Control # | Control Activity Specified by the Service Organization | Service Auditor’s Test of Controls | Test Results | |
CC1.1.1 | “Company Name” maintains updated policies and procedures that outline requirements that employees and engineering contractors must follow as it pertains to conducting themselves appropriately and maintaining security of Company and customer information. These policies and procedures are accessible to all employees and are acknowledged upon hire and on an annual basis. | Inspected the collection of organizational policies and procedures to determine whether they adequately outline requirements pertaining to information security and employee / contractor conduct. Also verified whether the policies were appropriately updated and reviewed during the 3-month review period. For a sample of four personnel who were employed or under contract with “Company Name”, including two new hires, verified through inspection whether the policies were acknowledged in a timely manner upon hire and on an annual basis. | No exceptions noted. | |
CC1.1.2 | “Company Name” has established a Code of Conduct policy that is acknowledged by all new employees and engineering contractors upon hire and on an annual basis. This policy outlines expectations the Company has set related to ethics and standards of conduct. Additionally, this policy outlines processes that Management has established to evaluate adherence to standards of conduct and address deviations in a timely manner. | Inspected the “Company Name” Code of Conduct to determine whether it outlines expectations around ethical conduct for employees and contractors as well as disciplinary actions if the policy is violated. For a sample of four personnel who were employed or under contract with “Company Name”, including two new hires, verified through inspection whether the Code of Conduct was acknowledged in a timely manner upon hire and on an annual basis. | No exceptions noted. | |
CC1.1.3 | Prior to joining “Company Name”, all independent contractors are required to sign consulting agreements that contain confidentiality and non-disclosure obligations. | For a sample of independent contractors hired during the 12-month review period, verified whether consulting agreements that contain confidentiality and non-disclosure obligations were signed by the contractor prior to joining “Company Name”. | No exceptions noted. | |
CC1.3.1 | “Company Name” maintains an updated organizational chart that establishes structure, reporting lines and delegation of authority and responsibility across the Company. This organizational chart is available to all employees through the Vanta application. | Inspected “Company Name”’s organizational chart and verified whether it establishes the structure, reporting lines and delegation of authority across the Company. Also verified through inspection whether it is up to date and available to all employees in Vanta. | No exceptions noted. | |
CC1.3.2 | “Company Name” has an assigned security team that is responsible for the design, implementation and oversight of the organization’s security policies and procedures. The security team communicates important information security events to company management in a timely manner. | Inspected “Company Name”’s Information Security Policy to verify whether a security team and security officer have been formally designated, along with clearly defined roles and responsibilities. Inspected screenshots evidencing communication among the security team about information systems and security. | No exceptions noted. | |
CC1.4.1 | All positions have a detailed job description that lists qualifications, such as required skills and experience, which candidates must meet in order to be hired by “Company Name”. | Inspected the job descriptions for all positions at “Company Name” to determine whether they outline the skills and experience expected of candidates. | No exceptions noted. | |
CC1.4.2 | Background checks are performed on new employees and engineering contractors prior to the new hire’s start date, as permitted by local laws. The results are reviewed by Management and appropriate action is taken if deemed necessary. | Inspected background checks for a sample of two newly hired employees / contractors to determine whether they were performed before their start dates and whether Management reviewed the results. | Noted the following exception: • For 1 of the 2 sampled new hires, the background check was completed one week after the contractor’s start date. | |
CC1.4.3 | Executive Management holds weekly meetings that include analyzing the competency of its staff against the required business objectives and forecasted growth to determine whether additional resources are necessary. | Inspected an email invite of the Executive Team recurring meeting to determine whether the CEO, CFO, Head of Engineering and Head of Sales are scheduled to meet on a weekly basis. Inquired with Management whether these discussions incorporate all matters relevant to senior leadership, including staff competency and resource needs. | No exceptions noted. | |
CC1.4.4 | “Company Name” employees are required to attend training to develop and maintain their skills and technical competency. | For a sample of employees, verified whether appropriate role-based training was provided during the 3-month review period. | No exceptions noted. | |
CC1.4.5 | Management maintains contingency plans for assignment of responsibilities in the event of organizational turnover. | Inspected the “Company Name” Contingency Plan for Key Employees to determine whether it adequately outlines the assignment of responsibilities in the event of employee turnover. | No exceptions noted. | |
CC1.5.1 | “Company Name” maintains formalized performance expectations for each position and uses these expectations as a basis for evaluating the performance of each of its employees. These performance evaluations, which incorporate internal control responsibilities, are completed on an annual basis. | For a sample of two employees, inspected their annual performance evaluations to determine whether they were based on a formalized set of expectations that were relevant to the position, including internal control requirements. | No exceptions noted. | |
CC1.5.2 | “Company Name” provides incentives to its employees by rewarding exceptional performance and the fulfillment of internal control responsibilities. Additionally, disciplinary action is taken to address inadequate performance and failure to meet internal control responsibilities. | For a sample of two employees, inspected their annual performance evaluations to determine whether they provided adequate performance feedback and rated the performance for the year as Satisfactory or Non-Satisfactory. Inspected a performance improvement plan that was issued during the 12-month review period to confirm whether employees were held accountable for failure to meet expectations. | No exceptions noted. | |
CC1.5.3 | On a periodic basis, Management evaluates the requirements and expectations for the various positions within the company and adjusts expectations as needed, to ensure they align with the objectives of the organization. This includes evaluating whether excessive pressures exist and making changes when necessary. | Inspected evidence of weekly Executive Team meetings, documented job descriptions, as well as recent new hires that were made, to determine whether Management adequately addresses the resource needs at “Company Name”, based on organizational objectives and pressures. | No exceptions noted. | |
CC2.2.1 | “Company Name” maintains updated policies and procedures that enable all personnel to understand and carry out their internal control responsibilities, including ensuring confidentiality, integrity, and availability of all systems and data. These policies and procedures are accessible to all personnel through the Vanta application and are acknowledged by all employees and engineering contractors upon hire and on an annual basis. | Inspected the collection of organizational policies and procedures to determine whether they outline roles and responsibilities around internal controls. Also verified through inspection whether the policies and procedures are up to date and available to all employees in Vanta. For a sample of four personnel who were employed or under contract with “Company Name”, including three new hires, verified through inspection whether the policies were acknowledged in a timely manner upon hire and on an annual basis. | Exception noted: a comprehensive record retention policy has not been implemented. | |
CC2.2.2 | “Company Name” employees are required to complete an annual Information Security Awareness training. | Inspected the content of the Information Security Awareness training to verify whether it was appropriate. For a sample of two employees, inspected the training completion records to confirm that the Information Security Awareness training was completed during the 3-month review period. | No exceptions noted. | |
CC2.2.3 | “Company Name” provides a process for employees and contractors to report security, confidentiality, integrity and availability failures, incidents, and concerns, and other complaints to Management. | Inspected the Responsible Disclosure Policy to determine whether it provides a process for employees and contractors to report potential vulnerabilities, security incidents and general concerns. | No exceptions noted. | |
CC2.2.4 | “Company Name” maintains a confidential whistleblower hotline which enables anonymous reporting in the event that normal communications are not effective. | Inspected the “Company Name” Network Protection Policy to determine whether an anonymous whistleblower hotline has been implemented. | No exceptions noted. | |
CC3.4.1 | As part of the risk assessment process, Management identifies and assesses changes that could significantly impact the system of internal control. The assessment includes evaluating changes pertaining to engineering, information security, finance, legal, sales, human resources, and vendors. | Inspected the most recent Risk Assessment completed in Vanta during the 3-month review period to verify that it includes an evaluation of changes pertaining to: • Engineering • Information Security • Finance • Legal • Sales • Human Resources • Vendors | No exceptions noted. | |
CC4.1.1 | “Company Name” conducts ongoing monitoring over internal controls to ensure they are appropriately designed and operating effectively in accordance with baseline requirements. These evaluations are conducted by knowledgeable personnel, are integrated with business processes, consider changes in business processes, and vary in frequency based on associated risks. | Inspected the following monitoring tools that were in place during the 3-month review period to determine whether they were adequately leveraged by knowledgeable personnel: • LinkedIn phishing attempts • Vulnerability scanning • Penetration testing • AWS CloudWatch (with CloudTrail enabled) • DataDog • Scalyr • Rollbar | Noted the following exceptions: • Web application penetration testing is not being performed on an annual basis. • Phishing tests are not currently being performed to gauge employee and contractor response to simulated phishing attacks. • A File Integrity Monitoring (FIM) system to monitor file changes has not been implemented. | |
CC4.1.2 | “Company Name” has implemented a vulnerability management program to detect and remediate system vulnerabilities in software packages used in the Company’s infrastructure. | Inspected the “Company Name” Vulnerability Management & Patch Program to verify that it adequately outlines processes that are in place to detect and remediate system vulnerabilities on servers and software packages in a timely manner. Inspected the Threat Stack and Vanta vulnerability scanning reporting tools to determine what percentage of detected vulnerabilities were not resolved in a timely manner, in accordance with SLA requirements. Inspected the Vanta computer monitoring dashboard to verify whether all employees / contractors were utilizing appropriate versions of OS X, Windows, or Linux operating systems. | Noted the following exceptions: • Documentation was unavailable to show what percentage of vulnerabilities detected by Threat Stack were not remediated in a timely manner in accordance with SLA requirements. • 16 out of 1,010 (1.58%) vulnerabilities detected by Vanta were not remediated in a timely manner in accordance with SLA requirements. • 1 out of 11 employees / engineering contractors did not have the Vanta agent installed on their workstations to monitor for vulnerabilities. | |
CC4.1.3 | “Company Name” uses AWS CloudWatch with CloudTrail enabled to monitor the infrastructure and web application, including tracking user activity and API usage. | Inspected a screenshot of “Company Name”’s AWS infrastructure to verify whether AWS CloudTrail was enabled. | No exceptions noted. | |
CC4.1.4 | “Company Name” uses DataDog to monitor system performance and alert the CEO to potential issues. | Verified through observation whether DataDog has been implemented by “Company Name” and was being used to monitor system performance. Verified through inspection whether DataDog system performance alerts were sent to the CEO via email. | No exceptions noted. | |
CC4.1.5 | “Company Name” uses Scalyr to monitor server logs and alert the CEO to potential issues. | Verified through observation whether Scalyr was implemented to monitor server logs. Verified through inspection whether alerts were being generated and sent to the CEO via email. | No exceptions noted. | |
CC4.1.6 | “Company Name” uses Rollbar to monitor errors and bugs during software development. | Verified through observation whether Rollbar has been implemented by “Company Name” and is being used by the engineering team to monitor coding errors and bugs. | No exceptions noted. | |
CC4.1.7 | “Company Name” obtains an external penetration test of its application. | Inspected the penetration test report (w/p CC4.1), noting no high-severity findings. | No exceptions noted. | |
CC5.3.1 | “Company Name” maintains updated policies and procedures that incorporate activities across the organization. These policies and procedures establish requirements pertaining to timely performance of controls, taking corrective action on control deficiencies, and ensuring that competent personnel are accountable for control execution. | Inspected the organizational policies and procedures to determine whether they incorporate a comprehensive suite of internal controls, outline roles and responsibilities for control performance, and establish requirements related to the timely remediation of control deficiencies. | No exceptions noted. | |
CC6.6.1 | “Company Name” utilizes a Network Address Translation (NAT) Gateway in AWS to enable instances in a private subnet to connect to the internet or other AWS services, while preventing the internet from initiating a connection with those instances. | Inspected the network configuration settings in AWS to verify whether NAT Gateways have been established. | No exceptions noted. | |
CC6.6.2 | Vanta is utilized as a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data stored in Amazon S3. | Inspected “Company Name”’s Vanta application to verify whether it was enabled to monitor AWS accounts, workloads and data for malicious activity and unauthorized behavior. | No exceptions noted. | |
CC7.1.1 | “Company Name” has established an enterprise-wide security program to identify incidents and issues occurring in the environment through monitoring and reporting. | Inspected the “Company Name” Policy Packet to verify whether an enterprise-wide security program has been established that enables the prevention and detection of security incidents and vulnerabilities within the organization and provides mechanisms for timely remediation. | No exceptions noted. | |
CC7.1.2 | “Company Name” maintains an updated baseline configuration of its information systems as well as the Cloud LDAP, Cloud RADIUS, and Cloud SSH Key Management Services system. | Inspected the Vanta application to verify whether baseline configurations were documented and included information around system components, network topology and the logical placement of those components within the system architecture. Confirmed through observation of the GitHub code repository that baseline configurations of the “Company Name” system are documented. | No exceptions noted. | |
CC7.1.3 | “Company Name” utilizes VPC Flow Logs in AWS to capture information about IP traffic going to and from network interfaces within their VPC. | Inspected the VPC Flow Logs in AWS to verify whether they are achieving the following objectives: • Diagnosing overly restrictive security group rules • Monitoring the traffic that is reaching the instance • Determining the direction of traffic to and from the network interfaces | TBD – Need to see screenshot showing that VPC Flow Logs are used in AWS. | |
CC7.1.4 | “Company Name” conducts automated vulnerability scans at least daily to identify potential vulnerabilities or misconfigurations. | Inspected the Threat Stack vulnerability scanning tool to verify whether it was enabled to run automated daily vulnerability scans from November 2019 – August 2020. Inspected the Vanta application to verify whether it was enabled to run continuous, automated vulnerability scans of AWS servers and packages from September 2020 – October 2020 (replacing Threat Stack). | No exceptions noted. | |
CC7.1.5 | File name extensions are displayed on workstations so that users can determine whether a file is executable. | Inspected Windows and OS X settings to verify whether file name extensions were displayed, reducing the risk of users opening dangerous downloaded files. | TBD – Need to see screenshots of settings to verify whether file name extensions are displayed. | |
CC7.1.6 | Spam filtering mechanisms are in place to block known email spammers and malware. Additionally, external emails alert users to potential risks associated with opening attached files from outside the organization. | Inspected spam filtering settings to verify whether known / suspected spammers and malware were flagged for filtering. Also verified through inspection that external emails were flagged to alert users to the risks associated with interacting with the email and opening attachments. | No exceptions noted. | |
CC7.2.1 | “Company Name” maintains updated detection policies, procedures, and tools to identify anomalies or unusual activity on information systems. Potential security incidents are filtered and analyzed based on established detection measures. | Inspected the Incident Management Policy to verify whether it adequately documented incident detection processes, as well as management of potential incidents. Inspected the following monitoring tools that were in place during the 12-month review period to determine whether they were adequately leveraged by knowledgeable personnel: • Threat Stack Vulnerability Scanning • Vanta Vulnerability Scanning • HackerOne Bug Bounty Program • AWS CloudWatch (with CloudTrail enabled) • DataDog • Scalyr • Rollbar | Noted the following exceptions: • Web application penetration testing is not being performed on an annual basis. • Phishing tests are not currently being performed to gauge employee and contractor response to simulated phishing attacks. • A File Integrity Monitoring (FIM) system to monitor file changes has not been implemented. | |
CC7.2.2 | Detection tools are periodically analyzed by Management for effectiveness and remedial action is taken when necessary. | Inspected the weekly meeting invite between the CEO and Operations Engineer, as well as Slack communications, to verify whether Senior Leadership was involved in conducting issue remediation, as well as analyzing the effectiveness of their internal monitoring tools. | No exceptions noted. | |
CC7.2.3 | Management reviews channel dashboards in real time that summarize incidents, their root causes, and corrective action plans; as part of the review, Management identifies the need for system changes and additional controls based on incident patterns and root causes. | Inspected the Slack channel dashboards to determine whether Management reviews incident summaries, root causes, and corrective action plans in real time and identifies needed system changes and additional controls based on incident patterns and root causes (see w/ps CC7.3 – CC7.5). | No exceptions noted. | |
CC7.2.4 | Load balancers are used to distribute traffic in a way that increases the reliability and availability of the system. | Inspected the company’s infrastructure configuration and determined that the company uses load balancers. (Screenshots below) | No exceptions noted. | |
CC7.2.5 | The Company uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users. | Sighted screenshot from EventLog Analyzer showing log repository (see below). | No exceptions noted. | |
CC7.2.6 | Logging software retains log entries for at least 12 months. | Inspected the logging settings and confirmed that server logs are set to retain entries for at least 12 months (see screenshot below). | No exceptions noted. | |
CC7.3.1 | “Company Name” has established an internal ticketing system for tracking potential incidents. Tickets are prioritized based on their impact and severity. | Inspected the Jira ticketing system to verify whether potential incidents that are reported are tracked and prioritized for investigation based on impact and severity. | No exceptions noted. | |
CC7.3.2 | Detailed security events are evaluated to determine whether there was any unauthorized disclosure or use of personal information. | Per inquiry with the CEO and inspection of the security@”Company Name”.com email account, determined that there were no security incidents reported during the period of 9/30/2020 to 11/30/2020. Therefore, testing was not applicable. | Not applicable. | |
CC7.3.3 | In the event that unauthorized use or disclosure of personal information has occurred, Management identifies the affected information and determines whether there has been a failure to comply with applicable laws or regulations. | |||
CC7.4.1 | “Company Name” maintains an updated Incident Response Program that establishes roles and responsibilities and includes procedures for containing, mitigating, and ending the threats posed by security incidents and restoring operations. The program also includes communication protocols as well as requirements pertaining to understanding the nature of the incident, determining containment strategy, remediating identified vulnerabilities, and communicating remediation activities. | Inspected the Incident Response Program to verify whether it incorporated the following: • Clearly defined roles and responsibilities • Procedures for containing, mitigating, and ending the threat • Restoring operations in a timely manner • Communication requirements to internal / external stakeholders • Post-mortem procedures around analyzing the incident, including a root-cause evaluation, and • Implementing and communicating process / control changes to ensure that similar incidents do not occur in the future For a sample of security incidents, verified whether the Incident Response Program was adequately followed. | No exceptions noted. | |
CC7.4.2 | The Incident Response Program is re-evaluated after security incidents to determine whether any system or process changes are necessary. | Per inquiry with the CEO and inspection of the security@”Company Name”.com email account, determined that there were no security incidents reported during the period of 11/1/2019 to 10/31/2020. Therefore, testing was not applicable. | Not applicable. | |
CC7.4.3 | Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. | |||
CC7.4.4 | The conduct of individuals and third parties involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with “Company Name” policies and legal / regulatory requirements. | |||
CC7.5.1 | “Company Name” follows the Incident Response Program to restore the affected environment to full operation by rebuilding systems, updating software, installing patches, and / or changing configurations, as needed. | Per inquiry with the CEO and inspection of the security@”Company Name”.com email account, determined that there were no security incidents reported during the period of 11/1/2019 to 10/31/2020. Therefore, testing was not applicable. | Not applicable. | |
CC7.5.2 | Information about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are communicated to Management and other internal and external parties, as appropriate. | |||
CC7.5.3 | After an incident has been resolved and appropriate parties have been notified, a postmortem that includes a root cause analysis and lessons learned is completed. Architectural and / or procedural changes are implemented, when possible, to prevent and detect recurrences of similar incidents. This includes conducting additional training to educate personnel on how to prevent future incidents. | |||
CC7.5.1 | Change management requests are opened for incidents that require permanent fixes. | Inquired with the Director of Platform Engineering and determined that a change management request is required for any incident that needs a permanent fix, noting that “Company Name” had no security incidents reported from 11/1/2019 – 10/31/2020. | No exceptions noted. | |
CC7.5.2 | After critical incidents are investigated and addressed, lessons learned are documented and analyzed, and incident response plans and recovery procedures are updated based on the lessons learned. | Inspected the Incident Response Plan (w/p CC7.1) to determine that it states: “All incidents classified as ‘High’ or above require a retrospective meeting and a ‘lessons learned’ document.” Inquired with the Director of Platform Engineering, noting that “Company Name” had no security incidents reported from 11/1/2019 – 10/31/2020. | No exceptions noted. | |
CC7.5.3 | Data backups are performed daily and retained in accordance with a pre-defined schedule in the Backup Policy. | Inspected the Backup Policy (w/p CC1.1 page 18) and noted that it documents the requirement for daily backups of the database for all data stored by the cloud services provider. Obtained the screenshot below showing that the configuration automatically backs up data daily and retains backups for 30 days. | No exceptions noted. | |
CC8.1.1 | “Company Name” maintains an updated Change Management Policy that governs the software development lifecycle (SDLC), including (1) authorizing system changes prior to development; (2) designing and developing system changes; (3) documenting and tracking changes prior to implementation; (4) testing and approving system changes; (5) deploying changes to production; (6) evaluating the changes against their objectives; and (7) modifying infrastructure, data, software and procedures to remediate identified incidents. | Inspected the Change Management Policy to verify whether it adequately documented SDLC processes and controls, including requirements around maintaining information security during software development. Inspected the Vanta monitoring application to verify whether a version control system has been implemented to manage source code and change requests. | No exceptions noted. | |
CC8.1.2 | “Company Name” maintains an Emergency Change Policy that outlines procedures for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations. | Inspected the Change Management Policy to verify whether it outlined requirements around implementing changes in emergency situations. | No exceptions noted. | |
CC8.1.3 | Prior to implementing changes to information systems, the engineering team conducts a security impact analysis of the potential security impacts of the proposed changes. | There were no major changes or additions to “Company Name” products during the 3-month review period that required a security impact analysis. Therefore, testing was not applicable. | Not applicable. | |
CC8.1.4 | “Company Name” maintains procedures for protecting personal and confidential information during system design, development, testing, and implementation. | Inspected the Change Management Policy to verify whether it incorporated procedures for protecting personal and confidential information during the SDLC. | No exceptions noted. | |
CC8.1.5 | “Company Name” uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system administrator. | Inspected the Vanta application to verify whether a version control system has been implemented to manage source code and change requests. Inspected the user access rights to GitHub to verify whether access rights were appropriately assigned by the system administrator based on job responsibilities. | No exceptions noted. | |
CC8.1.6 | System users who make changes to the development system are unable to deploy those changes to production without independent approval. An authorized engineer reviews, tests, and approves network configuration changes before the changes are deployed to production. All deployments are logged, including who deployed the change and at what time it was deployed. | Inspected GitHub configuration settings to verify whether pull requests cannot be merged without an independent code review (or an administrator override). Inspected the Vanta application to verify whether code changes and approvals are logged in GitHub. | No exceptions noted. | |
CC8.1.7 | Changes to the production environment are communicated to affected internal and external stakeholders. | Inspected the “Company Name” Blog (www.”Company Name”.com/blog) to verify whether new products and features were communicated to internal and external stakeholders. | No exceptions noted. | |
CC9.1.1 | Business continuity and disaster recovery plans are developed and updated on an annual basis. | Inspected the business continuity (w/p CC1.1 page 19) plan and disaster recovery plan (w/p CC1.1 page 35) and verified that both plans were last updated in August 2020. | No exceptions noted. | |
CC9.1.2 | The entity has purchased insurance to offset the financial loss that could result from a critical security incident or exploitation of a vulnerability. | Inspected the insurance documentation available in Vanta (screenshot below) to determine that the entity purchased General / Office insurance through Hardford to offset the financial loss that could result from a critical security incident or exploitation of a vulnerability. | No exceptions noted. | |
CC9.2.1 | “Company Name” maintains an updated Third-Party and Vendor Management Policy to monitor and ensure service levels and ongoing compliance of existing vendors and third parties. | Inspected the Third-Party Monitoring and Vendor Management Policy to verify whether it adequately documented procedures for conducting vendor due diligence reviews and risk assessments. | No exceptions noted. | |
CC9.2.2 | “Company Name” obtains confidentiality and privacy commitments from vendors prior to onboarding and assesses compliance with those commitments on an annual basis. | For a sample of new vendors, verified whether confidentiality and privacy commitments were obtained for those vendors prior to onboarding. | ||
CC9.2.3 | “Company Name” assigns roles / responsibilities and communication protocols for managing vendor relationships and exception handling. | Inspected the Vendor Management Policy (w/p CC1.1 page 59) to verify whether roles and responsibilities around vendor management and exception handling were clearly defined. | No exceptions noted. | |
CC9.2.4 | “Company Name” conducts a vendor risk assessment prior to onboarding a new vendor, as well as on an annual basis for existing vendors. This assessment outlines the services performed for “Company Name” and covers vendor performance, risk factors and mitigation strategies. Procedures are in place to terminate vendor relationships when necessary. | Inspected the vendor risk assessment to verify whether it adequately documented services performed for “Company Name”, vendor performance on its security commitments, as well as risk factors and mitigation strategies. Inspected the Vendor Management Policy (w/p CC1.1 page 59) to verify whether roles and responsibilities around vendor management and exception handling were clearly defined. | Exception noted: a vendor risk assessment was missing for the following vendors: • Office 365 – operational software • Vanta – SOC 2 readiness and security monitoring software that integrates with AWS and other cloud-based applications to automate evidence collection and centralize risk management processes. | |
CC9.2.5 | “Company Name” collects and reviews the SOC 2 reports and/or ISO 27001 certifications of its significant vendors and subservice organizations annually. | Inspected the Vanta application to verify whether SOC 2 reports or ISO 27001 certifications were obtained and reviewed by Management for its significant vendors. Inspected a record of any additional questionnaires or follow-up communications that were completed following review of the security assessments to verify whether Management obtained adequate assurance of the vendors’ security commitments. | No exceptions noted. |
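Several of the technical rows above (CC4.1.3 CloudTrail, CC7.1.3 VPC Flow Logs, CC7.2.6 log retention, CC7.5.3 backup retention, CC8.1.6 branch protection) were evidenced by screenshots, and one of them is still marked TBD. The same evidence can be pulled from the AWS and GitHub APIs and judged automatically, so it is reproducible at every audit instead of captured by hand. The script below is an added example, not part of the auditor’s matrix or “Company Name”’s own tooling. Its input shapes mirror the JSON returned by CloudTrail `describe_trails` (with `get_trail_status` `IsLogging` merged in), EC2 `describe_vpcs` and `describe_flow_logs`, CloudWatch Logs `describe_log_groups`, RDS `describe_db_instances`, and the GitHub branch-protection endpoint; the `EVIDENCE` snapshot and every resource identifier in it are constructed, and fetching real responses with boto3 or the GitHub API is left to the reader.

```python
"""Automated evidence checks for a few technical controls in the matrix.

Each check takes a snapshot of API output (the JSON shape the AWS or GitHub
API returns) and yields Finding records; anything with ok=False is an
exception the auditor would write up.  EVIDENCE at the bottom is constructed
sample data, not a real account.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # matrix row the check maps to
    resource: str  # trail / VPC / log group / DB / repo being judged
    ok: bool
    detail: str


def check_cloudtrail(trails):
    """CC4.1.3: at least one trail that is logging, multi-region and has
    log-file validation on, so API history cannot be silently truncated or edited.
    Input: describe_trails()['trailList'] with get_trail_status()['IsLogging'] merged in."""
    good = [t for t in trails
            if t.get("IsLogging") and t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    if good:
        return [Finding("CC4.1.3", good[0]["Name"], True, "logging, multi-region, log-file validation on")]
    names = ", ".join(t["Name"] for t in trails) or "none"
    return [Finding("CC4.1.3", names, False, "no active multi-region trail with log-file validation")]


def check_flow_logs(vpcs, flow_logs):
    """CC7.1.3: every VPC has an ACTIVE flow log attached.
    Input: describe_vpcs()['Vpcs'] and describe_flow_logs()['FlowLogs']."""
    covered = {f["ResourceId"] for f in flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    return [Finding("CC7.1.3", v["VpcId"], v["VpcId"] in covered,
                    "active flow log" if v["VpcId"] in covered else "no active flow log")
            for v in vpcs]


def check_log_retention(log_groups, min_days=365):
    """CC7.2.6: log entries kept at least 12 months.  CloudWatch omits
    retentionInDays when a group never expires, which satisfies the control.
    Input: describe_log_groups()['logGroups']."""
    out = []
    for g in log_groups:
        days = g.get("retentionInDays")
        ok = days is None or days >= min_days
        out.append(Finding("CC7.2.6", g["logGroupName"], ok,
                           "never expires" if days is None else f"retentionInDays={days}"))
    return out


def check_backups(db_instances, min_days=30):
    """CC7.5.3: daily automated backups retained for the policy's 30 days.
    RDS takes one automated snapshot per day while BackupRetentionPeriod > 0.
    Input: describe_db_instances()['DBInstances']."""
    return [Finding("CC7.5.3", d["DBInstanceIdentifier"], d.get("BackupRetentionPeriod", 0) >= min_days,
                    f"BackupRetentionPeriod={d.get('BackupRetentionPeriod', 0)}")
            for d in db_instances]


def check_branch_protection(repo, protection):
    """CC8.1.6: a change cannot reach the production branch without an independent review.
    Input: GitHub GET /repos/{owner}/{repo}/branches/{branch}/protection response."""
    reviews = protection.get("required_pull_request_reviews") or {}
    n = reviews.get("required_approving_review_count", 0)
    admins_bound = (protection.get("enforce_admins") or {}).get("enabled", False)
    # The matrix allows an administrator override, so only the review count is a hard requirement;
    # enforce_admins is reported so the reader can see whether that override exists.
    return [Finding("CC8.1.6", repo, n >= 1, f"required approvals={n}, enforce_admins={admins_bound}")]


def run_all(ev):
    """Run every check over one evidence snapshot; returns the full list of findings."""
    return (check_cloudtrail(ev["trails"])
            + check_flow_logs(ev["vpcs"], ev["flow_logs"])
            + check_log_retention(ev["log_groups"])
            + check_backups(ev["db_instances"])
            + check_branch_protection(ev["repo"], ev["branch_protection"]))


def exceptions(findings):
    """The subset an auditor would report in the Test Results column."""
    return [f for f in findings if not f.ok]


# Constructed sample snapshot (hypothetical identifiers); two items are deliberately non-compliant.
EVIDENCE = {
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": True, "IsLogging": True}],
    "vpcs": [{"VpcId": "vpc-0a1b2c3d"}, {"VpcId": "vpc-0e4f5a6b"}],
    "flow_logs": [{"ResourceId": "vpc-0a1b2c3d", "FlowLogStatus": "ACTIVE"}],
    "log_groups": [{"logGroupName": "/aws/app/api"},                        # never expires
                   {"logGroupName": "/aws/lambda/cron", "retentionInDays": 90}],
    "db_instances": [{"DBInstanceIdentifier": "prod-db", "BackupRetentionPeriod": 30}],
    "repo": "example-org/app",
    "branch_protection": {"required_pull_request_reviews": {"required_approving_review_count": 1},
                          "enforce_admins": {"enabled": False}},
}

if __name__ == "__main__":
    for f in exceptions(run_all(EVIDENCE)):
        print(f"{f.control}  {f.resource}: {f.detail}")
```

Run against the constructed snapshot it reports two exceptions, one VPC with no active flow log and one log group retained for only 90 days, in the same form the Test Results column uses. Each check deliberately evaluates a stored response rather than calling the API itself, so the snapshot can be kept as the audit artifact and the check re-run against it later.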
