Audit Scope Documentation: Structure & Templates

SOC 2 System Description Template

A sample template to customize for a SOC 2 report System Description

Review and edit, or replace, this content as appropriate to meet the needs of your business. Ensure everything within [brackets] and in the tables is customized before finalizing.

DC 1: Description of Services Provided 

Company Overview

[company full legal name] (the “company” or “[company name]”) was founded in [year] and is headquartered in [city, state] with personnel working remote and from the main office location. [company name] provides [high level description of services/product provided to customers].

 

Description of Services Provided

[company name]’s core product in-scope is the [platform/product name] (the “system”) that provides:

 

[function/service category]

  • [description of what function/service category delivers or provides to customer]
  • [description of what function/service category delivers or provides to customer]

 

[function/service category]

  • [description of what function/service category delivers or provides to customer]
  • [description of what function/service category delivers or provides to customer]
  • [description of what function/service category delivers or provides to customer]

 

[function/service category]

  • [description of what function/service category delivers or provides to customer]
  • [description of what function/service category delivers or provides to customer]

 

DC 2: The Principal Service Commitments and System Requirements 

[company name] designs its processes and procedures related to the [platform/product name] to meet its objectives for providing [type of services] services. Those objectives are based on the service commitments that [company name] makes to user entities, the laws and regulations that govern services, and the financial, operational, and compliance requirements that [company name] has established for the services. 

 

Terms and conditions are presented to provide a mechanism for communicating the terms of service within the company and between the company, customers, and website users. The terms and conditions outline terms for services, use of services, enforcement, intellectual property rights, and warranties. Terms of service documents can be found at [https://webaddress.com/terms-of-use] and the service-level agreement (SLA) is available upon request at [contact@emailaddress.com]. 

 

The terms of service are reviewed at least annually or more frequently when deemed necessary. Any changes are reviewed by management and sent to the marketing team for execution of the changes. Customers are notified via e-mail of any changes. The customer is not required to accept or agree to any change.

 

Security commitments to user entities are documented and communicated in SLAs and other customer agreements, as well as in the description of the service offering provided online. 

 

Security commitments include, but are not limited to, the following:

  • System features and configuration settings designed to authorize user access while restricting unauthorized users;
  • Use of security monitoring to detect and prevent potential security attacks from users outside the boundaries of the system;
  • Weekly vulnerability scans on externally facing endpoints, and annual penetration tests over the production environment; and,
  • Operational procedures for managing security incidents and breaches, including notification procedures.

 

Such requirements are communicated in [company name]'s system policies and procedures, system design documentation, and agreements with customers. Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed, and how employees are hired, trained and managed. In addition to these policies, standard operating procedures are documented on how to carry out specific manual and automated processes required in the operation and development of the services. 

 

In accordance with our assertion, and the description criteria, the aforementioned service commitments and requirements are those principal service commitments and requirements common to the broad base of users of the system and may therefore not fully address the specific service commitments and requirements made to all system users, in each individual case.

DC 3: The Components of the System Used to Provide the Services

The [platform/product name] has been designed, implemented, and is operated to achieve specific business objectives in accordance with management-specified requirements to meet our customers' needs. The purpose of the system description is to delineate the boundaries of the system, which includes the services and commitments outlined above and the five components described below: infrastructure, software, people, data, and procedures.

3.1 Primary Infrastructure 

The system is hosted in [cloud-hosting provider] within a virtual private cloud (VPC) environment and behind a perimeter security firewall which protects the network from unauthorized external access. The network topology includes public and private subnets with access control lists (ACLs). Compute and data storage resources are protected by [host-based firewalls]. [company name] uses [perimeter security firewall] and [threat detection] to identify and protect against threats.

The underlying physical infrastructure is hosted, managed and protected by [cloud-hosting provider]. Production resources for compute, storage, networking and virtualization maintain high availability and failover support within [cloud-hosting provider].

User requests to the [company name] Web Portal are encrypted with a secure version of Transport Layer Security (TLS) by using certificates from an established third party certificate authority. Remote access by developers and administrators is limited and requires multi-factor authentication. 

3.2 Software

[company name] is responsible for managing the development and operation of the [platform/product name] including infrastructure resources such as compute, storage, networking and virtualization. The in-scope [platform/product name] infrastructure and software components are shown in the table below:

Primary Infrastructure and Software

| System/Application | Business/Function | Description |
|---|---|---|
| [platform/product name] Web-based Platform | Main product provided by [company name] | Provides access to the [company name] Platform through a web interface and user authentication |
| [Perimeter Security Firewall] | Perimeter Security Firewall | Defends our platform at the network border from unauthorized access and external attacks (e.g., DDoS); includes AWS Shield |
| [Host-based Firewalls] | Host-based Firewalls | Used to set up access rules at the resource/instance level |
| [Public and Private Network Segmentation] | Public and Private Network Segmentation | Defines and enforces isolation between public and private network areas in our cloud environment |
| [Network ACLs/Subnets (network segmentation)] | Network ACLs/Subnets (network segmentation) | Used to allow or deny specific inbound or outbound traffic at the subnet level within VPCs (virtual private clouds) |
| [AWS CloudFront / Azure CDN / Google Cloud CDN] | Content delivery network (CDN) | Used to distribute static and dynamic content quickly and reliably to our user interface application |
| [AWS Route 53 / Azure DNS / Google Cloud DNS] | Highly available and scalable cloud Domain Name System (DNS) web service | Used to connect user requests to our web-based platform |
| [AWS ELB / Azure Load Balancer / Google Cloud Load Balancing] | Automatically distributes incoming network and application traffic | Used to increase availability and fault tolerance for our user interface application |
| [AWS ECS / Azure Kubernetes Service (AKS) / Google Kubernetes Engine (GKE)] | Fully managed container orchestration service | Used with EC2 instances and Docker images to build, run, test, deploy, manage, and scale our code |
| [AWS Lambda / Azure Functions / Google Cloud Functions] | Serverless compute service | Used to run our internal machine learning API |
| [AWS RDS / Azure SQL Database / Google Cloud SQL] | Fully managed, open-source cloud relational database service | Used to securely store configuration data for our customers' individual accounts |
| [AWS S3 / Azure Blob Storage / Google Cloud Storage] | Highly available and scalable object storage solution | S3 is controlled through the AWS IAM interface and securely stores machine learning models |
| [AWS EFS / Azure Files / Google Filestore] | Simple, scalable, fully managed elastic NFS file system | Used to securely store files for our customers' individual accounts |
| [AWS Certificate Manager / Azure Key Vault / Google Cloud Key Management Service] | Provision, manage, and deploy public and private SSL/TLS certificates | Used to create, store, and renew our public SSL/TLS certificates to protect customer data in transit |
| [AWS SES / Azure Communication Services Email / Google Cloud Email] | Email Communication | Used to send email updates and alerts to customers |
| [AWS IAM / Azure Active Directory / Google Cloud Identity & Access Management] | Web service to securely control access to AWS resources | Used to ensure segregation of duties and role-based access control (RBAC) for our internal engineering team |
| [Amazon Cognito / Azure Active Directory B2C / Google Identity Platform] | Identity platform for web and mobile applications | Used as an authorization service for OAuth 2.0 access tokens, using OpenID Connect, to provide single sign-on (SSO) for our customers through their identity providers (IdPs) (e.g., Google, Microsoft) |
| [Code Repository] | Build, release, and continuous integration systems | Source code repositories, version control systems, code reviews, and build software are hosted by GitHub |

Supporting Tools

| System/Application | Business/Function | Description |
|---|---|---|
| [HRIS (Human Resource Information/Management System)] | HRIS (Human Resource Information/Management System) & Performance Evaluation | The centralized system used for managing HR processes, including payroll, benefits, performance evaluations, and employee data |
| [ATS (Applicant Tracking System)] | Modern ATS (Applicant Tracking System) and Collaborative Recruitment Software | Used for streamlining recruitment, from posting jobs to hiring; essential for maintaining data on recruitment processes |
| [Background Checks] | Employee Background Screening | Used for verifying candidate backgrounds, including criminal records and employment history |
| [Performance Evaluations] | Employee Performance Evaluations | Used for documenting and assessing employee performance |
| [Security Awareness Training] | Web-based Security Awareness & Training Platform | Used for educating employees on SOC 2 compliance and information security; necessary for mitigating risks and ensuring adherence to security policies and regulations |
| [MDM (Mobile Device Management)] | Mobile Device Management (MDM) Solution | Used to enforce encryption, malware protection, and security updates, and to enable remote wipe capabilities on all company-owned laptops |
| [Business Productivity and Collaboration Suite] | Collection of Cloud Productivity and Collaboration Tools | Central platform used for email, document creation, collaboration, and productivity |
| [Communication & Alerts Monitoring] | Cloud-based Team Communication Platform | Used for real-time messaging and for monitoring alerts from automated scanning technologies (e.g., vulnerabilities, application errors and crashes, security events) |
| [Internal Wiki/Intranet] | Web-based Corporate Wiki | Platform used for internal knowledge sharing and documentation (e.g., posting policies, plans, and procedures) |
| [Customer Support Management] | Fully Integrated CRM Solution | Used by our customer success team for managing customer inquiries and support tickets, and to provide knowledge base articles |
| [Internal Ticketing System] | Software Development Tool and Project Work Management | Used for tracking internal tasks and projects from submission to completion (software development, change management, business projects, access requests and removals) |
| [Application Monitoring - Errors and Crashes] | Modern Application Performance Monitoring (APM) | Used to continuously monitor for errors and crashes at the application layer across web and backend applications, to detect and resolve root causes faster, and to avoid system downtime |
| [Cloud Infrastructure Vulnerability Scanning] | Automated Vulnerability Management Service | Used to continuously scan (weekly) our AWS workloads for software vulnerabilities and unintended network exposure |
| [Threat Detection] | Intelligent Threat Detection Services | Used to monitor our AWS accounts, workloads, and data to identify malicious activity and anomalous behavior; if a threat is detected, an alert is sent to Slack |
| [Admin Activity Logging, Monitoring & Alerting] | Records events taken by a user, role, or AWS service | Events are filtered and set to trigger an alert when an event occurs in areas that are known targets or that indicates an individual with malicious intent may have gained unauthorized access |
| [Capacity Monitoring & Management] | Performance Monitoring Tool | Used to collect and track preset metrics to measure resources and applications |
| [Configuration Management (baseline for setup)] | Infrastructure as Code (IaC) provisioning tool | Used to model, provision, and manage AWS resources with templates and stacks |
| [Configuration Management Monitoring (after setup)] | Cloud security posture management (CSPM) service | Used to proactively monitor AWS resources to identify misconfigurations and prioritize findings based on severity level |
| [Code Scanning (Dependency)] | Automated dependency updates built into GitHub | Used to generate alerts when a repository is using a software dependency with a known vulnerability |
| [Code Scanning (SAST)] | Open source static application security testing (SAST) tool | Used to find bugs and detect vulnerabilities before each pull request (PR) is merged |
| [Incident Management] | Modern incident management for operating always-on services | Used by on-call engineers to build and modify schedules and to respond promptly to critical issues to avoid system downtime |
| [Incident Communication] | Proactive customer communication component of incident management | Used to proactively communicate system operational status (uptime and downtime); public facing at [status.companyname.com] |

Overall Technical Diagram

[insert Architecture Diagram]

3.3 People 

[company name] has established an organizational structure that includes consideration of key areas of authority and responsibility, as well as appropriate lines of reporting:

  • Executive Management: Consists of the management committee, as outlined within the [company name] security committee charter, and is responsible for overseeing company-wide activities, establishing and accomplishing goals, and overseeing objectives.
  • GRC (Governance, Risk, and Compliance): Responsible for information security oversight and policies, annual risk assessments, third party/vendor risk management, compliance, etc.
  • Product: Responsible for the product life cycle, including adding additional product features and functionality, and overseeing change management.
  • Engineering: Responsible for the development, testing, deployment, and maintenance of the source code for the system.
  • Security Operations: Responsible for maintaining production infrastructure, managing access and security for production infrastructure, and incident response. Members of the security operations team may also be members of the engineering team.
  • IT: Responsible for access controls and security of the production environment, and for managing laptops, software, and other technology involved in employee productivity and business operations.
  • People (Human Resources): Responsible for managing the employee life cycle, including recruiting and onboarding, performance management, security awareness training, compensation and benefits, people experience, and terminations and offboarding.
  • Sales, Marketing and Customer Success Operations: Responsible for sales, marketing, account management, and customer success teams and activities.

3.4 Data 

Customer data is managed, processed, and stored in accordance with the relevant data protection and other regulations, with specific requirements formally established in customer contracts. This data is managed and stored in a range of database technologies.

Data Classification

| Data Sensitivity | Description | Example |
|---|---|---|
| Public | Information intended or required for public release. Disclosure of such information does not adversely impact [company name]'s business operations, financial wellbeing, or image and reputation. | Published website content; press releases |
| Sensitive | Sensitive data that requires additional levels of protection. | Operational information; personnel records; information security procedures; research; internal communications; log records (firewall logs, audit trails, etc.) |
| Confidential | Sensitive data that must be protected from unauthorized disclosure or public release based on state or federal law, and other constitutional, statutory, judicial, and legal agreements. | Personally identifiable information (PII), such as name, Social Security Number (SSN), and/or financial account numbers; employment records; intellectual property, such as copyrights, patents, and trade secrets; client/customer data |

3.5 Processes and Procedures

Formal IT security policies and procedures exist that describe incident response, network security, encryption, and system security standards. All teams are expected to adhere to [company name] policies and procedures that define how services should be delivered. These are located on [company name]’s internal designated [Internal Wiki/Intranet] page and are accessible to all [company name] personnel.

[company name] has the following information security policies in place with corresponding documented information security operational activities, which are owned by the [acting CISO or CISO]:

  • Asset Management
  • Business Continuity
  • Change and Release Management
  • Human Resources Security
  • Identity and Access Management
  • Incident and Event Management
  • Information Protection (Data Classification)
  • Information Security
  • Legal and Compliance
  • Risk Assessment and Management
  • Secure Configuration
  • Software Development Lifecycle
  • Supplier Relationships Security
  • System and Network Security
  • Threat and Vulnerability Management

Policies are reviewed on an annual basis and changes are made to the policies when necessary. Members of the management team are authorized to perform reviews of policies with final approval for changes from the [acting CISO or CISO] in conjunction with other senior management. Approvals are documented and tracked as they occur. Any changes to the policies are then communicated to employees via e-mail and are posted on [company name]’s internal designated [Internal Wiki/Intranet] page accessible to all employees.

DC 4: Disclosures About Identified Security Incidents

[If an incident occurred, keep and complete Section 1; if no incident occurred, keep Section 2. Delete the section that does not apply.]

[Section 1-delete after selection]

For identified system incidents that were the result of controls that were not suitably designed or operating effectively, or that otherwise resulted in a significant failure in the achievement of one or more of the service commitments and system requirements, as of the date of the description (for a type 1) or during the period of time covered by the description (for a type 2), as applicable, the following information is disclosed:

  1. Nature of each incident
  2. Timing surrounding the incident
  3. Extent (or effect) of the incident and its disposition

[Section 2-delete after selection]

There were no system incidents during the period of time covered by the description requiring disclosure that either:

  1. Were the result of controls failing due to not being suitably designed or operating effectively; or,
  2. Otherwise resulted in a significant failure in the achievement of one or more of the service commitments and system requirements.

DC 5: Relevant Aspects of the Control Environment, Risk Assessment, Control Activity, Monitoring, and Information and Communication

The applicable trust services criteria were used to evaluate the suitability of design and operating effectiveness of controls stated in the description. Although the applicable trust services criteria and related controls are included in Section IV, they are an integral part of [company name]'s description of the system. This section provides information about the five interrelated components of internal control at [company name], including:

Control environment: Sets the tone, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Risk assessment: The entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks can be managed.

Control activities: The policies and procedures that help make sure that management’s directives are carried out.

Information and communication: Systems, both automated and manual, that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Monitoring controls: A process that assesses the quality of internal control performance over time.

5.1 Control Environment

The objectives of internal control as it relates to [company name] are to provide reasonable, but not absolute, assurance that controls are suitably designed and operating effectively to meet the relevant controls, that assets are protected from unauthorized use or disposition, and that transactions are executed in accordance with management’s authorization and client instructions. Management has established and maintains controls designed to monitor compliance with established policies and procedures. The remainder of this subsection discusses the tone at the top as set by management, the integrity, ethical values, and competence of [company name] employees, the policies and procedures, the risk management process and monitoring, and the roles of significant control groups. The internal control structure is established and refreshed based on [company name]’s assessment of risk facing the organization. 

Integrity and Ethical Values 

Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of key processes. Integrity and ethical behavior are the products of [company name]’s ethical and behavioral standards, how they are communicated, and how they are monitored and enforced in its business activities. They include management’s actions to remove or reduce incentives/pressures, and opportunities that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of the entity’s values and behavioral standards to personnel through policy statements and codes of conduct, and by the examples the executives set.

[company name]’s senior management recognizes their responsibility to foster a strong ethical environment within [company name] to determine that its business affairs are conducted with integrity, and in accordance with high standards of personal and corporate conduct. This responsibility is characterized and reflected in [company name]’s Code of Conduct, which is distributed to all employees of the organization. 

All employees are required to maintain ongoing compliance with all statements of policies, procedures, and standards of the Code of Conduct and with lawful and ethical business practices, whether or not they are specifically mentioned in the Code of Conduct. Each employee is required to affirm that he or she has received, read, understood, and complied with the requirements set forth in the Information Security Policy, Acceptable Use Policy, Employee Handbook, and Code of Conduct within the first week of employment and annually thereafter.

Executive Management Governance and Oversight

The management committee, chaired by the chief executive officer (CEO), has been delegated by the board the responsibility for managing [company name] and its business on a daily basis. Members of [company name]'s management committee draw experience from their former roles as senior executives of large organizations specializing in software integrations, product oversight, development, sales and marketing, customer service, and governance, risk, and compliance.

In its role, the management committee assigns authority and responsibility for operating activities and establishes reporting relationships and authorization hierarchies. The management committee designs policies and communications so that personnel understand [company name]’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. 

Lines of authority and responsibility are clearly established throughout the organization under the management committee. These lines of authority and the associated responsibilities are communicated through: (1) management’s philosophy and operating style; (2) organizational structure; (3) employee job descriptions; and (4) policy and procedure manuals. 

Managers are expected to be aware of their responsibilities and lead employees in complying with [company name] policies and procedures. 

Organizational Structure and Assignment of Authority and Responsibility

[company name]’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. [company name] has established an organizational structure that includes consideration of key areas of authority and responsibility, as well as appropriate lines of reporting.

[company name] has an established organizational structure with defined roles and responsibilities.

Commitment to Competence

[company name] has implemented a structured performance appraisal process. Managers are asked to discuss performance expectations and goals with each employee. These objectives and development goals are formally documented. [company name] conducts an annual performance review for each employee per calendar year. Annual performance evaluations, affirmed by the employee and their leader or manager, are maintained in electronic form. Managers are also strongly encouraged to have ongoing, informal conversations with employees regarding their performance throughout the year.

[company name] has developed a mandatory training program for its employees, including a coordinated new hire orientation program. Additional continuing professional education and development opportunities are identified through the goal-setting and development-planning process. Managers and HR identify learning plans both by role and level. It is also the manager’s role to identify what training a particular employee requires to comprehend [company name]’s policies and procedures as they relate to specific job requirements. Each employee has the opportunity to partake in formal training classes, on-the-job training, or online education courses. A record of training program attendance is maintained for each employee.

Accountability

Human resource (HR) policies and practices relate to hiring, orienting, training, evaluating, counseling, promoting and compensating personnel. The competence and integrity of [company name] personnel are essential elements of its control environment. The organization’s ability to recruit and retain a sufficient number of competent and responsible personnel is dependent to a great extent on its HR policies and processes.

The HR policies and processes of [company name] are designed to: (1) identify and hire competent personnel; (2) provide employees with the training and information they need to perform their jobs; (3) evaluate the performance of employees to verify their ability to perform job assignments; and (4) through performance evaluation, identify opportunities for growth and job performance improvement.

Formal written job descriptions are developed and maintained for each position.

[company name] has established formal web-based security awareness training that is required to be completed by all new employees within the first two weeks of employment and on an annual basis. Employees are also encouraged to actively participate in professional organizations and forums to maintain their knowledge and develop awareness of issues facing [company name]. 

HR, in unison with the hiring manager, screens potential candidates and selects resumes of potential candidates to be interviewed. The managers review documentation, select candidates, and inform HR of individuals with whom they wish to schedule interviews. The relevant manager and HR conduct interviews and potential offers are submitted to the appropriate authority within the organization for approval. Individuals offered a position at [company name] are subject to background checks (as appropriate for each country with respect to local laws and regulations) prior to commencing employment. Prospective employees complete an employment application and sign waivers to release information for the background check. In addition, it is the policy of [company name] to request employment references to determine whether the candidate is well-qualified and has the potential to be productive and successful during his or her tenure.

After receiving a signature, all new employees receive an email containing information pertaining to the first day of employment. [company name]’s onboarding program includes the distribution and acknowledgement of the Employee Handbook, Information Security Policy and Acceptable Use Policy, relevant compensation materials, benefit materials, and Code of Conduct.

HR is responsible for managing voluntary and involuntary terminations. Voluntary terminations are identified by the employee's supervisor and are tracked and recorded. HR personnel communicate with the employee to identify the employee's final day of employment and to inform the employee of his or her rights and responsibilities. The final day is entered into the HR management system and an exit interview is scheduled. During the exit interview, the employee is asked to return any [company name] assets in their possession, including laptops. The HR representative records and tracks the information.

5.2 Risk Assessment

The process of identifying, assessing and managing risks is a critical component of [company name]’s internal control system. The purpose of [company name]’s risk assessment process is to identify, assess, and manage risks that affect the organization’s ability to achieve its objectives. The management of [company name] also monitors controls to consider whether they are operating as intended and whether they are modified as appropriate for changes in conditions or risks facing the organization.

Ongoing monitoring procedures are built into the normal recurring activities of [company name] and include regular management and supervisory activities. Managers of the various organizational units are regularly in touch with personnel and may question the accuracy of information that differs significantly from their knowledge of operations.

[company name] has established an independent risk management function, led by the [acting CISO or CISO], that is responsible for identifying risks to the entity and monitoring the operation of the firm’s internal controls. The [acting CISO or CISO]’s approach is intended to align the entity’s strategy more closely with its key stakeholders, assist the organizational units with managing uncertainty more effectively, minimize threats to the business, and maximize its opportunities in a rapidly changing market environment. The [acting CISO or CISO] actively identifies and mitigates significant risks through the implementation of various initiatives and continuous communication with other leadership and senior management.

At least annually, the [acting CISO or CISO] assesses [company name]’s risk and control environment through a rigorous evaluation of financial, operational, and administrative controls, risk management practices, and compliance with laws, regulations, and [company name] policies and procedures. The [acting CISO or CISO] reports the results of this assessment, significant findings, and the status of corrective actions directly to the executive management team. The [acting CISO or CISO] adheres to standards of moral and ethical conduct, in addition to upholding relevant information security and privacy certifications and abiding by regulatory body requirements.

An annual third-party risk assessment is performed, including a review of attestation reports (e.g., SOC 2 or ISO 27001) for critical vendors with which user data is shared. Results and action items are communicated to the respective owners and tracked through internal risk management tools.

5.3 Control Activities

Along with assessing risks, management has identified and put into effect actions needed to address those risks. Control activities have been placed into operation to help ensure that those actions are carried out properly and efficiently. Control activities serve as the mechanisms for meeting the trust services criteria for the security category.

User Identification and Authentication

Employees and approved personnel sign into [company name] information systems using a unique ID and password; shared accounts are not permitted. Users are also required to separately sign on to any systems or applications that do not use the single sign-on functionality of [Identity and Access Management (IAM) Solutions].

Passwords must conform to defined password standards, which are enforced through parameter settings in [Identity and Access Management (IAM) Solutions]. These settings are part of the configuration standards and require users to change passwords at a defined interval. Endpoint configuration standards lock laptop screens after a period of inactivity and require re-entry of the user ID and password to unlock.

[company name] personnel, whether working remotely or from the office, are required to use multi-factor authentication (MFA) when accessing [company name] information systems. Password composition rules (a minimum of nine characters, with at least one number, one special character, one uppercase letter, and one lowercase letter) are systematically enforced across all production system components in accordance with company policy. Administrator access is restricted to authorized system and security administrators.

Customers access cloud services over the Internet through their web browser using Transport Layer Security (TLS) [minimum protocol version, e.g., TLS 1.2].

Laptops are initially configured in accordance with [company name]’s configuration standards; subsequent changes to these configuration parameters are made only through the mobile device management (MDM) solution in accordance with the Mobile Device Management Policy.

Access Provisioning/Deprovisioning

Upon hire, employees are assigned to a position in the HR management system. Prior to the employees’ start date, HR completes an onboarding form with accounts to be created and access to be granted. Next, HR submits an access request ticket for authorized team leads to provide access to approved systems. Access requests are also submitted for employees with position changes and the associated roles to be changed.

On an annual basis, access for each user is reviewed by a working group composed of the HR manager and each department head, who is responsible for approving access for their assigned team. In evaluating user access, group members consider job description, duties requiring segregation, and the risks associated with the access. The completed user access review is reviewed and approved by the CEO or [acting CISO or CISO]. As part of this process, the CEO or [acting CISO or CISO] reviews access held by privileged roles and requests modifications based on this review.

All changes to user access are submitted through the access request ticket tracking system for review and approval by management.

For terminated employees, HR completes an offboarding form listing the accounts and access to be removed, based on the employee’s onboarding form and any access changes approved since. The form is submitted with an access removal ticket to authorized team leads to ensure access is removed within one business day.
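The annual access review and the one-business-day removal requirement above are both checks that can be run continuously rather than once a year. The script below is an added example, not part of the template and not any vendor's code: it assumes the HR management system and the [IAM solution] can each export the records shown (the field names and every record are constructed sample data) and reconciles the two, flagging terminated employees whose accounts are still enabled past the deadline, enabled accounts with no HR owner, and privileged accounts without MFA.

```python
"""Joiner/mover/leaver reconciliation between the HR roster and IdP accounts.

Added example, not part of the template and not any vendor's code. It assumes
the HR management system and the [IAM solution] can export the records shown
below; field names are illustrative and the records are constructed sample data.
"""
from datetime import date, timedelta

# Constructed HR roster export (assumed fields; dates are ISO strings).
HR_ROSTER = [
    {"email": "ana@example.com",  "status": "active",     "termination_date": None,         "department": "Engineering"},
    {"email": "ben@example.com",  "status": "terminated", "termination_date": "2024-06-07", "department": "Support"},
    {"email": "cara@example.com", "status": "terminated", "termination_date": "2024-06-10", "department": "Finance"},
    {"email": "dan@example.com",  "status": "active",     "termination_date": None,         "department": "Engineering"},
]

# Constructed IdP account export (assumed fields).
IDP_ACCOUNTS = [
    {"email": "ana@example.com",        "enabled": True,  "privileged": False, "mfa_enrolled": True},
    {"email": "ben@example.com",        "enabled": True,  "privileged": True,  "mfa_enrolled": True},   # left on a Friday, still enabled
    {"email": "cara@example.com",       "enabled": False, "privileged": False, "mfa_enrolled": True},   # correctly disabled
    {"email": "dan@example.com",        "enabled": True,  "privileged": True,  "mfa_enrolled": False},  # admin without MFA
    {"email": "svc-deploy@example.com", "enabled": True,  "privileged": True,  "mfa_enrolled": False},  # nobody in HR owns it
]


def deprovisioning_deadline(termination_iso: str) -> str:
    """First business day after termination (assumption: Mon-Fri, no holiday calendar)."""
    d = date.fromisoformat(termination_iso) + timedelta(days=1)
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d.isoformat()


def reconcile(hr_roster, idp_accounts, today_iso: str) -> dict:
    """Compare IdP accounts against the HR roster and return review findings."""
    findings = {
        "overdue_deprovisioning": [],  # terminated in HR, still enabled after the deadline
        "orphan_accounts": [],         # enabled account with no HR record (service accounts need a named owner)
        "privileged_without_mfa": [],  # enabled privileged account not enrolled in MFA
        "privileged_review": [],       # every enabled privileged account, for the CEO/CISO review
    }
    hr_by_email = {r["email"].lower(): r for r in hr_roster}
    for acct in idp_accounts:
        if not acct["enabled"]:
            continue  # a disabled account carries no access; nothing to review
        email = acct["email"].lower()
        person = hr_by_email.get(email)
        if person is None:
            findings["orphan_accounts"].append(email)
        elif person["status"] == "terminated":
            deadline = deprovisioning_deadline(person["termination_date"])
            if today_iso > deadline:  # ISO-8601 date strings compare chronologically
                findings["overdue_deprovisioning"].append((email, deadline))
        if acct["privileged"]:
            findings["privileged_review"].append(email)
            if not acct["mfa_enrolled"]:
                findings["privileged_without_mfa"].append(email)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, IDP_ACCOUNTS, "2024-06-12").items():
        print(f"{category}: {items}")
```

Run against the sample data on 2024-06-12, the account terminated on Friday 2024-06-07 is overdue (its deadline was Monday 2024-06-10), the disabled account produces no finding, and the deployment service account is reported as an orphan because no HR record owns it. In practice the two exports are pulled on a schedule, each non-empty finding list opens a ticket in the access request system, and the evidence is retained for the annual review.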

Asset Management

All dynamic resources (virtual instances and services) are generated with automation and tracked to ensure complete asset inventory of all virtual assets. 

Laptops are inventoried and formally documented to include device identifier and device owner. The list is kept up-to-date by the IT team. 

Laptop Management and Protection

For laptop endpoint protection and management, a mobile device management solution is used that provides: full-disk encryption, malware protection (antivirus), security updates, the ability to set and enforce policies (e.g., screen lock, password requirements), and remote wipe of a laptop in the event of loss, damage, or theft.

Encryption of Communication Outside the Boundaries

Authorized employees may access the system from the Internet through a virtual private network (VPN). VPN access requires multi-factor authentication.

[company name] uses a certificate authority to provide the digital certificates that support encrypted communication for customer requests to and from the [platform/product name] web portal.

Encryption for Storage of Customer Data

All customer data is encrypted at rest. [company name] ensures the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information according to business and information security requirements, taking into consideration legal, statutory, regulatory, and contractual requirements related to cryptography.

Configuration Management

For cloud-based images, where base images other than the preconfigured operating system (OS) images provided by the hosting provider are used, they are pulled directly from verified official repositories and contain the latest security updates. For preconfigured OS images, live updates keep the OS and installed software current with security patches.

For automation in [company name]’s cloud-based environments, Infrastructure as Code (IaC) is used to manage security configurations. Security configurations are continuously monitored and reviewed. 

Change Management

[company name] has a formal process for tracking and managing system changes for the introduction of new systems and major changes to existing systems.

Changes are classified as (1) emergency deployment, meaning that they must be deployed on all production elements within a defined number of weeks; (2) standard deployment, which must be deployed on all production elements within a defined number of months; and (3) deploy on rebuild, which is classified as being deployed only when other changes are made to the system configuration. 

Secure Development 

[company name] has a formalized security and systems development methodology that includes project planning, tracking, designing, testing, implementation, maintenance, and disposal or decommissioning. Proposed changes are evaluated to determine if they present a security risk and what mitigating actions, including employee and user entity notifications, must be performed.

All infrastructure and code changes require independent validation prior to implementation to production to help ensure change requirements are met and security issues are resolved.

Changes to infrastructure and software are developed and tested in a separate development or test environment. Changes are tested according to the nature of the change prior to deployment to production. Customer content and personal information are not used in non-production environments. Code changes are peer reviewed to address any concerns prior to production deployment. Developers do not have the ability to migrate their own code changes into production environments.

New information systems, upgrades and new versions are thoroughly tested and verified during the development processes. Security testing is an integral part of the testing for systems or components. Static code analysis and dependency scanner tools are used to identify and remediate security vulnerabilities, prior to deploying to production. 

Development, testing and production environments are separated and secured to protect the production environment and data from compromise by development and test activities.

Physical Access and Environmental Controls 

No servers or computer facilities for the system applications are hosted on site; all computing facilities, and physical access to them, are controlled by the [cloud-hosting provider] at its data centers. Physical access and environmental controls (trust services criterion CC6.4) are therefore carved out to the subservice organization and addressed through the complementary subservice organization controls listed under DC7, rather than operated by [company name] directly.

Network Security

Networks and network devices are secured, managed, and controlled to protect against attacks that can affect availability, compromise security, or consume excessive resources. 

[company name] keeps an accurate and up-to-date architecture/network diagram. A [Perimeter Security Firewall] is configured to control access and monitor requests that are forwarded to protected web application resources: (1) to block all requests except the ones specified; (2) to protect against threats at the network and transport layers (e.g., DDoS attacks); (3) to manage, setup and configure web access control lists (ACLs); and (4) to ensure all egress and ingress traffic is going through the [Perimeter Security Firewall]. 

[Host-based Firewalls] and [Public and Private Network Segmentation] are set up and configured for network segregation to split the network into security boundaries and to control traffic between them based on business needs. This helps ensure development, testing, and production environments are separated and secured to protect the production environment and data from compromise by development and test activities. Network administration channels are also segregated from other network traffic.  

Monitoring Activities

Networks, systems and applications are monitored for anomalous behavior and appropriate actions are taken to evaluate potential information security incidents.

The following are included within the monitoring system: (1) outbound and inbound network, system, and application traffic; (2) access to systems, servers, networking equipment, monitoring systems, critical applications, etc.; (3) critical or admin-level system and network configuration files; (4) logs from security tools (e.g., antivirus, IDS, intrusion prevention system or IPS, web filters, firewalls, data leakage prevention); (5) event logs relating to system and network activity; (6) verification that code being executed is authorized to run on the system and has not been tampered with (e.g., by recompilation to add unwanted code); and (7) use of resources (e.g., CPU, hard disks, memory, bandwidth) and their performance.

Incident Management

[company name] management defines and communicates the roles and responsibilities within the Incident Response Plan (IRP) to ensure individuals responsible understand the organization’s priorities for handling information security incidents including resolution time frame based on potential consequences and severity. 

All personnel and customers are made aware of their responsibility to report information security events as quickly as possible in order to prevent or minimize the effect of information security incidents.

[company name] uses a status and incident communication tool to keep customers and employees informed during downtime at [status.companyname.com].

Vulnerability Management and Penetration Testing 

Vulnerability scanning is performed on a weekly basis in accordance with [company name] policy. The scanning method uses industry standard scanning technologies and a formal methodology specified by [company name]. These technologies are customized to test [company name]’s infrastructure and software in an efficient manner while minimizing the potential risks associated with active scanning. Retests and on-demand scans are performed on an as-needed basis. Tools requiring installation in the system are implemented through the change management process. Scanning is performed with approved scanning templates and with bandwidth-throttling options enabled.

An annual penetration test is conducted by a third-party vendor to measure the security posture of a target system or environment. The vendor uses an accepted industry-standard penetration testing methodology specified by [company name]. The vendor’s approach begins with a vulnerability analysis of the target system to determine which vulnerabilities exist that could be exploited. Once vulnerabilities are identified, the vendor attempts to exploit them to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network-layer testing as well as testing of the controls and processes around the networks, and is performed from outside the network (external testing).

The penetration testing reports specify identified vulnerabilities, a level of assessed risk for each vulnerability identified, and suggested remediation. The report includes an executive summary and client summary, which is available to [company name] customers upon request. 

Individual vulnerabilities identified during penetration and vulnerability testing are logged to the event management software and managed through the incident management process. 

5.4 Information and Communication

Information and communication is an integral component of [company name]’s internal control system. It is the process of identifying, capturing, and exchanging information in the form and time frame necessary to conduct, manage, and control the entity’s operations. This process encompasses the primary classes of transactions of the organization, including the dependence on, and complexity of, information technology. At [company name], information is identified, captured, processed, and reported by various information systems, as well as through conversations with clients, vendors, regulators, and employees.

Customer Support and Agreements

The organization plans and prepares for managing customer support requests and reporting of security incidents by defining, establishing, and communicating a formal process to ensure quick, effective, consistent, and orderly responses. A ticketing system is used to monitor, respond to, and track customer support requests and incidents: 

  • During onboarding, clients are trained and provided a link to submit requests and security incidents. As a backup, clients may email the ticketing system directly, or the internal customer care team opens a ticket on their behalf.
  • Tickets are used to document and track ongoing status updates and communication related to each request.

Customer service agreements are established and documented to ensure there is clear understanding between the organization and customer regarding both parties’ obligations to fulfill relevant information security requirements. A cloud-based tool to manage, deploy, and catalog signed agreements is used. Management ensures the standard customer service agreement template is kept up-to-date and includes: 

  1. Applicable standards, laws, and regulations
  2. Defined SLAs
  3. Rules of use (link to terms of use on website)
  4. Defined confidentiality and security clauses with customer responsibilities


The company makes descriptions of its services, component systems, and their boundaries readily available to customers and other stakeholders via its website, product documentation, emails, and/or blog posts.

[company name] also maintains internal informational websites describing the system environment, its boundaries, user responsibilities, and services to employees.

5.5 Monitoring Controls

In addition to the periodic testing described above (weekly vulnerability scanning, the annual penetration test, and the annual user access review), continuous monitoring tools are in place. Refer to the Monitoring Activities and Incident Management sections above.

Changes to the System During the Period

There were no changes that are likely to affect report users' understanding of how the system is used to provide the service during the period from [audit period].

Disclosure of Incidents

There were no system incidents during the period [audit period] that require disclosure, i.e., incidents that either:

  • Were the result of controls failing; or, 
  • Resulted in a significant impairment to the achievement of systems requirements or service commitments to customers. 

DC6: Complementary User Entity Controls (CUECs)

[company name] controls were designed with the assumption that certain internal controls would be in place at customer organizations. The application of such internal controls by customer organizations is necessary to achieve certain trust services criteria identified in this report. In addition, there may be control activities that are not identified in this report that would be appropriate for processing of transactions for [company name] customers.

For customers to rely on the information processed through the [platform/product name], each customer is expected to evaluate its own internal controls to ensure appropriate control activities are in place. The following general procedures and controls should be considered. They should not, however, be regarded as a comprehensive list of all controls that should be implemented by customer organizations.

  • User entity is responsible for protecting the user IDs and credentials issued within its organization.
  • User entity is responsible for periodically reviewing its users’ access to the [platform/product name] to validate the appropriateness of access levels.
  • User entity is responsible for approving and creating new user access to the [platform/product name].
  • User entity is responsible for removing terminated employee access to the [platform/product name].
  • User entity is responsible for implementing policies and procedures over the types of data that are allowed to be entered into the [platform/product name].
  • User entity is responsible for sending data to [company name] via a secure connection and/or the data should be encrypted.
  • User entity is responsible for notifying [company name] if they detect or suspect a security incident related to the [platform/product name].
  • User entity is responsible for reviewing email and other forms of communications from [company name], related to changes that may affect [company name] customers and users, and their security obligations.
  • User entity is responsible for establishing, monitoring, and maintaining controls over the security for system-generated outputs and reports from the system.
  • User entity is responsible for endpoint protection of workstations used to access the system.

DC7: Complementary Subservice Organizations Controls 

[company name] uses a subservice organization in support of its system. [company name]’s controls related to the system cover only a portion of overall internal control for user entities. It is not feasible for the trust services criteria over the [platform/product name] to be achieved solely by [company name]. Therefore, user entity controls must be evaluated in conjunction with [company name]’s controls described in Section IV of this report, taking into account the related complementary subservice organization controls expected to be implemented at the subservice organization as described below.

[company name] periodically reviews the quality of the outsourced operations by various methods including:

  • Review of the subservice organization’s SOC reports
  • Regular meetings to discuss performance
  • Non-disclosure agreements


Control activities expected to be implemented by the subservice organization, with the applicable trust services criteria for each:

  • Control activity: Logical access to the underlying network and virtualization management software for the cloud architecture is appropriately restricted.
    Subservice organization: [cloud-hosting provider]
    Applicable criteria: CC6.1, CC6.2, CC6.3, CC6.5, CC7.2

  • Control activity: Physical access to the data center facility is restricted to authorized personnel.
    Subservice organization: [cloud-hosting provider]
    Applicable criteria: CC6.4, CC6.5

  • Control activity: Intrusion detection mechanisms are in place to prevent or identify potential security attacks by unauthorized actors outside the boundaries of the system.
    Subservice organization: [cloud-hosting provider]
    Applicable criteria: CC6.1, CC7.2, CC7.3, CC7.4

  • Control activity: Environmental protections, including monitoring and alarming mechanisms, are implemented to address physical security and environmental control requirements.
    Subservice organization: [cloud-hosting provider]
    Applicable criteria: CC6.4 [add A1.2 if the Availability category is in scope]

  • Control activity: A defined Data Classification Policy specifies classification levels and control requirements in order to meet the company’s commitments related to confidentiality.
    Subservice organization: [cloud-hosting provider]
    Applicable criteria: CC6.1 [add C1.1 if the Confidentiality category is in scope]

  • Control activity: A defined process is in place to sanitize and destroy hard drives and backup media containing customer data prior to their leaving company facilities.
    Subservice organization: [cloud-hosting provider]
    Applicable criteria: CC6.5 [add C1.2 if the Confidentiality category is in scope]

DC8: Trust Services Criteria not Relevant 

[NOTE: If one or more applicable trust services criteria are not relevant to the system being described, service organization management includes in the description an explanation of why such criteria are not relevant. For example, an applicable trust services criterion may not be relevant if it does not apply to the services provided by the service organization.]

All the trust services criteria for the category or categories addressed by the description are relevant to the system.

DC9: Disclosures of Significant Changes in Last 1 Year 

There were no changes that are likely to affect report users' understanding of how the system is used to provide the service during the period of time covered by the description.