When I perform SOC 2 audits and assess vendors on behalf of large financial institutions, we are not concerned about the specific procedures in place when we are looking at the policy. Policy documents should only include the following:
1. The purpose of the policy
2. The scope of the policy
3. Roles and responsibilities for the activities required for the policy
4. Statement that directs the establishment of procedures
5. Any regulatory guidelines that may apply
6. Review and update cadence statement
7. Statement on how the policy is disseminated to employees
8. Formal approval from stakeholders
The procedure document would then state how the policy is being met. You may have your policies and procedures in the same document, but I would only start off by providing policies that only include the information I listed above, which should not be sensitive information. If they want specific procedures, then you should force them to sign an NDA - depending on how much leverage you have in the business relationship, you may have to "bite the bullet" and provide procedures.
Troy - Security Auditor
Schneider Downs
------------------------------
Troy Fine
Schneider Downs
------------------------------
Original Message:
Sent: Apr 15, 2021 08:57:35 PM
From: Greg Collins
Subject: Should I share our Company Policies during a security assessment
As a SaaS solution/product, I go through many security reviews by enterprise companies we are selling to. I'm trying to get a feel for what I should hand out and what I should just say we have.
As an example, I've been asked for our encryption management policy.
Should I just send the summary page, i.e. title, revision history, approval date, table of contents? Or do I send the whole document?
Note: we are SOC2 certified.
------------------------------
Greg Collins