Due Diligence and Ongoing Monitoring

  • 1.  CUECs and user accesses

    Posted 05-05-2021 11:26 AM
    Hi all,

    In reviewing many of the CUECs from the vendors' SOC Reports, I think it would be beneficial to have a form for employees (users) to sign that acknowledges that they should only access their accounts while on the bank's network. 
    Some of our vendors have it set up so that only approved IP addresses can log in, but some do not. 

    Do any of you utilize a form like this? Or have a template that you would be willing to share?

    Thanks in advance,
    Brittany


  • 2.  RE: CUECs and user accesses

    Posted 05-05-2021 12:02 PM
    Hi Brittany,
    What a great question!  For an individual, I think that should be an amendment to the acceptable use policy that employees need to sign every year; it can be part of their mandatory training on policies, corporate oversight, etc. and reinforced in other areas of training -  cybersecurity, phishing, privacy, etc.

    Also, for the business unit that requires the vendor, before worrying about access control rules, they should sign off and acknowledge that any users they grant access to the services described in the SOC2 report should adhere to your comment (connect to work first, then access the service, especially when working from home, etc.).

    In one of the forums, there was a Word attachment from "MWA" as an example of a SOC Report Review request form.  The "SOC Report Review" form covered how a business unit lead should request a SOC report review, and getting feedback on the required CUECs was a big part of it (section 2), where the reviewers (internal audit, information security, finance, etc.) would outline the CUECs / controls the business unit was responsible for.   If you started there, you then had the business

    As Nicole O'Brien from Venminder always emphasizes, all this needs to be done before any data access is granted and before any contracts are signed (especially if minimum SLAs are not in the agreements). Otherwise it's too late to rely on vendor compliance after the fact.

    Likewise, the acceptable use change, requiring a SOC2 review request form, your review process, and providing the business unit with strategies to comply with the CUECs, what existing policies will assist/cover, and what policies and procedures the business unit needs to maintain are really important.  Of course, what if the business unit needs to "move quickly"? Our flow for new vendor onboarding was an easier place to start:  request for review, getting the correct SOC2 for the services to be used, review, and, via the business unit, getting a signed copy of a required cybersecurity questionnaire (which we pre-fill based on the inspected controls (only) we accept from the SOC2).  It's at this point we share any concerns, information, and recommendations regarding how the business unit will manage the CUECs, including training, monitoring and reporting intervals.

    What I liked about the MWA report review request form was that it framed those communications. This is a work in progress, and we are looking to apply it to all SOC2 updates from priority vendors we will be getting this year, in addition to any new onboarding.   

    As stated in another response on TPTT, it may be okay to 'speed up the process' by changing the order of operations -- but never to circumvent any part of the process. Third party onboarding is no longer just getting BAA (if needed), NDA, MSA and Invoice/PO approvals. Final agreement on SLAs needs to be part of business unit and employee training, including the mandatory right to independent security inspections.  As far as SOC2 Type II reports go, vendors can't assume that those absolve them of the customer's right to audit their infrastructure, policy, breach/threat history, employee training, etc. -- only that the customer has that right based on its own data ownership guidance, data risk analysis and risk assessment.

    So until there comes a time we can predict and know ahead of time what vendors might be needed, privacy concerns have to come first versus being nimble.

    Again, great question Brittany.

    Larry





  • 3.  RE: CUECs and user accesses

    Posted 05-05-2021 12:06 PM
    One point on work-from-home: saying 
    "they should sign off and acknowledge any users they grant access to the services described in the SOC2 report should adhere to your comment (connect to work first then access service, especially when working from home, etc.)." 

    is fine, but when your main VPN services or data centers have been impacted, the policy should have a caveat along with updates to the BC/DR policy of certain exceptions (e.g., unless specific instructions during a declared DR event instruct otherwise, but only for the duration of the event).

    Larry
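
Where a vendor does not enforce the IP allow-list that post 1 mentions, the bank is left with a signed acknowledgement and whatever monitoring it does itself. The script below is an added example (not from the thread or from any of the vendors discussed) of that compensating check: it reads a vendor's login audit export and flags logins that did not come from the bank's approved egress addresses, and it applies the kind of time-boxed DR exception described in post 3. The log format, the usernames, the `APPROVED_EGRESS` ranges and the `DR_WINDOWS` values are all constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of a vendor login audit export: timestamp,user,source_ip,result.
# Made-up data in a made-up CSV format; not any real vendor's export.
SAMPLE_LOG = """\
2021-05-05T13:02:11Z,brittany,198.51.100.10,SUCCESS
2021-05-05T13:05:42Z,larry,203.0.113.77,SUCCESS
2021-05-05T13:09:03Z,jsmith,198.51.100.11,SUCCESS
2021-05-06T02:15:30Z,larry,192.0.2.45,SUCCESS
2021-05-06T02:20:00Z,mallory,203.0.113.200,FAILURE
2021-05-07T09:30:00Z,jsmith,192.0.2.99,SUCCESS
"""

# Hypothetical bank egress ranges: the public NAT/VPN exit addresses a vendor
# would allow-list. Replace with the bank's real ranges in practice.
APPROVED_EGRESS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.64/27"),
]

# Hypothetical declared DR event. Out-of-network access is tolerated only
# inside this window, matching the "only for the duration of the event" caveat.
DR_WINDOWS = [
    (datetime(2021, 5, 6, 0, 0, tzinfo=timezone.utc),
     datetime(2021, 5, 6, 6, 0, tzinfo=timezone.utc)),
]


def parse_line(line):
    """Split one audit record into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.strip().split(",")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, user, ipaddress.ip_address(ip), result


def from_approved_network(ip, approved):
    """True when the source address falls inside any approved egress range."""
    return any(ip in net for net in approved)


def in_dr_window(when, dr_windows):
    """True when the event time falls inside a declared DR window."""
    return any(start <= when <= end for start, end in dr_windows)


def review(log_text, approved=APPROVED_EGRESS, dr_windows=DR_WINDOWS):
    """Classify each login as ok, dr_exception, violation, or failed_outside."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, ip, result = parse_line(line)
        if from_approved_network(ip, approved):
            verdict = "ok"
        elif result != "SUCCESS":
            # A failed login from outside is not a user policy violation; it is
            # more likely credential probing and deserves a different queue.
            verdict = "failed_outside"
        elif in_dr_window(when, dr_windows):
            verdict = "dr_exception"
        else:
            verdict = "violation"
        findings.append({"when": when, "user": user, "ip": str(ip), "verdict": verdict})
    return findings


def summarize(findings):
    """Count findings per verdict, for the periodic report to the business unit."""
    return dict(Counter(f["verdict"] for f in findings))


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f"{f['when'].isoformat()} {f['user']:10} {f['ip']:16} {f['verdict']}")
    print(summarize(results))
```

Running it on the sample prints one line per login and a summary of `{'ok': 3, 'dr_exception': 1, 'failed_outside': 1, 'violation': 1}`. Successful logins from outside the approved ranges and outside any declared DR window are the ones to take back to the user who signed the acknowledgement; failed attempts from outside go to whoever handles credential-abuse alerts instead.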