Complementary User Entity Controls

By Kristin Thomas on December 6, 2024

Executive Summary

Complementary User Entity Controls are conditions a third-party vendor requires its customers to implement in order for the product to work as intended. Enterprise customers must read and understand all such requirements to ensure a safe and secure deployment. Best practices include identifying these controls in vendor SOC reports and designating a specific role to ensure they are properly implemented. If users do not follow the service organization's requirements, preventable risks may be unnecessarily introduced.

Background

Many businesses rely on third-party vendor products and services for the convenience they provide in supporting business operations while minimizing overhead. Systems and products are not operated in a vacuum; the user must be taken into account. Service organizations are responsible for informing users of how their product works and what is necessary to operate it successfully [4]. Complementary User Entity Controls, or CUECs, are requirements the user must follow for the product to work as designed. These conditions can only be set by users and are considered beyond the control of the vendor. Although it is the vendor's responsibility to disclose CUECs, it is the user's responsibility to implement them.

Service organizations will usually hire an independent auditor to assess their product for potential CUECs. Once identified, this information can usually be found in the vendor's System and Organization Controls, or SOC, reports. Although not always labeled with the title "Complementary User Entity Control," they can be identified as user requirements [3]. For example, if a security system requires a user to enable Multi-Factor Authentication, or MFA, this would be considered a CUEC whether or not that term is explicitly used. This information can also be found in sections that address testing or user controls.

Vendors should perform ongoing analysis of their CUECs to ensure they remain valid. Although a product may have general CUECs that apply to all customers, CUECs should ideally be user-specific and agreed upon by both parties [5]. Users should continually review CUEC updates from the service organization to remain up to date.

Impact

Operating a product without its required CUECs can introduce preventable risks and increase an organization's attack surface. Disregarding these requirements means ignoring known vulnerabilities, which can negatively impact compliance, assets, and business continuity. It is an industry standard that this type of risk cannot be transferred back to the vendor, so it is of utmost importance that users understand, and are willing to meet, all conditions needed for product implementation.

Mitigation

Users should confirm whether or not a product has identified CUECs. If they exist, all controls should be implemented per the service agreement and documented. Identifying whether a user organization already has existing controls in place that satisfy CUEC requirements can make adherence simpler. Additionally, an organization's ability to meet the requirements should be taken into account before choosing a vendor. If an organization cannot satisfy the requirements needed for a product to operate as designed, it should choose a different product whose requirements it can meet. Enterprises should designate at least one entity to handle and monitor CUECs. This entity should know the correct avenues for contacting the service organization and where documentation regarding CUEC implementation resides.

Although it is possible that a product may not have any CUECs, the absence of such controls should still be identified and documented by the service organization. This communicates that there are no additional requirements that must be put in place for the product to work as designed. It is also a best practice to follow any non-CUEC recommendations provided by the vendor; users should make every effort to follow such suggestions for optimal results.

Users should choose quality service organizations that use sound practices and provide clear information. Vendors should use independent, third-party auditors to analyze the necessity and quality of user controls for their products [1]. They should perform ongoing analysis of their CUECs to ensure they remain valid and communicate changes to users. Users should never assume a product has no CUECs simply because none are listed, and should confirm with the service organization if unclear. Vendors who are unwilling to provide CUEC information or support are best avoided.

Relevance

CUECs are an important aspect of shared responsibility models. In the event of a cyber incident, the user would be at fault if the incident occurred as a result of a failure to implement CUECs identified by the vendor [2]. If the user does not allow the product to work as designed, they will likely be held responsible for breakdowns in system performance.

References

[1] Fitzgerald, A. (2023, October 18). What Is a SOC Report & Why Is It Important? Secureframe. https://secureframe.com/blog/soc-report

[2] Hill, L. (2023, May 23). Importance of Complementary User Entity Controls for Vendor Relationships. Venminder. https://www.venminder.com/blog/importance-complementary-user-entity-controls-vendor-relationships

[3] Venminder. (2024, June 5). Vendor Complementary User Entity Controls: What They Are and How to Use Them [Video]. Venminder. https://www.youtube.com/watch?v=NKPHcXSme_k&t=3033s

[4] Wadhwa, P. (2024, August 20). Complementary User Entity Controls: The key to Enhanced Security. Sprinto. https://sprinto.com/blog/complementary-user-entity-controls/

[5] ZenGRC. (2024, September 24). Complementary User Entity Controls, Explained. ZenGRC. https://www.zengrc.com/blog/complementary-user-entity-controls-explained/