SOC 2 compliance is a crucial framework for technology and cloud computing companies today. As with many other compliance mandates, it is not a simple connect-the-dots proposition, but rather a complex set of requirements that must be reviewed and carefully addressed. But it doesn’t have to be overwhelming. Below, we’ll break down nine of the most common basic questions that we hear about SOC 2. Think of it as a 101 on SOC 2.
1. What is SOC 2 compliance?
SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. Its goal is to make sure that systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 is both a technical audit and a requirement that comprehensive information security policies and procedures be written and followed.
2. Who does SOC 2 apply to?
As we mentioned above, SOC 2 applies to technology-based service organizations that store customer data in the cloud. That means it applies to pretty much every single SaaS company, and any company that uses the cloud to store its customers’ information (which today is quite a few organizations). SOC 2 is one of the most common compliance requirements that technology-focused companies must meet today.
3. What does SOC 2 require?
First and foremost, SOC 2 requires that you develop security policies and procedures. These need to be written out and followed, and auditors can and will ask to review them. The policies and procedures should encompass: security, availability, processing integrity, confidentiality, and privacy of data stored in the cloud.
4. What must I monitor for SOC 2?
Meeting SOC 2 compliance means establishing a process and practices that guarantee oversight across your organization. Specifically, you want to be monitoring for any unusual, unauthorized, or suspicious activity. Often this takes place at the level of system configuration and user access. You need to be able to monitor for both known malicious activity (like a common phishing scheme or obviously inappropriate access) and unknown malicious activity (like a zero-day threat or a new type of misuse). To find these “unknowns,” you must establish a baseline of normal activity in your cloud environment, because this will make it clear when abnormal activity takes place. The best way to do this is with a continuous security monitoring service.
5. What kind of alerts must I set up?
To ensure that you are meeting SOC 2 requirements, you must receive alerts whenever unauthorized access to customer data occurs. If you do not receive these alerts in time, you may not be able to respond and take corrective action in a timely fashion. To combat false alarms and increase the signal to noise ratio, you need a system that only sounds the alarm when activity strays outside of what is normal for your environment.
SOC 2 in particular requires that you set up alerts for:
- Exposure or modification of data, controls, configurations
- File transfer activities
- Privileged filesystem, account, or login access
Make sure your organization is clear on what constitutes a threat indicator for your environment and risk profile, and then fine-tune your alerts so you know when something significant happens and you can move quickly to preserve the integrity of your data.
6. What type of auditing is required?
Detailed. You need audit trails that go deep on context, because if an incident takes place, you need to know where to begin with remediation. Audit trails should give you the insight you need to effectively conduct security operations, providing sufficient context (who, what, when, where, how) to allow for a rapid and accurate response. These will both aid you in meeting SOC 2 compliance requirements and make it possible to run an effective security organization.
7. What kind of visibility do I need?
Ideally, you should prioritize gaining visibility at the host level. You should seek out security and compliance solutions that enable you to conduct behavior-based monitoring and immediately detect suspicious events, no matter where they take place. SOC 2 compliance demands granular visibility into user activity, processes, network connections, and more.
8. What type of incidents must I prevent?
Any incident that threatens the security, availability, processing integrity, confidentiality, and/or privacy of customer data in the cloud is a big no-no from the SOC 2 perspective. SOC 2 is designed to assure your customers that you are monitoring for suspicious activity and are able to take corrective action quickly if an incident takes place. This gives them the confidence they need to trust you with their sensitive data.
9. Is AWS SOC 2 compliant?
If you’re running in AWS, as the majority of cloud-based organizations are, then you’re probably wondering whether AWS meets SOC 2 compliance. The short answer is Yes. If you’d like to review it yourself (trust, but verify), customers can access the AWS SOC 2 report here.
Final Words. . .
- If you have more questions about SOC 2 compliance, send them to us, either at [email protected] or on Twitter @threatstack. We’ll be happy to answer, and if we get enough of them, we’ll put together a follow-up Q&A on SOC 2 compliance and how you can meet it in today’s conditions.
- If you’d like to read about how Threat Stack achieved SOC 2 compliance, read this blog post: Threat Stack Successfully Achieves Type 2 SOC 2 Examination