Many of us are likely familiar with the information security risk that comes from working with vendors. When vendors have access to your organization or customers’ data, it’s critical to ensure that they have controls in place to protect it. A vendor’s SOC report will provide details on these controls and will also describe what your organization needs to do for the controls to be effective. SOC complementary user entity controls (CUECs) are essentially used to help achieve the vendor’s control objectives.
Let’s review some of the basics of CUECs and some tips on how to review them.
Basics of Vendor CUECs
CUECs are meant to ensure that the vendor’s control objectives can be met while informing your organization of its responsibilities. Vendor controls are a shared responsibility, and CUECs are your organization’s side of that relationship. The number of CUECs varies by vendor and service: there can be fewer than five, or there can be 30 or more.
In SOC 2 reports, CUECs address and are mapped to the Trust Services Criteria of security, availability, processing integrity, confidentiality or privacy. The organization being examined for a SOC 2 report gets to select the Trust Services Criteria and scope they’re examined against. Common criteria are those that are common to all five of the trust service categories. Controls can address common criteria or individual Trust Services Criteria. By ensuring implementation of the established CUECs, your organization is ensuring security through the Trust Services Criteria.
SOC 1 reports do not address the Trust Services Criteria. Instead, the organization being examined is tested on the internal controls it has selected as relevant to its financial operations. However, the organization being examined does not get to limit the scope of the exam, as all of those controls are tested. By implementing the CUECs described in a SOC 1 report, your organization is ensuring security according to your vendor’s selected controls.
How to Review Vendor CUECs
You can find CUECs in the Description or Tested Controls section of your vendor’s SOC report. CUECs found in the Description section, often Section III, include details on the controls and how they relate to the control objectives found in the report; this subsection is usually toward the end of the Description section. CUECs may also be found in the Tested Controls section, often Section IV, of the SOC report, where controls may be documented alongside the control objectives to which they are mapped.
Now that you have found the CUECs, here’s how to review them:
- Review the CUECs and their associated control objectives to ensure context is understood
- Determine which CUECs apply to you as not all will always apply
- Assign each CUEC to a person/team/role for responsibility
- Determine which CUECs you’re already addressing
- Address each applicable remaining CUEC
- Record how each CUEC is addressed. Here are questions to ask:
  - Is this CUEC similar to any of your organization’s existing controls?
  - Who owns this control and takes responsibility for it?
  - How often is this control validated or tested for effectiveness?
- Assess CUECs with each new SOC report or with any significant internal changes
- Document, document, document! Make sure you record this work.
Excluding Vendor Controls From the Review
A Subject Matter Expert (SME) in your organization should review the CUECs to determine which controls apply to the products or services your organization is using. If CUECs are specific to products or services your organization does NOT use, you can exclude them from your activities. CUECs that are specific criteria applying to products or services you are using should be implemented by an SME in your organization. CUECs classified as common criteria should also be implemented by your organization.
Tips for Mapping CUECs
It’s your organization’s responsibility to ensure you’re meeting any regulatory or contractual requirements with your controls. Map CUECs to these requirements and then analyze what other requirements have not yet been fulfilled.
Mapping CUECs to appropriate business units will ensure that controls are implemented by the proper SMEs. Consider which department would be most knowledgeable about each control and who would be able to best accomplish the control objective.
Assigning the implementation of CUECs to the appropriate SME provides the best assurance that the control objective is met effectively.
When mapping controls to your organization, make sure the activities you are implementing are also included in your governance documentation to aid with consistency and accountability.
CUECs are critical activities your organization should be doing to ensure that your vendor’s control objectives are met and security is maintained. An SME in your organization should review the CUECs to determine which controls apply to the products and services used. The applicable controls must be assigned to an owner so that they can be effectively implemented. CUECs are designed to give your organization confidence that security is not compromised by your vendor relationships.