The MeridianLink system was designed with the assumption that internal controls would be placed in operation by user entities. The application of such internal controls by user entities is necessary to achieve certain control objectives. There may be additional control objectives and related controls that would be appropriate for the processing of user entity transactions.

 

This section describes certain controls that user entities should consider for achievement of control objectives. The complementary user entity controls presented below should not be regarded as a comprehensive list of all the controls that should be employed by user entities.

 

System DevelopmentClients should ensure system development requests are clearly communicated to MeridianLink and that all user requirements are accurate and complete.

During user acceptance testing, clients should ensure system functionality is operating as intended.
Provisioning AccountsCustomers are responsible for controlling the authorized user assignments.

Clients are responsible for designating and communicating authorized administrative users to MeridianLink for use in establishing and maintaining user accounts.
Termination ProceduresUsers are responsible for contacting MeridianLink in a timely manner to ensure their terminated employees no longer can request for information or system changes from MeridianLink.

Clients are responsible for notifying MeridianLink promptly of users whose access should be removed.
Network SecurityUsers are responsible for ensuring user accounts as well as user-owned or managed applications, platforms, databases, and network devices that may process or store data derived from MeridianLink are logically secured to at least the standards recommended by MeridianLink.

Clients are responsible for notifying MeridianLink when it has reason to believe that one of its administrative user accounts has become compromised.

Clients are responsible for establishing physical security over their own workstations, servers, and communication hardware that connect to MeridianLink application products or services.
User Access ControlsClients should ensure that an appropriate level of application access has been granted to their users and that user access is reviewed on a periodic basis to ensure the appropriateness of user access.
General ControlsUsers are responsible for ensuring user access to reports and other information generated from MeridianLink is restricted and based on business need.

Users of MeridianLink-hosted applications are responsible for maintaining appropriate IT general computer controls (ITGCC) and application controls.
Regulatory, Compliance, and Service AgreementsUsers are responsible for adhering to all regulatory compliance issues when they are associated with MeridianLink in a service agreement.

Users are responsible for reviewing and approving the terms and conditions stated in service agreements with MeridianLink.
Note: the policies listed on this webpage may be updated by MeridainLink from time to time without notice.