Introduction

If you consider how rapidly organizations are expanding their cloud footprint, maintaining compliance with the various standards can become challenging very quickly. SOC 2 audits apply to service organizations that hold, store, or process customer data. In today's digital environment, SOC 2 compliance is a necessity for any organization concerned with how its data is handled.

What is SOC 2?

SOC 2 is an auditing procedure and report defined under the SSAE (Statement on Standards for Attestation Engagements), which is maintained by the AICPA.

Only the Security criteria are relevant for organizations in the public cloud.


SOC Reporting Comparison

(Figure: SOC reporting comparison; image not reproduced here.)

Security Criteria for the Public Cloud

Within the Security criteria, the following are the controls relevant to security and compliance teams responsible for public cloud infrastructure.

CC2.0: Communication and Information
CC5.0: Control Activities
CC6.0: Logical and Physical Access Controls
CC7.0: System Operations
CC8.0: Change Management

The different controls are discussed in more detail below.



CC2.0: Communication and Information

The communications and information criteria of SOC 2 address how service organizations handle internal and external communication and information flows.


CC2.1 states that “the entity obtains or generates and uses relevant, quality information to support the functioning of internal control.”


CC5.0: Control Activities

The control activities criteria of SOC 2 deal with how a service organization's control activities account for risk management and technology.


CC5.2 states that “the entity also selects and develops general control activities over technology to support the achievement of objectives.” This includes management developing control activities that restrict technology access rights to authorized users, commensurate with their job responsibilities, and that protect the entity’s assets from external threats.


CC6.0: Logical and Physical Access Controls

The logical and physical access controls criteria of SOC 2 concern how a service organization's controls implement logical access to IT systems and credentials, physical access to facilities, and security measures to detect and prevent unauthorized access.


For example, CC6.1 states that “the entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” Organizations should identify and authenticate users, consider network segmentation, manage credentials for infrastructure and software, use encryption to protect data, and protect encryption keys.

CC7.0: System Operations

The system operations criteria of SOC 2 address how service organization controls monitor systems for potential anomalies, events, and configuration changes that may carry security risks, and define incident response protocols to contain, remediate, and communicate security incidents.

CC7.1 elaborates that service organizations should monitor infrastructure and software, implement change-detection mechanisms, and detect unknown or unauthorized components. Fugue promotes compliance with CC7.1 by detecting when CloudWatch and CloudTrail are not enabled and configured correctly. For example, Fugue checks that a CloudWatch metric filter and alarm are enabled to catch changes made to IAM policies. Monitoring changes to IAM policies helps ensure that authentication and authorization controls remain intact.
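The check described above, written out as an added example (this is not Fugue's code): it evaluates records shaped like the CloudWatch Logs describe_metric_filters and CloudWatch describe_alarms responses and passes only when a filter pattern covers every IAM policy-change API call and an enabled, actionable alarm watches the metric that filter emits. The event list is the one commonly used for this control (the CIS AWS Foundations Benchmark pattern uses the same set); the sample filters and alarm are constructed, not from a real account.

```python
import re

# IAM API calls that modify policies. This is the event set commonly used for this
# control (the CIS AWS Foundations Benchmark filter pattern uses the same list).
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}

def events_in_pattern(pattern):
    """Collect every $.eventName value a CloudWatch Logs filter pattern matches on."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))

def check_iam_policy_change_monitoring(metric_filters, alarms):
    """Return (passed, findings). Passes only if some filter covers every IAM policy-change
    event AND an enabled alarm with at least one action watches the metric it emits."""
    findings = []
    for f in metric_filters:
        missing = IAM_POLICY_EVENTS - events_in_pattern(f["filterPattern"])
        if missing:
            findings.append(f"{f['filterName']}: pattern misses {sorted(missing)}")
            continue
        for t in f["metricTransformations"]:
            wired = [a for a in alarms
                     if a["Namespace"] == t["metricNamespace"]
                     and a["MetricName"] == t["metricName"]
                     and a.get("ActionsEnabled") and a.get("AlarmActions")]
            if wired:
                return True, []
            findings.append(f"{f['filterName']}: no enabled alarm with an action on "
                            f"{t['metricNamespace']}/{t['metricName']}")
    return False, findings or ["no metric filter targets IAM policy changes"]

# Constructed sample records (not real account data), shaped like the boto3
# describe_metric_filters / describe_alarms responses.
FULL_PATTERN = "{ " + " || ".join(f"($.eventName = {e})" for e in sorted(IAM_POLICY_EVENTS)) + " }"
PARTIAL_PATTERN = "{ ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) }"
SAMPLE_FILTERS = [
    {"filterName": "iam-partial", "filterPattern": PARTIAL_PATTERN,
     "metricTransformations": [{"metricName": "IamPartial", "metricNamespace": "CISBenchmark"}]},
    {"filterName": "iam-policy-changes", "filterPattern": FULL_PATTERN,
     "metricTransformations": [{"metricName": "IamPolicyChanges", "metricNamespace": "CISBenchmark"}]},
]
SAMPLE_ALARMS = [{"AlarmName": "iam-policy-changes", "Namespace": "CISBenchmark",
                  "MetricName": "IamPolicyChanges", "ActionsEnabled": True,
                  "AlarmActions": ["arn:aws:sns:us-east-1:111111111111:sec-alerts"]}]
```

Running the check with SAMPLE_ALARMS emptied, or with an alarm whose ActionsEnabled is false, shows the two failure modes this control is meant to catch: a filter that covers only some events, and a complete filter nobody is alerted on.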


CC8.0: Change Management

The change management criteria of SOC 2 deal with how organizations evaluate and determine necessary changes to infrastructure, data, software, and procedures, so that they can make changes securely and prevent unauthorized changes.


For example, CC8.1 addresses protecting confidential information: “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” The criterion further elaborates that service organizations should create baseline configurations of IT technology and protect confidential information.