Part 1: From Monster to Mascot
How did a fairly straightforward endeavor – an IT audit – become that monster under the bed?
Compliance projects all too often feel like a massive box-checking exercise. You may be pulling staff and co-workers into a vast abyss, mapping arcane compliance controls and deciphering audit-speak, all to hopefully pass an audit and maybe shore up security along the way. So how can you, the IT experts, quickly tease out the essence of what an auditor needs to see in order to be confident that your controls are in place?
In this post we will use the example of a SOC 2 Type 1 audit in a cloud native environment (a Type 1 report covers the design of controls at a point in time, vs. a Type 2 report, which covers their operating effectiveness over a period of time) to demystify all of the dots, dashes and control numbers, giving you a high-level roadmap of the key elements required to pass your own SOC 2 audit regardless of where you are on your cloud native or compliance journey.
Why are we hearing so much about SOC 2?
We often hear SOC 2 in the same sentence as "audit" because of the breadth of what it reports on. Readying your organization for SOC 2 is a good starting point for building structures which can produce audit evidence and enforce controls. Those controls and that evidence can often be repurposed to support a wide variety of other frameworks, from PCI DSS to NIST SP 800-53. In short, putting structures in place to pass a broad audit such as SOC 2 is a great springboard for overall success in your compliance journey.
You may know that having a SOC 2 attestation in the cloud puts you at a competitive advantage, can help you win and retain customers, and often satisfies internal and external stakeholders. (Strictly speaking, SOC 2 is an attestation report issued by a CPA firm, not a certification, though it is commonly called one.) Yes, a SOC 2 report helps build trust, and yes, it differentiates you from your peers, but why are we hearing so much about it now?
2020's new normal of a heavily distributed workforce, working with heavily distributed data and systems, and with even fewer resources, raises the stakes. Heavy regulation and the complicated challenges facing the 2020 IT workforce require CISOs, CEOs and CIOs to get on the same page rather than overseeing their own silos of responsibility. The continued need for real security solutions that also satisfy heavily regulated and monitored compliance controls often forces additional capital investment, with the understanding that firms must get compliance right the first time.
The challenges of understanding and responding to this quickly changing compliance landscape are exacerbated in a cloud native environment. Software-defined perimeters and traditional anti-virus are just some of the tools many organizations have come to rely upon to pass audits. However, will these tools even function, or scale, across multiple Cloud Service Providers (CSPs), across a purely cloud native infrastructure, or both?
Adding new tools to the toolbox to satisfy compliance requirements can be costly and difficult to operationalize. More tools can create alert fatigue, especially if your IT budget has been cut, and that alert fatigue combined with a lack of familiarity with the new tools can actually detract from your overall security, even though you may tick some checkboxes for the audit.
You must find balance. A clear compliance narrative describing your IT systems is the foundation for producing clear use cases for audit evidence, which is essential to pass any audit, SOC 2 or otherwise. And in truth, with the 'new normal' you are likely already tackling the SOC 2 trust services criteria (more below) every day. You're already doing the work, so why not bake compliance in at the outset and frame that work in compliance and security use cases across every facet of your IT program?
TL;DR on SOC 2
Who should consider a SOC 2 report? Service organizations which hold, store or process customer data.
What is required as an MVP? For a SOC 2 audit that does not include the Privacy category, the mandatory criteria are the trust services criteria for Security, i.e. the common criteria CC1 through CC9. Of those, the criteria that bear most directly on day-to-day IT operations, and which this series focuses on, are:
- Common Criteria CC2.x – Communication and Information
- Common Criteria CC5.x – Control Activities
- Common Criteria CC6.x – Logical and Physical Access Controls
- Common Criteria CC7.x – System Operations
- Common Criteria CC8.x – Change Management
Where can I see details on the required common criteria for security? The AICPA publishes the trust services criteria (TSP Section 100) as a detailed PDF on its website.
In addition, most organizations are actively revisiting and working to 'solve' the other SOC 2 trust services criteria beyond Security. 2020's new normal has you preparing for SOC 2 whether you realize it or not.
SOC 2 Trust Services Criteria:
- Security – five months ago we could not have foreseen the level and rapidity of change. We have a highly distributed workforce, a reduced response team in some cases, and a spike in threats from all angles. Zero Trust is not just a framework, it is reality. How are you going to demonstrate that you protect against unauthorized access and unauthorized disclosure of information?
- Availability – If your move to cloud native has just accelerated, how are you going to explain to your auditor that you have actually enhanced availability and resilience by leveraging containers and microservices? What does that workflow look like? How can you leverage existing frameworks to tell this story?
- Processing integrity – Maybe your firm is leaning on B2B partners more; maybe you are leaning on offshore resources more than in the past. Do you have easy access to the procedures and processes of all the third parties you employ? Do you know all that you should about those who participate in the care and feeding of your organization's infrastructure, data and software?
- Confidentiality – Working from home exposes physical security in a new way. More and more employees may have to work from 'common spaces' to get stable internet and power. Simply having a laptop holding sensitive data in a busy household brings new risks of theft and damage. How are you going to demonstrate your handle on confidential information across a highly distributed workforce?
- Privacy – The EU drew an unambiguous line in the sand on July 16th, 2020, when the Court of Justice of the European Union ruled (in the decision known as Schrems II) that data rights are fundamental rights and that US surveillance practices conflict with them. The picture is becoming fractious within the US as well: the California Consumer Privacy Act now allows consumers to opt out of the sale of their personal data, while New York's SHIELD Act (which also went into effect in 2020) focuses on the protection of private information and requires organizations to disclose breaches. Data privacy concerns are shifting in real time; at least part of your firm's resources should be applied to monitoring for updates.
Read post 2 in this blog series: SOC 2 Type 1 MVP Playbook