Due Diligence and Ongoing Monitoring

  • 1.  SOC 2 Review By Relationship Owners

    This message was posted by a user wishing to remain anonymous
    Posted 01-05-2021 03:31 PM

    We are in the process of trying to beef up our SOC review process and wondered if any FIs specifically require their business unit relationship owners to review SOC 2 reports?

    Our Information Security team currently reviews these documents, but we were unsure if we should require the actual business owner to review, as well? Who reviews those documents at your institutions?


  • 2.  RE: SOC 2 Review By Relationship Owners

    Posted 01-05-2021 04:54 PM
    Dear 'tbd',
    Before reading the rest, does your review of SOC 2 reports include and focus on responsibilities of the Business Unit for "Complementary User Entity Controls" and/or requirements?  For many infrastructure vendors, IT is the business unit (BU).

    If not, then in my own opinion, generally, I would always recommend the business unit SME (VP, etc) is involved and owns the CUE controls.  This is especially true for SaaS and other offerings that are close but not quite Shadow IT where business unit pays and manages the services.

    When possible, we have the business unit (BU) drive the communications with the vendor to get the correct SOC2 Type II for the service in question, and then IT (IT or InfoSec based on the size of your organization) does the SOC2 review; afterwards, the intent is to rely on the BU to handle all identified "Complementary User Entity Controls" requirements, assuming all remaining steps of your SOC2 review and vendor onboarding process are successful and you have a new vendor.

    1. Be sure your Info Sec / SOC2 review team identifies all Complementary User Entity Controls ("CUE Controls")

    2. Training may be required to bring the BU to level where they are self-sufficient to manage the CUE Controls. The Service Provider uses the SOC2 process to provide legal protection for issues, breaches, data protection gaps, etc. if the cause is due to the failure of the customer / client / subscriber to meet and manage all CUE controls.

    3. The Service Provider includes CUE Controls to state they can't be held responsible if their customer doesn't remove/control user subscriptions, user passwords, terminations, etc. 

    4. The Service Auditor's opinion will state whether the CUE Controls have been audited for the purpose or that they are not audited during the SOC2 examination. 

    Larry
    This is my humble opinion and does not reflect, imply or infer any official company position or policy

    Notes:
    (A) Your InfoSec / IT team needs to just evaluate whether alone or together, all your cybersecurity requirements for your own security posture are still met and the BU's Risks are addressed from the combination of (a) all SOC2 covered service provider controls;  (b) execution of all User Entity controls and (c) potentially, the further SOC2 reports, etc. to cover fourth party service providers (sub-servicers) that the Service Provider uses, but the Service Auditor of the SOC2 did not audit as part of their examination and it is left to the User Entity to be responsible to do further research.

    (B) I have yet to see where there is an auditor opinion where the CUE Controls combined with the audited service provider controls are sufficient even if the User Entity successfully handles all the CUE controls.   Have SOC2 review team take special note to review CUE Controls and whether they meet your definition of what a BU does or whether IT or third party needed to handle them (for scale, etc.).

    P.S. [Have Legal be sure you don't sign contract that states Service Provider is not responsible for user related breaches, etc.  There is always room for language to state Service Provider remains responsible (as long as User Entity at least audits users, subscribers, etc. in SaaS/SP service at least as often the User Entity audits its own enterprise users, etc.  Not a lawyer, but you get the drift. ]



  • 3.  RE: SOC 2 Review By Relationship Owners

    Posted 01-05-2021 05:35 PM

    I will agree with Larry.

    With a SOC 2 Type 2, the business owners will be significantly out of their area of expertise, and my suspicion is that there will be either active or passive push back on reviewing the whole SOC report.

    The Complementary User Controls, though, are absolutely within their scope, and they are the best suited to confirm the processes.

    The exception would be those Controls that are clearly IT based [things like accounts of terminated staff are disabled in a timely manner, or encryption levels].

    Generally, I've had the BU owner request the SOC [among other things], and then I will pull out the User Controls and bounce them back for review and confirmation of processes.

    [Pro tip - most auditors don't want a blanket "yup, we do that stuff" statement for the entirety of the list of Controls. They want granularity to at least give the illusion that the BU owner has reviewed and put thought into the Controls, so individual comments are a better practice, and it does encourage actual reading and thinking.]

    Thanks,
    Dave

    David Howe
    Chief Information Officer


  • 4.  RE: SOC 2 Review By Relationship Owners

    Posted 01-06-2021 09:15 AM
    We use an internal review form for all of our SOC2s to collect sign-offs.  It is routed to the business/relationship owner, Financial, Info Security, and finally Internal Audit.  All of the complementary user entity controls listed in the SOC2 are also listed on the review form and need to be addressed by one of the above parties.


  • 5.  RE: SOC 2 Review By Relationship Owners

    Posted 01-07-2021 11:53 AM
    Tracy, would you be willing to share your internal review form?


  • 6.  RE: SOC 2 Review By Relationship Owners

    Posted 01-07-2021 12:38 PM
    I've attached our form, there really isn't much to it.  It is always routed to all parties involved and if there isn't anything for an area to review, they still sign-off that there isn't anything for them to review.  Internal Audit always does the final review and sign-off.


  • 7.  RE: SOC 2 Review By Relationship Owners

    Posted 01-07-2021 03:09 PM
    Tracy,
    Thank you.  I was following your contributions and was curious about the form.  

    Have a great day.
    Larry