a timely manner.
5) Processes Inputs—Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities.



Article ID: 256
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-policies-and-procedures-of-system-processing-pi1-3-256.html