Due Diligence and Ongoing Monitoring

  • 1.  SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 09-14-2021 11:22 AM

    In reviewing SOC2 CUECs, should you review ALL the CUECs including any additional specific criteria for availability (A), processing integrity (PI), confidentiality (C), and privacy categories (P) on the report, or just the common criteria (CC)?


  • 2.  RE: SOC2 CUECs

    Posted 09-21-2021 11:48 AM
    Since CUECs are controls your Vendor is expecting you to implement within your organization and complement the controls at the vendor, I would definitely review both the ones listed for the Common Criteria as well as for any additional specific criteria. You can then eliminate any that don't specifically apply to your use of the Vendor product or service or you as an organization. Generally speaking, we recommend the following high-level steps when approaching CUECs:

    • Review the CUECs and their associated control objectives to ensure context is understood
    • Determine which CUECs apply to you, as not all will always apply
    • Assign each CUEC to a person/team/role for responsibility
    • Determine which CUECs you are already addressing
    • Address each applicable remaining CUEC
    • Record how each CUEC is addressed
    • Assess CUECs with each new SOC report or with any significant internal changes

    Interested to hear if others have any thoughts on this.


  • 3.  RE: SOC2 CUECs

    Posted 09-23-2021 08:21 AM
    Hi Lisa, agree 100% with your comments.

    We review all of the CUECs and only omit those that specifically don't apply based on our use of the product or services.

    We map the CUECs to our business unit mitigations and controls. That has been really helpful documentation both for us internally as well as for external auditors and regulators.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 4.  RE: SOC2 CUECs

    Posted 09-23-2021 12:43 PM

    Would anyone have a template they could share of how they handle the mapping?

    Thank you!


  • 5.  RE: SOC2 CUECs

    Posted 10-20-2021 10:18 AM
    I too would like to view any templates you may use to document responsible parties and their acceptance of the responsibility.


  • 6.  RE: SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 10-11-2021 02:45 PM

    Sorry, newbie here. What does CUEC stand for? Thank you!


  • 7.  RE: SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 10-11-2021 04:49 PM

    Complementary User Entity Controls. The following site may be useful for you: The Importance of System Organization Control Reports and How to Effectively Interpret Them (vermont.gov)