SOX CUEC Mapping Procedure
In accordance with ITGC SR.1 - SOC Report Review, GitLab executes annual CUEC mappings of our internal controls to each SOC report associated with a SOX in scope application to ensure controls are adequately designed to address the CUEC requirements outlined in the SOC report. This activity is executed in Q1 of each fiscal year in order to gain the greatest coverage for the prior fiscal year.
Formal CUEC mappings are limited to SOX in scope third party SaaS applications as defined by management.
All third party SOX system’s SOC1 reports and bridge letters providing coverage over the prior fiscal year (2/1/20xx-1/31/20xx) will be obtained. If SOC1 reports are unavailable, SOC2 reports will obtained.
Roles & Responsibilities
|Security Risk - TPRM||Executes collateral collection and vendor interface - Creates CUEC Mapping templates and populates with CUECs & CSOCs|
|Internal Audit||Defines scope of SOX systems and facilitates mapping activities|
|Business Owners||Participates in mapping activities and provides final approval|
Collateral Collection (Security Risk)
As Security Risk is responsible for executing third party security risk management activities the team will support CUEC activities through the gathering of necessary collateral, specifically SOC reports and bridge letters. Security Risk follows this process:
- Validates the systematic scope by leveraging IAs SOX listing
- Creates a GitLab Epic for activity tracking and transparency/visibility. This epic can be modeled after prior year.
- Initiates requests and obtains the applicable third party reports and bridge letters
- Reviews SOC reports for CSOCs and initiates requests to obtain all CSOC reports. Note that Security Risk does not determine whether or not GitLab business processes rely on CSOCs. As such, we request all CSOC SOC reports.
- Validates that reports provide coverage over the prior fiscal year (2/1/20xx-1/31/20xx). If coverage is lacking additional requests are sent.
Throughout this process, Security Risk manages the status of requested reports and CUEC mapping template creation prior to handoff to IA.
Google Sheet CUEC Template Creation (Security Risk)
To help formally hand-off the CUEC mapping activity, Security Risk creates CUEC mapping templates and adds CUECs/CSOCs from in-scope SOC reports. Security Risk follows this process:
- Creates CUEC mapping templates in Google Sheets for each in-scope report (including CSOCs)
- Lists all CUECs within the template
- Shares the CUEC mapping templates and applicable reports with Internal Audit
ITGC and Business Process Control Mappings (Business Owners/Internal Audit)
Once updated SOC report are obtained, Internal Audit will:
- Work with the Business Owner to map internal controls to the CUECs
- Coordinate with business owners to review SOC report findings and evaluate impact on business and ITGC controls
- Coordinate with business owners to review user control considerations to ensure appropriate GitLab controls are in place to address user control considerations
- Manage the status of business owner approvals
Approvals (Business Owners)
At conclusion of the mapping activities the Business Owners must provide final approval of the mapping. This activity is managed by Internal Audit.