As organizations increasingly rely on third-party service providers for critical business functions, evaluating and monitoring those providers’ SOC 2 reports has become an important part of vendor risk management.
In this blog post, we will review the role of “complementary user entity controls” (CUECs) in SOC 2 reports; best practices for determining and mapping your organization’s applicable CUECs; and how continuous monitoring can help you maintain CUEC compliance and minimize risk exposure.
What are SOC 2 Complementary User Entity Controls?
SOC 2 reports are intended to provide assurance over a service provider’s controls relevant to security, confidentiality, and privacy. The reports describe the provider’s system and control environment and assess the operating effectiveness of its controls against the five “Trust Service Criteria” adopted by the American Institute of Certified Public Accountants (AICPA). SOC 2 audits, and the reports arising from those audits, are performed by certified public accountants (CPAs).
All that said, no provider’s controls exist in a vacuum. Typically some controls must be implemented by the provider’s clients (that is, the user entities) to meet control objectives. These are referred to as complementary user entity controls, or CUECs. Common examples of CUECs include controls around logical access, authorization, and data transmission policies.
Who Is Responsible for CUECs?
Responsibility for CUECs falls into two halves. Broadly speaking, the provider is responsible for writing each individual CUEC that’s necessary, and the user entity is then responsible for implementing those CUECs.
When writing CUECs, service providers should ensure that the wording is clear and understandable to non-technical customers. Meanwhile, customers must (1) understand the CUEC requirements outlined; and (2) confirm that required controls are in place within their environment.
How to Determine Your CUECs
When reviewing a service provider’s SOC 2 report, pay especially close attention to the CUECs section since it outlines the controls that you will need to implement on your end. Some ways to do this are listed below.
Logical Access
Look for any CUECs for managing logical access to the service provider’s system. This can include controls around account provisioning, access revocation, and password policies. You need to confirm that strong logical access controls are implemented within your organization.
Separation Procedures
Look for CUECs that require timely account removal and regular user access reviews. These can also include controls to avoid commingling your data with that of the provider’s other clients.
Authorization Policies and Procedures
Identify controls focused on authorization procedures, such as ensuring access is granted on a need-to-know and least-privilege basis. Your internal authorization policies must align with the service provider’s controls.
Data Transmission Policies and Procedures
Pay close attention to controls for data transmission, encryption, and other cybersecurity safeguards when data is in transit between your organization and the vendor.
Mapping Your CUECs to Governance Documents
Once you, the customer, understand the CUECs required by the provider, you must next identify where in your organization those controls do (or don’t) exist. Hence you must map those control requirements to your existing internal governance framework. Best practices to do this include…
- Cross-reference CUECs to existing security policies and procedures. Update documents as needed to align with International Organization for Standardization (ISO) standards, the Health Insurance Portability and Accountability Act (HIPAA), and other industry standards.
- Assign CUECs in your governance, risk, and compliance (GRC) platform to owners, so you can track the implementation of security controls.
- Embed CUECs into risk assessments and vendor scorecards as part of the SOC 2 report review process. Monitor continuously.
- Review CUECs when updating policies, procedures, risks, and contracts to maintain alignment and effective third-party risk management.
- Link CUECs to regulatory frameworks like ISO 27001.
- Reassess CUECs upon receiving new vendor reports, or after organizational changes or evolving vendor relationships.
The most important steps are to identify existing relevant controls, assign owners to those controls, document the details of your CUECs, integrate the CUECs into your governance processes and templates, and re-evaluate them regularly as your business evolves over time.
This makes CUECs an integral part of your risk management and compliance program. It leads to better vendor risk management, better regulatory compliance, and lower risk for your organization.
The Importance of Continuously Monitoring Your CUECs
You need to monitor your CUECs often (ideally on a continuous basis) because SOC 2 reports only provide assurance for limited periods of time. As your business evolves, gaps might emerge in the effectiveness of your CUECs. Monitoring will bring those gaps to light promptly, so you can take corrective action.
You should monitor vendor relationships continuously and review updated SOC 2 reports at least annually, validating that your internal controls align with the updated CUECs. This is crucial for reducing third-party risk and avoiding negative audit findings or compliance violations.
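The mapping and monitoring steps above (identify controls, assign owners, re-evaluate on a schedule) can be turned into a repeatable gap check. The following is an added example, not code from the original post or from any GRC product; the CUECs, control IDs, owners and review dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical IDs and owners).
# CUECs as extracted from a vendor's SOC 2 report:
CUECS = [
    {"id": "CUEC-1", "area": "Logical Access",
     "text": "User entity provisions and revokes accounts on a timely basis."},
    {"id": "CUEC-2", "area": "Separation",
     "text": "User entity reviews user access at least quarterly."},
    {"id": "CUEC-3", "area": "Data Transmission",
     "text": "User entity encrypts data in transit to the service."},
    {"id": "CUEC-4", "area": "Authorization",
     "text": "User entity grants access on a least-privilege basis."},
]

# The customer's internal controls register, each entry listing which
# CUECs it satisfies, its owner, and when it was last reviewed.
CONTROLS = [
    {"id": "AC-01", "owner": "IAM Lead", "cuecs": ["CUEC-1"],
     "last_reviewed": date(2024, 1, 15)},
    {"id": "AC-02", "owner": "", "cuecs": ["CUEC-2"],
     "last_reviewed": date(2024, 6, 1)},
    {"id": "SC-08", "owner": "Network Lead", "cuecs": ["CUEC-3"],
     "last_reviewed": date(2024, 5, 20)},
]

AS_OF = date(2025, 3, 1)  # constructed "today" for the review check


def map_cuecs(cuecs, controls):
    """Return {cuec_id: [control_ids]}; an unmapped CUEC maps to []."""
    mapping = {c["id"]: [] for c in cuecs}
    for ctrl in controls:
        for cid in ctrl["cuecs"]:
            if cid in mapping:
                mapping[cid].append(ctrl["id"])
    return mapping


def find_gaps(cuecs, controls, today, max_review_age_days=365):
    """Flag CUECs with no mapped control, controls with no owner, and
    controls whose last review is older than max_review_age_days."""
    gaps = []
    for cid, ctrl_ids in map_cuecs(cuecs, controls).items():
        if not ctrl_ids:
            gaps.append((cid, "no internal control mapped"))
    for ctrl in controls:
        if not ctrl["owner"]:
            gaps.append((ctrl["id"], "no owner assigned"))
        if (today - ctrl["last_reviewed"]).days > max_review_age_days:
            gaps.append((ctrl["id"], "review overdue"))
    return gaps


if __name__ == "__main__":
    for item, reason in find_gaps(CUECS, CONTROLS, AS_OF):
        print(f"{item}: {reason}")
```

Run on the sample data, the check reports CUEC-4 as unmapped, AC-02 as ownerless, and AC-01 as overdue for review; re-running it whenever a new vendor report or an organizational change arrives is the continuous-monitoring loop the post describes.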
How ZenGRC Can Help You Track CUECs
Managing CUECs across multiple vendors is challenging. Using a GRC tool such as ZenGRC alleviates that burden because it centralizes vendor risk management and easily tracks SOC 2 CUECs in one platform.
ZenGRC allows you to store vendor compliance reports in a single repository; extract and map CUEC requirements; and embed controls into internal risk procedures for continuous updates. This allows you to coordinate the shared responsibility for SOC 2 security and compliance efficiently and effectively.
Schedule a demo to see how ZenGRC can optimize your SOC 2 CUEC tracking and reporting.