Leveraging the Cloud for SOC 2 Compliance
Here are some best practices for ensuring their cloud environment meets security compliance regulations
In a world of high-profile attacks, breaches and information compromises, companies that rely on third parties to manage and/or store their datasets are wise to consider a road map for their security, risk and compliance strategy. Failure to detect or mitigate the loss of data or other security breaches, including breaches of their suppliers’ information systems, could seriously expose a cloud user and their customers to a loss or misuse of information in such a harmful way that it becomes difficult to recover.
In 2018, there were nearly 500 million records exposed from data breaches, according to the Identity Theft Resource Center’s findings. While absolute security never can be attained when running a business, there are frameworks, tools and strategies that can be applied to minimize the risks to acceptable levels while maintaining continuous compliance. SOC 2 is one framework that is particularly beneficial. It is built on the AICPA’s Trust Services Principles for service security, availability, confidentiality, processing integrity and privacy.
SOC 2 is well-suited for a wide range of applications, especially in the cloud. Companies have realized that their security and compliance frameworks must stay aligned with the inherent changes that come with cloud adoption. This includes making sure to stay abreast of developing capabilities and feature enhancements. When embedded into their cloud strategy, companies can use the common controls that SOC 2 offers to build the foundation for a robust information systems security program.
CISOs, CSOs and company stakeholders must not take on the process of forming the company security strategy in a vacuum. Taking advantage of core leaders in the organization, both at the management level and at the individual contributor level, should be part of the overall security development strategy, just as it is with successful innovation strategies. In fact, the security strategy should be integrated within the company’s larger innovation strategy. One of the best approaches to ensuring this happens is to develop a steering committee with participation from all major divisions and/or groups in the company. This is more effective with smaller organizations where information can quickly flow vertically and horizontally; however, larger organizations simply would need to ensure that the vehicles are in place to allow for a quick flow of information to all stakeholders.
Organizations with strong security programs have good controls in place to address each of the major domain categories under the Trust Service Principles. Each of the Trust Service Principles can be described through the controls that the company has established. Below are some ways that companies can meet the compliance requirements for security, availability and confidentiality while simultaneously lowering the overall risk to their business and their customers’ businesses.
Security
To meet compliance, companies should implement internal and external system change management policies using effective IT services management (ITSM) tools to track, at a minimum, the change subject, descriptions, requester, urgency, change agent, service impact, change steps, evidence of testing, backout plan and appropriate stakeholder approvals. I would also recommend implementing full-disk encryption for end user devices, deploying centrally managed Directory Services for authorization, using multi-factor authentication, following password/key management best-practices, using role-based access controls, segregating permission using a least-user-privilege approach, and documenting policies and procedures. These are great moves toward securing environments quickly.
Companies also should work to ensure that their managed services provider (MSP) is running regular vulnerability scans and performing prompt risk remediation. Independent testing of the provider’s environment will help to identify any unexpected risks, so implementing an annual penetration test is important. And, finally, door access badges, logs and monitoring of entry/exit points are positive ways to prevent unauthorized physical entry.
Availability
Disaster recovery and incident escalation are critical components of any security strategy. For compliance, companies need to ensure their MSP maintains current documented disaster recovery plans with at least annual exercises. Well-thought-out plans include testing of upstream and downstream elements of the supply chain, including a plan for notifications to all stakeholders. Furthermore, companies should implement an annual formal risk assessment with a risk mitigation plan for the most likely situations.
Confidentiality
One important action item for companies is to implement ways and techniques to prevent data from being lost by unsuspecting employees or customers. Examples may include limiting use of external media ports to authorized devices, depreciating old cypher protocols and blocking unsafe or malicious downloads. Companies also should use secure protocols and connections for the safe transmission of confidential information, and be sure to identify elements of their cloud environment so that the MSP can properly secure and protect those elements with a tagging strategy. Finally, companies must use email encryption when sending any confidential information and check with their own legal department for proper use of a confidentiality statement in email signatures that are appropriate to their business.
By implementing these SOC 2 controls, companies can be expected to have a solid security framework. Regardless of their stage in the cloud adoption life cycle, businesses must continue to demonstrate to their stakeholders (customers, board members, employees, shareholders) that their business is secure and meets compliance. As with any successful customer-service provider relationship, the use of properly formed contracts and agreements comes into play. Without these elements in place and in constant use, it is difficult to evaluate how well a company is measuring up. This is where controls and a framework on compliance like SOC 2 plays a critical role.
