Wilson Mar

So salespeople can close faster with prospective customers by providing a SOC 2 Type II report


Overview

NOTE: “SOC” here does not refer to “Security Operations Center” nor “Systems on a Chip”.

NOTE: The content here is my personal opinion and is not intended to represent any employer (past or present). “PROTIP:” highlights information I haven’t seen elsewhere on the internet: hard-won, little-known but significant facts based on my personal research and experience.

Here, the “SOC” in “SOC 2” stands for “System and Organization Controls” (formerly “Service Organization Controls”), a family of reports defined by the American Institute of Certified Public Accountants (AICPA).[1] The AICPA is the professional association of CPAs; each CPA is licensed by a state board after passing an examination, and external audit firms (such as PwC, Deloitte, EY, KPMG, etc.) are appointed by a company’s shareholders rather than by its management. So they are built to be an “objective third party”. However, SOC auditing is another line of business for CPA firms.

VIDEO: Summary

A SOC 2 audit is not a legal or regulatory requirement like HIPAA, PCI DSS, or SOX.

PROTIP: Preparing for and undergoing a SOC 2 audit strengthens an organization’s overall security posture and thus lowers the risk of a security breach.

Cloud salespeople report that it is “table stakes” to provide a SOC2 Type II report. The document contains an attestation from a CPA firm hired by each service provider to evaluate and attest that there is proof the service provider indeed has measures in place to protect the integrity, confidentiality, and privacy of data on behalf of customers. This is done typically each year.

(AAC-02.1) Cloud vendors post their reports in the Cloud Security Alliance STAR Registry and on their own websites, to signed-in users, at:

  • https://console.aws.amazon.com/artifact/reports
  • https://servicetrust.microsoft.com/
  • https://cloud.google.com/security/compliance/soc-2
  • etc.

https://www.securitypalhq.com/

CCM of CAIQ from CSA

Cloud vendors publish their answers to the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) v4, which is based on the CSA Cloud Controls Matrix (CCM). Published answers from various vendors:

  • PDF: ESRI’s answers reference SOC 2, ISO 27001, and FedRAMP (NIST SP 800-53).
  • PDF: Amazon’s answers
  • https://cloudsecurityalliance.org/star/registry/microsoft/
  • https://www.oracle.com/a/ocom/docs/oci-corporate-caiq.pdf
  • https://services.google.com/fh/files/misc/sep_2021_caiq_self_assessment.pdf
  • https://cloudsecurityalliance.org/star/registry/atlassian/services/jira-and-confluence-cloud/

There are both full and lite editions of the CAIQ. The full v4.0 edition has 261 questions, mapped to CCM controls in 17 control domains:

  1. A&A = Audit Assurance & Compliance
  2. AIS = Application & Interface Security
  3. BCR = Business Continuity Management & Operational Resilience
  4. CCC = Change Control & Configuration Management
  5. CEK = Cryptography, Encryption, and Key Management
  6. DCS = Datacenter Security
  7. DSP = Data Security & Privacy Lifecycle Management
  8. GRC = Governance, Risk Management, and Compliance
  9. HRS = Human Resources
  10. IAM = Identity & Access Management
  11. IPY = Interoperability & Portability
  12. IVS = Infrastructure & Virtualization Security
  13. LOG = Logging and Monitoring
  14. SEF = Security Incident Management, E-Discovery, and Cloud Forensics
  15. STA = Supply Chain Management, Transparency, and Accountability
  16. TVM = Threat and Vulnerability Management
  17. UEM = Universal Endpoint Management

The list below was generated by a Python program, excel-to-gm.py, which uses the xlrd library to read the Excel file CAIQ4.0.1.xlsx (CAIQ v4.0.1) after line breaks inside cells were removed by hand with =SUBSTITUTE(A1,CHAR(10)," "). A feature flag in the program outputs only lines which contain an answer. Caveat: xlrd 2.0 and later reads only legacy .xls files, so for an .xlsx workbook either pin xlrd below 2.0 or use openpyxl.

A&A = Audit Assurance & Compliance

  1. A&A-01.1 - Audit and Assurance Policy and Procedures

    Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained?

  2. A&A-01.2 -

    Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?

  3. A&A-02.1 - Independent Assessments

    Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?

  4. A&A-02.2 -

    Are independent audit and assurance assessments conducted according to relevant standards at least annually?

  5. A&A-03.1 - Risk Based Planning Assessment

    Are independent audit and assurance assessments performed according to risk-based plans and policies?

  6. A&A-04.1 - Requirements Compliance

    Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit?

  7. A&A-05.1 - Audit Management Process

    Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence?

  8. A&A-06.1 - Remediation

    Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained?

  9. A&A-06.2 -

    Is the remediation status of audit findings reviewed and reported to relevant stakeholders?

    AIS = Application & Interface Security

  10. AIS-01.1 - Application and Interface Security Policy and Procedures

    Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization’s application security capabilities?

  11. AIS-01.2 -

    Are application security policies and procedures reviewed and updated at least annually?

  12. AIS-02.1 - Application Security Baseline Requirements

    Are baseline requirements to secure different applications established, documented, and maintained?

  13. AIS-03.1 - Application Security Metrics

    Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations?

  14. AIS-04.1 - Secure Application Design and Development

    Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements?

  15. AIS-05.1 - Automated Application Security Testing

    Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals?

  16. AIS-05.2 -

    Is testing automated when applicable and possible?

  17. AIS-06.1 - Automated Secure Application Deployment

    Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner?

  18. AIS-06.2 -

    Is the deployment and integration of application code automated where possible?

  19. AIS-07.1 - Application Vulnerability Remediation

    Are application security vulnerabilities remediated following defined processes?

  20. AIS-07.2 -

    Is the remediation of application security vulnerabilities automated when possible?

    ANSWER: Because Consul issues Health Checks of services, Consul is able to route traffic only to healthy app services.

    BCR = Business Continuity Management & Operational Resilience

    ANSWER: Enterprise Consul is configured to use Consul Redundancy Zones, which ???

  21. BCR-01.1 - Business Continuity Management Policy and Procedures

    Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?

  22. BCR-01.2 -

    Are the policies and procedures reviewed and updated at least annually?

  23. BCR-02.1 - Risk Assessment and Impact Analysis

    Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts?

  24. BCR-03.1 - Business Continuity Strategy

    Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite?

  25. BCR-04.1 - Business Continuity Planning

    Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan?

  26. BCR-05.1 - Documentation

    Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans?

  27. BCR-05.2 -

    Is business continuity and operational resilience documentation available to authorized stakeholders?

  28. BCR-05.3 -

    Is business continuity and operational resilience documentation reviewed periodically?

  29. BCR-05.4 - Business Continuity Exercises

    Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur?

  30. BCR-07.1 - Communication

    Do business continuity and resilience procedures establish communication with stakeholders and participants?

  31. BCR-08.1 - Backup

    Is cloud data periodically backed up?

  32. BCR-08.2 -

    Is the confidentiality, integrity, and availability of backup data ensured?

  33. BCR-08.3 -

    Can backups be restored appropriately for resiliency?

  34. BCR-09.1 - Disaster Response Plan

    Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters?

  35. BCR-09.2 -

    Is the disaster response plan updated at least annually, and when significant changes occur?

  36. BCR-10.1 - Response Plan Exercise

    Is the disaster response plan exercised annually or when significant changes occur?

  37. BCR-10.2 -

    Are local emergency authorities included, if possible, in the exercise?

  38. BCR-11.1 - Equipment Redundancy

    Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards?

    CCC = Change Control & Configuration Management

    ANSWER: We configure Enterprise Consul to perform upgrades automatically. On AWS, Consul works with ASG (Auto Scaling Groups).

    CEK = Cryptography, Encryption, and Key Management

    ANSWER: We configure Consul Enterprise to use the Consul Connect service mesh, which provides mTLS (mutual TLS) communications between app services, and between meshes through gateways.

    DCS = Datacenter Security

    DSP = Data Security & Privacy Lifecycle Management

    ANSWER: We use the cloud region appropriate to the data laws of each country. Sensitive data of German citizens are stored in servers in a region in Germany.

    GRC = Governance, Risk Management, and Compliance

    ANSWER: We use Consul to control which apps may talk to each other, based on intentions, and who may read or write Consul data (including the KV store), based on ACL policies. Intentions define which service identities a service may accept connections from; ACL policies determine whether a token is allowed or denied specific permissions (such as read or write) on Consul resources.

    HRS = Human Resources

    IAM = Identity & Access Management

    ANSWER: Instead of blindly routing to IP addresses, our apps use Consul, which uses certificates (mTLS) to authenticate services to each other.

    IPY = Interoperability & Portability

    ANSWER: Because Consul is configured with health checks, Consul routes traffic only to healthy app services.

    IVS = Infrastructure & Virtualization Security

    ANSWER: We use Consul to automatically discover IP addresses and other metadata as soon as a service comes online.

    LOG = Logging and Monitoring

    CONSUL: Consul emits a log for each transfer.

    CONSUL: Logs emitted from Consul are routed to a SIEM collector.

    SEF = Security Incident Management, E-Discovery, and Cloud Forensics

    STA = Supply Chain Management, Transparency, and Accountability

    ANSWER: We follow the same standards we ask our vendors to follow. We install GPG on each workstation, use it to sign commits to source control repositories, and use it to verify the signatures on downloaded binaries (such as Terraform, Consul, Vault) before installing them.

    TVM = Threat and Vulnerability Management

    ANSWER: These reference other standards, such as the ISO 15489 records-management standard, the OASIS XML Catalog Specification, and CSA.

    UEM = Universal Endpoint Management

    DEFINITION: Unified Endpoint Management (UEM) allows IT to manage, secure, and deploy corporate resources and applications on any device from a single console. UEM “unifies” legacy mobile device management (MDM) by incorporating IoT and other new device technologies.

  39. UEM-01.1 - Endpoint Devices Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints?

  40. UEM-01.2 -

    Are universal endpoint management policies and procedures reviewed and updated at least annually?

  41. UEM-02.1 - Application and Service Approval

    Is there a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data?

  42. UEM-03.1 - Compatibility

    Is a process defined and implemented to validate endpoint device compatibility with operating systems and applications?

  43. UEM-04.1 - Endpoint Inventory

    Is an inventory of all endpoints used and maintained to store and access company data?

  44. UEM-05.1 - Endpoint Management

    Are processes, procedures, and technical measures defined, implemented and evaluated, to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data?

  45. UEM-06.1 - Automatic Lock Screen

    Are all relevant interactive-use endpoints configured to require an automatic lock screen?

  46. UEM-07.1 - Operating Systems

    Are changes to endpoint operating systems, patch levels, and/or applications managed through the organizational change management process?

  47. UEM-08.1 - Storage Encryption

    Is information protected from unauthorized disclosure on managed endpoints with storage encryption?

  48. UEM-09.1 - Anti-Malware Detection and Prevention

    Are anti-malware detection and prevention technology services configured on managed endpoints?

  49. UEM-10.1 - Software Firewall

    Are software firewalls configured on managed endpoints?

  50. UEM-11.1 - Data Loss Prevention

    Are managed endpoints configured with data loss prevention (DLP) technologies and rules per a risk assessment?

  51. UEM-12.1 - Remote Locate

    Are remote geolocation capabilities enabled for all managed mobile endpoints?

  52. UEM-13.1 - Remote Wipe

    Are processes, procedures, and technical measures defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices?

  53. UEM-14.1 - Third-Party Endpoint Security Posture

    Are processes, procedures, and technical and/or contractual measures defined, implemented, and evaluated to maintain proper security of third-party endpoints with access to organizational assets?


Titles Alphabetically

The program also generates this list of titles in alphabetical order:
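The page’s excel-to-gm.py is not shown, so the following Python is an added example rather than that program. It reads the workbook with openpyxl instead of xlrd (xlrd 2.x reads only legacy .xls), strips in-cell line breaks in code instead of with the SUBSTITUTE formula, renders the numbered list with its domain headings and optional ANSWER lines, honours the answered-lines-only flag, and produces the alphabetical title list. The sheet name, the column positions, and the sample rows embedded at the bottom are assumptions made for illustration, not contents of CAIQ4.0.1.xlsx:

```python
"""Generate the numbered CAIQ question list and the alphabetical title list.

Added example, not the page's excel-to-gm.py. Reads the workbook with
openpyxl (xlrd 2.x dropped .xlsx support), collapses in-cell line breaks
in code rather than with =SUBSTITUTE(A1,CHAR(10)," "), and keeps the
"answered lines only" flag. Sheet name and column positions are assumed.
"""
import re

# Assumed 0-based column positions in the CAIQ sheet (verify against your copy).
COL_ID, COL_TITLE, COL_QUESTION, COL_ANSWER = 0, 1, 2, 3

# The 17 CCM v4 domains, so a heading is printed before each domain's first question.
DOMAINS = {
    "A&A": "Audit Assurance & Compliance",
    "AIS": "Application & Interface Security",
    "BCR": "Business Continuity Management & Operational Resilience",
    "CCC": "Change Control & Configuration Management",
    "CEK": "Cryptography, Encryption, and Key Management",
    "DCS": "Datacenter Security",
    "DSP": "Data Security & Privacy Lifecycle Management",
    "GRC": "Governance, Risk Management, and Compliance",
    "HRS": "Human Resources",
    "IAM": "Identity & Access Management",
    "IPY": "Interoperability & Portability",
    "IVS": "Infrastructure & Virtualization Security",
    "LOG": "Logging and Monitoring",
    "SEF": "Security Incident Management, E-Discovery, and Cloud Forensics",
    "STA": "Supply Chain Management, Transparency, and Accountability",
    "TVM": "Threat and Vulnerability Management",
    "UEM": "Universal Endpoint Management",
}

# Question IDs look like A&A-01.1 or UEM-14.1: domain, control number, sub-question.
QID_RE = re.compile(r"^([A-Z&]{3,4})-(\d{2})\.(\d+)$")


def clean(cell):
    """Collapse in-cell line breaks and wrapped whitespace to single spaces."""
    if cell is None:
        return ""
    return re.sub(r"\s+", " ", str(cell)).strip()


def load_rows(path, sheet="CAIQ v4.0.1"):
    """Read every row of the sheet as a list of cleaned strings (needs openpyxl)."""
    from openpyxl import load_workbook  # imported lazily so parsing works without it
    ws = load_workbook(path, read_only=True, data_only=True)[sheet]
    return [[clean(c) for c in row] for row in ws.iter_rows(values_only=True)]


def parse(rows):
    """Keep only rows whose first cell is a question ID; header and blank rows are skipped."""
    records = []
    for row in rows:
        cells = list(row) + [""] * 4          # pad short rows so every column exists
        qid = clean(cells[COL_ID])
        m = QID_RE.match(qid)
        if not m:
            continue
        records.append({
            "domain": m.group(1),
            "id": qid,
            "title": clean(cells[COL_TITLE]),   # blank on .2/.3 sub-questions, as in the list above
            "question": clean(cells[COL_QUESTION]),
            "answer": clean(cells[COL_ANSWER]),
        })
    return records


def render(records, answered_only=False):
    """Numbered list in the page's layout, with a domain heading before each domain's first entry."""
    lines, domain, n = [], None, 0
    for r in records:
        if answered_only and not r["answer"]:
            continue
        if r["domain"] != domain:
            domain = r["domain"]
            lines.append(f"{domain} = {DOMAINS.get(domain, 'unknown domain')}")
        n += 1
        lines.append(f"{n}. {r['id']} - {r['title']}")
        lines.append(f"    {r['question']}")
        if r["answer"]:
            lines.append(f"    ANSWER: {r['answer']}")
    return lines


def titles_alphabetically(records):
    """Distinct control titles, sorted."""
    return sorted({r["title"] for r in records if r["title"]})


# Constructed sample rows standing in for load_rows("CAIQ4.0.1.xlsx"); the
# embedded "\n" mimics the wrapped cells the page removed by hand.
SAMPLE_ROWS = [
    ["Question ID", "Control Title", "Question", "Answer"],
    ["A&A-01.1", "Audit and Assurance Policy and Procedures",
     "Are audit and assurance policies, procedures, and standards\nestablished, documented, "
     "approved, communicated, applied, evaluated, and maintained?", ""],
    ["A&A-01.2", "", "Are audit and assurance policies, procedures, and standards reviewed "
     "and updated at least annually?", ""],
    ["AIS-07.2", "", "Is the remediation of application security vulnerabilities automated "
     "when possible?", "Consul health checks route traffic only to healthy services."],
    ["UEM-08.1", "Storage Encryption", "Is information protected from unauthorized disclosure "
     "on managed endpoints with storage encryption?", "Full-disk encryption is enforced by MDM."],
]

if __name__ == "__main__":
    recs = parse(SAMPLE_ROWS)
    print("\n".join(render(recs)))
    print("\n".join(titles_alphabetically(recs)))
```

Against the real file, call parse(load_rows("CAIQ4.0.1.xlsx")); if the column order differs from the assumed one, change the COL_* constants rather than the parser.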


Types of SOC

The “2” in “SOC 2” distinguishes it from SOC 1 and SOC 3 reports; “Type I” and “Type II” refer to what the report covers (a point in time versus a period, described below). A SOC 2 Type II report is an “attestation” issued by a CPA firm to the service organization, which provides it to prospective customers. (By contrast, ISO 27001 certification bodies issue a “certificate of compliance”.)

SOC 1 covers audits of a service organization’s Internal Control over Financial Reporting (ICFR). It applies only to service organizations that perform outsourced services affecting the financial statements of another company (the “user organization”), such as payroll processing, loan servicing, data center/co-location/network monitoring services, Software as a Service (SaaS), medical claims processing, etc.

REMEMBER: “POLICIES” refer to rules defined to protect assets. “CONTROLS” are rules implemented (such as use MFA, etc.).

AICPA FAQ

SOC 2 Type I reports address the suitability of the design of policies and procedures in operation at a specific point in time.

SOC 2 Type II reports address both the suitability and the operating effectiveness of policies and procedures over a period of time, typically six months to a year. Because it draws on evidence generated over that period, it is the more accurate and comprehensive audit. However, many companies cannot generate that evidence until adequate controls are in place, which is why a Type I often comes first.

SOC 3 reports are a simplified version of the SOC 2 report, designed to publicly attest that the service provider has completed a SOC 2 examination while limiting the information to what is relevant to public parties. SOC 3 reports were created in response to growing demand for a public-facing report.

[Figure: sections of a SOC 2 report (from Vanta)] [6]

These defined controls are a series of standards designed to help measure how well a given service organization conducts and regulates its information. They are designed to provide clients confidence that an organization can be trusted to keep their data secure.

SSAE 18

The AICPA “Statement on Standards for Attestation Engagements” (SSAE) defines the standards auditors use to conduct attestation engagements. SSAE 16 replaced SAS 70 (“Statement on Auditing Standards” No. 70) in 2011. SSAE 18 (PDF) became effective in May 2017. Its requirements define some terms:

  • IPE (Information Produced by the Entity): Companies must provide evidence of the accuracy of any information provided. Examples include SQL queries or Tableau report parameters.

  • Vendor management and monitoring of sub-service organizations: Service providers or data centers must include controls for sub-service organizations. The goal is to ensure that anybody with access to the data is adhering to control standards.

  • CUECs or Complementary User Entity Controls: limited to controls that are needed to achieve the stated control objectives

  • Internal audit and regulatory examinations: service organizations must review the latest reports from internal audits and regulatory examinations. For example, the SOC for Cybersecurity examination and the updated Trust Services Criteria went into effect on December 15, 2018.

The international equivalent of SSAE 18 is ISAE 3402 (International Standard on Assurance Engagements 3402), published by the International Auditing and Assurance Standards Board (IAASB).

Timeline & Strategies

[Figure: SOC 2 timeline] [2]

  1. Evaluate and hire a certified external consultant with experience in your particular industry (such as Truvantis, etc.).

  2. Educate each department on the need for each control, the audit process, what documents and evidence are needed, and how to prepare (format) them:

    • Send invitations and track attendance and follow-up
    • Outside speakers to provide perspective and enthusiasm
    • Tracking of activities and achievements by individuals

  3. Survey the organization, conduct document reviews, employee interviews, and walk-throughs to identify the amount of time and work to develop controls needed

    • System to survey opinions about buy-in and gauge understanding
    • System to track progress on gaps in each control within each department

  4. Clarify the scope and activities based on what customers want prioritized against limitations of time and resources.

    • Systems involved and their needs
    • Since internal audit resources are limited, plan readiness assessments one department at a time

  5. Specify who is involved and each of their roles, responsibilities, and activities to achieve the desired objectives

    • Time requests into departmental Jira/Asana or other planning/tracking system in regular use
    • Metrics

  6. Identify an auditor and choose testing timelines.

  7. Prepare the organization for mock and actual audits:

    • Schedules
    • Document Samples/templates with guidance on how to prepare (format) policies, procedures, playbooks (with linkages)
    • Traceability from Selection Of Controls through implementation and assessment (OSCAL)

    Perform

  8. Write/revise and review security policies and procedures (System Security Plans) behind each control where prior efforts (ISO) did not cover.

  9. Conduct processes to create evidence data and System Assessment Plans (SAPs) as the basis for audit and reporting during the audit period (6 months to a year). Processes may include internal and external pen-testing.

  10. Track and report progress each week/month on where each team still needs additional work, with projections toward when audit readiness will occur. Metrics for the Security Operations Center incident response and corrective action:

    • Mean Time to respond/remediate
    • Mean Time to acknowledge
    • Mean Time to close
    • Dwell time (from first malicious activity to detection)
    • Percentage of false positives

    SOC2 Type I audit (single process run)

  11. Identify issues in audit preparations. This can be done by an internal auditor or an auditing consultant to provide guidance.

    A few weeks before the start of your audit, the auditor sends a PBC (Provided By Client) list based on the controls identified for review. There are often follow-up questions with some back-and-forth communication.

  12. Prepare for and perform a SOC 2 Type I mock audit by ensuring that procedures and evidence for each control can be confidently presented for a single process run.

  13. Assess System Assessment Results (SARs).

  14. Manage auditors on Type I audit day if that is part of the strategy. Challenge controls auditors ask for, when appropriate.

    SOC2 Type 2 audit

  15. Perform a Type 2 mock audit. Ensure that evidence for each control can be presented for the audit period (6 months to a year).

  16. Prepare for Type 2 audit. Ensure that each department has the evidence at the ready before auditor arrival.

  17. Manage auditors on audit day. Challenge controls auditors ask for, when appropriate.

  18. Dispute draft auditor report language where it’s unfavorable.

  19. Publicize/leverage the report with customers and prospects.
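Step 10’s incident-response metrics need a reproducible calculation that can be re-run for every reporting period and handed to the auditor as evidence for CC7.3. The following Python is an added example, not from the page; the incident records, field names, and SLA targets are constructed for illustration and would in practice come from the ticketing system’s export:

```python
"""Incident-response metrics for the SOC 2 readiness report.

Added example, not from the page. Incident records, field names and SLA
targets are constructed for illustration; real records come from the
ticketing system's export. Timestamps are ISO-8601, UTC.
"""
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data). A false positive has no
# attacker activity and nothing to remediate, so those fields are None.
INCIDENTS = [
    {"id": "INC-1", "true_positive": True,
     "first_activity": "2024-03-01T00:00:00", "detected": "2024-03-01T10:00:00",
     "acknowledged": "2024-03-01T10:30:00", "remediated": "2024-03-02T10:00:00",
     "closed": "2024-03-03T10:00:00"},
    {"id": "INC-2", "true_positive": True,
     "first_activity": "2024-03-05T08:00:00", "detected": "2024-03-05T12:00:00",
     "acknowledged": "2024-03-05T14:00:00", "remediated": "2024-03-09T12:00:00",
     "closed": "2024-03-10T12:00:00"},
    {"id": "INC-3", "true_positive": False,
     "first_activity": None, "detected": "2024-03-07T09:00:00",
     "acknowledged": "2024-03-07T09:10:00", "remediated": None,
     "closed": "2024-03-07T09:40:00"},
    {"id": "INC-4", "true_positive": False,
     "first_activity": None, "detected": "2024-03-08T16:00:00",
     "acknowledged": "2024-03-08T16:20:00", "remediated": None,
     "closed": "2024-03-08T17:00:00"},
]

# Assumed SLA targets, in hours.
ACK_SLA_HOURS = 1
REMEDIATE_SLA_HOURS = 72


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def metrics(incidents):
    """Mean times are computed over true positives only; the false-positive rate over every alert."""
    tp = [i for i in incidents if i["true_positive"]]
    return {
        "mean_time_to_acknowledge_h": mean(hours_between(i["detected"], i["acknowledged"]) for i in tp),
        "mean_time_to_remediate_h": mean(hours_between(i["detected"], i["remediated"]) for i in tp),
        "mean_time_to_close_h": mean(hours_between(i["detected"], i["closed"]) for i in tp),
        "mean_dwell_time_h": mean(hours_between(i["first_activity"], i["detected"]) for i in tp),
        "false_positive_rate": 1 - len(tp) / len(incidents),
    }


def sla_breaches(incidents, ack_hours=ACK_SLA_HOURS, remediate_hours=REMEDIATE_SLA_HOURS):
    """Return (incident id, check) pairs an auditor would sample as exceptions.

    Acknowledgement is checked for every alert, false positives included,
    because triage time is owed regardless of outcome; remediation is
    checked only where there was something to remediate.
    """
    breaches = []
    for i in incidents:
        ack = hours_between(i["detected"], i["acknowledged"])
        if ack is not None and ack > ack_hours:
            breaches.append((i["id"], "acknowledge"))
        fix = hours_between(i["detected"], i["remediated"])
        if fix is not None and fix > remediate_hours:
            breaches.append((i["id"], "remediate"))
    return breaches


if __name__ == "__main__":
    for name, value in metrics(INCIDENTS).items():
        print(f"{name}: {value:.2f}")
    print("SLA breaches:", sla_breaches(INCIDENTS))
```

Reporting the SLA breaches alongside the means matters because averages hide the outliers an auditor will sample; INC-2 here is the kind of exception that needs a documented reason in the corrective-action log.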


Type 2 trust principles

SOC 2 reports (Type I and Type II) cover up to five trust services categories, often still called trust principles; the service organization chooses which ones are relevant to its business [3]:

[Figure: the five Trust Services Categories]

  • Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

  • Availability – Information and organizational systems are available (accessible) for operation and use to meet the entity’s objective requirements. Controls include fail-over.

  • Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

  • Confidentiality – Information designated as confidential is protected (such as passwords, encryption using security certificates, etc.) to meet the entity’s objectives.

  • Privacy – Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.

All five categories share a set of trust services criteria known as the common criteria (CC), which form the core of every SOC 2 examination.

Additionally, each TSC contains points of focus to assist management when designing, implementing, and operating controls.

PROTIP: Service providers are regularly advised to limit their first SOC 2 audit to just Security and only include additional criteria if necessary.

Trust Standard Criteria

The Trust Services Criteria (TSC) for each trust principle include these Common Criteria (CC):

Each of the common criteria is addressed in every SOC 2 audit. Additional criteria must be evaluated on top of the common criteria, depending on which TSC categories are in scope.

When you order your compliance audit, you can decide which TSC categories are the most important. Base your decisions on what clients are most likely to want. Doing so will ensure that clients get the information they need. They will be less likely to come back to you with questions if they are addressed in the SOC 2 report.

Who does what

Who | Topics | Walk-throughs | Auditor hours
--- | --- | --- | ---
Sales & Marketing | Timeline, description of product/service in auditor reports | 0 | 0
Leadership | Auditor agreement, Assertion of Management in draft auditor reports | 1-2 | 4-8
Legal, HR | Customer agreements, employee policies & agreements | 1-2 | 4-8
Security | Risk management, business continuity, audit & compliance | 1-2 | 10-20
Facilities | Facilities access control, asset management | 1-2 | 1-2
IT Operations | Security operations (security policies, network security), data security (in IT operations), information & communications | 1-2 | 10-20
Engineering, DevSecOps, Development | Systems access control, SDLC (change controls) | 1-2 | 10-20
Total | | 6-12 | 39-78

[2] 16:32

Expect to pay $30-50K for an audit by a boutique firm such as risk3sixty [2], and about four times that for a “Big Four” firm.

Videos from the Tugboat Logic SOC 2 Bootcamp:

  1. Auditor Selection & Scoping
  2. Policies & Controls
  3. Evidence Collection
  4. The Audit

Management Insights

Management of the process requires these areas of insight:

  • Audit report countdown: When can salespeople provide customers with a current SOC2 Type II report?

  • Audit readiness: Are policies, controls, and procedures defined and reviewed in each area?

  • Compliance status: Are proofs of compliance being generated for controls in each area?

  • Gap analysis: In what areas do compliance gaps exist?

  • Trend: How has our security posture improved over time?

  • Future gap analysis: How much effort is required to comply with additional frameworks?

  • Benchmarking: How are we doing relative to competitors?

GRC Automation

Reciprocity’s ZenGRC provides a platform for integrating compliance, audit, risk management, third-party risk solutions, and governance and policy management applications. It covers 32 domains and over 750 controls. It supports several compliance frameworks in addition to SOC2.

VIDEO Vanta

KnowBe4, where Kevin Mitnick was Chief Hacking Officer, offers its KCM GRC SaaS product, which claims “KCM GRC has a simple, intuitive user interface, easy to understand workflows, a short learning curve, and will be fully functional in a matter of days.”

Additional frameworks

Many controls covered by SOC 2 are also of concern in legal standards as well as ISO, CCPA, GDPR, and customer-specific requirements.

Customers outside the US will ask for certification against the ISO 27001 international standard by an accredited certification body (whose auditors are not necessarily CPAs).

Since 2017, a SOC 2+ report allows a service organization to address additional criteria from other frameworks such as HITECH, HIPAA, ISO 27001, the Cloud Security Alliance (CSA) CCM, NIST SP 800-53, or COBIT 5.


Public companies are required under Section 404 of the Sarbanes-Oxley Act (SOX) to file annual reports on the design and operating effectiveness of their internal controls over financial reporting.

COSO

  • https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
  • https://weaver.com/blog/coso-frameworks-17-principles-effective-internal-control

The 2013 version of the framework from COSO (Committee of Sponsoring Organizations of the Treadway Commission), available as a PDF at coso.org, consists of 17 principles organized in 5 categories (summarized below).

[Figure: COSO 17 principles mapped to SOC 2 common criteria]

Each level of an organization is assessed against each of the 17 principles across the 5 categories for three aspects:

  • Operations - Policies and Procedures
  • Reporting - Metrics collection, dashboards, alerts
  • Compliance - Time-stamped evidence stored

PROTIP: The contribution of this document is sorting the list by COSO Principle number rather than CC code:

Control Environment (CC1)

CC1.1 - 1. The entity demonstrates a commitment to integrity and ethical values.

CC1.2 - 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

CC1.3 - 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

CC1.4 - 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.5 - 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment (CC3)

CC3.1 - 6. The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.2 - 7. The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

CC3.3 - 8. The entity considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.4 - 9. The entity identifies and assesses changes that could significantly affect the system of internal control.

Control Activities (CC5)

CC5.1 - 10. The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.2 - 11. The entity selects and develops general control activities over technology to support the achievement of objectives.

CC5.3 - 12. The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

Communication and Information (CC2)

CC2.1 - 13. The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

CC2.2 - 14. The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.3 - 15. The entity communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities (CC4)

CC4.1 - 16. The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2 - 17. The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Logical and Physical Access Security (CC6)

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
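The CC6.2 and CC6.3 criteria above are usually evidenced by a periodic user access review. The following is an added example (not from this page, the AICPA or any vendor) that reconciles a constructed HR roster against a constructed IAM export to flag credentials whose owner is no longer an active employee (CC6.2) and users who hold a conflicting pair of roles (segregation of duties, CC6.3); every employee id, account name and role name is hypothetical.

```python
"""Access review evidence for SOC 2 CC6.2 / CC6.3 (added example, not from the page).

Assumptions (constructed, hypothetical data): an HR roster export and an IAM
account export are available as Python objects. The HR roster is the source of
truth for who is still authorized to hold credentials.
"""
from itertools import combinations

# Constructed sample HR roster: employee id -> employment status
HR_ROSTER = {
    "E100": "active",
    "E101": "active",
    "E102": "terminated",   # left the company; credentials must be removed (CC6.2)
}

# Constructed sample IAM export: account name, owning employee, granted roles
IAM_ACCOUNTS = [
    {"user": "alice", "owner": "E100", "roles": {"developer"}},
    {"user": "bob", "owner": "E101", "roles": {"deployer", "change-approver"}},
    {"user": "carol", "owner": "E102", "roles": {"developer"}},
    {"user": "svc-backup", "owner": None, "roles": {"backup-operator"}},
]

# Role pairs one person must not hold at the same time (segregation of duties, CC6.3)
SOD_CONFLICTS = {frozenset({"deployer", "change-approver"})}


def orphaned_accounts(roster, accounts):
    """Return account names whose owner is not an active employee.

    Accounts with no owner (service accounts) are flagged too: CC6.2 expects
    every credential to be tied to an authorized user or a documented owner.
    """
    return sorted(
        acct["user"] for acct in accounts
        if roster.get(acct["owner"]) != "active"
    )


def sod_violations(accounts, conflicts):
    """Return (user, role_a, role_b) triples where a user holds a conflicting pair."""
    found = []
    for acct in accounts:
        for a, b in combinations(sorted(acct["roles"]), 2):
            if frozenset({a, b}) in conflicts:
                found.append((acct["user"], a, b))
    return found


def access_review(roster=HR_ROSTER, accounts=IAM_ACCOUNTS, conflicts=SOD_CONFLICTS):
    """Produce the findings an auditor would sample for CC6.2 and CC6.3."""
    return {
        "orphaned": orphaned_accounts(roster, accounts),
        "sod_violations": sod_violations(accounts, conflicts),
    }


if __name__ == "__main__":
    for kind, items in access_review().items():
        print(f"{kind}: {items}")
```

Each finding should be either remediated (credential removed, role split) or documented with a compensating control before the review is signed off as evidence.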

System Operations (CC7)

CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

CC7.4 The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.

Change Management (CC8)

CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Risk Mitigation (CC9)

CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.2 The entity assesses and manages risks associated with vendors and business partners.

Additional Criteria (A1)

PDF: 2017 Trust Services Criteria TSP Section 100.05 (March 2020 redline version) describes criteria in addition to the COSO principles.

A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives.

FOR CONFIDENTIALITY (C1)

C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.

FOR PROCESSING INTEGRITY (PI1)

PI1.1 The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

PI1.2 The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.

PI1.3 The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.

PI1.4 The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.

PI1.5 The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.

FOR PRIVACY (P1 to P8)

P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.

P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.

P3.1 Personal information is collected consistent with the entity’s objectives related to privacy.

P3.2 For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.

P4.1 The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.

P4.2 The entity retains personal information consistent with the entity’s objectives related to privacy.

P4.3 The entity securely disposes of personal information to meet the entity’s objectives related to privacy.

P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.

P5.2 The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.

P6.1 The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.

P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy.

P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.

P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy.

P6.6 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.

P6.7 The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.

P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.

P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.


Controls

PROTIP: Each GRC vendor and auditor has its own names for controls, organized a different way.

Therefore, a company’s internal control names and organization need to be mapped to the auditor’s structure.
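One way to do that mapping mechanically, as an added example that is neither this page’s nor any GRC vendor’s code: record each internal control with the TSC criterion ids it satisfies, then invert the mapping to find in-scope criteria that no control covers. The engagement scope, the internal control ids and names (vendor-style prefixes such as AC, SO, CM, VM) and the mappings are constructed for illustration; the criterion ids are the ones quoted on this page.

```python
"""Map internal controls onto the auditor's TSC structure (added example, not from the page).

Assumptions: control ids, names, mappings and the in-scope list below are
constructed for illustration; criterion ids follow the TSC ids quoted on this page.
"""
import re
from collections import defaultdict

# Shape of a well-formed TSC criterion id: CCn.n, A1.n, C1.n, PI1.n, Pn.n
TSC_ID = re.compile(r"^(CC[1-9]\.\d|A1\.\d|C1\.\d|PI1\.\d|P[1-8]\.\d)$")

# Criteria the auditor has in scope for this engagement (constructed scope)
IN_SCOPE = ["CC6.1", "CC6.2", "CC6.3", "CC6.6", "CC6.8", "CC7.1", "CC7.2", "CC8.1", "CC9.2"]

# Internal controls in one vendor-style naming scheme, each mapped to TSC ids (constructed)
INTERNAL_CONTROLS = [
    {"id": "AC-01", "name": "Access Control Policy", "maps_to": ["CC6.1", "CC6.3"]},
    {"id": "AC-02", "name": "Joiner/leaver provisioning", "maps_to": ["CC6.2"]},
    {"id": "SO-01", "name": "Vulnerability scanning", "maps_to": ["CC7.1"]},
    {"id": "SO-02", "name": "Endpoint malware protection", "maps_to": ["CC6.8"]},
    {"id": "CM-01", "name": "Change approval workflow", "maps_to": ["CC8.1"]},
    {"id": "VM-01", "name": "Vendor risk review", "maps_to": ["CC9.2"]},
    {"id": "OM-01", "name": "Board deficiency reporting", "maps_to": ["CC4.2"]},  # not in scope
    {"id": "DS-09", "name": "Typo in mapping", "maps_to": ["CC6.x"]},             # malformed id
]


def validate_mappings(controls):
    """Return ids of controls whose mapped criterion ids are not well-formed TSC ids."""
    return [c["id"] for c in controls if any(not TSC_ID.match(t) for t in c["maps_to"])]


def criteria_index(controls):
    """Invert the mapping: criterion id -> list of internal control ids."""
    index = defaultdict(list)
    for c in controls:
        for crit in c["maps_to"]:
            index[crit].append(c["id"])
    return index


def coverage_gaps(scope, controls):
    """In-scope criteria with no internal control mapped to them: findings in waiting."""
    index = criteria_index(controls)
    return [crit for crit in scope if crit not in index]


def unused_controls(scope, controls):
    """Controls mapped to nothing in scope: evidence effort worth re-checking."""
    in_scope = set(scope)
    return [c["id"] for c in controls if not in_scope.intersection(c["maps_to"])]


if __name__ == "__main__":
    print("malformed:", validate_mappings(INTERNAL_CONTROLS))
    print("gaps:", coverage_gaps(IN_SCOPE, INTERNAL_CONTROLS))
    print("unused:", unused_controls(IN_SCOPE, INTERNAL_CONTROLS))
```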

Controls per TugboatLogic

The “Audit Readiness Module” from Tugboat Logic (https://tugboatlogic.com) translates SOC 2 requirements into a set of controls using a questionnaire through which service providers define their own scope. From the questionnaire answers, a list of 80-90 prebuilt policies and controls is mapped to the SOC2 framework:

  • AA = Access Authentication
  • AC = Access Control
  • AT = Awareness and Training
  • CM = Change Management
  • CR = Continuity and Resilience

  • DS = Data Security
  • HR = Human Resources
  • IM = Incident Management
  • OM = Organization and Management
  • RM = Risk Management

  • SO = Security Operations
  • VM = Vendor Management
  • WS = Workstation Security

  • SDLC Security?
  • Asset Management?
  • Audit and Compliance?

Specifically:

ACCESS CONTROL

  • ACCESS CONTROL - Access Control Policy defines high-level requirements and guidelines on user account management, access enforcement and monitoring, separation of duties, and remote access.

  • KEY MANAGEMENT AND CRYPTOGRAPHY - The organization utilizes the latest commercially accepted encryption protocols.

  • SERVER SECURITY - The organization manages, configures, and protects organization servers and hosts based on industry best practices.

  • PHYSICAL AND ENVIRONMENTAL SECURITY - The organization protects managed systems and personnel from unauthorized access and from natural and human caused damage or destruction.

  • SERVERLESS SECURITY - The organization has established guidelines for the secure deployment and maintenance of the serverless architecture.

  • IT ASSET MANAGEMENT - A formal change management policy governs changes to the applications and supporting infrastructure. That aids in minimizing the impact that changes have on organization processes and systems.

SECURITY OPERATIONS

How the organization handles system vulnerabilities, detects system operational issues, and responds to security incidents:

  • VULNERABILITY MANAGEMENT - The organization conducts scheduled application/network scanning and penetration tests.

  • INCIDENT MANAGEMENT - It is critical to the organization that security incidents that threaten the security or confidentiality of information assets are properly identified, contained, investigated, and remediated.

  • CHANGE MANAGEMENT - how the organization conducts scheduled application/network scanning and penetration tests.

  • MONITORING ACTIVITIES - how the organization develops, monitors, and ensures that internal security controls are active and functioning.

RISK MANAGEMENT

  • RISK ASSESSMENT - The organization institutes regular risk assessments and uses industry best practices in remediation.

  • VENDOR MANAGEMENT - The organization actively manages risks around 3rd party vendors and their access to your company’s data.

  • INFORMATION SECURITY - The business utilizes a platform (e.g., the “Tugboat Logic Platform”) to manage InfoSec policies, provide security awareness training, implement and document security controls, and track compliance with customers, third-party vendors, independent auditors, and regulatory agencies.

BUSINESS CONTINUITY

  • BUSINESS CONTINUITY AND DISASTER RECOVERY - Your company has a Business Continuity and Disaster Recovery Policy that ensures that the organization can quickly recover from natural and man-made disasters while continuing to support customers and other stakeholders.

ORGANIZATION & MANAGEMENT

The “Control Environment” is how the organization sets security roles, manages oversight and deals with security as related to employees, hiring, and overall management.

  • ACCEPTABLE USE - the “Acceptable Use Policy” is a document stipulating constraints and practices that a user must agree to for access to a corporate network and other organizational assets.

  • CORPORATE ETHICS - The organization values ethics, trust, and integrity throughout its business practices. How are they promoted and enforced?

  • PERSONNEL SECURITY - Organization members understand their roles and responsibilities around security and privacy.

ASSET MANAGEMENT

  • IT ASSET MANAGEMENT - A formal change management policy governs changes to the applications and supporting infrastructure.

  • TECHNOLOGY EQUIPMENT HANDLING AND DISPOSAL - The organization appropriately disposes of equipment that contains sensitive information.

  • BRING YOUR OWN DEVICE (BYOD) - Protect the security and integrity of organization’s data and technology infrastructure when employees are using their personal device(s) to connect to organization’s assets.

INFORMATION & COMMUNICATIONS

  • INFORMATION CLASSIFICATION - Information classification assigns a value to information in order to organize it according to its risk to loss or harm from disclosure.

  • WORKSTATION SECURITY - The organization protects laptops and workstations and their contents using industry best practices.

  • NETWORK SECURITY - Your business provides a protected, interconnected computing environment through the use of securely configured network devices to meet organizational missions, goals, and initiatives.

  • DATA INTEGRITY - Your company ensures that system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

AUDIT & COMPLIANCE

  • CUSTOMER SUPPORT AND SLA - Customers are important to your business. You provide Customer Support and a Service Level Agreement (SLA) to support customers.

  • INTERNAL AUDIT - The organization conducts Internal Audits on its existing policies and controls to ensure the best level of service to customers.

DATA SECURITY

  • DATA RETENTION AND DISPOSAL - This policy is about the organization’s approach for data retention and secure disposal.

  • MOBILE DEVICE MANAGEMENT - This policy defines procedures and restrictions for connecting mobile devices to organization’s corporate network.

SDLC SECURITY

  • SOFTWARE DEVELOPMENT - The organization designs and builds software with security and privacy as design principles.

  • CHANGE MANAGEMENT - The organization defines how it handles development, testing, and deployment of systems and applications.

CONTINUOUS COMPLIANCE

NIST Open Security Controls Assessment Language (OSCAL) at https://github.com/usnistgov/OSCAL provides JSON Schema files.

Slides: https://www.slideshare.net/MichaelaIorgaPhD/open-security-controls-assessment-language-oscal-1st-workshop-nov-57-2019

Bi-weekly developer conference call: https://pages.nist.gov/OSCAL/contribute/devlunch

ArmorCode provides a tool which integrates DevSecOps pipelines with its tracking.


References

[1] https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative

[2] Timeline from VIDEO: “SOC 2: Everything You Need to Get a SOC 2 Report” by risk3sixty

[3] TSC by DashSDK.

[4] VIDEO: CertMike Explains SOC Audits by Mike Chapple (who created the preeminent tutorials for security certifications)

[5] https://www.ssae-16.com/ssae-16/ssae-16-preparation-checklist

[6] VIDEO: SOC2 Compliance for Startups by Vanta CEO Christina Cacioppo

“Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success” (Apress March 2021) by Tyler Wall, Jarrett Rodrick

https://www.strikegraph.com/strikegraph_blog/how-auditors-test-and-what-to-expect

Great pdf intro to SOC2 from PracticalAssurance.com

heylaika.com offers their “Unified SOC 2 Platform”.


More about Security

This is one of a series about cyber security:

  1. SOC2
  2. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  3. Git Signing
  4. Hashicorp Vault

  5. WebGoat known insecure PHP app and vulnerability scanners
  6. Test for OWASP using ZAP on the Broken Web App

  7. Encrypt all the things

  8. AWS Security (certification exam)
  9. AWS IAM (Identity and Access Management)

  10. Cyber Security
  11. Security certifications