Complementary User Entity Controls: The Key to Enhanced Security
Payal Wadhwa
Jan 20, 2025
Imagine that a bank provides you with a vault equipped with a high-quality locking mechanism and surveillance systems. You assume that you are protected from theft and that your assets are safe. However, if you are negligent with your key and passcode, the bank cannot safeguard your assets. The vault's features and your own handling of the key and code work in tandem to protect the vault's contents and establish a comprehensive security system. One cannot work without the other.
In the case of businesses, the vault represents the service organization's controls, while the key and personal code represent complementary user entity controls, or CUECs. Together, these elements create a robust security environment. Similarly, in the compliance space, service organizations rely on user entities to implement CUECs that help them maintain security and compliance.
This blog gives you an overview of CUECs and their relevance in the SOC reports.
TL;DR
- Complementary user entity controls are implemented at the user-entity level for layered security and help service organizations maintain a secure control environment.
- The SOC reports submitted by service organizations contain details on CUECs to be implemented by user entities. An example of a CUEC could be multi-factor authentication to restrict access to authorized personnel.
- User entities can look for CUECs in the system description and tested controls sections of the SOC reports.
What are complementary user entity controls (CUEC)?
Complementary user entity controls are controls that user entities must implement to utilize the services provided by a third-party organization. These complementary controls are essential for enabling the service organization to achieve its control objectives and maintain the desired level of security and compliance.
CUECs represent a shared responsibility model where the service organization implements certain controls and the user entities, which happen to be their customers, implement other specific controls to achieve operational effectiveness.
CUECs are documented in SOC 1, SOC 2 and SOC 3 reports and are used by the auditor to assess the control effectiveness of service organizations.
Importance of complementary user entity controls
Complementary user entity controls are critical because they ensure that both the service organization and the user entities meet their obligations to minimize the risk of data breaches or non-compliance. The service organization's controls are designed with the assumption that user entities will also implement the necessary controls to meet the control environment objectives. Without CUECs, the effectiveness of the service organization's controls can be significantly compromised, leading to security risks and compliance issues.
For the user entities, CUECs ensure that the services used are effective and secure, thereby maximizing the benefits. It builds trust and transparency and leads to smoother operations and enhanced user experience.
Who is responsible for the complementary user entity controls?
Complementary user entity controls work on a shared responsibility model, so both parties have their share of duties. While the user entity oversees the implementation, the service organization is responsible for communicating about the requirements.
Let’s look at the responsibility for CUECs in detail:
User Entity
- The user entity is responsible for understanding the CUEC requirements and implementing controls to enable the service organization to achieve its objectives.
- If there are any uncertainties related to the CUECs, the user entity must communicate these with the service organization for proactive actions.
- Lastly, the user entity is responsible for continuously monitoring and maintaining the complementary controls to ensure that they function effectively.
Service Organization
- The service organization is responsible for clearly communicating the complementary controls required and providing any guidance or support needed to the user entity. Technical jargon must be avoided to enable non-technical customers to understand the control requirements.
- Service organizations must also document the CUECs in the SOC report and ensure that everything is on track.
How are CUECs related to SOC?
SOC reports were formerly known as SAS 70 and User Control Considerations (UCC) was a concept in these reports. Over the years, both the report and the concept evolved and now they are known as SOC reports and Complementary User Entity Controls. So CUECs have been related to SOC for quite a long time.
When the service organization undergoes the SOC audit, the auditor examines the organization's control environment and also reviews whether CUECs are communicated to and implemented by user entities. If the report does not specify complementary user entity controls, the auditor may consider it incomplete and may not be able to form an opinion.
SOC reports highlight the applicable CUECs and ensure that these entities understand their responsibilities in meeting the control objectives and enabling smooth services.
Where are CUECs located in the SOC report?
SOC audit reports usually have four sections: the auditor's opinion, management assertion, system description, and tests of controls. The details on complementary user entity controls are laid out in the system description and tested controls sections.
Source: LCMS Foundation SOC report
The management assertion section may highlight that the CUECs are assumed to be implemented to fulfill the control objectives.
The SOC 1 report’s control objectives and related test section also lists CUECs to indicate what user entities must implement.
In the SOC 2 report, CUECs are identified in the Trust Service Criteria and applicable control objectives.
Examples of CUECs
Complementary user entity controls can vary based on user entities and the type of service organizations they deal with. Here are some common examples of what CUECs usually look like:
- A technology company's policy requires user entities to enforce endpoint device security measures.
- A healthcare vendor that provides cloud-based EHR (electronic health records) systems to user entities, i.e. hospitals and clinics, mandates that all data transmitted must be in an encrypted format.
- A SaaS company requires user organizations to enforce data retention policies and delete customer data after a specified period or on request.
- An IT service provider requires user entities to conduct regular access reviews and ensure that permissions are aligned with job functions.
- A payment processing platform requires user entities to implement multi-factor authentication for high-value transactions.
- A company may require user entities to ensure timely account removal for terminated employees.
Sprinto's approach to addressing CUEC deficiencies
While the user entity is responsible for the implementation of CUECs, any control failure on their end can impact security and compliance. Even the SOC 2 report can indicate that certain control objectives were not met.
Sprinto ensures iron-clad protection against CUEC misses through numerous automated checks and multiple layers of security controls.
- Access to all user entities that are added as 'critical systems' is protected via a secure login method: multi-factor authentication, single sign-on, VPN, and complex passwords.
- Sprinto supports role-based access controls and access is validated based on job functions. In other cases, it is approved via an access request ticket.
- The platform enables ongoing monitoring of user activities within critical systems. Any unusual or unauthorized behavior is promptly reported to risk owners to enable proactive action. This helps you stay on track and ensure continuous security and compliance.
As for SOC 2, Sprinto can help you get ready in weeks instead of months and save hundreds of man-hours with automated workflows.
Want to see Sprinto in action? Take a tour with a compliance expert and fast-track your SOC 2 journey.
FAQs
How can we determine our CUECs?
A user entity can determine their CUECs by reviewing the SOC reports of the service organization. These reports include a section on customer responsibilities or user control considerations, outlining the controls that must be implemented to ensure overall control effectiveness.
What are complementary sub-service organization controls?
Complementary subservice organization controls are controls that must be implemented by the subservice organizations—third parties that provide services to the primary service organizations. The implementation of these controls is necessary to ensure security and compliance for the primary organization.
Are CUECs the same for all user entities using the same service organization?
CUECs are generally unique to user entities and are customized according to requirements. However, depending on the service organization's policies and the nature of the services provided, there can be some uniformity across control requirements.
What is the difference between CUECs and user entity responsibilities?
Complementary User Entity Controls (CUECs) are specific controls that user entities must implement to complement the controls of the service organization. User Entity Responsibilities encompass a broader range of duties and actions that user entities must undertake to ensure their security and compliance, with implementing CUECs being one of these responsibilities.
While service organizations need to clearly specify the CUECs that user entities should implement, user entity responsibilities might not always be explicitly outlined. Instead, user responsibilities generally include a range of actions necessary for maintaining overall security and compliance, of which implementing CUECs is a part.