risk3sixty

SOC 2 Controls Spot Check


Purpose
The purpose of this document is to help your organization maintain its SOC 2 program between external audits. The following is a recommended list of controls you should spot check throughout the year to help monitor the operating effectiveness of your SOC 2 program.

Controls
The list below is just an example. Your company will have controls unique to its environment. The goal of this list is to provide an example and help you get started. Please update this list as needed based on your unique control environment.

Columns: # | Topic | Spot Check Procedure | Owner | Status (Owner and Status are left blank in the template for you to fill in.)

1. Employee Handbook
   Review the employee handbook to spot-check that it contains standards for ethical behavior.

2. Code of Conduct & Complaints
   Review the complaint submission system to spot-check that employees and customers have a mechanism in place to submit potential issues to management.
   Review complaint remediation documentation for recent issues submitted during the audit period to spot-check that management remediated the identified issue in accordance with policies and procedures.

3. Employee Agreement
   Review the signed employee agreement for a sample of employees hired during the examination period to spot-check that employees sign an employee agreement as part of their initial terms and conditions of employment.

www.risk3sixty.com
4. Background Checks
   Review the completed background check for a sample of employees hired during the examination period to spot-check that all employees undergo formal screening prior to hire.

5. Security Training
   For a sample of employees onboarded during the examination period, review the completed security and privacy training to spot-check that employees complete security and privacy awareness training within two weeks of being granted systems access.
   For a sample of current employees, review the most recent security and privacy training to spot-check that employees complete security training on an annual basis.

6. Formal Disciplinary Process
   Review the Company's standards of conduct to spot-check that the Company defines a formal disciplinary process for instances of noncompliance with the standards of conduct related to security and privacy (if Privacy is in scope), including disciplinary measures up to and including termination.

7. Quarterly Strategy Meeting
   Review top-level management meeting minutes for a sample of quarterly meetings during the examination period to spot-check that top-level management meets at least quarterly to review the Company strategy, goals, and performance objectives.

8. Performance Reviews
   Review the completed performance review for a sample of current employees to spot-check that management and employees complete performance reviews at least annually, and whether management evaluates performance reviews to ensure that each employee's goals and performance are in alignment with business objectives.

9. Org Chart
   Review the Company's organizational chart and associated revision history to spot-check that the Company maintains an organizational and management reporting structure that aligns with business objectives, and whether the organizational chart was _<for small orgs>_ updated by management upon significant changes to the Company's organizational structure _<or, for large orgs>_ updated automatically within the HRIS.

10. Job Descriptions
   Review job descriptions for a sample of current employees to spot-check that responsibilities for the roles were documented.
   Review the Company's job description document repository to spot-check that job descriptions were available to managers and supervisors.

11. Control Monitoring Responsibility & Review
   Review the Company's Information Security Policy to spot-check that the Company has designated the [job title] as responsible for monitoring controls and security commitments.
   Review assessment results for the internal and external security assessments completed during the examination period to spot-check that the Company performs internal and external security assessments.
   Review meeting minutes for a sample of management meetings to spot-check that assessment results are reviewed by top-level management.
   Review remediation documentation of issues identified as a result of internal and external security assessments to spot-check that the identified items were tracked to final remediation.

12. System Monitoring Tools
   Review the alert configuration settings for the Company's system monitoring tools to spot-check that utilities were configured to monitor and report on system performance.

13. Reporting Mechanisms & User-Submitted Issues
   Review the reporting mechanisms for internal and external system users to spot-check that reporting mechanisms are in place for processing and responding to security incidents and compliance concerns.
   Review the remediation documentation for a sample of incidents and compliance concerns submitted by internal and external system users during the examination period to spot-check that issues submitted by internal and external system users are reviewed and prioritized by management, and whether prioritized issues are tracked to final remediation.

14. System Logging (Optional Control)
   Review the logging solution configuration settings to spot-check that it collects and retains system and application logs for at least one year, whether logs are immutable, and whether alerting is configured to notify responsible personnel based upon predefined thresholds.
   Review the log solution's user access listing to spot-check that access is restricted to appropriate individuals.

15. Security Policies
   Review the Company's policies and procedures to spot-check that the policies and procedures communicate objectives and responsibilities for internal control, necessary to support the function of internal control.
   Review the Company's policy document repository to spot-check that policies and procedures were made available to employees in the Company's policy document repository.

16. Customer Agreements
   Review the customer agreement for a sample of customers onboarded during the examination period to spot-check that customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are contained therein.

17. System Descriptions
   Review system description documentation made available to external users to spot-check that an accurate system description is made available to authorized external users.
   Review the customer onboarding documentation for a sample of customers onboarded during the examination period to spot-check that documentation of the system description is made available to new customers in customer onboarding documentation.

18. Security & Privacy Commitments
   Review the security and privacy commitments posted on the Company website to spot-check that relevant security and privacy commitments were made available to relevant parties.

19. Security Commitment Change Notification
   Review communication to stakeholders for a sample of security commitment changes during the examination period to spot-check that impacted stakeholders were informed of the changes.

20. Risk Management Process
   Review the Company's risk management policies and annual risk assessment results to spot-check that the Company has defined and implemented a risk management process, overseen by top-level management, that includes identification of risks, the process for evaluating risks based upon identified threats, likelihood, and impact, and the Company's specified risk treatment plans.
   Review the results of the annual risk assessment to spot-check that the Company completed a formal risk assessment within the past year.

21. Third-Party Risk Management Program
   Review the Company's vendor management policy to spot-check that a third-party risk management program has been established to collect, track, and manage third-party security controls based upon the risk presented to the business.
   Review the vendor assessments for a sample of third-party service providers active during the examination period to spot-check that the Company conducts annual assessments of its service providers.
   Review remediation documentation for a sample of issues identified during the vendor assessments to spot-check that any issues identified during the assessment are tracked through to remediation.

22. Access to Sensitive Information
   Review the individual user access permissions for a sample of users with system roles granting the user access to sensitive information to spot-check that the individual's access was appropriate based on job function, active employment with the Company, and confirmation with management.

23. Management Reviews Potential Changes
   Review the annual management review and risk assessment to spot-check that top-level management formally reviewed the results of potential changes to the business, technology, and regulatory environment, including with legal counsel and consultancies as needed.

24. Internal Vulnerability Scans
   Review the vulnerability scan result for a sample of quarters during the examination period to spot-check that the Company performs internal vulnerability scans of the system at least quarterly.
   Review the remediation documentation for a sample of issues of medium criticality or above found in the vulnerability scans to spot-check that management assesses and prioritizes the results of the scans and tracks identified issues to final remediation.

25. External Penetration Tests
   Review the penetration test result to spot-check that the Company engages a third party to perform external penetration tests of the system on an annual basis.
   Review the remediation documentation for a sample of issues of medium criticality or above found in the annual penetration test to spot-check that management assesses and prioritizes the results of the penetration test and tracks identified issues to final remediation.

26. Internal Control System
   Review management's written system of internal control to spot-check that top-level management has implemented a system of internal control based upon a framework such as ISO 27001, NIST, CIS Top 18, or similar best practices.
   Review the annual management review of the internal control environment to spot-check that the internal control environment is reviewed and updated at least annually.

27. Physical Access
   Review the facility entrances to spot-check that all entrances and exits are physically restricted with key card access.
   Review the system-generated listing of individuals with physical access to the facility to spot-check that only appropriate individuals have access to the facility based on job function, active employment with the Company, and confirmation with management.

28. IT Asset Inventory
   Review the IT asset inventory to spot-check that the Company maintains an up-to-date and complete inventory of information technology assets and asset owners.

29. Firewall ACLs
   Review the Company's network diagram to identify areas where the Company's perimeter is separated from the public-facing internet via firewall.
   Review the firewall ruleset to spot-check that the network perimeter is controlled with firewalls configured to prevent access based on pre-defined access control lists.
   Review the firewall notification configuration settings to spot-check that firewalls monitor the network and whether network administrators receive notification of issues detected by the system based on pre-defined alert thresholds.

30. Logical Segmentation
   Review the Company's access control lists (ACLs) to spot-check that the Company has logically segmented the system so that unrelated portions of the information system are isolated from each other.
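The ruleset and segmentation checks in rows 29 and 30 are easier to repeat throughout the year when they run against a ruleset export rather than a screen-by-screen review. The following Python script is an added example written for this page, not risk3sixty's tooling; the zones, isolated-zone pairs, administrative port list, and ruleset it contains are constructed sample data, and the tests it applies (an explicit default deny as the final rule, no any-to-any allow, no internet source reaching a non-DMZ zone, no administrative port exposed to the internet, no rule bridging zones the design says are isolated) are assumptions about what "pre-defined access control lists" should enforce, not criteria stated on the page.

```python
import ipaddress

# Constructed sample network zones and ruleset for illustration (not from the page).
ZONES = {
    "dmz": ["203.0.113.0/24"],
    "corp": ["10.10.0.0/16"],
    "prod-app": ["10.20.0.0/24"],
    "prod-db": ["10.20.1.0/24"],
}
# Zone pairs the segmentation design says must not talk to each other directly (row 30).
ISOLATED_PAIRS = {frozenset(("corp", "prod-db"))}
ADMIN_PORTS = {22, 3389}
ANY = "0.0.0.0/0"

# Rules in evaluation order: (action, source CIDR, destination CIDR, protocol, destination port).
RULESET = [
    ("allow", ANY, "203.0.113.0/24", "tcp", 443),            # internet -> DMZ web: expected
    ("allow", ANY, "10.20.0.0/24", "tcp", 22),               # internet -> prod SSH: perimeter gap
    ("allow", "10.10.0.0/16", "10.20.1.0/24", "tcp", 5432),  # corp -> prod DB: bridges isolated zones
    ("allow", "10.20.0.0/24", "10.20.1.0/24", "tcp", 5432),  # app -> DB: expected
    ("allow", ANY, ANY, "any", "any"),                       # catch-all allow shadows the deny below
    ("deny", ANY, ANY, "any", "any"),                        # explicit default deny
]


def zone_of(cidr):
    """Map a CIDR to the zone that contains it; 0.0.0.0/0 is treated as 'internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    for name, members in ZONES.items():
        if any(net.subnet_of(ipaddress.ip_network(m)) for m in members):
            return name
    return "unknown"


def review_ruleset(rules):
    """Return (rule_number, finding) pairs; rule_number 0 marks a ruleset-wide finding."""
    findings = []
    last = rules[-1]
    if not (last[0] == "deny" and last[1] == ANY and last[2] == ANY and last[4] == "any"):
        findings.append((0, "final rule is not an explicit default deny"))
    for number, (action, src, dst, _proto, port) in enumerate(rules, start=1):
        if action != "allow":
            continue
        if src == ANY and dst == ANY and port == "any":
            findings.append((number, "permits any-to-any traffic; later deny rules are unreachable"))
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == "internet" and dst_zone != "dmz":
            findings.append((number, f"internet reaches {dst_zone} directly, bypassing the DMZ"))
        if src_zone == "internet" and (port == "any" or port in ADMIN_PORTS):
            findings.append((number, f"administrative port {port} exposed to the internet"))
        if frozenset((src_zone, dst_zone)) in ISOLATED_PAIRS:
            findings.append((number, f"bridges isolated zones {src_zone} -> {dst_zone}"))
    return findings


if __name__ == "__main__":
    for number, finding in review_ruleset(RULESET):
        print(f"rule {number}: {finding}")
```

The findings list is the evidence for the spot check: an empty list supports a "no exceptions" status, and each entry names the rule an owner must justify or remove. Extend `ZONES` and `ISOLATED_PAIRS` from the network diagram reviewed in the first procedure of row 29 so the segmentation test reflects the Company's actual design.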
31. Remote Access
   Review the network authentication configuration settings and system-generated list of users with remote access to the Company's network to spot-check that remote access to the Company's network is limited via MFA to only appropriate individuals based on job function, active employment with the Company, and confirmation with management.
   Review the production infrastructure authentication configuration settings and system-generated list of users with remote access to the Company's production infrastructure components to spot-check that remote access to the Company's system infrastructure is limited via MFA to only appropriate individuals based on job function, active employment with the Company, and confirmation with management.

32. Admin Access to Critical Systems
   Review the system-generated list of users with administrative access to all critical systems (network, cloud, etc.) to spot-check that administrative-level access to the Company's network is limited to appropriate individuals based on job function, current employment with the Company, and confirmation with management.

33. Admin Access to Production Infrastructure
   Review the system-generated list of users with administrative access to all critical systems (databases, critical infrastructure, servers, etc.) to spot-check that administrative-level access to the Company's system is limited to appropriate individuals based on job function, current employment with the Company, and confirmation with management.

34. Generic/Shared Accounts
   Review the system-generated list of individuals with access to the generic and shared account credentials repository (secrets management system) to spot-check that access to generic and shared accounts is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management.

35. Key Management System
   Review the Company's key management system to spot-check that sensitive authentication data, such as service accounts and encryption keys, is stored in a key management system.
   Review the system-generated list of individuals with access to the key management system to spot-check that access to sensitive authentication data is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management.

36. Unique Username & Password
   Review a user login to the Company's network to spot-check that access to the Company's systems requires a unique username and password.

37. Password Complexity Standards
   Review the Company's password complexity configuration settings to spot-check that password complexity standards are enforced.
   Review whether MFA is required.

38. Laptop Encryption
   Review the hard drive encryption settings for a sample of laptops with access to the Company's network to spot-check that all laptops with access to the Company's network are configured to enforce hard drive encryption.

39. Database Encryption
   Review the database configuration settings for a sample of databases from the sensitive data inventory to spot-check that all data classified as potentially sensitive is encrypted at the database level while at rest.

40. Data in Transit Encryption
   Review the Company's data flow diagram to identify areas of data in transit, and for a sample of data transit mechanisms, review the data transfer mechanism configuration settings to spot-check that data in transit is encrypted.

41. Access to Modify Data Transmission Protocols
   Review the employee log and inquire of management for a sample of users with access to modify data transmission protocols to spot-check that all users had appropriate access based on job function, current employment status, and inquiry with management.

42. New User Access Provisioning
   For a sample of employees hired during the examination period, review management approvals and current access levels within the system to spot-check that management approves and provisions new user access based upon the user's job function and business need prior to granting the user access to the system.

43. Terminated User Removal
   Review the termination documentation and current access levels within the system for a sample of users terminated during the examination period to spot-check that management removed terminated users' access on or before their termination date.

44. User Access Review
   Review the user access reviews for a sample of quarters during the examination period to spot-check that management performed a periodic user access review of all systems at least quarterly.
   Review the remediation documentation for a sample of issues noted in the sampled access reviews to spot-check that management tracks identified issues to remediation.
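Rows 22, 32 through 35, 42, 43 and 44 all test the same three things about an account: that it belongs to someone currently employed, that its roles fit the person's job function, and that terminated users lost access no later than their termination date, with row 44 adding the requirement that the review itself happens every quarter. The following Python script is an added example written for this page, not risk3sixty's tooling; the HR roster, approved role matrix, and access export it uses are constructed sample data, and the idea of encoding "appropriate based on job function" as a job-title-to-roles matrix is an assumption about how a Company would record management's approval, not something the page prescribes.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): HR roster, approved role matrix, and
# a system access export of the kind a spot check pulls from the IdP or application.
ROSTER = {
    "E100": {"status": "active", "title": "SRE", "term_date": None},
    "E101": {"status": "terminated", "title": "Developer", "term_date": date(2024, 3, 15)},
    "E102": {"status": "terminated", "title": "Analyst", "term_date": date(2024, 5, 1)},
    "E103": {"status": "active", "title": "Developer", "term_date": None},
}
# Roles management has confirmed as appropriate for each job function.
ROLE_MATRIX = {
    "SRE": {"prod-admin", "vpn"},
    "Developer": {"repo-write", "vpn"},
    "Analyst": {"reporting"},
}
ACCESS_EXPORT = [
    {"user": "ada", "emp": "E100", "roles": {"prod-admin", "vpn"}, "disabled_on": None},
    {"user": "bo", "emp": "E101", "roles": {"repo-write"}, "disabled_on": date(2024, 3, 20)},
    {"user": "cy", "emp": "E102", "roles": {"reporting"}, "disabled_on": None},
    {"user": "di", "emp": "E103", "roles": {"repo-write", "prod-admin"}, "disabled_on": None},
    {"user": "svc-legacy", "emp": None, "roles": {"prod-admin"}, "disabled_on": None},
]


def review_access(roster, role_matrix, access_export):
    """Return (username, exception) pairs for accounts that fail the appropriateness tests."""
    exceptions = []
    for acct in access_export:
        person = roster.get(acct["emp"]) if acct["emp"] else None
        if person is None:
            exceptions.append((acct["user"], "no matching employee record; ownership unconfirmed"))
            continue
        if person["status"] == "terminated":
            if acct["disabled_on"] is None:
                exceptions.append((acct["user"], f"still enabled after termination on {person['term_date']}"))
            elif acct["disabled_on"] > person["term_date"]:
                lag = (acct["disabled_on"] - person["term_date"]).days
                exceptions.append((acct["user"], f"access removed {lag} days after termination"))
            continue
        extra = acct["roles"] - role_matrix.get(person["title"], set())
        if extra:
            exceptions.append((acct["user"], f"roles outside job function {person['title']}: {sorted(extra)}"))
    return exceptions


def quarters_without_review(start, end, review_dates):
    """List (year, quarter) tuples inside [start, end] with no dated review evidence (row 44)."""
    def quarter(d):
        return (d.year, (d.month - 1) // 3 + 1)
    covered = {quarter(d) for d in review_dates if start <= d <= end}
    expected, cursor = [], start
    while cursor <= end:
        if quarter(cursor) not in expected:
            expected.append(quarter(cursor))
        cursor = (cursor.replace(day=1) + timedelta(days=32)).replace(day=1)  # first day of next month
    return [q for q in expected if q not in covered]


if __name__ == "__main__":
    for user, issue in review_access(ROSTER, ROLE_MATRIX, ACCESS_EXPORT):
        print(f"{user}: {issue}")
    print("quarters missing a review:",
          quarters_without_review(date(2024, 1, 1), date(2024, 12, 31),
                                  [date(2024, 2, 10), date(2024, 5, 20), date(2024, 11, 2)]))
```

Running the same script against the export for each system in scope (network, cloud, databases, the secrets repository, the key management system) turns rows 32 through 35 into one repeatable check; each exception is a line item for the remediation documentation that row 44's second procedure asks for.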
45. Visitor Sign-Ins
   Review the visitor logs to spot-check that visitors were signed in by authorized personnel before gaining access to the facility.
   Review visitors being escorted by employees within the Company's facilities to spot-check that visitors were escorted at all times.

46. Data Destruction
   Review the Company's Data Destruction Policy to spot-check that it requires that all media containing sensitive data, including electronic, hardcopy, and photocopy, be destroyed when it is no longer needed for business or legal reasons.
   For a sample of media destructions that occurred during the examination period, review records of destruction to spot-check that media containing sensitive data is destroyed in accordance with the Data Destruction Policy.

47. Remote Access MFA
   Review the remote access authentication configuration settings to spot-check that remote access to the Company's network and system infrastructure requires a unique username, password, and one-time multi-factor authentication code to authenticate.

48. Removable Media Policy
   Review the Company's security policy to spot-check that the Company's security policy prohibits the use of removable media storage without prior approval from management.

49. Mobile Device Management (MDM) Tools
   Review the MDM software configuration settings to spot-check that the Company has implemented MDM tools that enforce mobile device hardening and can remotely wipe devices, if needed.
   Review the MDM solution dashboard to spot-check that the number of devices protected by the MDM solution is equal to the number of devices in the Company's asset inventory.

50. Antivirus Software
   Review the antivirus solution dashboard to spot-check that antivirus software is configured to be installed on workstations and laptops supporting the system.
   Review the installed software on a sample of workstations and laptops supporting the system to spot-check that antivirus software is installed on workstations and laptops supporting the system.
   Review the installed software on a sample of servers supporting the system to spot-check that antivirus software is installed on servers supporting the system.

51. Antivirus Daily Updates
   Review the antivirus configuration settings to spot-check that antivirus software was configured to receive an updated virus signature at least daily.
   Review the antivirus solution's configuration settings to spot-check that the system was configured to send network operations personnel a report of devices that have not been updated in more than 24 hours and whether management follows up on those devices.
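Rows 49, 50 and 51 are reconciliations: the MDM and antivirus consoles should each cover exactly the devices in the asset inventory (row 28), and any agent whose signatures are older than 24 hours belongs on the follow-up report. Comparing counts, as row 49 describes, can hide a device missing from one list and an unknown device present in the other, so the following Python script compares the sets in both directions. It is an added example written for this page, not risk3sixty's tooling; the inventory, MDM enrollment list, and agent export with last-update timestamps are constructed sample data, and the decision to expect MDM enrollment only for laptops and workstations while expecting antivirus on every inventoried host is an assumption, not a rule from the page.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): the asset inventory, the MDM enrollment
# export, and the antivirus console's agent export with each host's last signature update.
ASSET_INVENTORY = {
    "lap-01": "laptop", "lap-02": "laptop", "wks-01": "workstation",
    "srv-01": "server", "srv-02": "server",
}
MDM_ENROLLED = {"lap-01", "wks-01"}
AV_AGENTS = {
    "lap-01": datetime(2024, 6, 10, 8, 0),
    "lap-02": datetime(2024, 6, 8, 20, 0),   # signatures older than 24 hours
    "wks-01": datetime(2024, 6, 10, 6, 30),
    "srv-01": datetime(2024, 6, 10, 7, 45),
    "srv-03": datetime(2024, 6, 10, 7, 0),   # reports to the console but is not in the inventory
}
# Assumption: MDM is expected on end-user devices only; antivirus on every inventoried host.
END_USER_TYPES = {"laptop", "workstation"}


def coverage_gaps(inventory, mdm_enrolled, av_agents):
    """Reconcile protection tooling against the asset inventory in both directions."""
    end_user = {host for host, kind in inventory.items() if kind in END_USER_TYPES}
    return {
        "missing_mdm": sorted(end_user - mdm_enrolled),
        "missing_av": sorted(set(inventory) - set(av_agents)),
        "unknown_to_inventory": sorted((set(av_agents) | mdm_enrolled) - set(inventory)),
    }


def stale_signatures(av_agents, now, max_age=timedelta(hours=24)):
    """Hosts whose last signature update is older than max_age (the row 51 follow-up report)."""
    return sorted(host for host, updated in av_agents.items() if now - updated > max_age)


if __name__ == "__main__":
    now = datetime(2024, 6, 10, 9, 0)
    print(coverage_gaps(ASSET_INVENTORY, MDM_ENROLLED, AV_AGENTS))
    print("stale signatures:", stale_signatures(AV_AGENTS, now))
```

A host in `unknown_to_inventory` is a finding against row 28 as much as against rows 49 and 50, since the inventory is what every other coverage check is measured against.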
52. Infrastructure & Configuration Change Management
   Review the Company's Configuration Management Policy to spot-check that the Company has implemented a standard process to make changes to the Company's applications, IT systems, and configurations.
   Review the Company's configuration change management procedure to spot-check that the Company enforces the process required to make changes to the Company's applications, IT systems, and configurations.

53. Detection & Monitoring Tools
   Review the configuration and alert settings of the change detection and monitoring tools to spot-check that the Company has implemented detection and monitoring tools to identify anomalies, including potential changes to configurations that introduce new vulnerabilities as well as susceptibility to newly discovered vulnerabilities, and to spot-check that the tool is configured to send alerts to Management based on pre-defined thresholds.
   Review remediation documentation for a sample of system configuration alerts to spot-check that management tracked identified issues to final remediation.

54. Infrastructure & Software Hardening Standards
   Review the infrastructure and software hardening standards to spot-check that management has established standards for hardening infrastructure and software assets and for configuring key system components and infrastructure.

55. IDS/IPS
   Review the Company's Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) configuration settings to spot-check that the solution is in place to monitor the Company's network and whether it alerts the security team based on pre-defined thresholds.
   For a selected sample of confirmed security issues reported by the IDS/IPS during the examination period, review issue documentation to spot-check that security issues are tracked to remediation.

56. Incident Management
   Review the Company's incident management and response policy to spot-check that management has implemented an incident management and response policy that outlines the requirements for responding to anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.

57. Incident Remediation
   Review the remediation documentation for a sample of security incidents that occurred during the examination period to spot-check that security events are documented, reviewed, and evaluated by the security team and whether management conducted a root cause analysis.
58. Incident Communication
   Review the incident management policy to spot-check that the policy defines requirements for the communication of security incidents to the impacted parties.
   Review Company communication to impacted stakeholders for a sample of security incidents that occurred during the examination period to spot-check that security incidents were communicated to the impacted parties per the incident management policy.

59. BCP & DR
   Review the business continuity plan and disaster recovery plan to spot-check that the Company has established a business continuity plan and a disaster recovery plan which have been reviewed in the previous 12 months.
   Review the results of the business continuity and disaster recovery plan test to spot-check that the Company tests the business continuity plan and disaster recovery plan on an annual basis.

60. System Backups
   Review the Company's backup configuration settings to spot-check that the Company performs incremental backups of its critical information systems on a <daily> basis, full backups on at least a <weekly> basis, and whether IT management is alerted in the case of a backup failure.
   Review remediation documentation for a selected sample of backup failures that occurred during the examination period to spot-check that IT management took action to remediate failed backups.

61. Change Management Procedure
   Review the change management policies and procedures to spot-check that management has implemented a change management policy that outlines the requirements for authorization, design, development, configuration, documentation, testing, approval, and implementation of changes to infrastructure, data, and software.

62. Separate Environments
   Review the configuration settings for the development, staging, and production environments to spot-check that separate environments are used for development, staging, and production.
   Review access control permissions for the staging and production environments to spot-check that developers are prohibited from making changes to software in staging or production.

63. Change Review
   Review the change management documentation for a sample of changes promoted into production during the examination period to spot-check that all system changes are tested, reviewed, and approved prior to implementation to the production environment.

64. Source Code Scanning
   Review the source code scanning configurations to spot-check that the scanning tool is configured to automatically scan application source code for vulnerabilities prior to promotion into the production environment.
   Review the change tickets for a sample of application source code changes to spot-check that source code scanning was performed on each application source code change, and whether each critical vulnerability identified was remediated prior to promotion into the production environment.

65. Version Control Software
   Review the version control software dashboard to spot-check that version control software is in place to manage current versions of source code.
   Review the commit log history to spot-check that commit logs of all changes to source code libraries are maintained.

66. Source Code Access
   Review the system-generated list of individuals with access to make changes to source code to spot-check that access to make changes to source code is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management.

67. Source Code Promotion Access
   Review the system-generated list of individuals with access to promote source code to production to spot-check that access to promote source code to the production environment is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management.

68. Production Promotion Alerts
   Review the configuration settings for the Company's production promotion alerting tool to spot-check that automated alerts are in place to notify management when changes are promoted to the production environment.

69. Monthly Change Review (If no Automated Production Alerting is in Place)
   Review review documentation for a sample of monthly change review meetings during the examination period to spot-check that changes promoted to the production environment are reviewed by management on at least a monthly basis to verify that each change was authorized, approved, and that no changes were developed and promoted by the same individual.
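The sampled-change tests in rows 63, 64 and 69 (tested, reviewed and approved before implementation; scanned with critical findings remediated before promotion; authorized; not developed and promoted by the same individual) reduce to a handful of comparisons between fields on each change record. The following Python script is an added example written for this page, not risk3sixty's tooling; the change records it evaluates are constructed sample data, and the field names (`author`, `reviewer`, `approver`, `deployer`, `scan`, `approved_at`, `deployed_at`) are assumptions about what a ticketing system and deployment pipeline export would contain, not identifiers from the page.

```python
from datetime import datetime

# Constructed sample change records (not from the page), as a ticketing system and
# deployment pipeline might export them: who wrote, reviewed, approved, and deployed
# each change, whether tests passed, and the source code scan status at promotion.
CHANGES = [
    {"id": "CHG-1", "ticket": "T-101", "author": "ada", "reviewer": "bo", "approver": "cy",
     "deployer": "ci-bot", "tests_passed": True, "scan": "clean",
     "approved_at": datetime(2024, 4, 1, 9), "deployed_at": datetime(2024, 4, 1, 11)},
    {"id": "CHG-2", "ticket": "T-102", "author": "bo", "reviewer": "ada", "approver": "bo",
     "deployer": "ci-bot", "tests_passed": True, "scan": "clean",
     "approved_at": datetime(2024, 4, 2, 9), "deployed_at": datetime(2024, 4, 2, 10)},
    {"id": "CHG-3", "ticket": "T-103", "author": "cy", "reviewer": "ada", "approver": "bo",
     "deployer": "cy", "tests_passed": True, "scan": "clean",
     "approved_at": datetime(2024, 4, 3, 9), "deployed_at": datetime(2024, 4, 3, 10)},
    {"id": "CHG-4", "ticket": None, "author": "ada", "reviewer": "bo", "approver": "cy",
     "deployer": "ci-bot", "tests_passed": False, "scan": "clean",
     "approved_at": datetime(2024, 4, 4, 9), "deployed_at": datetime(2024, 4, 4, 10)},
    {"id": "CHG-5", "ticket": "T-105", "author": "ada", "reviewer": "bo", "approver": "cy",
     "deployer": "ci-bot", "tests_passed": True, "scan": "critical-open",
     "approved_at": datetime(2024, 4, 5, 12), "deployed_at": datetime(2024, 4, 5, 10)},
]


def review_changes(changes):
    """Return (change id, exception) pairs for changes that fail the review criteria."""
    exceptions = []
    for c in changes:
        issues = []
        if not c["ticket"]:
            issues.append("no change ticket (authorization not evidenced)")
        if not c["tests_passed"]:
            issues.append("no passing test evidence")
        if c["reviewer"] == c["author"]:
            issues.append("reviewed by the author")
        if c["approver"] == c["author"]:
            issues.append("approved by the author")
        if c["deployer"] == c["author"]:
            issues.append("developed and promoted by the same individual")
        if c["approved_at"] > c["deployed_at"]:
            issues.append("approval recorded after deployment")
        if c["scan"] != "clean":
            issues.append(f"source code scan status '{c['scan']}' at promotion")
        exceptions.extend((c["id"], issue) for issue in issues)
    return exceptions


def changes_by_author(changes):
    """Count changes per author, a quick view of whether one individual dominates promotions."""
    counts = {}
    for c in changes:
        counts[c["author"]] = counts.get(c["author"], 0) + 1
    return counts


if __name__ == "__main__":
    for change_id, issue in review_changes(CHANGES):
        print(f"{change_id}: {issue}")
    print(changes_by_author(CHANGES))
```

Where the production promotion alerting of row 68 is in place, each alert can be matched to a record in this export; a deployment with an alert but no change record is itself an exception for the monthly review.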
70. Insurance Policies
   Review the Company's certificate of insurance to spot-check that insurance policies are utilized to transfer risk as part of the Company's risk management strategy.

71. Vendor Risk Management Procedure
   Review the vendor management policies and procedures to spot-check that the Company has implemented a vendor risk management policy that provides guidance in managing risks associated with vendors and business partners.

72. MSAs with Vendors
   Review the signed MSA for a sample of vendors onboarded during the examination period to spot-check that MSAs are established to help define third-party requirements for maintaining security and related regulatory and policy commitments.
   Review whether a vendor security risk assessment was performed.
