So salespeople can close faster with prospective customers by providing a SOC 2 Type II report

NOTE: “SOC” here does not refer to “Security Operations Center” nor “Systems on a Chip”.

BTW content here are my personal opinions, and not intended to represent any employer (past or present).

Here, the “SOC” in “SOC2” stands for (“Systems and Organization Controls”, formerly “Service Organization Controls”) reports as defined by the American Institute of Certified Public Accountants (AICPA).[1] The AICPA was formed as an association of independent CPA firms (such as PwC, Deloitte, EY, KPMG, etc.) who are approved by a company’s shareholders to perform audits. Additionally, each CPA is licensed by the government after an examination. So they are built to be an “objective 3rd-party”. However, SOC auditing is another line of business for CPAs.

VIDEO: Summary

A SOC 2 audit is not a legal or regulatory requirement like HIPAA, PCI DSS, or SOX.

PROTIP: Preparing for and conducting a SOC2 audit strengthens an organization’s overall security posture and thus lower the potential risk of a security breach.

Cloud salespeople report that it is “table stakes” to provide a SOC2 Type II report. The document contains an attestation from a CPA firm hired by each service provider to evaluate and attest that there is proof the service provider indeed has measures in place to protect the integrity, confidentiality, and privacy of data on behalf of customers. This is done typically each year.

(AAC-02.1) Cloud vendors post their reports in the Cloud Security Alliance Registry and on their website to signed-on users at:

• https://console.aws.amazon.com/artifact/reports
• https://servicetrust.microsoft.com/
• https://cloud.google.com/security/compliance/soc-2

CCM of CAIQ from CSA

Cloud vendors make use of the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) v3.1 based on the CSA Cloud Controls Matrix (CCM) from various cloud vendors:

• PDF: ESRI’s answers references both SOC2, ISO 27001:2018, and FedRamp 880-53.
• PDF: Amazon’s answers
• https://cloudsecurityalliance.org/star/registry/microsoft/
• https://www.oracle.com/a/ocom/docs/oci-corporate-caiq.pdf
• https://services.google.com/fh/files/misc/sep_2021_caiq_self_assessment.pdf
• https://cloudsecurityalliance.org/star/registry/atlassian/services/jira-and-confluence-cloud/

There are both full and lite editions of CAIQ. The full 310 questions in v3.1 and 261 questions in v4.0 map validated controls to 16 control categories, in this (alphabetical) order by code:

1. AIS (Application & Interface Security)
2. AAC (Audit Assurance & Compliance)
3. BCR (Business Continuing Management & Operational Resilience)
4. CCC (Change Control & Configuration Management)

5. DSI (Data Security & Information Lifecycle Management)

6. DCS (Datacenter Security)
7. EKM (Encryption & Key Management)
8. GRM (Governance and Risk Management)
9. HRS (Human Resources)

10. IAM (Identity & Access Management)

11. IVS (Infrastructure & Virtualization Security)
12. IPY (Interoperability & Portability)
13. MOS (Mobile Security)
14. SEF (Security Incident Management, E-Discovery, & Cloud Forensics)

15. STA (Supply Chain Management)

16. TVM (Threat and Vulnerability Management)

These reference other standards, such as data-labeling standards ISO 15489, Oasis XML Catalog Specification, CSA data type guidance.

Types of SOC

The “2” in “SOC2” and “Type II” refers to the specific type of report issued. A SOC 2 Type II report of “attestation” is issued by a CPA for the service organization to provide to prospective customers. (By contrast, ISO 27001 auditors issue a “certificate of compliance”.)

SOC1 is on audits of a service organization’s Internal Control over Financial Reporting (ICFR). It is applicable only to service organizations which perform outsourced services that affect the financial statements of another Company (the “User Organization”), such as Payroll Processing, Loan Servicing, Data Center/Co-Location/Network Monitoring Services, Software as a Service (SaaS), Medical Claims Processors, etc.

REMEMBER: “POLICIES” refer to rules defined to protect assets. “CONTROLS” are rules implemented (such as use MFA, etc.).

AICPA FAQ

SOC2 Type I reports address the suitability of policies and procedures in operation at a specific moment in time.

“SOC2 Type II” reports address both the suitability and effectiveness of policies and procedures over a period of time – no less than six months (usually a year). Since this report takes into account historical data generated, it is a more accurate and comprehensive audit. However, many companies are not able to adequately generate data as the basis for an audit until they have adequate controls in place.

Type 3 reports are a simplified version of the SOC 2 report. It is designed to publicly attest that the service provider has completed a SOC 2 assessment, while also limiting the information to what is relevant to public parties. SOC 3 report were created as a result of the growing demand for a public facing report.

[6]

These defined controls are a series of standards designed to help measure how well a given service organization conducts and regulates its information. They are designed to provide clients confidence that an organization can be trusted to keep their data secure.

SSAE 18

The AICPA “Statement on Standards for Attestation Engagements” (SSAE) define standards auditors use to conduct audits. Verion 16 of SSAE replaced SAS (“Statement on Auditing Standards”) 70 on 2011. SSAE version 18 PDF was created May 2017. Its requirements defines some acronymns:

• IPE (Information Produced by the Entity): Companies must provide evidence of the accuracy of any information provided. Examples include SQL queries or Tableau report parameters.

• Vendor management and monitoring of sub-service organizations: Service providers or data centers must include controls for sub-service organizations. The goal is to ensure that anybody with access to the data is adhering to control standards.

• CUECs or Complementary User Entity Controls: limited to controls that are needed to achieve the stated control objectives

• Internal audit and regulatory examinations: service organizations read the latest reports relating to internal and regulatory examinations. For example, SOC Cybersecurity examination and updated trust services principles went into effect on December 15th, 2018.

The equivalent for SSAE 18 internationally is the ISAE 3402 (International Standards for Audit Engagements) published by the International Auditing and Standards Board (IASB).

Timeline & Strategies

[2]

1. Evaluate and hire a certified external consultant with experience in your particular industry (such as Truvantis, etc.).

2. Educate each department on the need for each control, the audit process, what documents and evidence are needed, and how to prepare (format) them:

   • Send invitations and track attendance and follow-up
   • Outside speakers to provide perspective and enthusiasm
   • Tracking of activities and achievements by individuals

3. Survey the organization, conduct document reviews, employee interviews, and walk-throughs to identify the amount of time and work to develop controls needed

   • System to survey opinions about buy-in and guage understanding
   • System to track progress on gaps in each control within each department

4. Clarify the scope and activities based on what customers want prioritized against limitations of time and resources.

   • Systems involved and their needs
   • Since internal audit resources are limited, plan readiness assessments one department at a time

5. Specify who is involved and each of their roles, responsibilities, and activities to achieve the desired objectives

   • Time requests into departmental Jira/Asana or other planning/tracking system in regular use
   • Metrics

6. Identify an auditor and choose testing timelines.

7. Prepare the organization for mock and actual audits:

   • Schedules
   • Document Samples/templates with guidance on how to prepare (format) policies, procedures, playbooks (with linkages)
   • Traceability from Selection Of Controls through implementation and assessment (OSCAL)

   Perform

8. Write/revise and review security policies and procedures (System Security Plans) behind each control where prior efforts (ISO) did not cover.

9. Conduct processes to create evidence data and System Assessment Plans (SAPs) as the basis for audit and reporting during the audit period (6 months to a year). Processes may include internal and external pen-testing.

10. Track and report progress each week/month on where each team still needs additional work, with projections toward when audit readiness will occur. Metrics for the Security Operations Center incident response and corrective action:

    • Mean Time to respond/remediate
    • Mean Time to acknowledge
    • Mean Time to close (Incident dwell time)
    • Percentage of false positives

    SOC2 Type I audit (single process run)

11. Identify issues in audit preparations. This can be done by an internal auditor or an auditing consultant to provide guidance.

    A few weeks before the start of your audit, your auditor will send you a PBC (Provided By Client) list based on the controls identified for auditor review. There is often follow-up questions with some back-and-forth communication.

12. Pepare for and perform a SOC2 Type 1 mock audit by ensuring that procedures and evidence for each control can be confidently presented for a single process run.

13. Assess System Assessment Results (SARs).

14. Manage auditors on Type 1 audit day if that is part of the strategy. Challange controls auditors ask for, when appropriate.

    SOC2 Type 2 audit

15. Perform a Type 2 mock audit. Ensure that evidence for each control can be presented for the audit period (6 months to a year).

16. Prepare for Type 2 audit. Ensure that each department has the evidence at the ready before auditor arrival.

17. Manage auditors on audit day. Challange controls auditors ask for, when appropriate.

18. Dispute draft auditor report language where it’s unfavorable.

19. Publicize/leverage the report with customers and prospects.

---

Type 2 trust principles

Type 2 reports focus on five trust principles which each service organization deem relevant to their business [3]:

• Security – Information and system assets are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise security availability, confidentiality, integrity, and privacy of data or systems. That also affects the entity’s ability to meet its objectives.

• Availability – Information and organizational systems are available (accessible) for operation and use to meet the entity’s objective requirements. Controls include fail-over.

• Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

• Confidentiality – Information designated as confidential is protected (such as passwords, encryption using security certificates, etc.) to meet the entity’s objectives.

• Privacy – Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.

The categories above all share a set of trust services criteria known as the standard criteria for each trust principle.

Additionally, each TSC contains points of focus to assist management when designing, implementing, and operating controls.

PROTIP: Service providers are regularly advised to limit their first SOC 2 audit to just Security and only include additional criteria if necessary.

Trust Standard Criteria

The Trust Service Criteria (TSC) for each trust principal include these Common Criteria (CC):

Each of the above criteria are addressed in every SOC audit. Additionally, there may be more TSC’s which need to be evaluated in addition to the standard criteria, depending on which TSC categories are being assessed.

When you order your compliance audit, you can decide which TSC categories are the most important. Base your decisions on what clients are most likely to want. Doing so will ensure that clients get the information they need. They will be less likely to come back to you with questions if they are addressed in the SOC 2 report.

Who does what

Who	Topics	Walk throughs	Auditor Hours
Sales & Marketing	Timeline, Description of product/service in auditor reports	0	0
Leadership	Auditor agreement, Assertion of Mangement in Draft auditor reports	1-2	4-8
Legal, HR	Customer Agreements, Employee Policies & Agreements	1-2	4-8
Security	Risk management, Business Continuity, Audit & Compliance	1-2	10-20
Facilities	Facilities Access Control, Asset Management	1-2	1-2
Info technology Operations	Security Operations (Security Policies, Network security), Data Security (in IT Operations), Information & Communications	1-2	10-20
Engineering, DevSecOps, Development	Systems Access Control, SDLC (Change Controls)	1-2	10-20
Total	6-12	39-78

[2] 16:32

$30-50K by a boutique firm such as risk3sixty[2], 4x for a “Big Four” firm.

Videos from the Tugboat Logic SOC 2 Bootcamp:

Management Insights

Management of the process requires these areas of insight:

• Audit report countdown: When can salespeople provide customers with a current SOC2 Type II report?

• Audit readiness: Are policies, controls, and procedures defined and reviewed in each area?

• Compliance status: Are proofs of compliance being generated for controls in each area?

• Gap analysis: In what areas do compliance gaps exist?

• Trend: How has our security posture improved over time?

• Future gap analysis: How much effort is required to comply with additional frameworks?

• Benchmarking: How are we doing relative to competitors?

GRC Automation

Reciprocity’s ZenGRC provides a platform for integrating compliance, audit, risk management, third-party risk solutions, and governance and policy management applications. It covers 32 domains and over 750 controls. It supports several compliance frameworks in addition to SOC2.

VIDEO Vanta

KnowB34, founded by reformed hacker Kevin Mitnick, offers their KCM GRC SaaS product, which claims “KCM GRC has a simple, intuitive user interface, easy to understand workflows, a short learning curve, and will be fully functional in a matter of days.”

Additional frameworks

Many controls covered by SOC 2 are also of concern in legal standards as well as ISO, CCPA, GDPR, and customer-specific requirements.

Customers outside the US will ask for an attestation in the ISO 2700x international standard by independent auditors (not necessarily CPAs).

Since 2017, a SOC 2+ report allow a service organization to address additional criteria from other compliance standards such as HITECH, HIPAA compliance, ISO 27001, Cloud Security Alliance (CSA), NIST 800-53, or COBIT 5.

---

Public companies required under Section 404 of the Sarbanes-Oxley Act (SOX) to file annual reports on the design and operating effectiveness of their internal controls.

• https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
• https://weaver.com/blog/coso-frameworks-17-principles-effective-internal-control

The 2013 version of the framework from COSO (Committee of Sponsoring Organizations of the Treadway Commission) at coso.org has a PDF consists of 17 principles organized in 5 categories (summarized below).

Each level of an organization are assessed for each of 17 items across the 5 categories for three aspects:

• Operations - Policies and Procedures
• Reporting - Metrics collection, dashboards, alerts
• Compliance - Time-stamped evidence stored

PROTIP: The contribution of this document is sorting the list by COSO Principle number rather than CC code:

Control Environment (CC1)

CC1.1 \1. The entity demonstrates a commitment to integrity and ethical values.

CC1.2 \2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

CC1.3 \3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

CC1.4 \4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.5 \5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment (CC3)

CC3.1 \6. The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.2 \7. The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

CC3.3 \8. The entity considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.4 \9. The entity identifies and assesses changes that could significantly affect the system of internal control.

Control Activities (CC5)

CC5.1 \10. The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.2 \11. The entity selects and develops general control activities over technology to support the achievement of objectives.

CC5.3 \12. The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

Communication and Information (CC2)

CC2.1 \13. The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

CC2.2 \14. The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.3 \15. The entity communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities (CC4)

CC4.1 \16. The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2 \17. The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Logical and Physical Access Security (CC6)

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives

CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

System Operations (CC7)

CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities

CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

CC7.4 The entity responds to identified security incidents by executing a defined incident -response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.

Change Management (CC8)

CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Risk Mitigation (CC9)

CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.2 The entity assesses and manages risks associated with vendors and business partners.

Additional Criteria (A1)

PDF: 2017 Trust Services Criteria TSP Section 100.05 (March 2020 redline version) describes criteria in addition to COSO principles

A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives.

FOR CONFIDENTIALITY (C1)

C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality

C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.

FOR PROCESSING INTEGRITY (PI1)

PI1.1 The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

PI1.2 The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.

PI1.3 The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.

PI1.4 The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.

PI1.5 The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.

FOR PRIVACY (PI)

P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.

P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.

P3.1 Personal information is collected consistent with the entity’s objectives related to privacy.

P3.2 For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy

P4.1 The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.

P4.2 The entity retains personal information consistent with the entity’s objectives related to privacy.

P4.3 The entity securely disposes of personal information to meet the entity’s objectives related to privacy.

P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.

P5.2 The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.

P6.1 The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.

P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy.

P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.

P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident -response procedures to meet the entity’s objectives related to privacy.

P6.6 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.

P6.7 The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.

P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.

P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.

---

Controls

PROTIP: Each GRC vendor and auditor has its own names for controls, organized a different way.

Therefore, a mapping of company internal names and organization needs to be mapped to the auditor’s structure.

Controls per TugboatLogic

The “Audit Readiness Module” from Tugboat Logic (https://tugboatlogic.com) translated SOC 2 requirements into a set of controls using a questionnaire, service providers can define their own scope. From questionaire answers, a list of 80-90 prebuilt policies and controls is mapped to the SOC2 framework:

• AA = Access Authentication
• AC = Access Control
• AT = Awareness and Training
• CM = Change Management

• CR = Continuity and Resilience

• DS = Data Security
• HR = Human Resources
• IM = Incident Management
• OM = Organization and Management

• RM = Risk Management

• SO = Security Operations
• VM = Vendor Management

• WS = Workstation Security

• SDLC Security?
• Asset Management?
• Audit and Compliance?

Specifically:

ACCESS CONTROL

• ACCESS CONTROL - Access Control Policy defines high-level requirements and guidelines on user account management, access enforcement and monitoring, separation of duties, and remote access.

• KEY MANAGEMENT AND CRYPTOGRAPHY - The organization utilizes the latest commercially accepted encryption protocols.

• SERVER SECURITY - The organization manages, configures, and protects organization servers and hosts based on industry best practices.

• PHYSICAL AND ENVIRONMENTAL SECURITY - The organization protects managed systems and personnel from unauthorized access and from natural and human caused damage or destruction.

• SERVERLESS SECURITY - The organization has established guidelines for the secure deployment and maintenance of the serverless architecture.

• IT ASSET MANAGEMENT - A formal change management policy governs changes to the applications and supporting infrastructure. That aids in minimizing the impact that changes have on organization processes and systems.

SECURITY OPERATIONS

How the organization handle system vulnerabilities, detect system operational issues and respond to security incidents:

• VULNERABILITY MANAGEMENT - The organization conducts scheduled application/network scanning and penetration tests.

• INCIDENT MANAGEMENT - It is critical to the organization that security incidents that threaten the security or confidentiality of information assets are properly identified, contained, investigated, and remediated.

• CHANGE MANAGEMENT - how the organizations conduct scheduled application/network scanning and penetration tests.

• MONITORING ACTIVITIES – how the organizations develop, monitors, and ensure that internal security controls are active and functioning.

RISK MANAGEMENT

• RISK ASSESSMENT - The organization institutes regular risk assessments and uses industry best practices in remediation.

• VENDOR MANAGEMENT - The organization actively manages risks around 3rd party vendors and their access to your company’s data.

• INFORMATION SECURITY - The business utilizes (ex. “Tugboat Logic Platform”) to manage InfoSec policies, provide security awareness training, implement and document security controls, and track compliance with customers, third party vendors, independent auditors and regulatory agencies.

BUSINESS CONTINUITY

• BUSINESS CONTINUITY AND DISASTER RECOVERY - Your company has a Business Continuity and Disaster Recovery Policy that ensures that the organization can quickly recover from natural and man-made disasters while continuing to support customers and other stakeholders.

ORGANIZATION & MANAGEMENT

The “Control Environment” is how the organization sets security roles, manages oversight and deals with security as related to employees, hiring, and overall management.

• ACCEPTABLE USE - the “Acceptable Use Policy” is a document stipulating constraints and practices that a user must agree to for access to a corporate network and other organizational assets.

• CORPORATE ETHICS - The organization values ethics, trust, and integrity throughout its business practices. How are they promoted and enforced?

• PERSONNEL SECURITY - Organization members understand their roles and responsibilities around security and privacy.

ASSET MANAGEMENT

• IT ASSET MANAGEMENT - A formal change management policy governs changes to the applications and supporting infrastructure.

• TECHNOLOGY EQUIPMENT HANDLING AND DISPOSAL - The organization appropriately disposes of equipment that contains sensitive information.

• BRING YOUR OWN DEVICE (BYOD) - Protect the security and integrity of organization’s data and technology infrastructure when employees are using their personal device(s) to connect to organization’s assets.

INFORMATION & COMMUNICATIONS

• INFORMATION CLASSIFICATION - Information classification assigns a value to information in order to organize it according to its risk to loss or harm from disclosure.

• WORKSTATION SECURITY - The organization protects laptops and workstations and their contents using industry best practices.

• NETWORK SECURITY - Your business provides a protected, interconnected computing environment through the use of securely configured network devices to meet organizational missions, goals, and initiatives.

• DATA INTEGRITY - Your company ensures that system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.regulatory agencies.

AUDIT & COMPLIANCE

• CUSTOMER SUPPORT AND SLA - Customers are important to your business. You provide Customer Support and a Service Level Agreement (SLA) to support customers.

• INTERNAL AUDIT - The organization conducts Internal Audits on its existing policies and controls to ensure the best level of service to customers.

• CUSTOMER SUPPORT AND SLA - Customers are important to your business. You provide Customer Support and a Service Level Agreement (SLA) to support customers.

DATA SECURITY

• DATA RETENTION AND DISPOSAL - This policy is about the organization’s approach for data retention and secure disposal.

• MOBILE DEVICE MANAGEMENT - This policy defines procedures and restrictions for connecting mobile devices to organization’s corporate network.

SDLC SECURITY

• SOFTWARE DEVELOPMENT - The organization designs and builds software with security and privacy as design principles.

• CHANGE MANAGEMENT – The organization defines how organizations handle development, testing, and deployment of systems and applications.

• PHYSICAL AND ENVIRONMENTAL SECURITY - The organization protects managed systems and personnel from unauthorized access and from natural and human caused damage or destruction.

CONTINUOUS COMPLIANCE

NIST Open Security Controls Assessment Language (OSCAL) at https://github.com/usnistgov/OSCAL has JSON Schema files

https://www.slideshare.net/MichaelaIorgaPhD/open-security-controls-assessment-language-oscal-1st-workshop-nov-57-2019 https://pages.nist.gov/OSCAL/contribute/devlunch Bi-weekly conf.

ArmorCode provides a tool which integrates DevSecOps pipelines with their tracking

---

References

[1] https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative

[2] Timeline from VIDEO: “SOC 2: Everything You Need to Get a SOC 2 Report” by risk3sixty

[3] TSC by DashSDK.

[4] VIDEO: CertMike Explains SOC Audits by Mike Chapple (who created the preminent tutorials for security certifications)

[5] https://www.ssae-16.com/ssae-16/ssae-16-preparation-checklist

[6] VIDEO: SOC2 Compliance for Startups by Venta CEO Christina Cacioppo

“Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success” (Apress March 2021) by Tyler Wall, Jarrett Rodrick

https://www.strikegraph.com/strikegraph_blog/how-auditors-test-and-what-to-expect

Great pdf intro to SOC2 from PracticalAssurance.com

heylaika.com offers their “Unified SOC 2 Platform”.

---

More about Security

This is one of a series about cyber security:

---

SOC2 (CPA attestation report on each service organization's information security controls) was published on May 30, 2022.