As security programs have matured, organizations have paid closer attention to the security of their vendors and partners. Known as supply chain risk, the poor security practices of a partner or vendor can have catastrophic consequences, particularly when sensitive information is shared between organizations.
That’s where SOC 2 reports come in. They provide information about how effectively a service provider manages the security, privacy, and integrity of sensitive information, making it easier for organizations to know who they can trust with their data.
What is SOC 2 Compliance?
SOC 2 is an auditing and reporting framework created by the American Institute of Certified Public Accountants (AICPA). It was developed to give assurance that service providers that store or process customer data, in the cloud or otherwise, take adequate precautions to keep it safe.
SOC 2 assesses the management of customer data against five categories of the AICPA's Trust Services Criteria, still commonly called the Trust Service Principles: security, availability, processing integrity, confidentiality, and privacy. We'll take a closer look at what each of these Principles is about shortly.
Although SOC 2 was created by an accounting body and its reports can only be issued by CPA firms, it has become popular across all industries. Many organizations prefer to work, and some will only work, with partners that hold a current SOC 2 report, because it shows a commitment to data security that goes beyond regulatory requirements.
Realistically, any organization that provides a digital service (XaaS) or stores customer information in the cloud should obtain a SOC 2 report, as potential customers will be more willing to work with it. One point of precision: there is no SOC 2 'certificate'. The outcome of a SOC 2 engagement is an attestation report signed by an independent CPA firm, although 'SOC 2 certified' is common shorthand.
SOC 2 Certification
Most modern security standards list specific control requirements. PCI DSS is the obvious example, and control catalogs such as NIST SP 800-53 and FedRAMP are also highly prescriptive. HIPAA, by contrast, sets mandatory outcomes but leaves much of the implementation to the covered entity.
SOC 2 takes a different approach. An organization seeking SOC 2 compliance will review the Trust Service Principles, and design its own controls to fulfill the requirements.
Of the five Trust Service Principles, only security is an essential component of SOC 2 certification. The other four Principles are optional, and only included if the organization feels they are relevant. As a result, each SOC 2 report is unique to an organization.
There are two types of SOC 2 reports, each requiring a different level of assessment:
Type 1 reports describe an organization's systems and controls and state whether the auditor finds them suitably designed to meet the included Trust Service Principles as of a specified date. The assessment for a Type 1 report is conducted at a single point in time.
Type 2 reports cover the same ground, but also test the operating effectiveness of those controls over a review period, typically six to twelve months, with the auditor sampling evidence from throughout that period.
While Type 1 reports are worthwhile, most organizations value Type 2 reports more highly, particularly when making decisions about which vendors and partners to work with.
Trust Service Principles
So what exactly are the Trust Service Principles? Here’s an overview:
Security — Protection of data and assets against unauthorized access, theft, or alteration. Common controls include Identity and Access Management (IAM) solutions, network and application firewalls, Multi-Factor Authentication (MFA), and Intrusion Detection Systems (IDS).
Availability — Availability of a system, application, or service to the organization’s customers. This Principle is judged in line with agreed SLAs, so the minimum standard needed to ‘pass’ is set by both the organization and its customers. Common controls include performance monitoring, disaster recovery, and Incident Response (IR) processes.
Processing integrity — Ensuring system processing is “complete, valid, accurate, timely, and authorized to meet the entity’s objectives”. Meeting the requirements of this principle also means avoiding errors in processing, and quickly identifying and resolving any errors that occur. Common controls include quality assurance and processing monitoring.
Confidentiality — Ensuring data access and exposure is restricted to specific individuals, organizations, and systems. This is particularly critical for sensitive information such as PII (Personally Identifiable Information). Common controls include encryption, IAM, and network and application firewalls.
Privacy — Ensuring personal information remains private throughout collection, use, retention, disclosure, and disposal. This Principle goes beyond access control: it also covers notice and consent, and whether the organization actually handles PII the way its privacy notice promises. Common controls include IAM, MFA, encryption, and data retention and disposal procedures.
Once again, while security is essential and must be included in every SOC 2 audit, the other four Principles are optional. They can be included as appropriate to satisfy the needs of the organization and/or its partners and customers.
SOC 2 Compliance Audits
Ultimately, the purpose of SOC 2 compliance is to earn a SOC 2 audit report. This provides detailed information and assurance about a service organization’s controls in each of the trust service principles, as set out by AICPA’s Trust Services Criteria.
To obtain a SOC 2 report your organization must undergo an audit, which can only be conducted by an independent Certified Public Accountant (CPA) or accountancy organization.
Once completed, a SOC 2 report contains the auditor's opinion, management's assertion, a description of your organization's system, the trust service categories included, and (for Type 2) an explanation of the tests performed and their results.
SOC 2 Monitoring and Alerts
To achieve SOC 2 compliance — particularly Type 2 — an organization must have a process in place to monitor for unusual system activity. This includes authorized and unauthorized changes to system configuration and user access levels.
Any change to the configuration of an asset or user account can affect every one of the Trust Service Principles. Because a SOC 2 Type 2 report covers compliance over time, organizations must rigorously track changes in their environment to show that controls kept operating throughout the review period.
So what about when a genuine security incident occurs? To address this, organizations must also have alerts in place to warn of potential security incidents. When an incident occurs — for example, unauthorized access to customer data — the organization must be able to demonstrate its ability to respond and take corrective action.
Of course, the combination of change monitoring and incident alerts can produce a lot of 'noise' in the form of false positives. This is particularly true when organizations rely exclusively on a SIEM or similar technology, because on its own such a tool sees that a change occurred but has no way to know whether the change was approved.
To address this, it's best to implement a process or tool that only produces alerts when activity is both:
- potentially concerning, and
- outside the norm for that environment (for example, a change with no matching approved change record).
The Importance of Managing Change
Earlier, we mentioned that SOC 2 reports come in two forms: Type 1 and Type 2. While a Type 1 report assesses the design of controls at a point in time, a Type 2 report tests them over a review period, typically six to twelve months. SOC 2 Type 2 reports are therefore more highly regarded, because they demonstrate that controls actually operated, not merely that they existed on the day of the assessment.
To achieve Type 2 compliance, an organization must be able to maintain its controls effectively over time. This can be challenging, as modern digital environments evolve rapidly, so systems must be in place to keep track of changes and ensure they don’t result in non-compliance with SOC 2 controls.
File Integrity Monitoring (FIM) solutions detect and record deviations from a known-good baseline of files, configurations, and system attributes. That continuous record is exactly the evidence of change control a Type 2 assessment asks for, which makes FIM an outstanding tool for achieving SOC 2 Type 2 compliance.
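The following is an added illustration of the two ideas above (a FIM baseline, and alerting only on changes that fall outside an approved change window). It is example code written for this article, not CimTrak's code or the AICPA's; the directory layout, file contents, ticket ID CHG-1042 and the ChangeTicket schema are all constructed for the demonstration.

```python
"""Minimal file integrity monitoring (FIM) with change reconciliation.

Added example, not CimTrak code: hash a directory tree into a baseline,
re-scan it, and report every deviation as either "approved" (it falls
inside an authorized change-ticket window for that path) or an alert.
All paths, ticket IDs and file contents below are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


def baseline(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[rel] = h.hexdigest()
    return snap


def diff(old, new):
    """Return a sorted list of (event, path) for added, removed and modified files."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append(("added", path))
        elif path not in new:
            events.append(("removed", path))
        elif old[path] != new[path]:
            events.append(("modified", path))
    return events


@dataclass
class ChangeTicket:
    """An approved change pulled from the ITSM system (hypothetical schema)."""
    ticket_id: str
    path_prefix: str     # files the ticket authorizes, e.g. "etc/app/"
    start: datetime      # approved maintenance window
    end: datetime

    def covers(self, path, when):
        return path.startswith(self.path_prefix) and self.start <= when <= self.end


def reconcile(events, tickets, observed_at):
    """Split detected changes into approved (matched to a ticket) and alerts.

    Only the unmatched changes should page anyone; the matched ones are
    still kept as audit evidence that the change process was followed.
    """
    approved, alerts = [], []
    for event, path in events:
        ticket = next((t for t in tickets if t.covers(path, observed_at)), None)
        if ticket is None:
            alerts.append((event, path))
        else:
            approved.append((event, path, ticket.ticket_id))
    return approved, alerts


def demo():
    """Constructed scenario: one ticketed config edit, two unauthorized changes."""
    start = datetime(2020, 9, 29, 10, tzinfo=timezone.utc)
    end = datetime(2020, 9, 29, 14, tzinfo=timezone.utc)
    tickets = [ChangeTicket("CHG-1042", "etc/app/", start, end)]
    scan_time = datetime(2020, 9, 29, 12, tzinfo=timezone.utc)

    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("etc/app/config.ini", b"debug=false\n")
        write("bin/service", b"\x7fELF original binary")
        before = baseline(root)

        write("etc/app/config.ini", b"debug=true\n")        # covered by CHG-1042
        write("bin/service", b"\x7fELF tampered binary")     # no ticket: alert
        write("bin/dropper", b"#!/bin/sh\necho unexpected\n")  # new file, no ticket: alert
        after = baseline(root)

        return reconcile(diff(before, after), tickets, scan_time)


if __name__ == "__main__":
    approved, alerts = demo()
    for item in approved:
        print("approved", item)
    for item in alerts:
        print("ALERT   ", item)
```

Running the script shows one approved change (the config edit inside the CHG-1042 window) and two alerts (the altered binary and the new file under bin/). A production FIM also records who made the change, from where, and with which process, and watches ownership and permission bits as well as content; the point here is only the reconciliation step, which is what turns a raw change feed into alerts an on-call engineer and a Type 2 auditor can both act on.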
How CimTrak Helps
CimTrak is an IT integrity, security, and compliance tool that makes it easy for organizations to build and maintain strong controls across the five SOC 2 Trust Service Principles.
CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify security issues in hardware and software assets.
Crucially, CimTrak’s functionality directly contributes to 85 of the 319 controls outlined in the Trust Services Criteria. Top benefits include:
Continuous Monitoring — CimTrak creates a baseline of normal activity in your cloud environment, and instantly alerts you to suspicious, unknown, or unauthorized activity. CimTrak detects malicious and unwanted changes in minutes, compared with the widely cited industry average of more than 206 days to identify a breach.
Alerting — CimTrak combats alert ‘noise’ by integrating with other ITSM solutions to create a closed-loop change management environment to reconcile expected and approved changes. This ensures alerts are only raised for unknown, unauthorized, and potentially malicious changes or activity.
Audit and Forensics — CimTrak produces forensic analysis of outages and security incidents in real-time, tracking which files were altered, the source IP address, which user made the change, what time the change was made, and the process involved.
Roll-Back — CimTrak can automatically roll back unwanted changes and restore any file to its trusted state. This returns critical system attributes and configurations to their approved state whenever they drift, and drastically improves the mean time to recover (MTTR) from security incidents and operational failures.
To find out more about how CimTrak can help your organization reach and maintain SOC 2 compliance, download the solution brief today.
September 29, 2020