SOC 2 Academy: How to Perform a Thorough Inventory

by Joseph Kirkpatrick / May 31, 2023

Common Criteria 6.1 When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.1 says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” While we have discussed many points of focus that organizations…

SOC 2 Academy: Additional Points of Focus for Logical Access

by Joseph Kirkpatrick / May 31, 2023

Common Criteria 6.1 While not requirements, points of focus are meant to serve as references to assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. When it comes to implementing logical access controls, there are some additional points of focus that will help organizations ensure that their information security systems remain secure. Let’s take a look at how these additional…

SOC 2 Academy: Protection Through Logical Access

by Joseph Kirkpatrick / May 31, 2023

Common Criteria 6.1 When a service organization undergoes a SOC 2 audit, auditor will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.1 says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” What will an auditor look for when assessing…

PCI Requirement 10.2.4 – Invalid Logical Access Attempts

by Randy Bartels / May 31, 2023

 Is There a Log of That? Invalid logical access attempts are often an indication of a malicious user attempting to access something they don’t have permission to. This is why PCI Requirement 10.2.4 requires that organizations implement automated audit trails to reconstruct invalid logical access attempts. Misspell your password? There should be a log of that. Someone tries to view a file that they don’t have permission to? There…

PCI Requirement 10 – Track and Monitor all Access to Network Resources and Cardholder Data

by Randy Bartels / May 31, 2023

 Importance of Logging and Tracking If data was compromised at your organization, how would you determine the cause? PCI Requirement 10 focuses on a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s even more difficult to…