When companies think of data protection and security, they focus on operations. What data is collected? How is it stored? Who has access? They spend hours establishing internal procedures to ensure compliance with industry standards and government regulations. Few think of data security as involving a Board of Directors.
When companies think of data protection and security, they focus on operations. What data is collected? How is it stored? Who has access? They spend hours establishing internal procedures to ensure compliance with industry standards and government regulations. Few think of data security as involving a Board of Directors.
SOC 2 is a compliance standard that stipulates how service organizations including their Board of Directors should manage customer data. It is based on the following trust service criteria (TSC):
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
TSC is the current term for the control criteria used to assess and report on how well organizations manage their information and systems. TSCs are the same as the original trust services principles or TSPs.
What is TSP Section100?
TSP Section 100 outlines the requirements for meeting SOC 2 standards. Each subsection describes the common criteria used to evaluate the effectiveness of an entity's controls. The five common criteria include:
- The control environment (CC1 series)
- Communication and information (CC2 series)
- Risk assessment (CC3 series)
- Monitoring of controls (CC4 series)
- Control activities related to the design and implementation of controls (CC5 series)
Of these common control criteria, the control environment (CC1) focuses on a Board's involvement, although the Board of Directors is mentioned throughout the TSP.
CC1: The Control Environment
The control environment refers to the guidelines for structure, authority, responsibility, and oversight of information. Organizations with well-established controls should exhibit a commitment to:
- Ethical values
- Integrity
- Competency
- Accountability
CC1 criteria are broken into subsections as described below.
CC1.1 Principle 1
The entity demonstrates a commitment to integrity and ethical values.
To meet this standard, organizations must demonstrate the following:
- Sets the Tone at the Top — The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
- Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
- Considers Contractors and Vendor Employees in Demonstrating Its Commitment — Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.
CC1.2 Principle 2
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Specific efforts should include:
- Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
- Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision-making.
- Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.
CC1.3 Principle 3
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
The Board should have direct involvement in:
- Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
- Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.
- Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
- Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.
CC1.4 Principle 4
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Entity's Boards should participate in the following:
- Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
- Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
CC1.5 Principle 5
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
The Board should establish criteria and procedures to ensure accountability.
- Enforces Accountability Through Structures, Authorities, and Responsibilities — Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary.
- Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
- Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
Beyond CC1
Although most Board of Director responsibilities are found in CC1: Control Environment, there are additional duties outlined throughout TSP Section 100. These include the following:
- Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
- Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.
- Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
- Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
- Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors
- COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC 2 & Boards of Directors: Wrapping Up
Preparing for a SOC 2 audit requires time, resources, and a commitment from the top. If that commitment is not present, the chances of a successful SOC 2 audit are significantly reduced. As organizations look to their first assessments, they need to ensure that their Boards are aware of their responsibilities.