Unless you work in the audit space directly, you probably don’t get excited about policies and procedures. A SOC 2 examination is an auditors’ dream because you can’t get through a SOC 2 without a deep dive into the policies and procedures in place at your organization. The CC5 series focuses on the policies and procedures documented and in place. This blog post will provide a detailed overview of each criterion, key concepts assessed, typical evidence requests for each criterion, and the ByteChek difference.
Overview of CC5.0 (Control Activities)
CC5.1. CC5.2 and CC5.3
CC5.1 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
CC5.2 The entity also selects and develops general control activities over technology to support the achievement of objectives.
CC5.3 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Key Concepts Assessed in CC5.1. CC5.2 and CC5.3:
Information Security Policies and Procedures
Typical evidence requests Your information security policies and procedures that include approvals and version history. Your auditors may provide templates or websites where you can generate a policy that will sufficiently address this criterion. Be prepared to explain the process or tools used to communicate these policies and procedures to employees (i.e. acknowledged upon hire, stored on internal document repository, etc.). A few key concepts your information security policy should cover are:
Roles and Responsibilities
Human Resources Security
Compliance & Internal Audit
Logging and Monitoring
Software Development Lifecycle
With ByteChek, our platform is built with an intuitive information security policy generator which will help you quickly create a robust and detailed policy. If you already have a policy, you can upload it directly to our platform to address this control. We also take care of the communication to users, your employees can use the ByteChek platform to read and acknowledge their understanding of the information security policy (and other applicable policies and procedures).
Control Self Assessments or Internal Audits:
Typical evidence requests: Provide proof of your most recent control self-assessment or internal audit (must be performed within the past 12 months). The proof is generally the output of a report that includes the date of completion, the individuals that completed the self-assessment, the controls evaluated, their control status, and mitigation strategies for any controls not operating effectively. Due to the sensitive nature of these self-assessments, prepare to review the results, and discuss the details of the internal audit during interviews with your auditors.
With ByteChek, our platform automates the continuous monitoring and evaluation of your controls. The ByteChek platform is continuously assessing your control environment (cloud infrastructure, code repositories, HR tools, etc.) to determine control operating effectiveness and alerting your team when control status changes. We understand that a control self-assessment is not a single point-in-time activity, controls should be continually assessed and evaluated.
Risk Management Policies and Procedures:
Typical evidence requests: You will be required to provide your risk management policies and procedures. Your auditors will be concerned with the contents of the policy some common themes they will look for:
Key risk management procedures such as system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results from the documentation.
Guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.
With ByteChek, our platform is built with an intuitive information security policy generator which will help you quickly create a robust and detailed policy that includes risk management policies and procedures. If you already have a policy, you can upload it directly to our platform to address this control. We also take care of the communication to users, your employees can use the ByteChek platform to read and acknowledge their understanding of the risk management policy (and other applicable policies and procedures).
Typical evidence requests: Excel sheets or observations of GRC tools outlining the identified risks and how the risks were formally assessed with documented treatment plans and assigned risk owners. This risk assessment should be conducted by an appropriate individual in security, governance, or executive roles. You should expect a detailed conversation with your auditors to explain the inputs for the risk assessment and the individuals involved in the process.
With ByteChek, we built an intuitive risk assessment directly into our platform. The Bytechek platform automatically generates a continuous risk register that is based on the information the platform ingested from your business applications (AWS, Splunk, GitHub, BambooHR, etc.). When our platform integrates with these tools we are assessing your controls which are in place to mitigate risks, as the control status changes, your risk posture should change as well. We understand that a risk assessment is not a single point-in-time activity, risks should be continually assessed and evaluated. Your team still owns this risk register and will be required to review the risks, and document any additional risk mitigation strategies but our platform helps you begin the process and update threats in real-time.
Typical evidence requests An output (PDF or Word) of your most recent penetration test report (at least within the last 12 months). Your auditors will confirm the scope of the penetration test, review the methodology utilized by your third-party vendor, and all identified vulnerabilities. Be prepared to provide remediation evidence for any critical or high vulnerabilities identified during the penetration test.
With ByteChek, you will upload the penetration test report directly to the Bytechek platform where our assessors can review the report and communicate via our chat feature about the details. If you utilize JIRA for your remediation tracking, our integration with JIRA allows our team to automatically assess whether the critical or high vulnerabilities identified were remediated within the timeframe specified in your information security policy.
Typical evidence requests: Screenshots or an observation of the email alerts, Slack RSS subscriptions, or other evidence showing the security bulletins you and your team are subscribed to.
With ByteChek, you can provide screenshots or you can integrate your security bulletins Slack channel with the platform to automatically test this control. The Bytechek Newsletter (subscribe with email or Slack) is a great source to help address this control.
The ByteChek Difference
We started ByteChek with one goal in mind: Make Compliance Suck Less. This blog post covers a small subset of the controls we built our platform to automate and move away from status quo SOC 2 examinations and other framework audits. Automating compliance and eliminating screenshots, document uploads, and generic evidence requests help your team focus on growing and securing your business. Reach out to our team to learn how you can automate compliance and set up a demo of the ByteChek platform.