Overview:
The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.
Action Items:
1) Create an access control policy and related procedures, and publish them on the company intranet for employees to access and review.
2) Create a data archival and backup policy and related procedures, and publish them on the company intranet for employees to access and review.
3) Inspect the administrative access listings for the in-scope systems to determine that administrative access privileges to the centrally managed access control systems are restricted to user accounts accessible by authorized personnel.
4) Inspect the automated backup system configurations to determine that an automated backup system is in place to perform scheduled backups of production databases on a daily or recurring basis, as outlined in the backup policy.
5) Inspect the backup configuration to determine that the automated backup system is configured to notify IT personnel via e-mail regarding the failure of backup jobs.
Related Documents:
1) Access control policy
2) Data archival and backup policy
3) Administrative account inventory
4) Automated backup system configurations
5) Evidence of security event notifications
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Protects Stored Items—Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
2) Archives and Protects System Records—System records are archived, and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
3) Stores Data Completely and Accurately—Procedures are in place to provide for the complete, accurate, and timely storage of data.
4) Creates and Maintains Records of System Storage Activities—Records of system storage activities are created and maintained completely and accurately in a timely manner.
Article ID: 258
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-policies-and-procedures-for-storing-inputs-items-in-processing-and-outputs-pi1-5-258.html