One important and often overlooked use of the System Description (sometimes called a Section 3) is to demonstrate to your existing and potential customers that your organization has adequate ‘operational’ controls in place to support the service you are providing. Getting this right can encourage your customers to trust in your organization's leadership, and ultimately the product or service.
“These don't look like security controls!”
Controls that demonstrate this trust often center around reporting lines, ethics, and overall governance. Controls can also illustrate how involved management is in communicating goals and objectives to employees, or even how involved the Board is. These controls will reflect a handful of the Common Criteria that address specific “COSO Principles and Points of Focus,” which have been rebranded by the AICPA as “Common Criteria” for the SOC 2. (The COSO Framework was developed by the AICPA, which is the same organization that governs SOC reports, so if we are going for a SOC 2 we all have to use COSO; there is no way around it.)
The COSO-heavy Common Criteria speak more to your organization’s ‘Tone at the Top’ and operations. These specific Criteria may initially seem like they have nothing to do with IT security (or the other TSCs). However, by spending an equal amount of time identifying and developing controls to address the COSO-related Common Criteria, you will provide both your auditor and, more importantly, your customers with powerful insights into your organization’s level of security. Also, in order to pass a SOC 2 audit, you are required to identify controls that demonstrate how your organization meets each of the COSO principles.
So why do things like Board Minutes, performance improvement programs, or the other ‘operational’ controls matter? These seem like an overreach for a cyber security review, right? These more operational controls are incredibly valuable for the readers of your SOC 2 report. They illustrate the expectations and behaviors of management and employees. The business principles addressed by the operational controls provide a holistic view of your organization beyond just a firewall setting or a review of user access.
A leg up in the procurement process
When you inevitably come across an audit request that makes you think, “What the heck does this have to do with security?”, don’t try to fight it: use it to your advantage!
You may find yourself neck and neck with a competitor in the vendor selection process for a potential customer. If you have a similar service and your security controls are comparable, having these operational COSO controls accurately described in your System Description may give you the needed edge to win that new customer. You will earn their trust. The key here is that you want to describe the current controls that are in place ‘today’ - no forward-looking statements are allowed in System Descriptions.
Strong “COSO controls” will also demonstrate that your company is ready to enter the ring by shedding light on the maturity of your organization and your company’s Tone at the Top. For example, a good auditor does not expect a startup or small company to have a fully formed Employee Performance Program. However, a control around periodic one-on-ones between a manager and a staff member will go a long way - especially if it includes a standing discussion around performance concerns. Leadership sets the tone around performance, and can demonstrate it through this control.
The Strike Graph Solution
Strike Graph provides a library of controls that can demonstrate every COSO Principle, point of focus, or common criterion. This library includes audit-proven controls that can support both younger organizations that are getting their processes off the ground and organizations that have been around a while and may have a more traditional or mature control environment. We also provide a library of audit-proven evidence examples that you can use as a guide to demonstrate that you are performing the control. When it comes time to prepare the System Description, which includes a snapshot of your controls and processes, we have a tool to get you there too.