The following is the SOC2 Readiness Questionnaire. Evidence is mapped according to the checklist and policies.
CC1 - Common Criteria Related to Control Environment

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-011-HRS-05 | Employee Manual or Handbook | Are core values communicated from executive management to personnel through policies and the employee handbook? | Fulfilled | Employee Handbook
FII-SCF-011-HRS-03 | Organizational chart | Is management's organizational structure, with relevant reporting lines, documented in an organizational chart? | Fulfilled | Organizational chart
FII-SCF-001-GOV-04 | Sample of five company job descriptions, including the Privacy Officer and one executive position (e.g. CISO, CEO, CTO, CIO or CFO) | Can management provide a sample of five company job descriptions? | Fulfilled | General Roles Definition
FII-SCF-011-HRS-05.1 | Employee Manual or Handbook | Is there an employee handbook in place, and does it include the organization's values and behavioral standards? If yes, how is it made available to all employees? | Fulfilled | Employee Handbook
FII-SCF-011-HRS-05 | Hiring procedures | Has management documented formal HR procedures that include the employee on-boarding process? | Fulfilled | Hiring procedures
FII-SCF-011-HRS-04 | Hiring checklist for a sample of employees | Are new-hire checklists used, and are their activities documented, to facilitate new-hire procedures? | Fulfilled | Hiring & On-boarding checklist
FII-SCF-011-HRS-09.3 | Evidence of the third party used for recruiting, if one is used | How are candidates recruited for job openings? Evidence could include recruitment policies and procedures, a PowerPoint deck, a questionnaire, job postings or emails. | Fulfilled | Not applicable; we do not use a third party for recruitment.
FII-SCF-011-HRS-04.2 | Evidence that Continued Professional Education training is tracked and monitored for employees (e.g. tracking tool or spreadsheet) | Are there any Continued Professional Education training requirements for employees? | Fulfilled | Professional Education Training
FII-SCF-023-SAT-02 | Evidence could include a mentor program guide, a PowerPoint deck or emails | Is there a mentor program in place to develop personnel? | Fulfilled | Professional Education Training
FII-SCF-011-HRS-09 | Termination procedures | Has management documented formal HR procedures that include employee terminations? | Fulfilled | Termination procedures
FII-SCF-011-HRS-09.1 | Termination checklist for a sample of employees | Are termination checklists used, and are their activities documented, to facilitate termination procedures? | Fulfilled | Termination and Off-boarding checklist
FII-SCF-011-HRS-02 | Listing of executive management members (e.g. President, CIO, CTO, CEO, CFO) | Can you provide a listing of executive management members? | Fulfilled | Executive Management
FII-SCF-005-CPL-01 | Evidence could include performance evaluation forms, a tracking tool or spreadsheet, or certificates | Are formal performance evaluations completed and documented? If yes, at what frequency, and does this apply to all personnel, including executive management members such as the CIO, CTO and CEO? | Fulfilled | Performance Evaluations
FII-SCF-0001-GOV-05 | Employee training documentation | Do employees complete periodic information security training? | Fulfilled | Employee Training
FII-SCF-0001-GOV-05.1 | Evidence of employee cross-training (training materials, policies and procedures on training requirements, PowerPoint deck) | Are employees cross-trained in roles and responsibilities? | Fulfilled | Employees cross-training
FII-SCF-011-HRS-05.1 | Evidence of an anonymous (whistleblower) hotline | Is there an employee hotline in place? | Fulfilled | Whistleblower Policy
FII-SCF-011-HRS-06.1 | Policies/procedures on reporting unethical behavior (emails, PowerPoint deck, website) | Are employees, third parties and customers directed on how to report unethical behavior in a confidential manner? | Fulfilled | Unethical behavior is reported by email; no reports have been received to date.
FII-SCF-011-HRS-11 | Internal Controls Matrix that includes: a list of the internal controls implemented within the environment and technology infrastructure; who owns and operates each control; the type of control (manual, automated, preventive, detective, corrective); how often each control operates (multiple times a day, daily, weekly, monthly, quarterly, yearly); and the relationship between business processes, the technologies that support them and the controls that secure them | Does management maintain an Internal Controls Matrix? | Fulfilled | Internal Controls Matrix
FII-SCF-001-GOV-01.1 | Example operational reports showing operational/system performance and internal-control effectiveness | Does management meet on a regular basis to discuss organizational goals and objectives? (This could be operations management, IT management, executive management, or a combination of these.) | Fulfilled | Management Review Meeting Minutes

CC2 - Common Criteria Related to Information and Communications

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-002-AST-04 | Description of system/services | Has management documented a description of the system used to provide services to customers? A system description covers the infrastructure (facilities, hardware, equipment), software, people, procedures and data used to provide those services. | Fulfilled | Description of system/services
FII-SCF-016-NET-06.1 | Organizational structure description from the intranet site | Has management published the company's organizational structure? | Fulfilled | Organizational structure
FII-SCF-018-PRI-01 | Privacy notice posted on the website and in the software | How are the entity's security/confidentiality responsibilities communicated to customers? | Fulfilled | Privacy Policy
FII-SCF-013-IRO-10 | Procedures provided to customers for reporting system failures and security breaches (if not in the contract) | How do customers report system failures and security breaches? | Fulfilled | System failures and Security breaches
FII-SCF-013-IRO-01 | Incident Response Policies and Procedures | Has management documented a formal Incident Response Policy? | Fulfilled | Incident Response Policy
FII-SCF-004-CHG-02 | System changes are communicated to employees | How are system changes communicated to employees? | Fulfilled | Change Management Tickets
FII-SCF-004-CHG-05 | System changes are communicated to customers before they are implemented | How are system changes communicated to customers? | Fulfilled | Release Notes
27 | Main product/service walk-through (screen share) | Opportunity to observe and walk through the in-scope product and services, and to review data entered into, processed by and output from the in-scope system for completeness and accuracy | Fulfilled | We are prepared to walk through our product in the upcoming meeting.
FII-SCF-002-AST-04 | Data flow diagram | Data flow diagrams, process flow charts and narratives identifying how data flows within the environment, including the relevant information sources and systems | Fulfilled | Architecture
FII-SCF-007-MON-01.7 | File integrity monitoring | File integrity monitoring software configuration and an example alert generated by it | Fulfilled | File integrity monitoring
FII-SCF-016-NET-12.2 | VPN authentication configuration | VPN authentication configuration, including password settings | Fulfilled | VPN authentication configuration
FII-SCF-023-SAT-01 | Information security awareness training, new-hire testing (sample) | For a sample of new hires, evidence that information security awareness training was completed on hire. Evidence could include training completion forms, a tracking tool or spreadsheet, or certificates | Fulfilled | Security Awareness Training
FII-SCF-023-SAT-02 | Information security awareness training, current-employee testing (sample) | For a sample of current employees, evidence that information security awareness training was completed annually. Evidence could include training completion forms, a tracking tool or spreadsheet, or certificates | Fulfilled | Security Awareness Training
FII-SCF-025-TPM-02 | Policies are available to vendors/contractors | Evidence that key policies and procedures (e.g. Information Security, Change Management, Incident Management) were made available to external parties (contractors, third parties, vendors, customers) via the company website, shared drive, intranet, email, or contract/agreement | Fulfilled | Information Security Policy, Vendor Management Policy, Risk Management Policy
FII-SCF-013-IRO-14 | Escalation Policy | Copy of the escalation policies and procedures for reporting failures, concerns, incidents and complaints, with revision history, and evidence that they were made available to external parties (contractors, third parties, vendors, customers) via the company website, shared drive, intranet, email, or contract/agreement | Fulfilled | Escalation Policy
FII-SCF-012-IAC-02 | List of new customers | Listing of new customers during the audit period | Fulfilled | List of new customers
FII-SCF-003-BCD-10.1 | Contracts for new customers (sample) | Contract (service agreement) for a sample of new customers | Fulfilled | We treat all users who have signed up for the application as customers; there is no customer-specific contract.

CC3 - Common Criteria Related to Risk Assessment

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-020-RSK-01 | Risk Assessment/Management Policy | Please describe your annual risk assessment process for the service under review. Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization; the results should guide management action and priorities for managing information security risks and for implementing the controls selected to protect against them. | Fulfilled | Risk Management Policy
FII-SCF-011-HRS-03 | Documented job descriptions for (1) compliance manager, (2) audit manager and (3) risk manager | Are there documented position descriptions for a Risk Manager or Audit Manager? | Fulfilled | Currently the CEO holds all of these roles.
FII-SCF-003-BCD-06 | Organizational business plans, budget records, etc. | Does the entity maintain organizational business plans and budgets? | Fulfilled | Management Review Meeting Minutes
FII-SCF-001-GOV-04 | Evidence could include a report, certification, policies/procedures or PowerPoint deck | Is the entity's control framework based on a recognized framework (NIST 800-53, COBIT, ISO, COSO)? | Fulfilled | SOC2 Type 1 Report
FII-SCF-001-GOV-06 | Up-to-date register of regulatory, statutory, legislative and contractual requirements | Policies and procedures related to the relevant statutory, regulatory, legislative and contractual requirements | Fulfilled | Compliance Regulatory Policy
FII-SCF-011-HRS-09.1 | Master list of system components (servers, operating systems, databases, etc.) | Does management maintain an asset inventory? | Fulfilled | Description of system/services
FII-SCF-020-RSK-03 | Most recently completed risk assessment | Can management provide the most recently completed risk assessment? | Fulfilled | Risk Register
FII-SCF-020-RSK-04.1 | Most recently completed fraud assessment | Can management provide the most recently completed risk assessment that includes fraud risk factors, with evidence that the assessment identifies and assesses the types of fraud that could impact business and operations (e.g. fraudulent reporting, loss of assets, unauthorized system access, overriding con | Fulfilled | Fraud Assessment
FII-SCF-027-VPM-06 | Most recently completed internal and external network vulnerability scan / penetration test reports | Are vulnerability scans or penetration tests performed on a periodic basis? | Fulfilled | Vulnerability Scan/Penetration Tests Reports
FII-SCF-003-BCD-02.2 | Business Continuity/Disaster Recovery Plan | Is a comprehensive disaster recovery and business continuity plan in place and communicated to relevant personnel? | Fulfilled | Business Continuity/Disaster Recovery Plan
FII-SCF-003-BCD-02.3 | Most recently completed disaster recovery tests | Is the disaster recovery program tested periodically to ensure adequate recovery? | Fulfilled | Disaster Recovery Test Reports

CC4 - Common Criteria Related to Monitoring of Controls

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-007-MON-01 | Monitoring system for performance, security threats and unusual system activity | Are tools in place to monitor system performance, capacity, utilization and unusual system activity? | Fulfilled | Monitoring Tools
FII-SCF-027-VPM-01.1 | Most recently completed penetration test results | Are vulnerability scans or penetration tests performed on a periodic basis? | Fulfilled | Vulnerability Scan/Penetration Tests Reports
FII-SCF-007-MON-01.4 | Example monitoring alerts from the software | Is file integrity monitoring software in place? | Fulfilled | File integrity monitoring

CC5 - Common Criteria Related to Control Activities

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-020-RSK-02 | Most recently completed risk assessment | Are controls within the environment modified and implemented to mitigate identified vulnerabilities, deviations and control gaps? | Fulfilled | Risk Register
FII-SCF-013-IRO-02 | Sample incident response ticket | Is performance of the internal controls implemented within the environment assigned to appropriate process owners and operational personnel based on roles and responsibilities? | Fulfilled | Sample incident response ticket
FII-SCF-013-IRO-01 | Incident Response Policies and Procedures | Are incidents formally documented? | Fulfilled | Incident Response Policy
FII-SCF-013-IRO-04 | Sample incident response ticket | Are incidents resolved in a timely manner? | Fulfilled | Sample incident response ticket
FII-SCF-013-IRO-04.1 | Incident Response Policies and Procedures | Is the resolution and closure of incidents documented and communicated to affected users? | Fulfilled | Incident Response Policy

CC6 - Common Criteria Related to Logical & Physical Access

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-013-IRO-12 | Information security policies and procedures | Are information security policies and procedures in place to communicate management's requirements regarding user account security, appropriate handling of information system data, privacy standards, etc.? | Fulfilled | Information Security Policy
FII-SCF-003-BCD-02 | Listing of all systems, databases and applications | Does management have a policy defining the system and user events that should be logged for network devices, operating systems, databases and applications? | Fulfilled | Description of system/services
FII-SCF-016-NET-03 | Example network log extracts demonstrating that logging/auditing was in place for the network supporting the production systems | Are logs stored on a centralized log server that system administrators cannot access? How are historic log files protected from modification or deletion? What are your log retention requirements? | Fulfilled | Example Network Log
FII-SCF-011-HRS-01 | Access Control Policy | Are user access requests formally documented? | Fulfilled | Access Control Policy
FII-SCF-011-HRS-02.1 | Sample user access provisioning ticket | Are user access requests approved, and is the approval documented? | Fulfilled | Sample user access provisioning ticket
FII-SCF-012-IAC-17 | Most recently completed user access review | Are user access reviews performed regularly (e.g. quarterly or monthly)? | Fulfilled | User Access Reviews
FII-SCF-016-NET-14 | Remote Access Policies and Procedures | Provide a description of any remote access (e.g. VPN, Terminal Services, RAdmin) and the type of authentication required (two-factor, RADIUS, TACACS, etc.) | Fulfilled | Remote Access Policy
FII-SCF-012-IAC-15 | Application administrators/super users for the application supporting the production systems under review | Is administration of remote access technologies restricted to a specific department or group? | Fulfilled | Application Administrators Users
FII-SCF-016-NET-02 | Network diagrams including all firewalls protecting the production servers under review | Do network diagrams exist that illustrate the use of firewalls? | Fulfilled | Network diagrams
FII-SCF-016-NET-12.2 | Firewall rule sets demonstrating that the firewall is in place and configured to block certain traffic | Are appropriate firewall rule sets in place to monitor and block traffic? | Fulfilled | Firewall Rules
FII-SCF-008-CRY-03 | URL of customer-facing web portals with valid certificate details | Is traffic to the customer-facing web servers encrypted with SSL/TLS? | Fulfilled | Customer facing web portals
FII-SCF-008-CRY-05 | Encryption policies and procedures | Do formal encryption policies exist? | Fulfilled | Encryption Policy
FII-SCF-009-DCH-10 | Disabling of removable media devices, if applicable | How are removable media devices disabled? | ToDo |

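For the firewall rule-set item (FII-SCF-016-NET-12.2), an auditor will not only ask whether rule sets exist but look for rules that allow the whole Internet onto administrative or database ports. The following is an added example of that review, written for this page and not drawn from the organization's firewall export. The rule format (`id`, `protocol`, `from_port`, `to_port`, `source`) is an assumed, vendor-neutral simplification of a cloud security-group ingress rule, and `SAMPLE_RULES` is a constructed rule set.

```python
"""Flag overly permissive ingress rules in a firewall / security-group rule set.
Added example for the firewall rule-set evidence item; the rule schema and
SAMPLE_RULES are assumptions for the demonstration, not a real export."""
import ipaddress

# Services that should not be reachable from the whole Internet.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
               1433: "mssql", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}

# Constructed sample rule set (allow rules only; "all" means every protocol/port).
SAMPLE_RULES = [
    {"id": "sg-1", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-2", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"id": "sg-3", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "10.0.0.0/8"},
    {"id": "sg-4", "protocol": "all", "source": "0.0.0.0/0"},
    {"id": "sg-5", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "10.1.2.0/24"},
    {"id": "sg-6", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "::/0"},
]


def exposed_admin_ports(rule: dict) -> list:
    """Admin ports that fall inside the rule's port range."""
    lo = rule.get("from_port", 0)
    hi = rule.get("to_port", 65535)
    return [f"{p}/{name}" for p, name in sorted(ADMIN_PORTS.items()) if lo <= p <= hi]


def review_rules(rules: list) -> list:
    """Return (rule id, severity, reason) for every rule that merits a finding."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["source"], strict=False)
        any_source = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
        all_ports = rule["protocol"] == "all" or (
            rule.get("from_port", 0) == 0 and rule.get("to_port", 65535) == 65535)
        if all_ports:
            findings.append((rule["id"], "high" if any_source else "medium",
                             f"allows all ports/protocols from {rule['source']}"))
            continue
        exposed = exposed_admin_ports(rule)
        if not exposed:
            continue
        if any_source:
            findings.append((rule["id"], "high",
                             "exposes " + ", ".join(exposed) + " to the Internet"))
        elif net.num_addresses > 256:
            # Larger than a /24: broad internal exposure, worth a look but not critical.
            findings.append((rule["id"], "medium",
                             "exposes " + ", ".join(exposed) + f" to a broad range ({rule['source']})"))
    return findings


if __name__ == "__main__":
    for rule_id, severity, reason in review_rules(SAMPLE_RULES):
        print(f"{rule_id}: [{severity}] {reason}")
```

On the sample set, `sg-1` (HTTPS to the world) is expected and produces no finding; `sg-2`, `sg-4` and `sg-6` are high because SSH or everything is open to any IPv4 or IPv6 source, and `sg-3` is medium because SSH is open to all of 10.0.0.0/8. The IPv6 rule is included deliberately: reviews that only grep for `0.0.0.0/0` miss `::/0`.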
CC7 - Common Criteria Related to Systems Operations

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-003-BCD-11 | Backup policies and procedures | Are backups of critical data performed regularly (e.g. daily, weekly, monthly)? | Fulfilled | Backup and Restoration Policy
FII-SCF-003-BCD-11.2 | Backup policies and procedures | Are backups replicated off-site, either virtually or on tape, in case of natural disaster? | Fulfilled | Backup and Restoration Policy
FII-SCF-003-BCD-11.1 | Evidence of a successful backup restore | Are backup restoration tests performed regularly to validate that data can be restored if needed? | Fulfilled | Backup Restoration Tests
FII-SCF-007-MON-01.5 | Intrusion Detection System / Intrusion Prevention System | Is an IDS or IPS in place? | Fulfilled | Monitoring Tools

CC8 - Common Criteria Related to Change Management

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-004-CHG-02 | Change control policies and procedures | Are changes formally documented? | Fulfilled | Change Control Policy
FII-SCF-004-CHG-02.1 | Full population of internal changes (infrastructure, network, database, application) during the audit period | Are changes formally tested and approved, and are the testing and approval documented? | Fulfilled | Change Management Ticket
FII-SCF-004-CHG-01 | Sample change management ticket validating that the developer did not promote the change to production | Are changes developed and deployed to production by different individuals/teams? | Fulfilled | Change Management Ticket
FII-SCF-002-AST-04 | Network diagrams | Are development/test environments separate from the production environment? | Fulfilled | Network Diagrams

CC9 - Common Criteria Related to Risk Mitigation

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-025-TPM-01 | Vendor risk assessment policies and procedures, with revision history | Does a formal vendor management program exist? | Fulfilled | Vendor Management Policy
FII-SCF-011-HRS-10 | Most recently completed vendor risk assessment | Does management complete annual vendor risk assessments? | Fulfilled | Vendor Risk Assessment

C1.0 - Confidentiality

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-018-PRI-04 | Confidentiality policy | Are there confidentiality policies and procedures, with revision history, that describe: defining, identifying and designating information as confidential; protecting confidential information from erasure or destruction; storing confidential data; retaining confidential information only as long as required to achieve the purpose for which it was collected and processed; and processes to delete confidential information in accordance with specific retention requirements? | Fulfilled | Confidentiality Policy
FII-SCF-003-BCD-02 | Confidential asset register | Do you maintain an inventory listing of the assets that hold confidential data? | Fulfilled | Description of system/services
FII-SCF-018-PRI-04.1 | Population of confidential data | Can you provide an inventory listing of confidential data within assets, including its classification and retention period? | Fulfilled | Data Retention
FII-SCF-018-PRI-05 | Confidential information maintenance policy | Have you documented confidential information maintenance policies and procedures? | Fulfilled | Confidentiality Policy
FII-SCF-009-DCH-22 | Confidential data testing (sample) | During the audit we will select a sample of files/documents marked as confidential and ask for evidence that the file/directory access permissions and the list of users with access were properly limited. | ToDo |
FII-SCF-009-DCH-21 | Confidential data disposal testing (sample) | During the audit we will ask for the population of confidential data that required disposal. For a sample of files/documents marked confidential that required disposal, can you provide evidence that they were disposed of following the procedures documented in the Confidentiality and/or Data Disposal policies? | Fulfilled | Data Retention
FII-SCF-008-CRY-05 | Confidential data encryption | Can you provide evidence that confidential information is stored in an encrypted, secure environment? | ToDo |

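The still-open sample test FII-SCF-009-DCH-22 asks for evidence that permissions on confidential files are limited to the people who need them. The following is an added example of how to produce that evidence for POSIX file systems, written for this page rather than taken from the organization's procedures. It takes the confidential-data inventory as a plain list of paths (an assumed input format; the questionnaire does not specify one) and reports every file whose group or other bits grant access, plus two cases auditors commonly catch: an inventoried file that no longer exists, and a file in a world-writable directory, where anyone can replace it regardless of its own mode. The files and modes in `demo()` are constructed.

```python
"""Audit POSIX permissions on files inventoried as confidential and report
any access beyond the owner. Added example for the confidential-data sample
test; the inventory format (a list of paths) and the files in demo() are
assumptions for the demonstration."""
import os
import stat
import tempfile
from pathlib import Path

# (mode bit, issue text) in the order issues are reported.
EXCESS_BITS = [
    (stat.S_IRGRP, "group can read"),
    (stat.S_IWGRP, "group can write"),
    (stat.S_IROTH, "others can read"),
    (stat.S_IWOTH, "others can write"),
]


def audit_file(path: Path) -> dict:
    """Return the file's mode, owner ids and a list of permission issues."""
    st = path.lstat()
    issues = []
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink; audit the target instead")
    for bit, text in EXCESS_BITS:
        if st.st_mode & bit:
            issues.append(text)
    # A world-writable parent without the sticky bit lets anyone replace the file.
    parent_mode = path.parent.stat().st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        issues.append("parent directory is world-writable without sticky bit")
    return {"path": str(path), "mode": stat.filemode(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "issues": issues}


def audit(inventory) -> list:
    """Audit every path in the inventory; files that have gone missing are reported too."""
    results = []
    for entry in inventory:
        path = Path(entry)
        if not path.exists() and not path.is_symlink():
            results.append({"path": str(path), "mode": None, "uid": None, "gid": None,
                            "issues": ["listed in inventory but not found"]})
        else:
            results.append(audit_file(path))
    return results


def demo() -> dict:
    """Constructed sample: three inventoried files with different modes, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        os.chmod(root, 0o700)
        modes = {"customer_list.csv": 0o600, "salaries.xlsx": 0o640, "contracts.pdf": 0o644}
        for name, mode in modes.items():
            p = root / name
            p.write_text("constructed sample content\n")
            os.chmod(p, mode)
        inventory = [root / name for name in modes] + [root / "missing.docx"]
        return {Path(r["path"]).name: r["issues"] for r in audit(inventory)}


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {issues or 'OK'}")
```

The `uid`/`gid` fields are what to map against the "list of users with access" the auditor asks for; on shared hosts a clean mode with the wrong group is still a finding, so the group membership for each reported `gid` should be pulled alongside this output. The check covers mode bits only; ACLs (`getfacl`) and the encryption-at-rest item FII-SCF-008-CRY-05 need separate evidence.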
A1.0 - Availability

Control ID | Evidence requested | Question | State | Evidence provided
---|---|---|---|---
FII-SCF-003-BCD-12 | Evidence of annual backup restoration testing | Does the organization meet its availability requirements? | Fulfilled | Backup Restoration Tests
FII-SCF-007-MON-01.4 | Evidence of hardware usage monitoring (usage alerts) | Does the organization meet its availability requirements? | Fulfilled | Monitoring Tools, Network Log

Last updated by Arun K R on August 10, 2023