Dear 'tbd',
Before reading the rest, does your review of SOC 2 reports include and focus on responsibilities of the Business Unit for "Complementary User Entity Controls" and/or requirements? For many infrastructure vendors, IT is the business unit (BU).
If not, then in my own opinion, generally, I would always recommend that the business unit SME (VP, etc.) be involved and own the CUE controls. This is especially true for SaaS and other offerings that are close to, but not quite, Shadow IT, where the business unit pays for and manages the services.
When possible, we have the business unit (BU) drive the communications with the vendor to obtain the correct SOC2 Type II report for the service in question; then IT (or InfoSec, depending on the size of your organization) performs the SOC2 review; and afterwards, the intent is to rely on the BU to handle all identified "Complementary User Entity Controls" requirements, assuming all remaining steps of your SOC2 review and vendor onboarding process are successful and you have a new vendor.
1. Be sure your Info Sec / SOC2 review team identifies all Complementary User Entity Controls ("CUE Controls")
2. Training may be required to bring the BU to a level where they are self-sufficient to manage the CUE Controls. The Service Provider uses the SOC2 process to provide legal protection for issues, breaches, data protection gaps, etc. if the cause is the failure of the customer / client / subscriber to meet and manage all CUE controls.
3. The Service Provider includes CUE Controls to state they can't be held responsible if their customer doesn't remove/control user subscriptions, user passwords, terminations, etc.
4. The Service Auditor's opinion will state whether the CUE Controls were audited for this purpose or were not audited during the SOC2 examination.
Larry
This is my humble opinion and does not reflect, imply or infer any official company position or policy
Notes:
(A) Your InfoSec / IT team needs to evaluate whether, alone or together, all your cybersecurity requirements for your own security posture are still met and the BU's risks are addressed by the combination of (a) all SOC2-covered service provider controls; (b) execution of all User Entity controls; and (c) potentially, further SOC2 reports, etc. to cover fourth-party service providers (sub-servicers) that the Service Provider uses but that the Service Auditor of the SOC2 did not audit as part of their examination, leaving the User Entity responsible for doing further research.
(B) I have yet to see an auditor opinion stating that the CUE Controls combined with the audited service provider controls are sufficient, even if the User Entity successfully handles all the CUE Controls. Have the SOC2 review team take special note of the CUE Controls and whether they meet your definition of what a BU does, or whether IT or a third party is needed to handle them (for scale, etc.).
P.S. [Have Legal be sure you don't sign a contract that states the Service Provider is not responsible for user-related breaches, etc. There is always room for language stating that the Service Provider remains responsible (as long as the User Entity at least audits users, subscribers, etc. in the SaaS/SP service at least as often as the User Entity audits its own enterprise users, etc.). Not a lawyer, but you get the drift.]
Original Message:
Sent: 01-05-2021 03:14 PM
From: Anonymous Member
Subject: SOC 2 Review By Relationship Owners
This message was posted by a user wishing to remain anonymous
We are in the process of trying to beef up our SOC review process and wondered if any FIs specifically require their business unit relationship owners to review SOC 2 reports?
Our Information Security team currently reviews these documents, but we were unsure if we should require the actual business owner to review, as well? Who reviews those documents at your institutions?