Getting Started – TrustCloud Auditors

Getting Started – TrustCloud Auditors Guide is to get access to the AuditLens application. Kindly reach out to your Customer contact. They will invite you to their AuditLens portal. The TrustCloud customer will be able to initiate access, and you will receive an invitation email. Once you have accepted the customer’s AuditLens invitation, click on the four squares at the top left side of the landing page. This will switch you from the TrustOps view to the Audit Lens view.

Below is a detailed overview of each of the frameworks for your review.

Auditor SOC2 Process Flow:

1. On the Audit Lens view:
   1. Systems and Vendors are at the very top. If you click on them, it will take you to your customer’s Systems or Vendors page, inside of their TrustOps. This will give you access to the organization’s tech stack. You will be able to see the types of data that your customer is storing on each system or vendor. We’ve segmented these into three different categories: Customer Confidential, [Company] Restricted, [Company] Confidential, and Public.
      
      
   2. Going back to the Audit Dashboard, the second thing you’ll notice is the framework Criteria section on the left. This is a summarized view of everything in scope for the audit, organized by framework criteria.
      
      
   3. Lastly, on the top right hand side, you will see an icon to download the control mapping. Selecting this will give you a CSV listing of all controls mapped to the SOC2 criteria. This will essentially be the Section 4 component of the SOC2 report.
   4. To give you an example of how to work out of this view, we’ve selected CC6 from the SOC2 framework to demonstrate.
      1. Once selected, you will be brought to a page that shows the policies and controls that need to be reviewed.
         1. The list is titled “Adopted Policies” because these are the policies that have officially been adopted internally by your customer.
         2. We generated this list from their program so you can have the ability to click on the policy name or link, review their policy text, look at the linked controls, see how the controls are being adhered to, and see the approval history.
         3. Instead of downloading their policies, you can now directly view them in their Trust Cloud.

AuditLens HIPAA Process Flow

1. Make sure you’re logged into Audit Lens, not TrustOps.
   1. If you’re logged into your client’s TrustOps, simply hover your mouse over the four squares in the top left corner and switch to the Audit Lens application.
2. You will be brought to an Audit Dashboard.
   Here, you’ll be shown your client’s Systems, Vendors, and HIPAA Activities. Systems and Vendors are at the very top. If you click on them, they will take you to your customer’s Systems or Vendors page, inside of their TrustOps.
   1. If you select Systems:
      1. This will give you access to the organization’s tech and business stack. Within, you will be able to see the types of data that your customer stores in each system or vendor. We’ve segmented these into three different categories: Customer Confidential, [Company] Restricted, [Company] Confidential, and Public.
      2. You’ll also be able to see the status of your customer’s Systems. After clicking a system, it’ll bring you to that individual system’s page. Here, you can find the details of the system, its Automated Tests, and Self-Assessments.
      3. Lastly, on the top right hand side, you will see an icon to download the control mapping. Selecting this will give you a CSV listing of all controls mapped to the HIPAA Security Requirements.
         
         
      4. Under Evidence, you’ll see either an orange exclamation icon or a green check mark. The orange exclamation icon means that the required evidence is missing. The green check mark means that evidence has been uploaded.
      5. To the right of these categories, you will see the “Related Controls” column, which brings you to related control’s individual page. The corresponding test will be highlighted.
      6. Next, you’ll see Actions, where you’ll be able to view their activity.
      7. Similarly, you’ll see a similar flow for the Automated Tests.
   2. If you select Vendors:
      1. This will prompt you to go to your customer’s Vendors page inside of Trust Cloud. You’ll be able to see their vendor list, with the same segmentation as before.
   3. If you browse HIPAA Activities:
      1. You will see a high level dashboard of your entire customer’s programs as they relate to HIPAA activities.
         1. The Controls and Policies have percentages. These are just percentages that show your progression. The percentages do not mean that your client’s have completed their controls or policies. It means that you have reviewed all of their controls and policies.
         2. Anything with a yellow circle would indicate that it’s in progress.
         3. A “blank” section is one that doesn’t have the check mark or the yellow circle indicator. These are just sections you have yet to review.
      2. Once you click on a tile under the HIPAA Activities Section, you can see all the related controls and policies for that particular activity.
         1. You can select the Policy name, which will bring you to your client’s entire policy, linked controls, and the status of the controls.
         2. You can also select the three ellipses (or dots) in the top right corner. This will give you the option to view the Approval History, as well as “Export the PDF”.
         3. If everything looks good, a policy’s Audit Status can be changed from “Not Started” to “Reviewed”. If you have additional questions for your client, you may select “Follow Up Required”.
         4. Once every policy has an Audit Status of “Reviewed”, you can then proceed to the top right corner and select the toggle button to officially mark the entirety as “Reviewed”.
            
            
      3. A similar flow will happen for the Adopted Controls section.
   4. You have the ability to click on the Control Name or Control ID.
   5. We created unique Control Names and Control IDs that are more approachable for customers, but on the left hand side, we’ve also mapped out the specific HIPAA Criteria.
   6. To confirm this, you can select the Control Name, which will show you a description of the control, automated tests, and self-assessments that are in place.

AuditLens ISO 27001 Process Flow

1. Make sure you’re logged into Audit Lens, not Trust Cloud.
   1. If you’re logged into your client’s Trust Cloud, simply hover your mouse over the four squares in the top left corner and switch to the Audit Lens application.
2. You will be brought to an Audit Dashboard.
   1. Here, you’ll be shown your client’s Systems, Vendors, and ISO 27001 Sections.

Systems and Vendors are at the very top. If you click on them, they will take you to your customer’s Systems or Vendors page, inside of their Trust Cloud.

1. If you select Systems:
   1. This will give you access to the organization’s tech and business deck. Within, you will be able to see the types of data that your customer is storing in each system or vendor. We’ve segmented these into three different categories: Customer Confidential, [Company] Restricted, [Company] Confidential, and Public.
   2. You’ll also be able to see the status of your customer’s Systems. After clicking a system, it’ll bring you to that individual system’s page. Here, you can find the details of the system, its Automated Tests, and Self-Assessments.
   3. Under the Status column, you’ll see which Tests are being run.
   4. Under Evidence, you’ll see either an orange exclamation icon or a green check mark. The orange exclamation icon means that the required evidence is missing. The green check mark means that evidence has been uploaded.
   5. To the right of these categories, you will see the “Related Controls” column, which brings you to related control’s individual page. The corresponding test will be highlighted.
   6. Next, you’ll see Actions, where you’ll be able to view their activity.
   7. Similarly, you’ll see a similar flow for the Automated Tests.
2. If you select Vendors:
   1. This will prompt you to go to your customer’s Vendors page inside of Trust Cloud. You’ll be able to see their vendor list, with the same segmentation as before.
      
3. If you select ISO 27001 Sections:
   1. You can click on each tile to see the Adopted Policies and Adopted Controls.
      
   2. If you select a Policy, you’ll be able to review your client’s policy inside of their Trust Cloud, as well as the related Controls and their status.
   3. You can also select the three ellipses (or dots) in the top right corner. This will give you the option to view the Approval history as well as “Export the PDF”.
   4. If everything looks good, a policy’s Audit Status can be changed from “Not Started” to “Reviewed”. If you have additional questions for your client, you may select “Follow Up Required”.
   5. Once every policy has an Audit Status of “Reviewed”, you can then proceed to the top right corner and select the toggle button to officially mark the entirety as “Reviewed”.
4. The Controls and Policies have percentages. These are just percentages that show your progression. The percentages do not mean that your client’s are completed their controls or policies. It means that you have reviewed all of their controls and policies.
5. Anything with a yellow circle would indicate that it’s in progress.
6. A “blank” section is one that doesn’t have the check mark or the yellow circle indicator. These are just sections you have yet to review.