Common Criteria 6.7

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.7. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” While we’ve discussed ways that organizations can comply with this requirement, let’s take a look at how an organization’s environment can change the way they approach compliance with common criteria 6.7.

What are Best Practices for Implementing Access Controls for Remote Employees?

Complying with common criteria 6.7 means different things for different organizations depending on their environment. For instance, if your employees work in an office building, then implementing and maintaining procedures for transmitting, moving, and removing data might be easier, because devices and the data on them rarely leave the building and removable media is easier to control. However, because so many organizations are opting to hire remote employees, implementing procedures for transmitting, moving, and removing data can be more difficult, which is why we suggest that organizations implement access controls for remote employees, along with these five best practices:

  1. Use security awareness training
  2. Establish thorough usage policies
  3. Create effective password and encryption policies
  4. Monitor Internet connections
  5. Ensure devices and applications are updated

Hiring remote employees has many benefits, but it also creates additional threats that must be accounted for. When an organization pursues SOC 2 compliance, it’s critical that they mitigate these risks by using access controls for remote employees, in addition to the best practices listed above. Doing so allows organizations to safeguard their business from potential breaches, demonstrates to clients that their data is protected, and provides peace of mind that the procedures for transmitting, moving, and removing sensitive information remotely are in place.

If you’re unsure whether you’ve implemented access controls for remote employees, consider the following scenario. Let’s say that your remote employee leaves a laptop containing sensitive information in their rental car and is unable to recover the device. Do you have a GPS tracker on the device to locate it? Do you have the ability to wipe the device remotely? Are you able to restrict access to the device? Is the disk encrypted, so that the data stays protected even if the device never reconnects to receive a wipe command? It’s far too common for a situation like this to occur, which is why it’s necessary for SOC 2 compliance that organizations implement access controls for remote employees and their mobile devices.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Common criteria 6.7 in the SOC 2 framework is an excellent example of how the criteria change depending on the environment we’re talking about. If we’re talking about a system that’s in a data center where there are production servers or virtual servers and there’s not a lot of removable media or mobile devices in and out of that environment, then common criteria 6.7 wouldn’t cause you to put a lot of controls in place to manage laptops. However, if you’re in an environment where people do work remotely, or they do carry around laptops, smartphones, or tablets, then common criteria 6.7 takes on a whole other meaning, because you have to think about ways to restrict the movement of those devices that may have critical information on them, or at least have the ability to access critical information through the technologies that you have installed on those devices. If you are a company that has a situation like this, you’ll hear your auditor ask more questions about how you control mobile devices. Do you have an inventory of all of the devices that you allow into your environment, so that if something does go missing, you can do a regular audit and check regularly to make sure that everything is accounted for and nothing has been taken out? You’ll hear your auditor ask questions like: Do you have methods to do remote wiping of these remote devices? Do you use GPS tracking so you can figure out where the device went? Do you have those kinds of controls remotely so that you can enforce policies out to those devices that are in the field, so that if you want to restrict access to them, you could? Again, this goes back to assessing risk and understanding what your environment looks like and how common criteria 6.7 would apply to your specific circumstance.

Common Criteria 6.7

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” How does understanding the movement of data influence SOC 2 compliance? What will auditors be evaluating when assessing an organization’s compliance with common criteria 6.7? Let’s discuss.

How Does the Movement of Data Impact SOC 2 Compliance?

Service organizations need to assure their clients that their sensitive information is secure. Understanding the movement of data within the organization is key to making this happen. Why? Because if an organization doesn’t have clearly defined policies and procedures for transmitting, moving, and removing data, how will they be able to convince their customers that they are a secure service provider? Let’s say that an organization’s employees work remotely, and each employee has a company-supplied laptop. What processes are in place to ensure that the data stored on that laptop isn’t copied or removed? What security awareness training is used to educate employees on the correct protocols for transferring data? Or let’s say that a company uses a file-sharing platform. Can those files be accessed outside of the company network? Could they be copied onto a flash drive?

During a SOC 2 audit, an auditor will verify that the organization has processes in place that allow for the secure transmission, movement, and removal of data. Auditors might ask questions such as: Does the organization restrict who and what is able to transmit data outside its system boundary? Does the entity use encryption technologies or secure communication channels to protect data in transit? How does the entity protect mobile devices? To demonstrate compliance, organizations should begin by showing that they do in fact have written policies and procedures, have trained their employees on those policies and procedures, and have then implemented additional security measures, such as data loss prevention technologies, to ensure that the movement of data is secure.
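The data loss prevention technologies mentioned above work, in part, by watching for traffic patterns that indicate data leaving by a route it should not: large transfers to destinations that are not sanctioned, or long-lived encrypted sessions to unknown hosts (the “back channel” an insider might open). The following is an added example, not code from the original page or from any DLP product; the flow-log format, the approved destination 203.0.113.10, the 10.0.0.0/8 internal range, and the 100 MB / 30-minute thresholds are all constructed for illustration.

```python
"""Pattern-based egress screening over outbound flow records.
Added example (not from the original page); the log lines, approved host,
internal range and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow-log lines: timestamp user src dst:port protocol bytes_out duration_seconds
SAMPLE_FLOWS = """\
2024-03-01T09:02:11Z alice 10.0.5.21 203.0.113.10:443 tls 48210 12
2024-03-01T09:05:40Z alice 10.0.5.21 203.0.113.10:443 tls 910334 31
2024-03-01T09:07:02Z bob 10.0.5.33 198.51.100.7:22 ssh 2400 8
2024-03-01T09:10:15Z bob 10.0.5.33 198.51.100.7:22 ssh 1800000000 5400
2024-03-01T09:12:55Z carol 10.0.5.40 192.0.2.77:8443 tls 320000000 3600
2024-03-01T09:13:30Z carol 10.0.5.40 10.0.9.5:445 smb 75000000 60
2024-03-01T09:20:00Z dave 10.0.5.50 203.0.113.10:443 tls 55000 9
"""

APPROVED_EXTERNAL = {"203.0.113.10"}          # the sanctioned file-transfer endpoint (assumed)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]    # traffic that stays inside the boundary is ignored here
ENCRYPTED_PROTOCOLS = {"tls", "ssh"}


@dataclass
class Flow:
    ts: str
    user: str
    src: str
    dst: str
    port: int
    proto: str
    bytes_out: int
    seconds: int


def parse_flows(text):
    """Parse the whitespace-separated constructed format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst_port, proto, nbytes, secs = line.split()
        host, port = dst_port.rsplit(":", 1)
        flows.append(Flow(ts, user, src, host, int(port), proto, int(nbytes), int(secs)))
    return flows


def is_internal(host):
    addr = ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_egress(text, approved=APPROVED_EXTERNAL,
                   bulk_bytes=100_000_000, tunnel_seconds=1800):
    """Flag flows to unapproved external hosts that are either bulk transfers
    or long-lived encrypted sessions (a likely exfiltration tunnel)."""
    findings = []
    for f in parse_flows(text):
        if is_internal(f.dst) or f.dst in approved:
            continue                       # inside the boundary, or a sanctioned route
        reasons = []
        if f.bytes_out >= bulk_bytes:
            reasons.append("bulk transfer to unapproved destination")
        if f.proto in ENCRYPTED_PROTOCOLS and f.seconds >= tunnel_seconds:
            reasons.append("long-lived encrypted session to unapproved destination")
        if reasons:
            findings.append({"user": f.user, "dst": f"{f.dst}:{f.port}", "reasons": reasons})
    return findings


def per_user_external_bytes(text):
    """Total bytes each user sent outside the boundary (approved routes included),
    useful as a baseline for spotting a user whose volume suddenly jumps."""
    totals = {}
    for f in parse_flows(text):
        if not is_internal(f.dst):
            totals[f.user] = totals.get(f.user, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for finding in analyze_egress(SAMPLE_FLOWS):
        print(finding)
    print(per_user_external_bytes(SAMPLE_FLOWS))
```

On the sample data this flags bob’s 1.8 GB, 90-minute SSH session and carol’s 320 MB, hour-long TLS session to hosts outside the approved set, while alice’s transfer to the sanctioned endpoint and carol’s internal SMB copy pass. A real DLP deployment also inspects content and endpoint activity; volume and session-length rules like these are the network-side signal, and the approved-destination list is what turns “encrypted traffic left the building” into “encrypted traffic left by a route we did not authorize.”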

SOC 2 common criteria 6.7 restricts the transmission, movement, and removal of information from your systems by internal or external users. Let’s talk about what that looks like. As an organization, you don’t want people taking data outside of the boundaries you have set up and using it for some nefarious purpose. There was a famous case years ago where an IT person was allowed to take data home to do work, and then when they terminated that particular employee, he successfully defended his right to not return the data because the organization he worked for did not have anything in writing with him that required him to return that data. They allowed him to take it to his house, and that’s where it stayed. Every organization is concerned about information ending up in a place where it shouldn’t be. Let’s talk about transmission. First of all, if you are successfully transmitting data from your environment to an authorized outside environment, you want to do that via some encrypted technology. You would want to make sure that the proper level of encryption was being utilized, and that employees understand that when information is being transferred properly, it is done over encrypted channels. Another way of looking at that is that you wouldn’t want an attacker on the inside to be able to create a back channel or an encrypted tunnel to exfiltrate information out of your environment. So, how do you do that? How can you identify that that is occurring? There are data loss prevention technologies out there that are becoming more popular as a way to recognize abnormal events and try to identify traffic patterns that would indicate that someone is trying to take the data out by a route that they shouldn’t be using. When we talk about the movement of data or the removal of data, that starts getting into how you allow your employees to get to the data in the first place. Can they get to it from a laptop, which is easily carried out of the building? Do you allow people to put data on thumb drives or access Dropbox online? These kinds of things need to be considered and restricted if you’re concerned about someone copying data, moving it, and ultimately removing it from your environment. Putting policies and procedures into place, initially by manual methods via a written policy that you train people on and have them sign a written agreement that they’ve reviewed it and acknowledge that they’re not supposed to use removable media to store data, is the first, obvious place to start. Beyond that, though, you can put enforceable domain policies in place and utilize other technologies that are out there to actually physically restrict people from moving data from that type of device to an unauthorized device. Think about what it is you want to protect and what kind of protections you would want to put on the transmission, movement, and removal of data out of your environment.

Common Criteria 6.6

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.6 says, “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” How can organizations be sure that they’re complying with this criterion? Let’s discuss.

Dealing with External Threats During a SOC 2 Audit

Although human error is often viewed as one of the top risks that organizations must account for, dealing with external threats is just as important. What would be the impact if a disgruntled former employee was able to access sensitive company information because processes to revoke their credentials weren’t in place? Whether an employee quits, is terminated, or a malicious third party tries to access an organization’s network, businesses must have effective processes in place that assist them in dealing with external threats. When an auditor is reviewing an organization’s compliance with common criteria 6.6 during a SOC 2 audit, they’ll look to see if processes such as the following are in place:

  • Restricting access to certain communication channels
  • Protecting identification and authentication credentials when used outside system boundaries
  • Requiring additional authentication information
  • Implementing boundary protection systems

For example, implementing MFA is one proactive way that organizations can go about dealing with external threats. By requiring a second factor in addition to a password, organizations reduce the chance that a stolen, guessed, or phished credential alone lets a malicious outsider into their system. Likewise, internet-facing systems such as firewalls, VPN gateways, and FTP servers are where most unauthorized access attempts show up, so organizations should monitor the logs of those systems to see who is trying to gain access and to confirm that those attempts are not succeeding. Ultimately, when pursuing SOC 2 compliance, it’s critical that organizations can demonstrate that they are dealing with external threats so that they can prove to their auditor and their clients that they provide.
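The “additional authentication information” above is usually a time-based one-time password from an authenticator app, which is the “something you have” factor. The following is an added example, not code from the original page or from any vendor, showing the RFC 6238 TOTP computation (built on RFC 4226 HOTP) and the checks a server must do around it: constant-time comparison, tolerance for one window of clock skew, and a replay guard so an intercepted code cannot be reused. It uses only the Python standard library; the 20-byte key `RFC_TEST_SECRET` is the published RFC test-vector key, not a real secret.

```python
"""TOTP (RFC 6238 / RFC 4226) generation and server-side verification.
Added example, not from the original page; RFC_TEST_SECRET is the RFC test key."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"     # RFC 4226 / 6238 test-vector key, not a real secret


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, int(unix_time) // step, digits)


def new_secret():
    """Per-user random key; 160 bits is the RFC's recommended minimum for SHA-1."""
    return secrets.token_bytes(20)


def enrollment_string(secret):
    """Base32 form that authenticator apps accept when the user enrolls."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side check: constant-time compare, +/- `window` steps of clock skew,
    and a replay guard so a code that was already accepted cannot be reused."""

    def __init__(self, secret, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_counter = -1       # highest counter already consumed by a login

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else int(now)
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue                      # replay: this window was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


def replay_demo(secret=RFC_TEST_SECRET):
    """Walk through accept / replay / wrong code / clock skew with the RFC test key."""
    v = TotpVerifier(secret)
    t = 1111111111
    first = v.verify(totp(secret, t), t)       # genuine code for this window: accepted
    replay = v.verify(totp(secret, t), t)      # same code presented again: rejected
    w = TotpVerifier(secret)
    wrong = w.verify(hotp(secret, 3), 59)      # well-formed code from a window outside tolerance
    skew = w.verify(totp(secret, 59), 59 + 30) # previous window's code, within +/-1 step: accepted
    return first, replay, wrong, skew


if __name__ == "__main__":
    print("enroll with:", enrollment_string(new_secret()))
    print("RFC vector, t=59:", totp(RFC_TEST_SECRET, 59))   # 287082
    print(replay_demo())
```

The replay guard is the part most home-grown implementations miss: a code is valid for the whole 30-second window plus the skew tolerance, so without `last_accepted_counter` an attacker who phishes or shoulder-surfs a code can log in right behind the user. Rate-limiting attempts per account is the other required control, since six digits leaves only a million possibilities.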

SOC 2 common criteria 6.6 talks about protecting your system from threats that are outside of your boundaries. So, rather than implementing password controls that are inside your network, we’re really talking about systems that can be accessed from outside your network. Obviously, the risks are greater and the threats are more extensive, because anyone in the world can access any publicly-facing IP, whereas there’s a more limited attack surface internally. When we look at common criteria 6.6 and external threats, we think about hackers or former employees whose access has been deleted from the system. How do you protect against any type of threat that’s coming from the outside into your system? These might be web servers, firewalls, VPNs to your network, or anything that has a public-facing aspect to it. You want to think about not only requiring credentials but requiring additional methods of authentication. Think about multi-factor authentication, for example. There are three factors: something you know, something you have, and something you are. For instance, something you know (e.g., a password) and something you have (e.g., a code on your smartphone) are two methods of authentication you could require for access coming from outside of your boundaries. You want to make sure that you have the proper monitoring controls and tools in place, because those are the systems that are going to produce the most data as far as unauthorized attempts go. If you have an FTP server or firewall, you’ll clearly see a lot of traffic that needs to be shunned, or at least needs to be monitored, in order to make sure that no one is successfully breaking into your system from the outside.

Common Criteria 6.5

When a service organization pursues SOC 2 compliance, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.5 says, “The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.” Let’s take a look at why disposing of physical devices is important.

Why is Disposing of Physical Devices Important to SOC 2 Compliance?

Common criteria 6.5 goes hand in hand with common criteria 6.1, which is about how to perform an inventory of assets. In order to perform an effective inventory, organizations must dispose of physical devices that are no longer in use or needed to help the entity meet their business objectives. Why? Because in order to properly manage the physical devices that an organization holds, they need to have an accurate inventory of which physical devices are currently in use. For example, let’s say that an organization has upgraded all of its employees’ laptops. What processes are in place to securely get rid of the old laptops? How will data and company information on those devices be wiped? Who will be wiping them? A third party or an IT administrator?

During the SOC 2 compliance journey, an auditor will want to validate that such processes are in place for securely disposing of physical devices and removing any sensitive data from physical devices that are no longer in use. Specifically, auditors will be using the following two points of focus to verify compliance with common criteria 6.5:

  • Does the entity have procedures in place to identify data and software that needs to be disposed of?
  • Does the entity have procedures in place to remove data and software from the physical control of the entity and render that data unreadable?
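The second point of focus asks that data be rendered unreadable, which means the disposal procedure needs a verification step and a record of what was done, not just a wipe. The following is an added example, not code from the original page or from any wiping product: it overwrites a file with fixed patterns and then random bytes, reads back each fixed pass to confirm it landed, and returns the kind of disposal record an auditor asks to see. The temp file and the planted “account number” are constructed for the demonstration. Note the caveat a practitioner would add: file-level overwriting is only meaningful on rotational disks without snapshots, journal copies, or backups; for SSDs and flash, wear levelling leaves old blocks untouched, so use the drive’s secure-erase or crypto-erase command, or physical destruction, as NIST SP 800-88 describes.

```python
"""Multi-pass overwrite with read-back verification and a disposal record.
Added example, not from the original page.  Only reliable on rotational media;
for SSDs/flash use device secure-erase, crypto-erase, or physical destruction."""
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Overwrite passes: all-zeros, all-ones, then cryptographically random bytes.
PASSES = (b"\x00", b"\xff", None)       # None means "random bytes for this pass"


def contains(path, needle, chunk=1 << 20):
    """True if the raw file bytes still contain `needle` (proves presence before / absence after)."""
    carry = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return False
            if needle in carry + data:
                return True
            carry = data[-(len(needle) - 1):] if len(needle) > 1 else b""


def _verify_pattern(path, pattern, chunk=1 << 20):
    """Read the whole file back and confirm every byte equals the fixed pattern."""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return True
            if data != pattern * len(data):
                return False


def overwrite_file(path, passes=PASSES, chunk=1 << 20):
    """Overwrite `path` in place once per pass, fsync each pass, verify the fixed-pattern
    passes by reading back, then unlink.  Returns a disposal record; raises on mismatch."""
    size = os.path.getsize(path)
    for index, pattern in enumerate(passes, start=1):
        with open(path, "r+b") as fh:
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(pattern * n if pattern is not None else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())     # push the write through the page cache to the device
        if pattern is not None and not _verify_pattern(path, pattern, chunk):
            raise RuntimeError(f"pass {index}: read-back did not match pattern {pattern!r}")
    os.remove(path)
    return {
        "path": path,
        "bytes": size,
        "passes": len(passes),
        "verified": True,
        "completed": datetime.now(timezone.utc).isoformat(),
    }


def demo_wipe():
    """Constructed demo: plant a recognisable secret, prove it is present, wipe, prove it is gone."""
    marker = b"ACCOUNT 4111-1111-1111-1111"   # constructed sensitive content, 27 bytes
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write((marker + b"\n") * 4096)     # 28 * 4096 = 114688 bytes
    before = contains(path, marker)
    record = overwrite_file(path)
    record["marker_present_before"] = before
    record["file_exists_after"] = os.path.exists(path)
    return record


if __name__ == "__main__":
    print(demo_wipe())
```

The read-back after each fixed pass is what turns “we ran a wipe tool” into evidence: the record shows the size, the number of passes, that verification succeeded, and when. For whole drives the same shape applies, but the verification should come from the drive’s own sanitize status or from a sample read of the raw device, and the record should carry the asset tag and serial so it ties back to the inventory.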

SOC 2 common criteria 6.5 is really about the physical disposal of assets that you no longer need to keep. Let’s say that you upgraded your equipment, or you have damaged equipment and it’s just sitting around and piling up. Should you just throw it in the recycling bin? Do you take it to the dumpster? Do you take a shotgun and blow it up? What method are you using to dispose of that asset? You have to have a proper method of disposal so that you can be certain that you don’t have to protect that data any longer. You don’t just want to sell it on eBay or give it to an employee to throw away or take home to their kids. You want to be assured that, even if a system is going to be functional when it leaves the building, all of your sensitive data has been wiped off of it. There are tools that you can acquire if you simply want to wipe a hard drive so you can sell it, or give it to someone as a donation or to an employee. There are tools you can use that will apply Department of Defense methods to make sure that it’s a secure wiping method. You might also opt to just make sure that the asset is physically destroyed and would be unreadable that way. There are many third parties that will come to your location with a large shredding device on their truck that will destroy hard drives and other types of computer media. So, keep this in mind before you let something walk out of the door, and make sure that you’re properly disposing of the data you’re protecting.

Common Criteria 6.4

One of the first steps of the SOC 2 audit process is scoping the engagement, which tells auditors what people, processes, and technologies will be included in the assessment. Because auditors will assess an organization’s compliance with the 2017 Trust Services Criteria, organizations need to demonstrate that they comply with common criteria 6.4. Common criteria 6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.” In order to comply with this criterion, organizations need to identify all people, processes, and technologies that impact the internal controls over physical security by taking inventory of physical devices. It’s no longer enough for organizations to only identify physical devices within their office buildings. Instead, they’ll need to look at remote locations, such as home offices or coffee shops, as well as third parties. Let’s discuss why taking inventory of physical devices is so important to SOC 2 compliance.

The Importance of Taking Inventory of Physical Devices

If you don’t know which physical devices your organization possesses, how can you possibly ensure that they aren’t stolen or breached? What would be the impact if your remote employee’s company-provided cell phone was stolen? Could sensitive company information be accessed? While taking inventory of physical devices within an office building is important, organizations must go a step further to identify absolutely all physical devices, together with the software and data they can reach, that could be compromised by a malicious hacker or employee. For example, let’s say that more than half of an organization’s employees work remotely. What physical security controls need to be employed to ensure that the physical devices they hold are protected? Are there processes in place to wipe an employee’s laptop remotely if it is stolen? When pursuing SOC 2 compliance, taking an accurate and realistic inventory of physical devices is critical for ensuring that the engagement is properly scoped and that the internal controls over physical device security are accurately assessed.
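An inventory only answers the auditor’s questions (from this section and from the common criteria 6.7 discussion of remote devices above: is everything accounted for, can it be wiped, is the data on it protected?) if it is reconciled against what is actually in the field. The following is an added example, not code from the original page or from any MDM product, that reconciles an asset register against an MDM enrollment export and flags the gaps a lost-laptop scenario depends on: registered devices that were never enrolled (so they cannot be located, locked, or wiped), enrolled devices nobody registered, devices that have not checked in for weeks (possibly lost), and devices without full-disk encryption. Both CSV extracts, the column names, the serials, and the 14-day staleness threshold are constructed for illustration.

```python
"""Reconcile an asset register with an MDM export to find unmanaged, stale or
unencrypted devices.  Added example, not from the original page; the CSV
extracts, field names and thresholds are constructed for illustration."""
import csv
import io
from datetime import datetime, timezone

# Constructed asset register: what the organization believes it issued.
ASSET_REGISTER_CSV = """\
asset_tag,serial,owner,location,type
LT-1001,C02XK1AAJG5H,alice,home-office,laptop
LT-1002,C02XK2BBJG5H,bob,hq-office,laptop
LT-1003,C02XK3CCJG5H,carol,remote-travel,laptop
PH-2001,F9FX1DDDN72J,dave,home-office,phone
"""

# Constructed MDM export: what the management platform can actually see and control.
MDM_EXPORT_CSV = """\
serial,enrolled,last_checkin,disk_encrypted,remote_wipe_capable
C02XK1AAJG5H,yes,2024-03-01T08:15:00Z,yes,yes
C02XK2BBJG5H,yes,2024-03-01T07:40:00Z,no,yes
C02XK3CCJG5H,yes,2024-01-20T19:05:00Z,yes,yes
C02XK9ZZJG5H,yes,2024-03-01T09:00:00Z,yes,yes
"""

CHECK_TIME = datetime(2024, 3, 1, 20, 0, tzinfo=timezone.utc)   # "now" for the constructed data


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _finding(asset, issue):
    return {"serial": asset["serial"], "asset_tag": asset["asset_tag"],
            "owner": asset["owner"], "issue": issue}


def reconcile(register_csv, mdm_csv, now, stale_days=14):
    """Return one finding per control gap; an empty list means every registered
    device is enrolled, encrypted, wipeable and recently seen, and nothing
    unregistered is enrolled."""
    register = list(csv.DictReader(io.StringIO(register_csv)))
    mdm = {row["serial"]: row for row in csv.DictReader(io.StringIO(mdm_csv))}
    findings, seen = [], set()

    for asset in register:
        serial = asset["serial"]
        seen.add(serial)
        dev = mdm.get(serial)
        if dev is None or dev["enrolled"] != "yes":
            findings.append(_finding(asset, "not enrolled in MDM: cannot be located, locked or wiped remotely"))
            continue
        age_days = (now - _parse_ts(dev["last_checkin"])).days
        if age_days >= stale_days:
            findings.append(_finding(asset, f"no MDM check-in for {age_days} days: confirm the device is still in the owner's possession"))
        if dev["disk_encrypted"] != "yes":
            findings.append(_finding(asset, "full-disk encryption not enabled: data is exposed if the device is lost"))
        if dev["remote_wipe_capable"] != "yes":
            findings.append(_finding(asset, "remote wipe not available: lost-device procedure cannot be executed"))

    for serial in mdm:
        if serial not in seen:
            findings.append({"serial": serial, "asset_tag": None, "owner": None,
                             "issue": "enrolled in MDM but absent from the asset register"})
    return findings


if __name__ == "__main__":
    for f in reconcile(ASSET_REGISTER_CSV, MDM_EXPORT_CSV, CHECK_TIME):
        print(f"{f['asset_tag'] or '-':8} {f['serial']:14} {f['owner'] or '-':6} {f['issue']}")
```

Run against the constructed data, this reports four gaps: bob’s laptop is unencrypted, carol’s travel laptop has not checked in for 41 days, dave’s phone was registered but never enrolled, and one enrolled serial has no owner in the register. Running this on a schedule, and keeping the output, is the “regular audit” of the inventory that the auditor will ask about, and it is also the prerequisite for the lost-laptop procedure: a device that fails the enrollment or encryption check today is one you cannot protect tomorrow.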

It’s very important when you’re assessing your physical environment to take a good inventory of where you have not only electronic data, but physical devices that could potentially store that data or access that data through some remote technology. When I talk about inventory, I’m talking about not only the physical offices where your people operate, but also home offices, third-party locations where you might have employees do some work, backup media facilities, or third parties that pick up media, tapes, drives, etc. You want to include all of these places in your inventory of where you want to ensure that proper physical access controls are located. Too often, clients minimize the impact of where a physical location may or may not be in scope, and they forget about some of the locations where they should still consider physical controls. For example, if you have remote employees – people who work out of their car, coffee shops, or home, or who travel with laptops and other removable media – you would want to think about other physical controls that you would put on those devices, so that you can make sure that they are protected and not stolen out of cars or in transit. When you think about physical security controls and where to implement them, make sure you first do a proper inventory of your locations so that you can then evaluate which controls are necessary.