Do you wait until your auditors show up to perform a control assessment or internal audit? The CC4 series in your SOC 2 examination ensures you are not waiting until the last minute to assess whether or not the controls at your organization are in place and operating effectively. This blog post will provide a detailed overview of each criterion, key concepts assessed, typical evidence requests for each criterion, and the ByteChek difference.
Overview of CC4.0 (Monitoring Activities)
CC4.1 and CC4.2
CC4.1 The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
CC4.2 The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Key Concepts Assessed in CC4.1 and CC4.2:
Control Self Assessments or Internal Audits:
Typical evidence requests: Provide proof of your most recent control self-assessment or internal audit (must be performed within the past 12 months). The proof is generally the output of a report that includes the date of completion, the individuals that completed the self-assessment, the controls evaluated, their control status, and mitigation strategies for any controls not operating effectively. Due to the sensitive nature of these self-assessments, prepare to review the results, and discuss the details of the internal audit during interviews with your auditors.
With ByteChek, our platform automates the continuous monitoring and evaluation of your controls. The ByteChek platform continuously assesses your control environment (cloud infrastructure, code repositories, HR tools, etc.) to determine control operating effectiveness and alerts your team when a control's status changes. We understand that a control self-assessment is not a single point-in-time activity; controls should be continually assessed and evaluated.
Risk Assessments:
Typical evidence requests: Excel sheets or observations of GRC tools outlining the identified risks and how the risks were formally assessed, with documented treatment plans and assigned risk owners. This risk assessment should be conducted by an appropriate individual in a security, governance, or executive role. You should expect a detailed conversation with your auditors to explain the inputs for the risk assessment and the individuals involved in the process.
With ByteChek, we built an intuitive risk assessment directly into our platform. The ByteChek platform automatically generates a continuous risk register based on the information the platform ingests from your business applications (AWS, Splunk, GitHub, BambooHR, etc.). When our platform integrates with these tools, we assess the controls you have in place to mitigate risks; as a control's status changes, your risk posture should change as well. We understand that a risk assessment is not a single point-in-time activity; risks should be continually assessed and evaluated. Your team still owns this risk register and will be required to review the risks and document any additional risk mitigation strategies, but our platform helps you begin the process and updates threats in real time.
Penetration Testing:
Typical evidence requests: An output (PDF or Word) of your most recent penetration test report (performed within the last 12 months). Your auditors will confirm the scope of the penetration test, review the methodology used by your third-party vendor, and review all identified vulnerabilities. Be prepared to provide remediation evidence for any critical or high vulnerabilities identified during the penetration test.
With ByteChek, you will upload the penetration test report directly to the ByteChek platform where our assessors can review the report and communicate via our chat feature about the details. If you utilize JIRA for your remediation tracking, our integration with JIRA allows our team to automatically assess whether the critical or high vulnerabilities identified were remediated within the timeframe specified in your information security policy.
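The remediation-timeframe check described above, as an added example that is not ByteChek's code or its JIRA integration: given a list of constructed findings (ticket key, severity, open date, resolution date), it reports which critical and high findings were closed within the policy deadline, closed late, still open within the deadline, or overdue. The 15-day (critical) and 30-day (high) timeframes are assumed values; the real ones come from your information security policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation timeframes in days per severity (placeholder policy values).
POLICY_DAYS = {"critical": 15, "high": 30}


@dataclass
class Ticket:
    key: str
    severity: str             # "critical", "high", "medium", ...
    opened: date
    resolved: Optional[date]  # None while the finding is still open


def assess_remediation(tickets, as_of):
    """Map each critical/high ticket key to one of:
    "met"     closed on or before its deadline
    "late"    closed after its deadline
    "open"    still open, deadline not yet reached as of `as_of`
    "overdue" still open and past its deadline as of `as_of`
    Severities without a policy timeframe are skipped."""
    results = {}
    for t in tickets:
        sev = t.severity.lower()
        if sev not in POLICY_DAYS:
            continue
        deadline = t.opened + timedelta(days=POLICY_DAYS[sev])
        if t.resolved is None:
            results[t.key] = "overdue" if as_of > deadline else "open"
        else:
            results[t.key] = "met" if t.resolved <= deadline else "late"
    return results


def control_passes(tickets, as_of):
    """The control is effective only if no critical/high finding is late or overdue."""
    return all(s in ("met", "open") for s in assess_remediation(tickets, as_of).values())


# Constructed sample findings (not real data) and an assumed assessment date.
SAMPLE_TICKETS = [
    Ticket("SEC-101", "critical", date(2023, 3, 1), date(2023, 3, 10)),
    Ticket("SEC-102", "high", date(2023, 3, 1), date(2023, 4, 15)),
    Ticket("SEC-103", "high", date(2023, 5, 20), None),
    Ticket("SEC-104", "critical", date(2023, 2, 1), None),
    Ticket("SEC-105", "medium", date(2023, 1, 1), None),
]
AS_OF = date(2023, 6, 1)

if __name__ == "__main__":
    for key, status in assess_remediation(SAMPLE_TICKETS, AS_OF).items():
        print(key, status)
    print("control passes:", control_passes(SAMPLE_TICKETS, AS_OF))
```

Run against a real tracker export, the "late" and "overdue" entries are exactly the items an auditor will ask you to explain or show remediation evidence for.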
Security Bulletin Subscriptions:
Typical evidence requests: Screenshots or an observation of the email alerts, Slack RSS subscriptions, or other evidence showing the security bulletins you and your team are subscribed to.
With ByteChek, you can provide screenshots or you can integrate your security bulletins Slack channel with the platform to automatically test this control. The ByteChek Newsletter (subscribe with email or Slack) is a great source to help address this control.
The ByteChek Difference
We started ByteChek with one goal in mind: Make Compliance Suck Less. This blog post covers a small subset of the controls we built our platform to automate and move away from status quo SOC 2 examinations and other framework audits. Automating compliance and eliminating screenshots, document uploads, and generic evidence requests help your team focus on growing and securing your business. Reach out to our team to learn how you can automate compliance and set up a demo of the ByteChek platform.