Even a choose-your-own-adventure book has a certain structure to it. Sure, you might be making your own way through the book, but there are still plot points, challenges, and decisions the author will include along every path.
SOC 2, being the choose-your-own-adventure cybersecurity compliance standard, is similar in this regard.
An organization pursuing a SOC 2 will make many of their own decisions about the scope of their audit and the controls they choose to implement in their security program. However, the American Institute of Certified Public Accountants (AICPA) authored the standard, and they have ensured one set of principles will guide the core of every SOC 2 compliance program: The Security Trust Services Criteria.
SOC 2 and its Trust Services Criteria
In SOC 2, an organization’s controls are evaluated using a set of five criteria called the Trust Service Criteria (abbreviated to TSP because they were originally known as the Trust Service Principles).
The five TSP categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy, each a group of controls revolving around a certain area of focus. For example, the Availability criteria focuses on controls relating to data availability and service uptime.
These controls are mapped to SOC 2’s internal framework known as the Committee of Sponsoring Organizations of the Treadway Commission (COSO). When evaluating an organization, the SOC 2 auditor will evaluate how well the organization’s security program meets the objectives of the controls laid out within the COSO framework.
SOC 2 is a very flexible cybersecurity compliance regime. It does not explicitly call for many specific cybersecurity controls like multi-factor authentication (MFA). Instead, the COSO framework provides the structure by which cybersecurity controls are designed, implemented, and operated across each of the five criteria.
For example, instead of simply specifying how users are to be authenticated, the COSO framework on access control demands that “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” From that top level, it then lays out a number of more specific demands of the cybersecurity program. This is just one of the many sub-points related to access control.
“Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.”
Ultimately, it is on the organization to design and implement identification and authentication practices that meet this objective and others laid out in the COSO framework.
The framework is designed so that an organization’s management may either customize a point of focus or describe alternative control methods with similar characteristics that maintain the overall spirit of that focal point.
There are 17 COSO criteria that the Trust Service Criteria are aligned to.
In addition to the 17 COSO framework principles, the TSP have supplemental criteria related to logical access that apply to each of the individual trust services categories.
As such, the complete SOC 2 Trust Service Criteria are composed of:
- Criteria shared between all five of the trust services categories and
- Additional specific criteria for the availability, processing integrity, confidentiality, and privacy categories.
Part of choosing the scope of the SOC 2 audit is selecting which of the five Trust Service Criteria the organization will comply with. The only required TSP is Security; the other four are optional. Organizations will select which mix of Trust Services Criteria they want to meet based on the nature of their business and what types of services they provide their customers.
From here, we’ll examine the Security criteria in more depth.
The Security Trust Services Criteria
Since the goal of the SOC 2 standard is to secure organizations from various risks, Security is the mandatory criteria that all organizations pursuing a SOC 2 must comply with.
As defined by SOC 2, Security means that an organization’s information and systems are protected from unauthorized access, information disclosure, and damage to systems that could compromise the confidentiality, integrity, availability, and privacy of information or systems, which would affect the entity’s ability to achieve its objectives.
Security refers to the protection of information and systems.
- Information during its collection or creation, use, processing, transmission, and storage
- Systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives.
Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
There are a number of COSO principles which apply to all five Trust Services Criteria. This overlap creates a set of “Common Criteria,” which defines the Security Criteria.
The Security criteria is the only criteria that is required for SOC 2 compliance. This set of criteria is robust enough that scoping a SOC 2 audit to just the Security Criteria is likely enough for clients to be assured of the security of their information – though it may not be enough depending on the size and nature of the organization receiving the audit.
In total there are 9 main points to the Security Criteria control list. The first five encompass the 17 COSO principles. The last four are an expansion of COSO’s 12th principle: “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.”
SOC 2 Common Security Criteria Control List
Common Criteria 1: The Control Environment
The Control Environment criteria sets the tone and provides the foundation for the other controls within the organization. The “control environment” in the title refers to the organization itself. It focuses primarily on company and management culture.
Controls and policies such as organization charts, internal review policies, and hiring competence are elements of this criteria.
This criteria is designed to ensure that management of the organization buys into the security program. If it does not, the company will fail to be SOC 2 compliant.
Common Criteria 2: Communication and Information
This criteria examines the communication and information sharing processes of an organization, both internally and externally. Internal communication lines are expected to be established directionally across an organization such as communications from management to the board of directors, reporting lines for incidents or system failures, or alternative reporting lines such as whistleblower hotlines.
External communication practices should be in place to set boundaries and expectations between an organization and external entities. This control looks at Master Service Agreements to ensure service levels, responsibilities, and expectations are set – including when and how to report any relevant system changes or incidents to external parties.
Common Criteria 3: Risk Assessment
The Risk Assessment criteria is designed to ensure that businesses have an ongoing risk assessment process to identify and manage the risks they face. This includes having a policy in place describing the components of the risk assessment process, as well as ensuring that various types of risks are assessed, such as internal risks, vendor risks, and fraud risks. It also looks to see that management participates in the risk assessment process.
To comply with this criteria, a new or updated risk assessment must be performed and a report published within the SOC 2 audit period (usually annual, sometimes every six months).
Common Criteria 4: Monitoring Activities
The goal of the Monitoring Activities criteria is to ensure the SOC 2-compliant business is regularly evaluating their own security practices, so that they can catch and correct any issues that may arise.
Common Criteria 5: Control Activities
This criteria provides guidance on how control activities should be designed and implemented to support the business’s objectives, and tasks the organization with continually improving these activities.
Control activities should be in place throughout all business levels and can include the technical environment. The remaining Common Criteria break down specific aspects of these control activities.
Common Criteria 6: Logical and Physical Access Controls
This criteria examines an organization’s access control processes. This includes physical and logical access procedures, access provision, restriction, removal, and unauthorized access prevention methods.
Another important element of access control is conducting an access audit. Businesses frequently forget to update access roles for employees when they leave the organization or their responsibilities change – a serious security risk which this criteria seeks to mitigate.
This area also includes controls such as encryption, antivirus, and antimalware.
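The access audit described above boils down to reconciling what the identity provider says exists against what HR says should exist. The following is an added example, not code from the original article or from the AICPA: it takes a constructed HR roster, a constructed identity-provider export, and an assumed role-to-entitlement map, and reports accounts belonging to terminated staff, accounts with no HR owner, and group memberships that no longer match the person's current role.

```python
"""Periodic access review: reconcile identity-provider accounts with the HR roster.

All data below is constructed for illustration; the role-to-entitlement map is an
assumption about how an organization might document who is allowed what.
"""
from dataclasses import dataclass

# Constructed HR roster: employee id -> (employment status, current role).
HR_ROSTER = {
    "e101": ("active", "engineer"),
    "e102": ("terminated", "engineer"),   # left the company; account should be gone
    "e103": ("active", "support"),        # moved from engineering to support
    "e104": ("active", "finance"),
}

# Constructed identity-provider export: one record per enabled account.
IDP_ACCOUNTS = [
    {"user": "alice", "employee_id": "e101", "groups": {"eng-deploy", "vpn"}},
    {"user": "bob", "employee_id": "e102", "groups": {"eng-deploy", "vpn"}},
    {"user": "carol", "employee_id": "e103", "groups": {"eng-deploy", "support-tools", "vpn"}},
    {"user": "dave", "employee_id": "e104", "groups": {"finance-erp"}},
    {"user": "svc-legacy", "employee_id": None, "groups": {"vpn"}},  # no human owner on record
]

# Assumed entitlement map: which groups each role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"eng-deploy", "vpn"},
    "support": {"support-tools", "vpn"},
    "finance": {"finance-erp"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "terminated", "orphaned" or "excess_group"
    detail: str


def review_access(accounts, roster, entitlements):
    """Return one Finding per discrepancy between the IdP and the HR roster."""
    findings = []
    for acct in accounts:
        eid = acct["employee_id"]
        # An account that maps to nobody in HR has no one accountable for it.
        if eid is None or eid not in roster:
            findings.append(Finding(acct["user"], "orphaned", "no HR record; assign an owner or disable"))
            continue
        status, role = roster[eid]
        # Terminated staff must not retain an enabled account at all.
        if status != "active":
            findings.append(Finding(acct["user"], "terminated", f"HR status is {status!r}; account still enabled"))
            continue
        # For active staff, any group outside the current role's entitlements is excess.
        allowed = entitlements.get(role, set())
        for group in sorted(acct["groups"] - allowed):
            findings.append(Finding(acct["user"], "excess_group", f"{group} is not entitled for role {role!r}"))
    return findings


def summarize(findings):
    """Count findings by kind, which is what an auditor typically asks for first."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(IDP_ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS):
        print(f"{f.kind:<13} {f.user:<12} {f.detail}")
    print(summarize(review_access(IDP_ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS)))
```

Run against the constructed data it flags three accounts: bob (terminated), carol (still in eng-deploy after moving to support) and svc-legacy (no HR owner), while alice and dave pass. The reconciliation is deliberately driven by an explicit entitlement map rather than by whatever groups currently exist, because the evidence an auditor wants is that access was compared against a documented expectation, not just listed.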
Common Criteria 7: System Operations
The System Operations criteria tasks businesses with protecting their information systems. A special emphasis is placed on identifying and responding to vulnerabilities.
Common control activities include configuration monitoring, vulnerability scanning, and incident response plans.
Common Criteria 8: Change Management
Change Management is very important to SOC 2 – most of its criteria require businesses to watch out for changes that could leave them vulnerable.
In its own criteria, Change Management requires businesses to create policies and procedures for just how they detect the need for changes, monitor changes, approve changes, allow for emergency changes, and prevent unauthorized changes.
Lots of documentation is needed for this criteria!
Common Criteria 9: Risk Mitigation
The Risk Mitigation criteria looks to ensure a business has processes in place to mitigate risks from potential business disruptions. The criteria calls out risks originating from within the organization itself, and from within the organization’s vendors. This criteria is what creates SOC 2’s requirement for a strong vendor management program.
Risk mitigation is one of the four strategies of risk management, defined as reducing the risk – whether that’s reducing the likelihood of a risk occurring or reducing the damage a risk causes.
For SOC 2, this requires an organization to have a business continuity/disaster recovery plan in place. It also encourages organizations to use cyber insurance to mitigate the potential loss caused by a cyber attack.
No SOC 2 compliance program is complete unless it meets the objectives laid out in the Common Criteria. While organizations may have choose-your-own-adventure freedom to meet those criteria – it’s important to remember that the author (the AICPA) has its own goals, guidelines, and a conclusion for each organization adhering to its standard to meet.
Thankfully, that goal is a good one: stronger security programs to increase the safety of all organizations from cyber attacks.