
SOC 2 Type II Certification the Quick and Easy Way

  • By M H
  • 12 Nov, 2017

Save time and money by carefully navigating the SOC 2 Type II examination.

The following advice is based on real-world experience in preparing for and successfully attaining the SOC 2 Type II Report.


SOC 2 overview

The SOC 2 certification isn’t actually a certification or an examination in the usual sense: SOC 2 is an external audit (the SOC 2 Report) conducted by a Certified Public Accounting (CPA) firm.  There are two types of SOC 2 reports: a Type II report focuses on the suitability of the design and the operating effectiveness of controls; a Type I report focuses only on the suitability of the design of controls (not their effectiveness).  SOC 1 focuses on financial reporting controls (e.g. a financial audit).

Used by global technology companies such as Amazon as well as leading startups, the SOC 2 examination is fast becoming the industry standard for reporting on the effectiveness of information security.  Your goal should be to complete the examination without any exceptions, demonstrating you were qualified the first time without requiring corrections.

SOC 2 examinations are administered by an independent Certified Public Accounting (CPA) firm to verify all findings are objective.  Attaining the SOC 2 Type II certification may require extensive preparation, often including InfoSec program enhancements, readiness assessments or gap analysis, and preparatory mock examination(s) to collect evidence.

Pro Tip: Some organizations may only require a SOC 2 Type I Report.  If a SOC 2 Type II is required, then carefully control the scope (e.g. system boundaries, principles covered, and period covered).  Ex: Amazon Web Services already has a SOC Report, so infrastructure inside its boundary is covered by that report.


1. Getting organized

To get started, you will need to understand the overall architecture for your organization - the people, processes, and technologies that combine to enable your product or services.  Your system should be fully inventoried and well-understood.

Organizations should create and/or update reference documentation.  For example: organizational charts, network diagrams, enterprise architecture, data flow diagrams, application inventories, vendor matrix, etc.  In any event, you’ll want to start with a sketch of your organization, computing centers, databases, and external/vendor IT services.

Sample of key artifacts:

  • Organizational chart
  • System Overview (e.g. “cartoon style” for non-technical personnel)
  • Network Diagram or other technical documentation

Pro Tip: Effective security favors simplicity.  Complexity often generates vulnerabilities and increases attack vectors.  Don’t overlook basics - patching, retiring legacy resources, etc.

2. Understanding your system and system boundaries

After getting organized and understanding your IT system, you should next pay special attention to the boundaries of your business and technology.  Organizations often have a mix of organic IT assets (e.g. network domain controllers), vendor assets (e.g. on-premise managed services) and cloud services (e.g. SaaS services).  While your organization may be responsible for all data protection, third parties are relied upon for parts of it.  Identify your system boundaries using both IT boundaries and legal contracts, and understand which responsibilities remain yours.

Key Artifacts:

  • System Overview with boundaries clearly identified (Ex: business, legal, technical)

Pro Tip: Now might be a good time to conduct a Risk Assessment of your organization, for two reasons.  First, the effort will help build situational awareness of your IT environment and your extended ecosystem of vendors and outsourced IT services (e.g. network circuits, identity & access management system, etc.).  Second, the Risk Assessment will document your current state - allowing you to demonstrate improvements after completion of the SOC 2 Report.

3. Determining SOC 2 scope - selecting principles covered and the period covered

To attain the SOC 2 Type II certification the quick and easy way, you need to narrow the scope (where it makes sense) in order to minimize the amount of preparation, the examination scope, and the likelihood of deficiencies that could demonstrate the ineffectiveness of security services or related controls.

Consider the principles within the context of your business.  For example, if you’re a software-as-a-service company, then customers are likely to want to see a SOC 2 Type II report that addresses the Security and Availability of your company’s services.  If the SOC 2 is required, then the security of data/systems and the availability of cloud services is likely to be of paramount importance.  So you’ll want to start with the Security Principle (at least) and you can add all or some Availability-related controls.


The scope of the SOC 2 Report is under your control, so carefully consider the business context (e.g. vendor-customer relationship), strategic imperatives (e.g. budget, timelines) and make a determination regarding which of the five principles is critically important to you.

Based on your scope, the auditor, as a member of the American Institute of Certified Public Accountants (AICPA), will apply some or all of the following Trust Services Criteria (TSC):

  1. Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

  2. Availability. Information and systems are available for operation and use to meet the entity’s objectives.

  3. Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

  4. Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.

  5. Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

The above Trust Services Criteria do overlap.  Your InfoSec Program may address all of the principles listed above, while the SOC 2 Report may address all or only some of them.

As part of the SOC 2 report, your management will be required to provide the auditor with a written assertion.  This "written assertion" requires management to attest that the "system description” fairly presents the service organization's system, that the controls were suitably designed to achieve the stated control objectives, and other standard language (e.g. that the controls were consistently applied, address the risk factors, etc.).

The period coverage (examination period) is another way to limit scope.  The period is often 12 months (annually) but it can be as short as 3 or 6 months, especially for your initial report.

One important caveat: If you’re running mission-critical services that cannot afford any downtime, then potential customers are likely to require the Availability criteria.  Or if you’re a payment processor, then potential customers are likely to require the Processing Integrity criteria.  Reduce scope to a minimum, but not too much - rendering the report useless.

Pro Tip: For your first SOC 2 Type II report, we suggest limiting the scope as much as possible.  Perhaps focus on the Security Criteria and a period of 6 months, not 12 months.  Using this approach, you’ll have 3 months of preparation, 6 months of coverage, and then the final Report will arrive 30-60 days thereafter, so you’ll finish within one year.


4. Selecting an audit firm based on firm credibility, budget, talent, scheduling

Your company may have preferred vendors in place for the audit; however, you will likely want to consider the following factors in selecting the CPA firm:

  • Brand Prestige: Do you require a national, regional, or local CPA firm?

  • Industry Qualifications: Is the firm familiar with your industry and related systems/data?

  • Talent Resources: Bios of the members assigned to the project (experienced professionals)

  • SOC Expertise: Experience authoring SOC 2 Type I and Type II reports

There is some risk the audit may become disruptive to your technology or operations teams, so be sure to ask if the audit team will be on-site, and if so, how often and how long.  Some auditors are willing to author the report without any on-site visits, which can save time and prevent disruptions or scheduling conflicts among InfoSec, Tech, Ops and/or Compliance.


5. Selecting a SOC 2 readiness firm - business perspective and InfoSec expertise

CPA firms are not able to audit their own work because it presents a conflict of interest.  Therefore an InfoSec advisory firm (such as CAG) is likely to handle the “readiness” or setup work, and a CPA firm will perform the actual audit and issue the formal SOC 2 Report.

Engaging a firm such as Cyber Advisory Group (CAG) to guide you through the readiness phase will help ensure the actual audit goes smoothly and will save time and money, since the control selection will be precise and the SOC 2 Report will be on time and without exceptions.

InfoSec expertise is critical in selecting a readiness firm.  The firm must understand the many stakeholders in InfoSec - CEO goals, budget constraints, compliance necessities, engineering work styles, and overall risk-based approaches to security (e.g. cost-benefit analysis).

Pro Tip: CAG works with the big four CPA firms as well as regional and local CPA firms.  CAG often recommends a regional firm since they offer the benefits of both expertise and flexibility.

6. Understand Your Assets that Require Protecting

Imagine that you’re architecting a bank.  What security is required - an alarm system, video camera, man-trap doors, security guard, safe or vault?  Difficult to say without understanding the types and amount of valuables that will be stored there, public access to the space, and the neighborhood.  Are you designing Fort Knox or a Community Bank?

With the above in mind, you should list and attempt to quantify your assets or value-drivers:

  • Customers Records (e.g. 200,000 accounts) x $400 Lifetime Value

  • Credit Card Numbers (e.g. 100,000 account numbers) x $7 per data breach notification

  • Revenue Generating Accounts (e.g. 200,000 accounts) x $20/monthly subscription

While not perfect, the above is a simple illustration of how to quantify your assets in order to effectively safeguard them and calibrate your InfoSec investments year over year.

7. Understand the threat Environment and essential countermeasures

Each industry is different - e-commerce, banking, manufacturing, etc.  Each has a unique set of threats.  For orientation, join the federal Information Sharing and Analysis Center (ISAC) related to your industry or specialty area.  ISACs work with federal organizations (e.g. homeland, defense, intelligence) to publish threat intelligence to enable collective defenses unique to your industry. Benefit from the work of US intelligence and industry peers.

Get started by listing threat types (e.g. external hackers, insiders, hacktivists, etc.) and then write scenarios describing the techniques used.  You may want to classify adversaries based on the threat actor’s skill/sophistication level, motivation type, and/or resource levels.  For example, a Ukraine-based credit card hacking syndicate could be categorized as highly sophisticated, profit-driven, highly motivated and exceptionally well-resourced.  In contrast, environmental hacktivists may be highly motivated, but lack technical sophistication and resources.  Your threat picture drives your defenses.  Although SOC 2 is largely an exercise in compliance, don’t overlook the potential practical benefits of attaining your SOC 2 Report.


8. Select your security controls after building up your situational awareness

Security controls enable compliance through policy enforcement and help to mitigate risks ranging from internal insiders (e.g. disgruntled employees) to external hacking groups.

Control selection is largely a subjective exercise based on your knowledge and experience.  That said, a myriad of security control frameworks exist related to compliance, service delivery, and cybersecurity.  Organizational controls (e.g. ISO 27001) often include HR areas (e.g. employee background checks, on-boarding/exit checklists, performance reviews, etc.) and audit-related controls (e.g. monitoring, audits, record keeping, etc.).

Technical controls often originate from governmental or industry groups.  For example, the federal government publishes the most sophisticated security control framework as part of NIST (i.e. NIST SP 800-53) and a variety of related publications (e.g. system classification, risk management, etc.).  Entities such as banks may be regulated by the OCC or FDIC and examined using the FFIEC standard or the newer FFIEC Cybersecurity Assessment Tool (CAT).

Pro Tip: Consider mapping your controls to NIST, since it remains the most comprehensive and up-to-date security control framework and most other security controls map back to NIST; that way you may be able to quickly perform a gap analysis or meet new standards (e.g. HIPAA, PCI, etc.).

As a practical matter, you should select security controls to address critical areas:

  1. System Description
  2. Cyber Risk Management
  3. Employee Handbook
  4. Information Security Policy
  5. Organizational Structure
  6. Security Control Matrix
  7. Access Control
  8. Security Awareness and Training
  9. Audit and Accountability
  10. Security Assessment and Authorization
  11. Configuration Management
  12. Contingency Planning
  13. Identification and Authentication
  14. Incident Response
  15. Physical and Environmental Protection
  16. Security Planning
  17. Personnel Security
  18. Risk Assessment
  19. Vendor Management
  20. System and Communications Protection
  21. System and Information Integrity

You should also be aware the SANS organization has identified Critical Security Controls, which may be helpful to review.  NY State has published InfoSec Policies and cybersecurity requirements for financial services companies and related minimum standards.  Don’t reinvent the wheel; rather, identify a solid InfoSec model/standard and adopt and tailor it to your needs.

Pro Tip: Be careful not to overlook personnel security, physical security, and vendor management areas.  Adversaries will target people, facilities, or critical vendors if they are comparatively weak and your technical security controls are exceptionally strong.  Aim to maintain a well-balanced security portfolio in order to effectively deter, detect and respond to adversaries.


9. Develop your InfoSec Policy and nested policies using simple, declarative statements

a. Development of policies

Too often, organizations become too prescriptive and detailed in their InfoSec Policies.  Instead, base each policy upon the security controls it supports.  Collectively, the policies are summarized in the organization’s written information security policy.  Consider declarative statements of what must happen, should happen, could happen, and/or won’t happen.  Avoid adding too much detail; otherwise deviations from the policy may result in audit deficiencies.


b. Development of procedures

Next, work on the policy’s related procedures.  Oftentimes, various elements within the organization will put “meat on the bone” by writing the procedures to achieve the policy objective.  During this phase, engage stakeholders such as Engineering, Compliance, Legal, Vendor Management, etc.  Procedures and standards (steps) should evolve naturally.  Remain flexible - draft Policies and Procedures in a Google Doc to allow for collaborative comments.

c. Achieving consensus - Forming an Executive Risk Team or InfoSec Working Group

The process of control selection and policy/procedure development may surface differences of opinion, which is normal within an organization.  Try to understand and appreciate the issue from the other person’s perspective and related pressures (e.g. budget, deadlines, staff cycles, etc.).  Form an Executive Risk Team or InfoSec Working Group to work through any issues.


d. Execute your implementation actions to enforce your policies and procedures

To maintain compliance, you may require changes to your existing processes/job roles or adoption of new technical tools.  Try to automate what you can since humans are prone to procrastination, taking vacations, shifting priorities, etc.  Aim for foolproof processes to avoid falling out of compliance.  If processes are too burdensome, then people will avoid them.


e. Develop a culture supportive of customer data protection and risk management

In the end, security is everyone’s problem, since any given employee can introduce new vulnerabilities to the organization and place customer records at risk.  Information security efforts will only be effective if all of leadership understands the consequences of practices dangerous to security or of circumventing security controls in favor of convenience.  So it’s important to achieve buy-in among leadership and embrace a “train the trainer” approach so every employee understands that performance includes safeguarding corporate data.

10. Communicating progress towards SOC 2 (e.g. scope, budget, schedule, quality)

The SOC 2 Type II examination is similar to any other project.  The project has a start, middle, and end.  Be sure to communicate your progress and risks with mitigation options.  Based on the size of your organization and culture, you may want to prepare the following management tools: Charter/Objectives, Stakeholder Matrix, Schedule or Timeline, Task List (Work Breakdown Structure), Communication Plan, Decision Rights Matrix (if needed), and Reporting Format (progress, blockers, risks, etc.). Communication is critical to the success of any project.

11. Conducting a Pre-Audit Rehearsal

You’ve already assessed your organization, described your system, selected controls, authored policies and procedures, implemented your changes, and now it’s time to prepare for the audit - both interim testing and then final testing to measure the operating effectiveness of your security controls.  The examination requires formal (written) and evidentiary support (documented artifacts) demonstrating your procedures.  Evidence may come in the form of system reports/records, screenshots, issue logs, meeting notes, config files, and/or interviews.

During the rehearsal, you’re likely to review the anticipated controls and gather the evidence to be presented to the auditor - an exercise which helps streamline the engagement and make it more cost-effective.  You want to avoid a lot of back-and-forth with the auditor, which could generate deficiencies/exceptions or prove very distracting.  Throughout the readiness engagement, CAG communicates with the selected CPA firm to ensure the prepared documentation meets the CPA’s internal standard, which often varies from firm to firm.


12. The Final SOC 2 Type II Report

The final SOC 2 Type II report will include your management’s attestation letter, system description, auditor’s review of security controls and operating effectiveness and exceptions (if any).  In authoring your system description, you’ll want to describe your system’s resources and services in sufficient detail, so your potential customers and/or partners find comfort and appreciate the audit of these system components.  You’ve worked hard - take credit for it.

The issuance of the formal report should be uneventful if proper preparation and readiness efforts were made. Nobody should be surprised at any point in the process.

SOC 2 can be a great opportunity to baseline or improve your InfoSec program.  Capture your notes somewhere - they may help to move beyond compliance and inform your InfoSec Roadmap and edit/enhance your InfoSec Policies and Procedures during the following year.

Every journey starts with the first step - request a meeting below and we’ll be in touch.  CAG will do everything possible to achieve SOC 2 compliance the quick and easy way.   Contact our team to learn more.
