Aug 16, 2017
How to Leverage your GRC Platform for SOC 2 Compliance
Service Organization Control (SOC) reports have become more and more important to the world of information security and compliance since being introduced by the American Institute of CPAs (AICPA) in 2011. This is particularly the case for SOC 2, which focuses on availability, confidentiality, privacy, processing integrity, and security as its trust services criteria or requirements:
Availability refers to a system's operational readiness for use as agreed or committed
Confidentiality means that all data is protected and classified as agreed or committed
Privacy indicates that all personal data is collected, retained, used, and transferred as agreed or committed
Processing integrity means system processing is accurate, timely, complete, and authorized
Security refers to the logical and physical protection of systems against unauthorized access
One of the reasons for the increasing acceptance of SOC 2 is that it gives service providers more flexibility to determine how they fulfill its requirements.
Without the extremely explicit criteria of some other standards, each SOC 2 report is unique for every organization. You are allowed to map which criteria are relevant to your organization and then create your controls to meet those criteria. With that, you can disregard certain controls that are not relevant to your organizational practices and create extra controls according to your needs.
Use Adequate and Efficient Alerting
To successfully maintain SOC 2 compliance, it is recommended to complement your organizational controls with appropriate alerts that fire when a security incident occurs. It is important that your company can demonstrate that these alerts are in place to detect any unauthorized access to your information systems and take timely corrective action.
Take extra care to ensure your alerts are configured to trigger only for real anomalies; otherwise you risk noise from false positives. Typical alert types cover unauthorized file transfers; exposure or modification of controls, data, or configurations; and privileged access to logins, accounts, and filesystems.
You need to map the kinds of activity that indicate threats according to your organization's risk profile and the cloud environment in which you operate. This way, you are guaranteed to be alerted to whatever security incident occurs and can act quickly to stop data compromise or loss.
Practice Continuous Monitoring
Apart from patently anomalous or malicious activities, it is important that you also develop a capacity for continuous monitoring of your normal everyday activity. Only by baselining what this normal activity consists of in your cloud environment can you determine the kinds of abnormal activity you need to watch out for.
To be SOC 2 compliant, you have to set up a system of practices and processes in your company that conforms to the standard's required level of oversight. In particular, this means continuous monitoring of system configuration changes, both authorized and unauthorized, of user access levels, and of various system activities.
With continuous monitoring you can be assured of detecting possible threats from both internal and external sources and of safeguarding your confidential information. Nothing going on in your cloud infrastructure should come to you as a surprise.
Use Action Items
The controls within your SOC 2 report need to ensure that you can take corrective action whenever security incidents do occur.
You have to make sure that your system uses action items to track ongoing testing and validation and to make informed decisions. It is important that you can trace the origin of an attack, where it is headed, the parts of the system that are affected by it, the nature of its impact, and its next possible moves.
By putting in place controls that let you act on data as the SOC 2 criteria require, you can be confident of detecting threats effectively, mitigating whatever impact they cause, and, most importantly, applying corrective steps to avoid the recurrence of similar incidents in the long term.
Enable Audit Trails
To determine the source of a security incident, audit trails are the best way forward to establish the context of any attack. Through detailed audit trails you can learn the what, who, where, when, and how of an attack, which enables you to formulate an effective response.
Audits can be simplified by including all program data in a system of record. Some of the insights that such audit trails can give you include the point of origin of an attack, the extent of its impact, the addition, modification, or removal of vital system components, and the unauthorized alteration of system configurations and data.
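To make the monitoring and audit-trail practices described above concrete, here is an added example in Python (not from the original post and not the code of any GRC product): it replays constructed configuration-change events against an approved baseline, records a who/what/when audit entry for every event, and raises an alert only for changes that no approved change ticket explains. The setting names, actors, and ticket ids are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical settings, actors and ticket ids): the
# approved baseline, the change tickets the change board signed off, and the
# configuration-change events a monitoring agent might report.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.inbound.22": "10.0.0.0/8",
}
APPROVED = {  # (setting, new value) -> approved change ticket
    ("firewall.inbound.443", "0.0.0.0/0"): "CHG-1042",
}
EVENTS = [
    {"when": "2017-08-16T09:12:03Z", "who": "netops-lead", "key": "firewall.inbound.443", "value": "0.0.0.0/0"},
    {"when": "2017-08-16T09:15:40Z", "who": "automation", "key": "sshd.PermitRootLogin", "value": "no"},
    {"when": "2017-08-16T23:41:18Z", "who": "svc-backup", "key": "sshd.PasswordAuthentication", "value": "yes"},
]

@dataclass
class AuditEntry:
    when: str
    who: str
    key: str
    old: Optional[str]
    new: str
    status: str                 # "authorized", "unauthorized" or "no-change"
    ticket: Optional[str] = None

def review_events(baseline, approved, events):
    """Replay change events in order, keep a full who/what/when audit trail, and
    return the subset that warrants an alert: real deviations from the baseline
    that no approved ticket explains. Re-applying a value already in place is
    recorded but never alerted, which keeps false positives out of the queue."""
    state = dict(baseline)
    trail = []
    for ev in events:
        old = state.get(ev["key"])
        if old == ev["value"]:
            status, ticket = "no-change", None
        else:
            ticket = approved.get((ev["key"], ev["value"]))
            status = "authorized" if ticket else "unauthorized"
            state[ev["key"]] = ev["value"]
        trail.append(AuditEntry(ev["when"], ev["who"], ev["key"], old, ev["value"], status, ticket))
    alerts = [e for e in trail if e.status == "unauthorized"]
    return trail, alerts
```

Each entry in the returned trail is the record an auditor would ask for, and each entry in the alert list is the one that should become an action item.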
Go Agnostic
In the end, SOC 2 is not just about ticking check boxes against strictly defined requirements but about setting up well-defined and clear-cut procedures, policies, and practices that help secure your organization's cloud infrastructure. This means putting in place enduring organizational practices that ensure information security.
Given the overlap between different standards, it is best for your company's controls to be agnostic of any single standard. This way they can be reused and mapped to other standards, which at the same time simplifies implementing and managing your GRC programs.
Are all these details leaving you dizzy? StandardFusion is a great solution for managing your SOC 2 controls. StandardFusion is an agnostic platform that helps you create controls according to the requirements of your organization.