Trying to manage all the critical controls, testing and procedures to prepare for your SOC Audit? We created a Runbook and Framework to help manage the project execution process before your SOC Audit.
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
SOC Certification Runbook Template
1. Achieving SOC Certification
Integration Runbook V 2.2
Planning, Design, Execution & Testing of Critical Controls
Prepared By:
Mark S Mahre
Managing Partner US
Mobile 678-641-0390
mark.mahre@clearcost.us
March 2018
2. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #2
TABLE OF CONTENTS
SOC PROJECT ENGAGEMENT..................................................................................................................................................................................................................................4
Engagement Process ..........................................................................................................................................................................................................................................5
Critical Controls Process.....................................................................................................................................................................................................................................6
Areas of Required Critical Controls ....................................................................................................................................................................................................................7
Five Principles of Critical Controls......................................................................................................................................................................................................................8
Types of Reporting .............................................................................................................................................................................................................................................8
CLIENT Leadership Meetings..............................................................................................................................................................................................................................8
Project Approach and Execution........................................................................................................................................................................................................................9
ClearCost Responsibilities ................................................................................................................................................................................................................................10
CLIENT Responsibilities ....................................................................................................................................................................................................................................10
MAJOR COMPOMENTS OF PROJECT ENGAGMENT..............................................................................................................................................................................................11
Project Deliverables & Documentation............................................................................................................................................................................................................12
SOC Compliance & Readiness Templates.........................................................................................................................................................................................................13
SOC INTEGRATION FRAMEWORK.........................................................................................................................................................................................................................14
Task Owners:....................................................................................................................................................................................................................................................14
Recording Tasks and Key Objectives: ...................................................................................................................................................................................................................15
Mapping & Approach:..................................................................................................................................................................................................................................15
Readiness & Resources: ...............................................................................................................................................................................................................................15
Analysis, Architecture & Processes: .............................................................................................................................................................................................................15
Suitability, Remediate & Pre-Testing: ..........................................................................................................................................................................................................15
Execution, Sustainability & Reporting:.........................................................................................................................................................................................................15
Testing, Sampling, and Fairness: ..................................................................................................................................................................................................................15
IN CLOSING...........................................................................................................................................................................................................................................................16
3. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #3
Version Control
Created By: Mark S Mahre Title: Managing Partner US
Ver # Revised By Date Revised Notes
1.0 Mark S Mahre January 2017 Template Creation
1.1 Mark S Mahre March 2018 Added more SOC Project Engagement Details
2.0 Mark S Mahre March 2018 Made for generic ‘CLIENT’ for sending for Marketing
2.1 Mark S Mahre April 2018 Modified for Partners
2.2 Mark S Mahre April 2018 Modified for LinkedIn
QA Approval Date Approved By:
4. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #4
SOC PROJECT ENGAGEMENT
ClearCost US will provide professional services (or “Consulting Services”) for the purpose of a Service Organization Controls 2 (“SOC”) engagement covering the System
Description, Information Security and the Critical Controls Table and other components within SOC. This engagement will NOT cover any Out-of-Scope Areas of Control
shown in table below. ClearCost may also provide guidance on building a central repository for housing all the supporting SOC documentation.
Specific SOC components for SOC Compliance:
SOC Component Critical Control Area
System Description Company & Services In Scope
Information Security IT Operations & Controls In Scope
Readiness Planning & Strategy On-Going Meetings with Audit Firm and Setting Target Requirements In Scope
Critical Controls Section Security In Scope
Critical Controls Section Availability In Scope
Critical Controls Section Processing Integrity In Scope
Critical Controls Section Confidentiality In Scope
Critical Controls Section Privacy (includes PHI & HIPAA) In Scope
Governance, Policies & Procedures Repository, Processes, Training & Documentation In Scope
Infrastructure & Monitoring All Items Technical Services In Scope
Evidence & Audit Procedures, Timing, Expectations, Resources In Scope
Management Assertion Performed by Audit Firm Out of Scope
Fairness & Evidence Report Performed by Audit Firm Out of Scope
ClearCost consulting services will include guidance and readiness for the SOC audit, however ClearCost will not include any legal advice or direction for implementing
controls, procedures or policies within the CLIENT data center facility, meaning that CLIENT employees will be responsible for creating the proper governance, controls
and procedures for each component of Critical Control Targets within the Critical Controls Criteria. The Audit Firm will provide services marked in Light Blue, ClearCost
consultant(s) will Lead for the following components in Red, with the CLIENT Lead subjects noted in Dark Blue.
Assertion
System
Description
Critical Control
Targets & Execution
SOC
Reporting
Fairness &
Evidence
Strategy &
Planning
Policies &
Procedures
Information
Security
Readiness
Assessment
SOC
Training
Infrastructure
& Monitoring
Uploading
Evidence
Providing
Evidence
Fairness Meetings, Status Meetings, Critical Control Target Reviews,
and Compliance Documentation Reviews
Assertion
Approvals
5. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #5
Engagement Process
6. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #6
Critical Controls Process
This engagement will include guidance and framework for the System Description, Information Security and Critical Controls Table (Five Areas) that are suitable for Type 1
or Type 2 reporting. Services will also identify risk assessment gaps within the control domains and remediation recommendations before the pre-audit and audit
process. ClearCost services will include reviewing controls related to Change Management, Breach Compliance, Help Desk, Client SLA’s, Change Authorization Board
Governance, SOC Training, Quarterly SOC Leadership Meetings and HR Controls for meeting compliance.
The diagram covers the Lead Responsibilities for setting the Critical Controls Language and Targets.
Critical Controls:
Assessments, Language
& Targets
Define Governance,
Security, Policies &
Controls
Execute Governance,
Security, Policies &
Contols
Achieve Compliance &
Evidence Gathering
Evidence Review &
Evidence Uploads
ClearCost Lead Joint Efforts CLIENT Lead
7. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #7
Areas of Required Critical Controls
8. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #8
Five Principles of Critical Controls
SOC 2 reports focus on controls at a service organization relevant to the following principles:
• Security: The system is protected against unauthorized access (both physical and logical); end-point security, Network, DC’s and Cloud environments,
• Availability: The system is available for operation and use as committed or agreed SLA’s,
• Processing Integrity: System processing is complete, accurate, timely, and authorized,
• Confidentiality: Information designated as confidential is protected as committed or agreed, and
• Privacy: Personal information collected, used, retained, disclosed, and destroyed in conformity with the commitments by CLIENT criteria set forth with regards
to Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) and Personal Health Information (“PHI”) privacy principles.
Types of Reporting
The types of reporting are:
• Type I or Report 1 - A report on management’s description of the service organization’s system and the suitability of the design of the critical controls - at one-
point-in-time,
• Type 2 or Report 2 - A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of
the controls – during the duration of time,
• Fairness and Evidence Process – What controls and required, how controls are defined, who is responsible for controls, maintain service levels per client
contracts, adhere to standards, and produce evidence during the audit period.
CLIENT Leadership Meetings
Quarterly Meetings with the CLIENT Leadership Team for meeting compliance:
• Predict, Monitor, Identify, Mitigate and Address areas of Risk and implement a proper Risk Mitigation strategy
• Controls for understanding the Compliance and Risk associated with the data and metadata that:
✓ operates,
✓ collects,
✓ processes,
✓ transmits,
✓ stores,
✓ organizes,
✓ maintains and
✓ disposes of information for our client’s entities.
9. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #9
Project Approach and Execution
Below is a systematic approach to our SOC Strategy, Analysis, Design, Governance, Readiness, Testing, Execution and Audit criteria and controls for the project.
10. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #10
ClearCost Responsibilities
This assessment engagement is designed to provide reasonable, but not absolute assurance on all controls and governance within the data center environment.
ClearCost will not perform any evidence gathering or write in documentation for the CLIENT environment outside of the noted areas of services shown in the deliverables
table on next page.
Consultant will be responsible for leading the following:
• Project Kick-Off Meeting,
• Project Status Meetings,
• SOC Overview Status Reporting,
• System Description Delivery,
• Information Security Delivery,
• Critical Controls Targets,
• Change Management, Infrastructure & Compliance Meetings,
• Pre-Audit Run Through,
• Evidence Uploading and,
• SOC Leadership Management DAR’s.
CLIENT Responsibilities
Because this assessment engagement is designed to provide reasonable, but not absolute assurance on all controls and governance within the data center environment,
ClearCost will not perform any examinations of systems, data or application transactions within the CLIENT environment, and not responsible for any breaches outside of
the noted areas of services in project scope section.
In addition, the assessment services cannot be relied on for any instances of non-compliance with laws of regulations, fraud or material errors attributed to CLIENT
personnel. CLIENT will understand its responsibility to inform, train and clearly communicate the security, availability, confidentiality and privacy that fall under the SOC
regulations and responsibilities. Meaning that CLIENT understands its responsibilities to proper training and testing systems within the user community.
CLIENT will be responsible for the following:
• Maintaining the content for System Description and Information Security documentation,
• Managing content of Critical Controls Table throughout the consulting engagement period and then until the final term after the official audit,
• Providing all services to support and compliance of the Critical Controls Table functions,
• Having personnel available for designing, implementing, documenting the controls suitable for operation effectiveness to fulfill the trust services criteria,
• Providing supporting documentation for the following; governance, workflow, organization structure, information systems, and third-party contracts,
• Participating in interviews, walk though reviews and evidence support to understand the elements within the Critical Controls Table,
• Provide ClearCost consultants with proper and reasonable access to resources in a timely manner, and
• Provide personnel for recording meeting notes, minutes and documenting recommendations during the consulting engagement.
11. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #11
MAJOR COMPOMENTS OF PROJECT ENGAGMENT
The following tasks are major components of deliverables for the consulting services engagement:
(Contact ClearCost for receiving IP information within the following sections)
Subject Task Est. Dates
(*) Estimates are based on very limited information on the CLIENT Organization’s Capability Maturity Level Integration (aka “CMM” or “CMMI”) and what is currently
available at the time of engagement. However, after the Project Kick-Off Meeting a ‘High-Leve’ Project Plan will be created to provide better accuracy and only ACTUAL
time worked on the specific tasks will invoiced for the project.
12. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #12
Project Deliverables & Documentation
ClearCost Consultant(s) deliverables for the project include:
Documents Format
Project Planning (modification of this template) MS Word
Monthly Project Status Reports PDF
SOC Project Kickoff PDF
System Description Template MS Word
Information Security Template MS Word
Critical Controls Table MS Excel
Change Management Controls MS Word and/or Visio
SOC Training Template PPTX
SOC Integration Framework Poster 24”x 48” Poster
Compliance & Readiness Templates MS Word
Risk Assessment Quarterly Meeting Agenda Template PPTX
Risk Assessment Worksheet Excel
13. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #13
SOC Compliance & Readiness Templates
Project templates may Include the following:
✓ Employee Handbook
✓ Employee Training Manuals
✓ Employee Job Descriptions
✓ Consultant or 3-Party Contractor NDA’s & Contracts
✓ Client, Vendor and 3-Party MSA’s
✓ Cloud or DC Infrastructure Diagrams
✓ Monitoring & Escalation Policy
✓ Asset Manage (CMDB) Table
✓ Risk Assessment Quarterly Agenda
✓ Risk Assessment Worksheet
✓ Breach Notification
✓ HIPAA Privacy Policy
✓ Terms of Acceptable Use Policy
✓ Incident Response Process
✓ Change Management Process
✓ Help Desk Process
✓ HIPAA / PHI Security Practice and Certification Manuals
✓ SOC Training Certifications
14. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #14
SOC INTEGRATION FRAMEWORK
The following SOC Integration Framework will be used for the Project Execution.
Business Objectives Project Execution & Milestone Tracking
Analysis, Strategy,
Architecture, Apps
& Processes
Mapping,
Approach &
Budgeting
Mark SMahre
SOC-2 Integration Framework
PLANINITIATE
Suitability,
Remediate &
Pre-Testing
AUDIT
C-Level , Security Officer, Analysts, Subject Matter Experts, Project Managers & Consultants
Assessment,
Resources &
Templates
Sponsors
Strategy,
Requirements
& Roadmap
Business Case
Project Scope
Success Criteria
HIPPA Req.
Road Map
Approvals
Project Design
Project Tasks
Risk Assessment
As-Is Assessment
Financials
Scheduling
Project Timeline
Resource Requirements
Gap Analysis
To-Be Requirements
Create Templates
Identify Partnerships
SOC Governance
HIPPA Mandates
Status Reporting
Change Controls
Authentication
Encryption Controls
Project Kick-Off
Auditor Assessment
Employee Awareness
Critical Controls
System Description
Information Security
Operational Effectiveness
Controls Testing
Readiness Reviews
Quarterly Meetings
Monitor Results
Lessons Learned
Upload Evidence
Audit Procedures
Sampling Process
SOC Compliance Report
Auditor s Letter
SOC Gap Letter
DESIGN CONTROLS OPERATIONAL
Execution,
Sustainability &
Reporting
Risk Mitigations
Suitability of Design
Data RPO/RTO
DR/BCP Strategy
Incident Response
Cloud Services
Mahre & Schweizer 2017
Auditor
Analysis
Testing,
Sampling &
Fairness
Task Owners:
Assigning the Task Owners (Stakeholders / SPOC) for each task in the tables below.
CXO & Leadership CISO CIO COO Legal CFO PMO
SOC Team Security Team IT Team Operations Team Contracts Team Finance Team Consultants
15. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #15
RECORDING TASKS AND KEY OBJECTIVES:
(Contact ClearCost for receiving IP information within the following sections)
Mapping & Approach:
Readiness & Resources:
Analysis, Architecture & Processes:
Suitability, Remediate & Pre-Testing:
Execution, Sustainability & Reporting:
Testing, Sampling, and Fairness:
16. Methodology Created and Documented by Written Mark S Mahre
ClearCost US Reserves all rights for information contained within this SOC Integration Runbook Page #16
IN CLOSING
Comments and Next Steps
Analyze, Predict, Plan, Test, Implement and Improve
End of Document