Imagine you are working on your SOC 2 report and trying to ensure you meet the CC1 (Common Criteria) controls. Most of these are met by performing corporate strategy and governance actions in a timely manner. For this, written procedures, recurring agendas, and a checklist will be your greatest asset. CC1 focuses primarily on the Control Environment, which would be your leadership team, your personnel, and your commitment to integrity and ethical values. Since SOC 2 is customizable, there is no set way to meet the criteria, but some of the most common controls can be met by following the best practices listed below.
Your leadership team should be setting the goals, strategy, and performance objectives of your business. On a quarterly basis, they should be reviewing where the company is and where the company is going, creating and adjusting the strategy used to meet the goals, and determining how they will measure success at a high level. This meeting will need to be documented. Documentation should include:
- a list of who attended, including the report of attendees generated by the system if it was held online
- the discussion points
- the decisions made
- the action items
The leadership team should hand down these priorities so that management can execute the plans to meet the objectives. Additionally, this documentation is best kept in a shared folder accessible to the whole leadership team, so it’ll be easy to locate and provide for the audit. Pro tip: You can use risk3sixty’s compliance calendar found within Phalanx to keep track of these meetings and the documentation associated with them!
Human Resources (HR) will likely be responsible for several CC1 controls, so make sure they know what the controls say and what their responsibilities are. These responsibilities often include:
- ensuring job descriptions and responsibilities are written for each position
- organizational chart creation
- making policies available to employees
- ordering and reviewing background checks prior to employee start date
- ensuring the employee handbook is signed by new hires
- verifying security training is completed for new hires and annually thereafter
- ensuring performance reviews are completed
- receiving and responding to complaints
- initiating new hire paperwork and communicating to other responsible parties (e.g., IT).
The organizational chart, policy availability, and job descriptions may be an HR responsibility, but management will need to review the accuracy of these at least annually. The best way to meet this is for management to meet quarterly to review the objectives handed down by the leadership team and then ensure that the correct departments have their action plans and objectives. This meeting should also be documented in a similar manner as the leadership meeting.
At least annually, management should ensure that reporting lines are accurate, policies are reviewed, and that job description updates are sent to HR, based on any changes to the business in the past year.
Using a personnel management system (HRIS) is a best practice for ensuring that hire dates, termination dates, employee types, managers, job titles, and names are maintained and can be provided upon request. The HR system will be the most accurate source for an organization chart. In addition, user access reviews can help keep the organization chart up to date: a listing of all personnel, including their job titles, managers, and current employment status, should be used as the reference for each user access review, and any discrepancies noted during the review should be sent back to HR for correction.
Policies relevant to all personnel should be made available to them either by full company access or group access. Policies are usually communicated through SharePoint, Google Drive, Confluence, or similar systems. Access to policies relevant to subsets of employees should be managed by groups. Individually managing access can create future problems when access is not granted to someone who should have it or not removed from someone who should no longer have it. Pro tip: You can use risk3sixty’s Policies module found within Phalanx to manage policies!
To ensure all personnel are aware of their job responsibilities, it’s a best practice to attach the job descriptions for their roles to their offer letters and promotion documentation (or agreements for contractors or third-party employees). This will allow the business to gather an acceptance of the job responsibilities. Additionally, job descriptions should be made available within the HR portal that employees can access as part of performance reviews (or more often). While security may not be the main responsibility for every employee, every employee has a responsibility for security, so additional responsibilities for security controls should be documented in the security policy so every employee knows what their responsibilities for security are.
HR will likely take most of the responsibility for employee onboarding activities until access provisioning is handed over to IT. A best practice for ensuring that each of the onboarding activities is done in a timely manner is to require them to be completed prior to the employee gaining access to the system. Many can be done prior to the hire start date. A checklist ticket should be utilized to ensure that each step has been completed before the ticket is created for granting user access or providing access to the password manager. To make finding all documentation easier, should you need it for your SOC 2 audit, it’s critical that it be stored together and named appropriately.
After the agreement, including the job description, is signed by new personnel, the next step should be to open the new hire ticket containing the list of required activities before access can be granted. This list should include background check review, signing the employee handbook, completion of security training, and any steps requiring additional team members to be involved.
Background checks should be ordered upon receiving a signed offer letter and reviewed prior to access being granted. By ordering the check upon receipt of the offer letter, management reduces the risk of an incomplete background check preventing the employee from gaining access. By requiring the background check in order to grant access, management prevents the risk of inappropriate access being granted or the background check never being ordered at all.
On the new hire’s first day, they should meet with HR and be required to sign the handbook, which should outline the code of conduct, security, and confidentiality responsibilities, and procedures for submitting complaints or concerns. This information should additionally be available to the personnel through the HR system so that they can go back and review this information on an as-needed basis.
Next, new hires should obtain security and privacy training on threats present to the business. This training should take place as soon as possible as a preventative measure for common security concerns presented by new personnel. Additionally, training should also take place on an annual basis for all personnel. Management may also consider role-specific security training based on common issues faced in each role.
To prevent access from being granted before it is appropriate, management should refrain from creating access until all onboarding activities have been satisfactorily completed. Even granting access to an employee’s email could create trouble if the security training hasn’t been completed (e.g., exposure to phishing attacks). To prevent these issues, HR should send confirmation to the individuals responsible for granting access (likely IT) only after the onboarding activities have taken place. The communication should include the new hire’s name, job title, and manager.
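The two procedures above, gating the provisioning request on completed onboarding steps and reconciling system access against the HRIS listing during a user access review, as an added example (not code from the original post or from Phalanx). The HRIS record shape, the step names, and all people and accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Onboarding activities that must finish before any access is created (names are assumed)
REQUIRED_STEPS = ("background_check_reviewed", "handbook_signed", "security_training_done")

@dataclass
class Person:
    """One HRIS record (constructed shape, not any real HRIS export format)."""
    name: str
    title: str
    manager: str
    status: str                                  # "active" or "terminated"
    completed: set = field(default_factory=set)  # onboarding steps already done

def provisioning_request(person):
    """HR's confirmation to IT (name, title, manager), or None while steps are outstanding."""
    if person.status != "active":
        return None
    if any(step not in person.completed for step in REQUIRED_STEPS):
        return None
    return {"name": person.name, "job_title": person.title, "manager": person.manager}

def access_review(hris, accounts):
    """Reconcile system accounts against the HRIS roster; returns (owner, issue) pairs."""
    roster = {p.name: p for p in hris}
    findings = []
    for acct in accounts:
        p = roster.get(acct["owner"])
        if p is None:
            findings.append((acct["owner"], "no HRIS record; confirm with HR or remove"))
        elif p.status == "terminated":
            findings.append((acct["owner"], "active account for terminated personnel"))
        elif provisioning_request(p) is None:
            findings.append((acct["owner"], "access granted before onboarding completed"))
        elif (acct["title"], acct["manager"]) != (p.title, p.manager):
            findings.append((acct["owner"], "title or manager differs from HRIS; send to HR"))
    return findings

# Constructed sample data: an HRIS roster and the accounts currently present in a system
ALL_STEPS = set(REQUIRED_STEPS)
HRIS = [
    Person("Alice Example", "Engineer", "Dana Lead", "active", ALL_STEPS),
    Person("Bob Example", "Analyst", "Dana Lead", "active", {"background_check_reviewed", "handbook_signed"}),
    Person("Carol Example", "Engineer", "Dana Lead", "terminated", ALL_STEPS),
    Person("Dana Lead", "Director", "Pat Exec", "active", ALL_STEPS),
]
ACCOUNTS = [
    {"owner": "Alice Example", "title": "Engineer", "manager": "Dana Lead"},
    {"owner": "Bob Example", "title": "Analyst", "manager": "Dana Lead"},
    {"owner": "Carol Example", "title": "Engineer", "manager": "Dana Lead"},
    {"owner": "Dana Lead", "title": "Manager", "manager": "Pat Exec"},
    {"owner": "Eve Contractor", "title": "Consultant", "manager": "Dana Lead"},
]
```

Running `access_review(HRIS, ACCOUNTS)` flags Bob (onboarding incomplete), Carol (terminated), Dana (title differs from HRIS) and Eve (no HRIS record), while Alice's account passes; each finding is the kind of item the post says should go back to HR or IT for correction.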
On an annual basis, HR will need to make sure that performance reviews take place and annual security training is completed. Performance reviews should be documented and acknowledged by both employee and manager, to include a review against the job position held by the employee and any improvements requested of the employee. For best results, both performance reviews and security training should be included as company-wide quarterly goals to ensure that all personnel complete them by the end of the quarter.
It is important to know that the term personnel does not refer only to employees. Personnel includes everybody who gains individual access to your company’s systems, such as contractors and third-party employees. Agreements for third-party individuals and contractors should include clauses for each of the personnel compliance controls to ensure that a party is responsible for each. Should your business take on the responsibility for any of these controls with regard to such personnel, you will still need to provide evidence this was done. Pro tip: Try to include a buffer zone to give yourself time to get this done before people gain access to your systems!
Integrity & Ethical Values
To show your commitment to integrity and ethical values, you’ll need to create:
- a code of conduct
- security policies
- confidentiality requirements
- a process for reporting issues
Your new hires will need to sign acknowledgements of these documents.
In addition, you’ll need to follow up on ensuring any complaints are remediated.
Your code of conduct, security policies, and confidentiality requirements should outline actions that are and are not permissible. They should also contain a clause for disciplinary action up to and including termination for noncompliance, and a requirement that personnel report any noncompliance they suspect or know of.
Your process for reporting issues with policy compliance must be clear and easy for readers to understand. For easier tracking of issues, all reported issues of the same type should be submitted to a ticketing system so that a population of these issues can be pulled. If the system takes multiple categories of tickets, tagging should be utilized to ensure a full and complete population can be pulled.
Issues must be responded to in a timely manner by the appropriate party. Remediation should be fully documented, including the steps taken and the conclusion of the issue. Issues should be able to be reviewed later for a full understanding of what occurred and what was done.
These are the best practices for addressing common CC1 controls. By implementing the recommendations, you can help organize common administrative activities, and ensure that you are meeting the requirements of CC1. Make sure to involve the parties most responsible for these actions and help them create checklists, agendas, and procedures that will help them to keep these best practices in place. By keeping your control environment in check, you’ll pave the way for the rest of your controls.