SOC 2 Controls Spot Check

Controls

The list below is just an example. Your company will have controls unique to its environment. The goal of this list is to provide an example and help you get started.

Please update this list as needed based on your unique control environment.

www.risk3sixty.com
risk3sixty

| # | Topic | Spot Check Procedure | Owner | Status |
|---|---|---|---|---|
| 4 | Background Checks | Review the completed background check for a sample of employees hired during the examination period to spot-check that all employees undergo formal screening prior to hire. | | |
| 5 | Security Training | For a sample of employees onboarded during the examination period, review the completed security and privacy training to spot-check that employees complete security and privacy awareness training within two weeks of being granted systems access. For a sample of current employees, review the most recent security and privacy training to spot-check that employees complete security training on an annual basis. | | |
| 6 | Formal Disciplinary Process | Review the Company's standards of conduct to spot-check that the Company defines a formal disciplinary process for instances of noncompliance with the standards of conduct related to security and privacy (if Privacy is in scope), to include disciplinary measures up to and including termination. | | |
| 7 | Quarterly Strategy Meeting | Review top-level management meeting minutes for a sample of quarterly meetings during the examination period to spot-check that top-level management meets at least quarterly to review the Company strategy, goals, and performance objectives. | | |
| 8 | Performance Reviews | Review the completed performance review for a sample of current employees to spot-check that management and employees complete performance reviews at least annually, and if performance reviews are evaluated by management to ensure that each employee's goals and performance are in alignment with business objectives. | | |
| 9 | Org Chart | Review the Company's organizational chart and associated revision history to spot-check that the Company maintains an organizational and management reporting structure that aligns with business objectives and if the organizational chart was _<for small orgs>_ updated by management upon significant changes to the Company's organizational structure. _<or, for large orgs>_ updated automatically within the HRIS. | | |
| 10 | Job Descriptions | Review job descriptions for a sample of current employees to spot-check that responsibilities for the roles were documented. | | |
| | | Review assessment results for the internal and external security assessments completed during the examination period to spot-check that the Company performs internal and external security assessments. | | |
| 13 | Reporting Mechanisms & User-Submitted Issues | Review the reporting mechanisms for internal and external system users to spot-check that reporting mechanisms are in place for processing and responding to security incidents and compliance concerns. | | |
| | | Review the log solution's user access listing to spot-check that access is restricted to appropriate individuals. | | |
| 15 | Security Policies | Review the Company's policies and procedures to spot-check that the policies and procedures communicate objectives and responsibilities for internal control, necessary to support the function of internal control. | | |
| 17 | System Descriptions | Review system description documentation made available to external users to spot-check that an accurate system description is made available to authorized external users. | | |
| | | Review the results of the annual risk assessment to spot-check that the Company completed a formal risk assessment within the past year. | | |
| 21 | Third-Party Risk Management Program | Review the Company's vendor management policy to spot-check that a third-party risk management program has been established to collect, track, and manage third-party security controls based upon the risk presented to the business. | | |
| 25 | External Penetration Tests | Review the penetration test result to spot-check that the Company engages a third party to perform external penetration tests of the system on an annual basis. | | |
| | | Review the system generated listing of individuals with physical access to the facility to spot-check that only appropriate individuals have access to the facility based on job function, active employment with the Company, and confirmation with management. | | |
| 28 | IT Asset Inventory | Review the IT asset inventory to spot-check that the Company maintains an up-to-date and complete inventory of information technology assets and asset owners. | | |
| 29 | Firewall ACLs | Review the Company's network diagram to identify areas where the Company's perimeter is separated from the public-facing internet via firewall. | | |
| 33 | Admin Access to Production Infrastructure | Review the system generated list of users with administrative access to all critical systems (databases, critical infrastructure, servers, etc.) to spot-check that administrative level access to the Company's system is limited to appropriate individuals based on job function, current employment with the Company, and confirmation with management. | | |
| 34 | Generic/Shared Accounts | Review the system generated list of individuals with access to the generic and shared account credentials repository (secrets management system) to spot-check that access to generic and shared accounts is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management. | | |
| 35 | Key Management System | Review the Company's key management system to spot-check that sensitive authentication data, such as service accounts and encryption keys, is stored in a key management system. Review the system generated list of individuals with access to the key management system to spot-check that access to sensitive authentication data is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management. | | |
| 36 | Unique Username & Password | Review a user login to the Company's network to spot-check that access to the Company's systems requires a unique username and password. | | |
| 37 | Password Complexity Standards | Review the Company's password complexity configuration settings to spot-check that password complexity standards are enforced. | | |
| 40 | Data in Transit Encryption | Review the Company's data flow diagram to identify areas of data in transit, and for a sample of data transit mechanisms, review the data transfer mechanism configuration settings to spot-check that data in transit is encrypted. | | |
| 41 | Access to Modify Data Transmission Protocols | Review the employee log and inquire of management for a sample of users with access to modify data transmission protocols to spot-check that all users had appropriate access based on job function, current employment status, and inquiry with management. | | |
| 42 | New User Access Provisioning | For a sample of employees hired during the examination period, review management approvals and current access levels within the system to spot-check that management approves and provisions new user access based upon the user's job function and business need prior to granting the user access to the system. | | |
| 43 | Terminated User Removal | Review the termination documentation and current access levels within the system for a sample of users terminated during the examination period to spot-check that management removed terminated users' access on or before their termination date. | | |
| 44 | User Access Review | Review the user access reviews for a sample of quarters during the examination period to spot-check that management performed a periodic user access review of all systems at least quarterly. | | |
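The three access-management checks above (42, 43 and 44) are the ones most often automated by reconciling an HR roster export against a system's access listing. The script below is an added example, not part of the risk3sixty checklist; the record fields (`status`, `term_date`, `granted`, `disabled`, `approved_by`) and the sample rows are constructed assumptions rather than any real HRIS or IdP schema.

```python
from datetime import date

# Constructed sample evidence: an HR roster export and a system access listing.
# Field names are assumptions for illustration, not a real HRIS/IdP export format.
HR_ROSTER = [
    {"user": "alice", "status": "active",     "term_date": None},
    {"user": "bob",   "status": "terminated", "term_date": date(2024, 3, 15)},
    {"user": "carol", "status": "terminated", "term_date": date(2024, 4, 2)},
    {"user": "dave",  "status": "active",     "term_date": None},
]
ACCESS_LISTING = [
    {"user": "alice",   "enabled": True,  "granted": date(2024, 2, 1),  "disabled": None,             "approved_by": "mgr1"},
    {"user": "bob",     "enabled": False, "granted": date(2023, 5, 9),  "disabled": date(2024, 3, 15), "approved_by": "mgr1"},
    {"user": "carol",   "enabled": True,  "granted": date(2022, 1, 3),  "disabled": None,             "approved_by": "mgr2"},
    {"user": "dave",    "enabled": True,  "granted": date(2024, 5, 20), "disabled": None,             "approved_by": None},
    {"user": "svc_old", "enabled": True,  "granted": date(2021, 1, 1),  "disabled": None,             "approved_by": None},
]


def reconcile(roster, access, period_start, period_end):
    """Return (control, user, finding) tuples for every exception found.

    Control 42: access granted during the examination period needs a documented approval.
    Control 43: users terminated during the period must be disabled on or before term date.
    Control 44: every account must map to a current HR record (orphans are exceptions).
    """
    findings = []
    hr = {r["user"]: r for r in roster}
    for a in access:
        r = hr.get(a["user"])
        if r is None:
            # No HR record at all: the quarterly access review should have caught this.
            findings.append(("44", a["user"], "account has no matching HR record"))
            continue
        if period_start <= a["granted"] <= period_end and not a["approved_by"]:
            findings.append(("42", a["user"], "no documented management approval for in-period grant"))
        if r["status"] == "terminated" and period_start <= r["term_date"] <= period_end:
            # Still enabled, never disabled, or disabled after the termination date all fail.
            if a["enabled"] or a["disabled"] is None or a["disabled"] > r["term_date"]:
                findings.append(("43", a["user"], "access not removed on or before termination date"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCESS_LISTING, date(2024, 1, 1), date(2024, 6, 30)):
        print(f)
```

Each exception is evidence for the auditor's sample, not a conclusion; the reviewer still ties the finding back to the termination ticket or approval record.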
| # | Topic | Spot Check Procedure | Owner | Status |
|---|---|---|---|---|
| 46 | Data Destruction | Review the Company's Data Destruction Policy to spot-check that it requires that all media containing sensitive data, including electronic, hardcopy, and photocopy, be destroyed when it is no longer needed for business or legal reasons. | | |
| 50 | Antivirus Software | Review the antivirus solution dashboard to spot-check that antivirus software is configured to be installed on workstations and laptops supporting the system. | | |
| 53 | Detection & Monitoring Tools | Review the configuration and alert settings of the change detection and monitoring tools to spot-check that the Company has implemented detection and monitoring tools to identify anomalies, including potential changes to configurations that result in the introduction of new vulnerabilities as well as susceptibilities to newly discovered vulnerabilities, and to spot-check that the tool is configured to send alerts to management based on pre-defined thresholds. | | |
| | | Review the results of the business continuity and disaster recovery plan test to spot-check that the Company tests the business continuity plan and disaster recovery plan on an annual basis. | | |
| 60 | System Backups | Review the Company's backup configuration settings to spot-check that the Company performs incremental backups of its critical information systems on a <daily> basis, full backups on at least a <weekly> basis, and if IT management is alerted in the case of a backup failure. | | |
| 62 | Separate Environments | Review the configuration settings for the development, staging, and production environments to spot-check that separate environments are used for development, staging, and production. | | |
| | | Review the change tickets for a sample of application source code changes to spot-check that source code scanning was performed on each application source code change, and if each critical vulnerability identified was remediated prior to promotion into the production environment. | | |
| 65 | Version Control Software | Review the version control software dashboard to spot-check that version control software is in place to manage current versions of source code. | | |
| | | Review the commit log history to spot-check that commit logs of all changes to source code libraries are maintained. | | |
| 66 | Source Code Access | Review the system generated list of individuals with access to make changes to source code to spot-check that access to make changes to source code is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management. | | |
| 67 | Source Code Promotion Access | Review the system generated list of individuals with access to promote source code to production to spot-check that access to promote source code to the production environment is limited to only appropriate individuals based on job function, active employment with the Company, and confirmation with management. | | |
| 68 | Production Promotion Alerts | Review the configuration settings for the Company's production promotion alerting tool to spot-check that automated alerts are in place to notify management when changes are promoted to the production environment. | | |
| 69 | Monthly Change Review (If no Automated Production Alerting is in Place) | Review the review documentation for a sample of monthly change review meetings during the examination period to spot-check that changes promoted to the production environment are reviewed by management on at least a monthly basis to verify that each change was authorized and approved, and that no changes were developed and promoted by the same individual. | | |
| 70 | Insurance Policies | Review the Company's certificate of insurance to spot-check that insurance policies are utilized to transfer risk as part of the Company's risk management strategy. | | |
| 71 | Vendor Risk Management Procedure | Review the vendor management policies and procedures to spot-check that the Company has implemented a vendor risk management policy that provides guidance in managing risks associated with vendors and business partners. | | |
| 72 | MSAs with Vendors | Review the signed MSA for a sample of vendors onboarded during the examination period to spot-check that MSAs are established to help define third-party requirements for maintaining security and related regulatory and policy commitments. | | |