What is SOC 2 Risk Assessment (CC3)?
Organizations need a firm understanding of enterprise risk assessments, not only to handle risks within the organization properly but also to obtain a clean SOC report, thanks to the Common Criteria related to Risk Assessment (pgs. 20-25). When looking at this area, your company needs to think carefully about performing a risk analysis that covers multiple tasks: identifying assets, identifying the threats and vulnerabilities related to those assets, determining the likelihood and impact of those risks being realized, mitigating those risks, and dealing with any other issues that occur along the way.
What are the Requirements for SOC 2’s CC3?
Risk Assessment Policy
Your risk assessment policy should help a reader understand your scope and methodology for performing risk assessments. The gold standard in the risk assessment world is NIST 800-30r1. It explains everything that a risk assessment should contain and is an informative read before you dive into the policy realm. To save you a few minutes of thinking, here are the bare minimums your risk assessment policy will need; most importantly, you'll need to answer the following questions:
- What: What should your risk assessment cover? What assets should be included? What vendors and other third parties need to be considered?
- When: When should your risk assessment be completed? How often should it be revisited?
- Who: Who should drive the process? Who should act on identified issues, and who should approve the results?
Now that we’ve asked those questions, let’s give you a few answers:
- What: The scope of the risk assessment should minimally include the physical environment relevant to the system, the system(s) in scope, the information asset inventory for the system, the physical asset inventory for the system and third-party vendors.
- When: At least annually, after a major change or when new risks are identified.
- Who: The executives and board of the company should at least be informed about the risk assessment activities, results, and remediation plans.
Risk Assessment Process Documentation
Once the policy has been written, process documentation needs to be written to guide the completion of the assessment. There should be a standard process such that every assessment is completed with the same rigor and formal process. Keep in mind that the assessment will also need accompanying information from relevant third parties, asset inventories and other data points to allow for the completion of the assessment.
Your risk assessment reporting requirements should ensure that every control owner knows and understands the risks found, along with any mitigation needs identified. That means everyone responsible for operating a control with an identified risk, as well as management, who must ensure that control modifications are carried out and followed through. Management must also review and approve the risk assessment and its findings.
What Should be Included in a SOC 2 Risk Assessment?
A Risk Assessment
This is the most obvious part of the requirement. Dust off your copy of NIST 800-30r1 and start working through it. You will need to document the scope of the assessment, the identified threats, vulnerabilities, risks and controls relevant to the scope. When thinking through these, you should make sure that you address each of the following areas, even if you don’t think there’s anything interesting to document:
- Operational and financial goals
- External laws and regulations
- Entity and functional levels of the company
- Vendors and/or business partners
- Fraudulent use of assets
- Inherent incentives and pressures to commit fraud
- Fraud opportunities
- Fraud attitudes and rationalizations
- Misuse of access to information
- Regulatory, economic, and physical environment changes
- Business model changes
- Leadership changes
- Systems and technology changes
- Failure of the operation of various aspects of the Information Security program
Once you've got all that documented, follow your risk assessment methodology and assign a likelihood and an impact to each identified risk; together these give that risk's inherent risk rating. Then identify the controls in your environment that mitigate each risk, along with some level of control effectiveness, which lets you arrive at the residual risk for each risk identified.
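The inherent-to-residual calculation described above, carried through on a small register, as an added example (this code is not from the original article and is not a SOC 2 or NIST requirement). It assumes a 5x5 qualitative scale (likelihood and impact each rated 1..5, as is common when following NIST 800-30r1), inherent risk as likelihood times impact, rating cut-offs of 8 and 15 on the resulting 1..25 scale, independent controls whose remaining exposures multiply, and a management risk appetite of "Moderate"; all of those, and the sample register entries, are constructed for illustration.

```python
"""Worked risk-register scoring: inherent rating, control effectiveness, residual rating.

Added example, not the article's code. The 1..5 scales, the cut-offs in rating(),
the control-combination rule and the risk appetite are all assumptions.
"""
from dataclasses import dataclass, field

RATING_ORDER = ["Low", "Moderate", "High"]  # lowest to highest


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of inherent risk the control removes, 0.0..1.0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    area: str          # the CC3 area the risk was identified under
    likelihood: int    # 1 (very low) .. 5 (very high)
    impact: int        # 1 (very low) .. 5 (very high)
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject values outside the scale so a typo cannot silently skew the score.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{name} must be 1..5, got {value}")
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"control {c.name!r} effectiveness must be 0.0..1.0")


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any control is considered."""
    return risk.likelihood * risk.impact


def residual_exposure(controls: list[Control]) -> float:
    """Fraction of inherent risk left after the controls (independent layers: what
    remains is the product of what each control lets through; assumed rule)."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return remaining


def residual_score(risk: Risk) -> float:
    return round(inherent_score(risk) * residual_exposure(risk.controls), 2)


def rating(score: float) -> str:
    """Map a 1..25 score to a qualitative rating (assumed cut-offs)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def needs_remediation(residual_rating: str, appetite: str) -> bool:
    """True when residual risk exceeds the highest rating management accepts."""
    return RATING_ORDER.index(residual_rating) > RATING_ORDER.index(appetite)


def assess(register: list[Risk], appetite: str = "Moderate") -> list[dict]:
    """Rows a reviewer would expect: inherent, controls, residual, and a tracking flag."""
    rows = []
    for r in register:
        inh, res = inherent_score(r), residual_score(r)
        res_rating = rating(res)
        rows.append({"asset": r.asset, "area": r.area,
                     "inherent": inh, "inherent_rating": rating(inh),
                     "controls": [c.name for c in r.controls],
                     "residual": res, "residual_rating": res_rating,
                     "track_to_resolution": needs_remediation(res_rating, appetite)})
    return rows


def sample_register() -> list[Risk]:
    """Constructed sample entries for illustration only."""
    return [
        Risk("Customer database", "External attacker", "Password-only login on the admin portal",
             "Misuse of access to information", likelihood=4, impact=5,
             controls=[Control("MFA on admin portal", 0.8), Control("Login rate limiting", 0.5)]),
        Risk("Payroll system", "Insider", "One person can both create and approve payments",
             "Fraud opportunities", likelihood=3, impact=4),
        Risk("Production cluster", "Unreviewed change", "Deployments possible without change approval",
             "Systems and technology changes", likelihood=5, impact=4,
             controls=[Control("Optional peer review", 0.2)]),
    ]


if __name__ == "__main__":
    for row in assess(sample_register()):
        flag = "TRACK" if row["track_to_resolution"] else "accept"
        print(f"{row['asset']:<20} inherent {row['inherent']:>2} ({row['inherent_rating']})"
              f"  residual {row['residual']:>5} ({row['residual_rating']})  {flag}")
```

Running the block prints one row per risk. The third entry is the case the rest of this article cares about: a High inherent risk with only a weak control stays High after mitigation, so `track_to_resolution` is set and the item should end up as a ticket or a risk-register action with evidence of closure, rather than a rating on a spreadsheet.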
Evidence of Review by Management and/or Board
Once you have finished your risk assessment, it’s not a good idea to file it in the cabinet and forget about it. While management should have been involved in the process (to provide input on the various risks), they should also review and approve the final risk assessment as it is a document that should guide their actions related to additional control implementation.
Depending on your organization, you may also wish to share it with your Board or other oversight function so that they are aware of the risks that have been identified to the business and can gain comfort that management is addressing them in the best interests of the shareholders.
Evidence of Additional Risk Mitigation Activities Taken
As with many activities that you perform for a SOC 2 audit, if there are any actions that should result from the assessment, they should be tracked through to resolution. We’ve seen this take many forms – anywhere from a stack of tickets in the ticket system to regular meetings to review the risk register and associated projects.
If you take nothing else from this section, take this: If your risk assessment says there’s an unacceptable (high) risk to your company, do something about it and be able to prove it.
The CC3 section of the SOC 2 revolves around the risk assessment process. This includes identifying risks, mitigating the relevant ones, and implementing controls to minimize or eliminate them. Get ahead of those risks with clear documentation and an established, formal process. Need to know more about how to get the assessment process started? Contact us and we'd love to help!