SOC 2
Security Control Activities
CC5.1
COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Integrates With Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out. Considers Entity-Specific Factors—Management considers how the environment complexity nature and scope of its operations as well as the specific characteristics of its organization affect the selection and development of control activities.Determines Relevant Business Processes—Management determines which relevant business processes require control activities.Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks considering both manual and automated controls and preventive and detective controls.Considers at What Level Activities Are Applied—Management considers control activities at various levels in the entity.Addresses Segregation of Duties—Management segregates incompatible duties and where such segregation is not practical management selects and develops alternative control activities.Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes automated control activities and technology general controls.Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure which are designed and implemented to help ensure the completeness accuracy and availability of technology processing.Establishes Relevant Security Management Process Controls Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.Establishes Relevant Technology Acquisition Development and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition development and maintenance of technology and its infrastructure to achieve management’s objectives.
Click here to Start your FREE trial today!
What is a Cybersecurity Compliance Framework?
You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- HIPAA
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- NIST-CSF
- CIS Framework Controls V8
Click here to Start your FREE trial today!