Due Diligence and Ongoing Monitoring


SOC2 CUECs

  • 1.  SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 09-14-2021 11:22 AM

    In reviewing SOC2 CUECs, should you review ALL the CUECs including any additional specific criteria for availability (A), processing integrity (PI), confidentiality (C), and privacy categories (P) on the report, or just the common criteria (CC)?


  • 2.  RE: SOC2 CUECs

    Posted 09-21-2021 11:48 AM
    Since CUECs are controls your Vendor is expecting you to implement within your organization and complement the controls at the vendor, I would definitely review both the ones listed for the Common Criteria as well as for any additional specific criteria. You can then eliminate any that don't specifically apply to your use of the Vendor product or service or you as an organization. Generally speaking, we recommend the following high level steps when approaching CUECs:

    • Review the CUECs and their associated control objectives to ensure context is understood
    • Determine which CUECs apply to you, as not all will always apply
    • Assign each CUEC to a person/team/role for responsibility
    • Determine which CUECs you are already addressing
    • Address each applicable remaining CUEC
    • Record how each CUEC is addressed
    • Assess CUECs with each new SOC report or with any significant internal changes

    Interested to hear if others have any thoughts on this.


  • 3.  RE: SOC2 CUECs

    Posted 09-23-2021 08:21 AM
    Hi Lisa, agree 100% with your comments.

    We review all of the CUECs and only omit those that specifically don't apply based on our use of the product or services.

    We map the CUECs to our business unit mitigations and controls. That has been really helpful documentation both for us internally as well as for external auditors and regulators.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 4.  RE: SOC2 CUECs

    Posted 09-23-2021 12:43 PM

    Would anyone have a template they could share of how they handle the mapping?

    Thank you!


  • 5.  RE: SOC2 CUECs

    Posted 10-20-2021 10:18 AM
    I too would like to view any templates you may use to document responsible parties and their acceptance of the responsibility.


  • 6.  RE: SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 10-11-2021 02:45 PM

    Sorry, newbie here. What does CUEC stand for? Thank you!


  • 7.  RE: SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 10-11-2021 04:49 PM

    Complementary User Entity Controls. The following site may be useful for you: The Importance of System Organization Control Reports and How to Effectively Interpret Them (vermont.gov)


  • 8.  RE: SOC2 CUECs

    This message was posted by a user wishing to remain anonymous
    Posted 11-01-2023 08:16 AM

    Hello all,

    I am new to this too.

    My question is: Who within the organization is responsible for completing the CUEC?

    I have been sending the CUECs to our vendor owners, and they have no idea how to respond to these control objectives.

    Is our Chief Information Officer responsible? Chief Security Officer?

    Any feedback will be greatly helpful.




  • 9.  RE: SOC2 CUECs

    Posted 11-01-2023 08:18 AM

    Usually those are technical in nature so the decision maker works directly with our IT Security Officer to make sure the appropriate controls are in place.




  • 10.  RE: SOC2 CUECs

    Posted 11-01-2023 08:33 AM

    Vendor owners do it here, but they are coached if they require assistance. We provide examples when necessary. Our CUECs are all "approved" by our committee that is responsible for vendor oversight.
    Cheers

    BEN FURLONG, SSCP, CEH

    CHIEF INFORMATION SECURITY OFFICER


  • 11.  RE: SOC2 CUECs

    Posted 11-01-2023 11:08 AM

    Good point Ben. Ours have a signoff by the vendor owner, SVP Chief Strategy, SVP CEO, and SVP of Operations and Risk Management. It then goes to our Technology committee.

    Thanks,



    Kelli Shoup | Technology Support Lead/Information Security Specialist

    The Farmers Bank


    This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.






  • 12.  RE: SOC2 CUECs

    Posted 11-01-2023 08:34 AM

    Good morning.

    I am the vendor manager for my organization. I have been working in vendor management for about 16 years. While the expectation is to have the vendor owner fill them out, what I do is fill out what pertains to policy/technology (as I am in technology as well). If it then requires a department procedure, then the vendor owner needs to fill it out or tell me the procedure that pertains to the items.

    Thanks,



    Kelli Shoup | Technology Support Lead/Information Security Specialist

    The Farmers Bank
