According to analysts, more than 85% of organizations will adopt cloud-first principles by 2025 and will not be able to fully execute their digital strategies without using cloud-native architectures and technologies. As we increasingly move to cloud environments, do you know what complementary subservice organization controls are, how to distinguish between vendors and subservice organizations, and how to monitor subservice organizations and their associated CSOCs? We cover all of this in this week’s blog post.
Complementary Subservice Organization Controls (CSOC)
Complementary Subservice Organization Controls (CSOCs) are controls that the service organization’s management assumes, in the design of the service organization’s system, will be implemented by subservice organizations. They are described in management’s description of the system and are necessary, in combination with the service organization’s own controls, to achieve the control objectives or the applicable trust services criteria for the service organization’s system.
Examples of CSOCs
Suppose your company offers Software as a Service (SaaS) to customers (your company is the service organization) and your company’s infrastructure is hosted in a service provider’s cloud environment (such as Amazon Web Services or Google Cloud Platform). In this example, the cloud environment provider is a subservice organization (a primary vendor). Your company may expect the cloud environment provider to implement certain physical and environmental controls to address risks to the company’s ability to continue providing its software services to customers. For example, a CSOC for the cloud provider might state that the provider maintains a business continuity plan and performs annual disaster recovery tests to ensure that the cloud environment can continue to be delivered.
As a service organization undergoing a SOC examination (so that we can provide SOC reports to our customers), we do not need to describe every vendor in the system description (Section III of the SOC report). Learn more about the carve-out and inclusive methods here. In fact, of the many vendors a company may use, only a few are actually considered subservice organizations.
How to distinguish between vendors and subservice organizations
The key here is that all subservice organizations are vendors, but not all vendors are subservice organizations. What distinguishes a subservice organization from a vendor is that a subservice organization performs functions that affect the delivery of the company’s services to its customers, and its controls are necessary, in combination with the company’s own controls, to meet the company’s service commitments and system requirements.
Using the cloud environment/hosting example above, if a natural disaster wiped out the data center and the cloud environment/hosting provider was unable to move the system to another location, customers would not be able to use the SaaS and the company may not be able to meet its service commitments. The cloud provider is therefore considered a subservice organization. By contrast, if the cloud environment is available as usual but the vendor that provides instant messaging capabilities to the company is not available, the company can still serve its customers, meet its service commitments, and maintain its system requirements; that vendor is not a subservice organization.
Who is responsible for CSOC?
Simply put, the service organization (your company) is responsible for ensuring that the CSOCs are properly designed and operating effectively. A CSOC is designed and operated by the subservice organization, but as part of the regular risk assessment process (after identifying the subservice organizations and distinguishing them from ordinary vendors), the company must specify the CSOCs it expects to be in place to address its identified risks. Once you have determined who the subservice organizations are and which CSOCs need to be designed and operating effectively, you will need to determine the monitoring activities the company will undertake to gain assurance over those CSOCs.
How to monitor subservice organizations and CSOCs
There are multiple methods a company can choose to monitor subservice organizations.
Examples of monitoring activities listed in AICPA AT-C 320.A27 include:
- “Review and refine output reports.”
- “Hold regular discussions with the subservice organization.”
- “Perform regular site visits to the subservice organization.”
- “Test controls at the subservice organization by members of the service organization’s internal audit function.”
- “Review a Type 1 or Type 2 report on the subservice organization’s system.”
- “Monitor external communications, such as customer complaints related to services provided by the subservice organization.”
Be aware that not all vendors will agree to all or some of the above activities (a vendor likely has multiple customers, all of whom wish to perform some level of monitoring). The monitoring activities your company employs depend on multiple factors, including internal resource constraints (financial resources to support business travel, human resources to conduct audits, etc.), the contract with the subservice organization (i.e., whether it grants a right to audit), and the alternative monitoring options available.
The most common method is to obtain and review the subservice organization’s SOC report. Just as not all vendors need to be included in a company’s SOC report, it is not necessary to document every CSOC from a subservice organization’s SOC report in the system description section of the company’s own SOC report. In fact, if you choose the carve-out approach, you only need to cover the general types or broad categories of controls, rather than the detailed processing or controls performed at the subservice organization. Not only are the details of the CSOCs not required in the company’s own SOC report, but not all controls listed in the subservice organization’s report are applicable to the company’s service commitments or system requirements. A review of the SOC report should focus on the relevant CSOCs identified in the internal risk assessment and on the relevant services provided by the subservice organization.
Evidence of monitoring activities
One of the key elements when reviewing a subservice organization’s SOC report is documenting the process you went through in performing the review. The documentation should include a list of all controls in the subservice organization’s report (i.e., all controls for the relevant service) and a simple “yes” or “no” as to whether the company considers each one a relevant CSOC. For each relevant CSOC, you should also document with a “yes” or “no” whether the report noted any exceptions or problems for that control. You can also tie each relevant control to the applicable Trust Services Criteria so that, if a problem arises, you can point to additional relevant controls that address the same criteria.
While this post focused on CSOCs, Complementary User Entity Controls (CUECs) can be reviewed and documented at the same time, in the same way, when performing and documenting a review of a subservice organization and its associated CSOCs.
Overview of CSOCs
As companies continue to expand into cloud environments and use other types of vendors to ultimately serve their customers, understanding which vendors are subservice organizations, and formally monitoring the CSOCs associated with those subservice organizations, is key to continuing to serve customers, meet service commitments, and maintain system requirements.
If you have any questions about SOC 1 or SOC 2 services, or the inclusion of CSOCs in service audit reports, please contact us.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – info@delta-data-compliance.com