SOC 2 Academy: Incident Response Teams

by Joseph Kirkpatrick / December 16, 2022

Common Criteria 7.4 When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.4 says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” Let’s take a look at what organizations need to do to…

Key Takeaways from the SEC’s Cybersecurity Guidance

by Sarah Harvey / December 16, 2022

In February 2018, the US Securities and Exchange Commission (SEC) affirmed something we know to be true: as organizations rely more and more on technology, the frequency and complexity of cybersecurity threats continue to increase. The SEC issued interpretive cybersecurity guidance, which builds upon the Division of Corporation Finance’s guidance from 2011, for public companies to follow when dealing with cybersecurity incidents and risks. This cybersecurity guidance communicates several major…

Penetration Testing in Support of HIPAA Compliance

by Sarah Harvey / December 16, 2022

According to the Department of Health and Human Services Office for Civil Rights’ “wall of shame,” data breaches and security incidents have impacted more than 450,000 individuals so far this year. With no solution or end to the pervasive threat landscape in sight, this begs the question: what more could the healthcare industry do to protect their patients’ PHI, provide quality healthcare services, and ensure that their security posture remains…

SOC 2 Academy: Incident Response Best Practices

by Joseph Kirkpatrick / December 16, 2022

Common Criteria 7.3 When an organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.3 says, “The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or…

SOC 2 Academy: Performing Daily Log Reviews

by Joseph Kirkpatrick / February 17, 2023

Common Criteria 7.2 Common criteria 7.2 of the 2017 Trust Services Criteria says, “The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.” When an auditor verifies an organization’s compliance with this criterion during a SOC 2 audit, they’ll…