
SOC2 and human resource security (Part 1)

Security focused HR practices

In this first article, I am going to look at the components of the Control Environment criteria for SOC2 accreditation and how these define the human resource security requirements for your organization.

Internal Controls

The Control Environment criteria for SOC2 encompass the 17 COSO Principles developed by The Committee of Sponsoring Organizations of the Treadway Commission in their Internal Control-Integrated Framework.

The criteria provide focus points to assist management with the design, implementation, and operation of internal controls to mitigate risks in the security, availability, processing integrity, confidentiality, and privacy of information (data). If you are looking to obtain SOC2 accreditation you will need to demonstrate and provide evidence to your auditor that you are meeting these criteria.

Out of the 17 COSO Principles, 3 directly impact your employees and therefore should form part of your organization’s human resource security processes. Below, each criterion is defined, the key elements documented and the impact on human resource security is explored.

COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

The key focus points here include:

  • Establishes Policies and Practices
  • Evaluates Competence and Addresses Shortcomings
  • Attracts, Develops, and Retains Individuals
  • Plans and Prepares for Succession
  • Considers the Background of Individuals
  • Considers the Technical Competency of Individuals
  • Provides Training to Maintain Technical Competencies

Your organization will require a strict recruitment procedure to ensure that individuals are recruited to meet the exact needs of your business. Roles and responsibilities need to be defined and continually reviewed, and your employees supported with training and mentoring. For SOC2 accreditation, evidence will be required to confirm these processes are in place and that your organization considers the competency of individuals against the requirements of your organization. You will need to demonstrate that background checks were undertaken and reviewed. Evidence showing that you have shared roles and responsibilities with your new hires, that you have provided them with any necessary technical training, and that you continue to monitor performance competency and address any shortcomings will be required for your annual audit.

COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.

The key focus points here include:

  • Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls
  • Establishes Relevant Technology Infrastructure Control Activities
  • Establishes Relevant Security Management Process Controls Activities
  • Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Your organization will need to ensure that controls are in place to restrict employee access rights to your technology. Access should be based on the user’s role and responsibilities within your organization. Granted access rights should be monitored, reviewed regularly, and revoked when employees leave or change employment terms within your organization. For a SOC2 audit, these controls and the granting and revoking of rights will need to be demonstrated and evidenced.
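The paragraph above describes three checks an auditor will ask to see evidence of: access tied to role, periodic review, and revocation when someone leaves or changes role. The following Python script is an added example (not code from the article or its author) that runs those checks against two constructed inputs, an HR roster and a list of granted access rights, and produces the findings you would attach to an access-review record. The role-to-entitlement matrix, the employees, systems and dates are all hypothetical.

```python
"""Access-review check supporting COSO Principle 11 evidence (added example).

Compares an HR roster against a list of granted access rights and flags:
  * grants whose holder is not an active employee (revoke on departure),
  * grants that exceed what the holder's current role entitles them to
    (revoke or re-approve after a role change),
  * grants whose last review is older than the review window (stale).
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    status: str          # "active" or "terminated"

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str
    last_reviewed: date  # date the grant was last re-certified by its approver

# Hypothetical role-to-entitlement matrix: what each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "engineer": {("git", "write"), ("ci", "read")},
    "support":  {("crm", "read"), ("ticketing", "write")},
    "finance":  {("ledger", "write")},
}

def review_access(employees, grants, today, role_entitlements=ROLE_ENTITLEMENTS,
                  review_window_days=90):
    """Return findings keyed by category; each value is a sorted list of
    (user, system, entitlement) tuples so the output is stable for evidence."""
    by_user = {e.user: e for e in employees}
    findings = {"no_active_owner": [], "exceeds_role": [], "stale_review": []}
    for g in grants:
        key = (g.user, g.system, g.entitlement)
        emp = by_user.get(g.user)
        # Leavers and orphaned accounts: no active roster entry backs the grant.
        if emp is None or emp.status != "active":
            findings["no_active_owner"].append(key)
            continue
        # Role check: the grant must be in the holder's current role's allowance.
        if (g.system, g.entitlement) not in role_entitlements.get(emp.role, set()):
            findings["exceeds_role"].append(key)
        # Periodic review: anything not re-certified inside the window is stale.
        if (today - g.last_reviewed).days > review_window_days:
            findings["stale_review"].append(key)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample inputs.
SAMPLE_EMPLOYEES = [
    Employee("alice", "engineer", "active"),
    Employee("bob", "support", "active"),
    Employee("carol", "finance", "terminated"),   # has left; access must go
]
SAMPLE_GRANTS = [
    Grant("alice", "git", "write", date(2023, 6, 1)),     # in role, recently reviewed
    Grant("alice", "ledger", "write", date(2023, 7, 1)),  # outside engineer role
    Grant("bob", "crm", "read", date(2023, 1, 15)),       # in role, review overdue
    Grant("carol", "ledger", "write", date(2023, 7, 1)),  # leaver still has access
    Grant("dave", "ci", "read", date(2023, 7, 1)),        # no roster entry at all
]
SAMPLE_TODAY = date(2023, 7, 31)

def sample_findings():
    """Run the review over the constructed data (also the entry point for a test)."""
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_GRANTS, SAMPLE_TODAY)

if __name__ == "__main__":
    for category, items in sample_findings().items():
        print(f"{category}:")
        for user, system, entitlement in items:
            print(f"  {user:<6} {system:<10} {entitlement}")
```

Each finding category maps to one thing the auditor will look for: `no_active_owner` is the leaver/revocation control, `exceeds_role` is the role-based access control, and `stale_review` is the periodic review control. Keeping the dated output of each run is the evidence that the review actually happened.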

COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

The key focus points here include:

  • Communicates Internal Control Information
  • Communicates With the Board of Directors
  • Provides Separate Communication Lines
  • Selects Relevant Method of Communication
  • Communicates Responsibilities
  • Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters
  • Communicates Objectives and Changes to Objectives
  • Communicates Information to Improve Security Knowledge and Awareness
  • Communicates Information About System Operation and Boundaries
  • Communicates System Objectives
  • Communicates System Changes

Your organization will need to have a process in place for communicating policies and procedures, roles and responsibilities, and other key information to your employees. Training will need to be provided to employees to improve security knowledge and awareness, to ensure that employees understand and take responsibility for internal control practices, and to help mitigate risk for your organization. Your procedures will need to be fully documented and evidence provided to your auditor that this information has been acknowledged and understood by your employees.

Best Practice

Following best practices for human resource security will ensure data risks are mitigated. Developing and implementing these processes from the start ensures a controlled environment for your organization as it grows. Engaging staff in the process encourages their willingness to develop and maintain internal controls.

A strong control environment will give your auditor confidence for SOC2 accreditation, which in turn will give your customers and users confidence in your product.

Part two of this article on SOC2 and human resource security can be found here.

Please note the information presented on this website is provided as a general guide and is not a substitute for legal or tax advice. For specific advice, be sure to consult with a qualified professional.

Author: Sarah Cundle
This article was first published on October 01 2022
Last updated on July 31 2023