In accordance with ITGC SR.1 - SOC Report Review, GitLab executes annual CUEC mappings of our internal controls to each SOC report associated with a SOX in scope application to ensure controls are adequately designed to address the CUEC requirements outlined in the SOC report. This activity is executed in Q1 of each fiscal year in order to gain the greatest coverage for the prior fiscal year.
Formal CUEC mappings are limited to SOX in scope third party SaaS applications as defined by management.
All third party SOX systems' SOC1 reports and bridge letters providing coverage over the prior fiscal year (2/1/20xx-1/31/20xx) will be obtained. If SOC1 reports are unavailable, SOC2 reports will be obtained.
| Team | Responsibilities |
|------|------------------|
| Security Risk - TPRM | Executes collateral collection and vendor interface; creates CUEC Mapping templates and populates them with CUECs & CSOCs |
| Internal Audit | Defines scope of SOX systems and facilitates mapping activities |
| Business Owners | Participates in mapping activities and provides final approval |
As Security Risk is responsible for executing third party security risk management activities, the team will support CUEC activities through the gathering of necessary collateral, specifically SOC reports and bridge letters. Security Risk follows this process:
Throughout this process, Security Risk manages the status of requested reports and CUEC mapping template creation prior to handoff to IA.
To help formally hand off the CUEC mapping activity, Security Risk creates CUEC mapping templates and adds CUECs/CSOCs from in-scope SOC reports. Security Risk follows this process:
Once updated SOC reports are obtained, Internal Audit will:
At the conclusion of the mapping activities, the Business Owners must provide final approval of the mapping. This activity is managed by Internal Audit.