Framework references: AICPA TSC (Trust Services Criteria) CC1.4; ISO/IEC 27001 Annex A controls A.5.1 (2022 edition) and A.15.1.1 (2013 edition numbering for supplier relationships; Annex A of the 2022 edition has no clause 15, its supplier-relationship controls sit under A.5)

CUECs mapped to your own controls

Description

What this control does

Complementary User Entity Controls (CUECs) are the controls that a service provider's SOC report assumes its customers (the user entities) implement and operate on their own side of the shared responsibility model, particularly in SaaS and PaaS environments: identity federation settings, key management, log retention and similar tenant-level configuration. The service provider maps each CUEC to its own baseline security requirement and to the provider-side control that validates it, establishing accountability boundaries and ensuring customers understand which security configurations they must maintain. This mapping lets the provider assess compliance risk across its tenant base and enforce a minimum security posture through tenant-level validation (configuration scanning) or, where a control cannot be observed from the platform, customer attestation requirements.

Control objective

What auditing this proves

Demonstrate that customer-operated controls are formally mapped to the organization's security baseline, accountability boundaries are documented, and mechanisms exist to validate customer compliance with delegated control requirements.

Associated risks

Risks this control addresses

  • Customers misconfigure identity federation or access controls in multi-tenant environments, exposing their data to unauthorized access while implicating the provider's platform
  • Absence of formal responsibility mapping leads to security gaps where neither customer nor provider believes they own a control activity
  • Customers fail to implement required encryption key management practices, leading to data exposure incidents attributable to the service platform
  • Service provider cannot demonstrate due diligence in audits because customer-operated controls lack validation mechanisms or documentation
  • Regulatory compliance failures occur when customers do not maintain required logging or retention settings within their tenant configurations
  • Provider's security baseline degrades over time as customers disable required controls without detection or intervention
  • Incident response is delayed because unclear control ownership prevents timely escalation and coordination between provider and customer teams

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's shared responsibility matrix or CUEC mapping documentation that identifies which controls customers operate versus provider-operated controls
  2. Select a representative sample of 10-15 mapped CUECs spanning identity management, data protection, logging, and access control domains
  3. For each sampled CUEC, verify that the internal control framework includes a corresponding provider-side control that establishes validation requirements or monitoring obligations
  4. Review customer onboarding documentation and service agreements to confirm that CUEC responsibilities are explicitly communicated to tenants during provisioning
  5. Examine technical validation mechanisms such as tenant configuration scanning, policy compliance dashboards, or attestation workflows that verify customer control implementation
  6. Interview personnel responsible for customer success or security operations to confirm processes exist for detecting and remediating customer control deficiencies
  7. Select three customer tenants and retrieve evidence of their CUEC compliance status, such as configuration audit reports or self-assessment attestations
  8. Trace one CUEC from the mapping document through to a real customer tenant implementation, verifying end-to-end accountability and evidence collection capability
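
The tenant-level validation, attestation check and end-to-end trace referred to above, as an added example that is not part of the control page or any vendor's product: a small Python model of a CUEC mapping in which each CUEC points at one provider-side control and either a scannable tenant setting or, for controls the platform cannot observe, a self-attestation with an expiry. The CUEC and provider control identifiers, setting names, tenants and dates are all constructed for illustration.

```python
"""Added example (not from the control page or any vendor product): a minimal
CUEC mapping and tenant validator. CUEC ids, provider control ids, setting
names, tenants and dates below are all constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Optional


@dataclass(frozen=True)
class Cuec:
    cuec_id: str            # identifier from the shared responsibility matrix
    provider_control: str   # provider-side control that owns validating this CUEC
    setting: Optional[str]  # tenant configuration key, or None if only attestable
    expected: Any = None    # required value or threshold
    op: str = "equals"      # "equals", "at_least" or "at_most"
    attest_valid_days: int = 365  # how long a customer self-attestation stays current


# Constructed baseline: each CUEC maps to exactly one provider control, so no
# control is left without an owner on either side of the responsibility boundary.
BASELINE = [
    Cuec("CUEC-IAM-01", "PC-AC-03", "sso.enforce_mfa", True),
    Cuec("CUEC-IAM-02", "PC-AC-05", "federation.restrict_idp_domains", True),
    Cuec("CUEC-KMS-01", "PC-DP-07", "kms.cmk_rotation_days", 365, "at_most"),
    Cuec("CUEC-LOG-01", "PC-LM-02", "audit.log_retention_days", 365, "at_least"),
    Cuec("CUEC-BCP-01", "PC-RS-01", None, attest_valid_days=180),  # attestation only
]

_OPS = {"equals": lambda a, e: a == e,
        "at_least": lambda a, e: a >= e,
        "at_most": lambda a, e: a <= e}


def evaluate_tenant(config: dict, attestations: dict, as_of: date,
                    baseline=BASELINE) -> dict:
    """Return {cuec_id: (status, evidence)} for one tenant. config is the tenant's
    scanned settings; attestations is {cuec_id: date of last self-attestation}.
    An absent setting is 'unverified', never assumed compliant: an unset control
    is exactly the ownership gap this mapping exists to surface."""
    results = {}
    for c in baseline:
        if c.setting is not None:
            if c.setting not in config:
                results[c.cuec_id] = ("unverified", f"{c.setting} not present in tenant config")
                continue
            actual = config[c.setting]
            try:
                ok = _OPS[c.op](actual, c.expected)
            except TypeError:  # wrong type in the tenant config is a finding, not a crash
                ok = False
            results[c.cuec_id] = ("compliant" if ok else "noncompliant",
                                  f"{c.setting}={actual!r}, requires {c.op} {c.expected!r}")
        else:
            attested = attestations.get(c.cuec_id)
            if attested is None:
                results[c.cuec_id] = ("unverified", "no attestation on file")
            elif as_of - attested > timedelta(days=c.attest_valid_days):
                results[c.cuec_id] = ("stale_attestation", f"last attested {attested.isoformat()}")
            else:
                results[c.cuec_id] = ("compliant", f"attested {attested.isoformat()}")
    return results


def fleet_summary(tenants: dict, as_of: date, baseline=BASELINE) -> dict:
    """Per CUEC, count tenants that are not currently compliant: the provider's
    cross-tenant view of where the baseline is eroding."""
    counts = {c.cuec_id: 0 for c in baseline}
    for config, attestations in tenants.values():
        for cuec_id, (status, _) in evaluate_tenant(config, attestations, as_of, baseline).items():
            if status != "compliant":
                counts[cuec_id] += 1
    return counts


def trace(cuec_id: str, tenant_id: str, tenants: dict, as_of: date, baseline=BASELINE) -> dict:
    """End-to-end trace of one CUEC: mapping entry -> provider control -> tenant evidence."""
    cuec = next(c for c in baseline if c.cuec_id == cuec_id)
    config, attestations = tenants[tenant_id]
    status, evidence = evaluate_tenant(config, attestations, as_of, [cuec])[cuec_id]
    return {"cuec": cuec_id, "provider_control": cuec.provider_control,
            "tenant": tenant_id, "status": status, "evidence": evidence}


# Constructed sample tenants: (scanned config, {cuec_id: attestation date}).
TENANTS = {
    "tenant-a": ({"sso.enforce_mfa": True, "federation.restrict_idp_domains": True,
                  "kms.cmk_rotation_days": 90, "audit.log_retention_days": 400},
                 {"CUEC-BCP-01": date(2024, 3, 1)}),
    "tenant-b": ({"sso.enforce_mfa": False, "federation.restrict_idp_domains": True,
                  "kms.cmk_rotation_days": 730, "audit.log_retention_days": 90},
                 {"CUEC-BCP-01": date(2023, 1, 10)}),
    "tenant-c": ({"sso.enforce_mfa": True, "audit.log_retention_days": 365}, {}),
}
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for tid, (cfg, att) in TENANTS.items():
        print(tid, evaluate_tenant(cfg, att, AS_OF))
    print("fleet:", fleet_summary(TENANTS, AS_OF))
    print(trace("CUEC-KMS-01", "tenant-b", TENANTS, AS_OF))
```

Two design points matter for the control. A missing setting is reported as unverified rather than passed, because a tenant that never configured a delegated control is the "neither side owns it" gap, not a compliant tenant. And the attestation path carries an expiry, so an attestation a customer signed once and never renewed stops counting as evidence; `fleet_summary` then shows the provider which CUECs are eroding across the tenant base, which is the cross-tenant risk view the mapping is meant to give it.
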

Evidence required

Collect the shared responsibility matrix or CUEC mapping document, excerpts from customer service agreements detailing control responsibilities, screenshots or exports from tenant configuration monitoring tools showing compliance status, sample customer attestation records or self-assessment submissions, and interview notes from customer success or security operations staff describing validation processes and escalation procedures.

Pass criteria

All sampled CUECs are formally mapped to provider-side controls with documented validation mechanisms, customer responsibilities are explicitly communicated in onboarding materials, and evidence demonstrates active monitoring or attestation of customer control implementation across tenant environments.
