Work.software's GRC and SOC 2
22 Manual SOC 2 Criteria covered with Work.software
In order to achieve SOC 2 compliance, you don’t just have to be successful at running vulnerability scans and hardening your infrastructure. You also need to be good at less technical controls. SOC 2 requires organizations to oversee internal controls, establish reporting structures, demonstrate a commitment to attract, develop and retain competent individuals, communicate with internal and external stakeholders regarding matters affecting internal control, and communicate internal control deficiencies. That’s where Work.Software comes to play. Our checklist and meeting templates assist you with keeping track of these activities as well as other ongoing control needs and ensures actionable items are assigned to the right people to get the job done.
Tools:
- Compliance Dashboard
- Create Custom Meetings and Link to SOC 2 Criteria and Controls
- Auditor Access and Exports
- Employee Evaluations and Performance Plans (CC1.4/CC1.5/CC2.2)
Meetings:
- Change Advisory Board (CC8.1)
- Executive Review (CC1.2, Repeats frequently throughout SOC)
- Board Meetings (CC1.2, Repeats frequently throughout SOC)
- Security Steering Committee (CC1.2, Repeats frequently throughout SOC)
- Business Continuity Plan Review (CC5.3/CC7.4/CC7.5)
- Disaster Recovery Plan Review (CC5.3/CC7.4/CC7.5)
- Business Continuity Test Retrospective (CC5.3/CC7.4/CC7.5)
- Disaster Recovery Test Retrospective (CC5.3/CC7.4/CC7.5)
- Sprint Retrospective (CC8.1)
- Job Description Review (CC1.4)
- Company Organizational Chart Review (CC1.3/CC3.4)
- New Hire Review (CC1.4/CC6.2)
- Department Meetings (CC1.2, Repeats frequently throughout SOC)
- Team Meeting, e.g. server team (CC1.2, Repeats frequently throughout SOC)
- Risk Assessment Retrospective (CC3.2)
- Review Authorized Personnel Roles for Access to Data, Software, Functions, and Other IT Resources (CC4.1, CC6.2, CC6.3)
- Review Personnel with Physical Access to Sensitive Locations (CC4.1, CC6.5)
- Review Incident Response Procedures (CC7.3, CC7.4)
- Incident Response Retrospective (CC7.4, CC7.5)
Checklists:
- Employee Exit (CC6.2/CC6.3/CC6.5)
- Employee New Hire (CC6.2/CC6.3)
- Employee Onboarding (CC1.1/CC1.4/CC6.2/CC6.3)
- Hardware Deployment (CC6.1/CC6.6/CC6.8)
- Security Policies (CC1.2/CC2.1)
- Security Awareness Training (CC1.4/CC1.5)
- Vendor Management Assessments (CC3.2, CC9.2)
Mappings:
| Criteria | Control # | Description of Controls | Meetings, Events and Checklists | |
| CC1.0 | Common Criteria Related to Control Environment | |||
|
CC1.1
|
COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
|
CC1.1.2 | Personnel are required to read and accept the code of conduct upon being hired and annually thereafter. | Employee Onboarding Checklist (CC1.1/CC1.4/CC6.2/CC6.3) |
| CC1.1.3 | Personnel are required to read and accept an acceptable use agreement upon being hired and annually thereafter. | Employee Onboarding Checklist (CC1.1/CC1.4/CC6.2/CC6.3) | ||
| CC1.1.4 | New hires are required to pass a background check as a condition of their employment. | Employee Onboarding Checklist (CC1.1/CC1.4/CC6.2/CC6.3) | ||
|
CC1.2
|
COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
|
CC1.2.3 | Executive Management exercises oversight of security controls by reviewing security policies on an annual basis. | Executive Review (CC1.2, Repeats frequently throughout SOC) Security Policies Checklist (CC1.2/CC2.1) |
| CC1.2.4 | Executive Management exercises oversight and independence of risk management activities by reviewing results of internal assessments. | Executive Review (CC1.2, Repeats frequently throughout SOC) | ||
| CC1.2.5 | The Engineering Team meets on a periodic basis to review security initatives, goals and projects. | Department Meetings (CC1.2, Repeats frequently throughout SOC) Team Meeting, e.g. server team (CC1.2, Repeats frequently throughout SOC) |
||
| CC1.2.6 | The Security Steering Committee meets on a periodic basis to review security initatives, goals and projects. | Security Steering Committee (CC1.2, Repeats frequently throughout SOC) | ||
| CC1.2.7 | The Security Steering Committee provides a report on Information Security to the Board of Directors on an annual basis. | Board Meetings (CC1.2, Repeats frequently throughout SOC) | ||
|
CC1.3
|
COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
|
CC1.3.1 | Executive Management reviews its organizational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis. | Company Organizational Chart Review (CC1.3/CC3.4) |
| CC1.3.2 | An organizational chart has been defined to appropriately document reporting lines. | Company Organizational Chart (CC1.3) | ||
|
CC1.4
|
COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
|
CC1.4.1 | Job requirements and responsibilities are documented in job descriptions. Job descritions are reviewed on an annual basis | Job Description Review (CC1.4) |
| CC1.4.2 | Security awareness training is provided to all employees on an annual basis. | Employee Onboarding Checklist (CC1.1/CC1.4/CC6.2/CC6.3) | ||
| CC1.4.3 | Managers are required to complete performance appraisals for direct reports at least annually. | Employee Evaluations and Performance Plans (CC1.4/CC1.5/CC2.2) | ||
|
CC1.5
|
COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
|
CC1.1.2 | Personnel are required to read and accept the code of conduct upon being hired and annually thereafter. | Employee Onboarding Checklist (CC1.1/CC1.4/CC6.2/CC6.3) |
| CC1.1.3 | Personnel are required to read and accept an acceptable use agreement upon being hired and annually thereafter. | Employee Onboarding Checklist (CC1.1/CC1.4/CC6.2/CC6.3) | ||
| CC1.4.2 | Security awareness training is provided to all employees on an annual basis. | Security Awareness Training (CC1.4/CC1.5) | ||
| CC1.4.3 | Managers are required to complete performance appraisals for direct reports at least annually. | Employee Evaluations and Performance Plans (CC1.4/CC1.5/CC2.2) | ||
| CC2.0 | Common Criteria Related to Communication and Information | |||
| CC2.1 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | CC2.1.1 | The entity has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control. | Security Policies (CC1.2/CC2.1) |
| CC3.0 | Common Criteria Related to Risk Assessment | |||
|
CC3.2
|
COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
|
CC3.2.2 | Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities. | Risk Assessment Retrospective (CC3.2) |
| CC3.2.3 | Management monitors key vendors and business partners on an annual basis by either obtaining and reviewing the vendors' most currently available SOC Reports or by performing other monitoring procedures. | Vendor Management Assessments (CC3.2, CC9.2) | ||
|
CC3.3
|
COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
|
CC3.3.1
|
Web application vulnerability scans are performed on a monthly basis to identify vulnerabilities and management takes action based on the results of the scan.
|
|
| Security Steering Committee (CC1.2, Repeats frequently throughout SOC) Department Meetings (CC1.2, Repeats frequently throughout SOC) Team Meeting, e.g. server team (CC1.2, Repeats frequently throughout SOC) |
||||
|
CC3.3.2
|
Web application penetration tests are performed by an independent third party on an annual basis and management takes action, as necessary, based on the results of scans.
|
|||
| Security Steering Committee (CC1.2, Repeats frequently throughout SOC) Department Meetings (CC1.2, Repeats frequently throughout SOC) Team Meeting, e.g. server team (CC1.2, Repeats frequently throughout SOC) |
||||
| CC4.0 | Common Criteria Related to Monitoring Activities | |||
|
CC4.1
|
COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
|
CC4.1.1 | Access reviews foinfrastructure, version control and Company Applicaitons are performed on an annual basis. | Review Authorized Personnel Roles for Access to Data, Software, Functions, and Other IT Resources (CC4.1, CC6.2, CC6.3) |
|
CC4.1.2
|
An internal audit is implemented for controls to assess the effectiveness of controls and detect associated risk items. Management takes action to resolve risk issues in a timely manner.
|
Internal Audit Checklist (CC4.1) | ||
| CC5.0 | Common Criteria Related to Control Activities | |||
|
COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.
|
CC5.2.2
|
IT and security policies are defined for protecting against unauthorized access that could compromise the availability, integrity, confidentiality, and privacy of information or systems. IT and security policies are reviewed by appropriate members of management on an annual basis.
|
||
| Security Policies (CC1.2/CC2.1) | ||||
|
CC5.3
|
COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
|
CC5.3.1
|
Business and system recovery plans are documented, which provide roles and responsibilities and detailed procedures for recovery of systems to a known state per defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Plans reviewed and are tested annually.
|
Disaster Recovery Plan Review (CC5.3/CC7.4/CC7.5) Business Continuity Test Retrospective (CC5.3/CC7.4/CC7.5) |
| Disaster Recovery Test Retrospective (CC5.3/CC7.4/CC7.5) | ||||
| CC6.0 | Common Criteria Related to Logical and Physical Access Controls | |||
| CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | CC6.1.1 | Server-hardening standards are followed when implementing a new server or golden image into the organization's environment. | Hardware Deployment (CC6.1/CC6.6/CC6.8) |
|
CC6.2
|
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
|
CC6.2.1 | Prior to granting new hires and contractors access to system resources, an access request form must be approved by approprite personnel | New Hire Review (CC1.4/CC6.2) Employee Onboarding Checklist (CC6.2/CC6.3) |
|
CC6.2.3
|
An off- boarding checklist is completed for terminated employees, documenting access had been removed within one business day of the termination date.
|
Employee Exit (CC6.2/CC6.3/CC6.5) | ||
| Employee Exit (CC6.2/CC6.3/CC6.5) | ||||
| CC6.4 | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. | CC6.4.1 | An card-based physical access control system has been implemented within the perimeter of facilities and at the entry and exit points of sensitive areas within these facilities, including areas containing backup media. | Review Personnel with Physical Access to Sensitive Locations (CC4.1, CC6.5) |
| CC7.0 | Common Criteria Related to System Operations | |||
|
CC7.3
|
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
|
CC7.3.1 | The incident response team follows defined incident response procedures for resolving and escalating reported security issues. | Review Incident Response Procedures (CC7.3, CC7.4) |
| CC7.3.2 | The entity responds to incidents to determine if the incident is considered a security incident and resolution is tracked. | Incident Response Retrospective (CC7.4, CC7.5) | ||
| CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. | CC7.4.1 | For all confirmed security incidents, a root cause analysis is performed to determine what corrective actions are necessary to prevent the issue from occurring in the future. | Incident Response Retrospective (CC7.4, CC7.5) |
| CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. | CC7.5.1 | Incident response plan testing is performed on an annual basis. | Incident Response Retrospective (CC7.4, CC7.5) |
| CC8.0 | Common Criteria Related to Change Management | |||
|
CC8.1
|
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedure to meet its objectives.
|
CC8.1.1 | Sprint retrospectives are completed after each major release to identify bugs, outstanding issues and follow-up activites. Responsibility for resolving outstaing items if formally assigned. | Sprint Retrospective (CC8.1) |
| CC8.1.2 | A Change Advisory Board meets on a periodic basis to discuss and priortize changes. | Change Advisory Board (CC8.1) | ||
| CC9.0 | Common Criteria Related to Risk Mitigation | |||
|
CC9.2
|
The entity assesses and manages risks associated with vendors and business partners
|
CC9.2.1
|
An inventory of vendors and business partners is maintained that ranks vendors based on criticality. Vendor monitoring procedures are implemented based on identified vendor criticality.
|
Vendor Management Assessments (CC3.2, CC9.2)
|