Common Criteria 6.7

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” How does understanding the movement of data influence SOC 2 compliance? What will auditors be evaluating when assessing an organization’s compliance with common criteria 6.7? Let’s discuss.

How Does the Movement of Data Impact SOC 2 Compliance?

Service organizations need to assure their clients that their sensitive information is secure. Understanding the movement of data within the organization is key to making this happen. Why? Because if an organization doesn’t have clearly defined policies and procedures for transmitting, moving, and removing data, how will they be able to convince their customers that they are a secure service provider? Let’s say that an organization’s employees work remotely, and each employee has a company-supplied laptop. What processes are in place to ensure that the data stored on that laptop isn’t copied or removed? What security awareness training is used to educate employees on the correct protocols for transferring data? Or let’s say that a company uses a file-sharing platform. Can those files be accessed outside of the company network? Could they be copied onto a flash drive?

During a SOC 2 audit, an auditor will verify that the organization has processes in place that allow for the secure transmission, movement, and removal of data. Auditors might ask questions such as: Does the organization restrict who is able to transmit data? Does the entity use encryption technologies or secure communication channels to protect data? How does the entity protect mobile devices? To demonstrate compliance, organizations should begin by showing that they do in fact have written policies and procedures, have trained their employees on those policies and procedures, and have then implemented additional security measures, such as data loss prevention technologies, to ensure that the movement of data is secure.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

SOC 2 common criteria 6.7 restricts the transmission, movement, and removal of information from your systems by internal or external users. Let’s talk about what that looks like. As an organization, you don’t want people taking data outside of the boundaries you have set up and using it for some nefarious purpose. There was a famous case years ago where an IT person was allowed to take data home to do work, and when the organization terminated that particular employee, he successfully defended his right not to return the data, because the organization he worked for did not have anything in writing with him that required him to return it. They allowed him to take it to his house, and that’s where it stayed. Every organization is concerned about information ending up in a place where it shouldn’t be.

Let’s talk about transmission. First of all, if you are transmitting data from your environment to an authorized outside environment, you want to do that via some encrypted technology. You would want to make sure that the proper level of encryption is being utilized, and that employees understand that when information is transferred properly, it is done over encrypted channels. Another way of looking at that is that you wouldn’t want an attacker on the inside to be able to create a back channel or an encrypted tunnel to exfiltrate information out of your environment. So, how do you do that? How can you identify that that is occurring? There are data loss prevention technologies out there, and they are becoming more popular as a way to recognize abnormal events and identify traffic patterns that would indicate that someone is trying to take data out by a route they shouldn’t be using.

When we talk about the movement of data or the removal of data, that starts getting into how you allow your employees to get to the data in the first place. Can they get to it from a laptop, which is easily carried out of the building? Do you allow people to put data on thumb drives or access Dropbox online? These kinds of things need to be considered and restricted if you’re concerned about someone copying data, moving it, and ultimately removing it from your environment. Putting policies and procedures into place, initially by manual methods via a written policy that you train people on and have them sign an acknowledgement that they’ve reviewed it and understand that they’re not supposed to use removable media to store data, is the first, obvious place to start. Beyond that, though, you can put enforceable domain policies in place and utilize other technologies that are out there to actually physically restrict people from moving data from that type of device to an unauthorized device. Think about what it is you want to protect and what kind of protections you would want to put on the transmission, movement, and removal of data out of your environment.

Common Criteria 6.6

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.6 says, “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” How can organizations be sure that they’re complying with this criterion? Let’s discuss.

Dealing with External Threats During a SOC 2 Audit

Although human error is often viewed as one of the top risks that organizations must account for, dealing with external threats is just as important. What would be the impact if a disgruntled former employee was able to access sensitive company information because processes to revoke their credentials weren’t in place? Whether an employee quits, is terminated, or a malicious third party tries to access an organization’s network, businesses must have effective processes in place that assist them in dealing with external threats. When an auditor is reviewing an organization’s compliance with common criteria 6.6 during a SOC 2 audit, they’ll look to see if processes such as the following are in place:

  • Restricting access to certain communication channels
  • Protecting identification and authentication credentials when used outside system boundaries
  • Requiring additional authentication information
  • Implementing boundary protection systems

For example, implementing MFA is one proactive way that organizations can go about dealing with external threats. By requiring additional authentication information, organizations are more likely to mitigate the risk of a malicious outsider gaining access to their system. Likewise, organizations might also opt to utilize FTP servers or firewalls so they can monitor who is trying to gain access to their system and make sure that they are not successful in doing so. Ultimately, when pursuing SOC 2 compliance, it’s critical that organizations can demonstrate that they are dealing with external threats so that they can prove to their auditor and their clients that they provide.

SOC 2 common criteria 6.6 talks about protecting your system from threats that are outside of your boundaries. So, rather than password controls that are inside your network, we’re really talking about systems that can be accessed from outside your network. Obviously, the risks are greater and the threats are more extensive, because anyone in the world can access any publicly-facing IP, whereas there is a more limited attack surface internally. When we look at common criteria 6.6 and external threats, we think about hackers or former employees whose access has been deleted from the system. How do you protect against any type of threat that’s coming into your system from the outside? These might be web servers, firewalls, VPNs to your network, or anything that has a public-facing aspect to it.

You want to think about not only requiring credentials but requiring additional methods of authentication. Think about multi-factor authentication, for example. There are three factors: something you know, something you have, and something you are. For instance, something you know (e.g., a password) and something you have (e.g., a code on your smartphone) are two methods of authentication you could require for access coming from outside of your boundaries. You want to make sure that you have the proper monitoring controls and tools in place, because those are the systems that are going to produce the most data as far as unauthorized attempts go. If you have an FTP server or firewall, you’ll clearly see a lot of traffic that needs to be shunned, or at least needs to be monitored, in order to make sure that no one is successfully breaking into your system from the outside.

Common Criteria 6.5

When a service organization pursues SOC 2 compliance, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.5 says, “The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.” Let’s take a look at why disposing of physical devices is important.

Why is Disposing of Physical Devices Important to SOC 2 Compliance?

Common criteria 6.5 goes hand in hand with common criteria 6.1, which is about how to perform an inventory of assets. In order to perform an effective inventory, organizations must dispose of physical devices that are no longer in use or needed to help the entity meet their business objectives. Why? Because in order to properly manage the physical devices that an organization holds, they need to have an accurate inventory of which physical devices are currently in use. For example, let’s say that an organization has upgraded all of its employees’ laptops. What processes are in place to securely get rid of the old laptops? How will data and company information on those devices be wiped? Who will be wiping them? A third party or an IT administrator?

During the SOC 2 compliance journey, an auditor will want to validate that such processes are in place for securely disposing of physical devices and removing any sensitive data from physical devices that are no longer in use. Specifically, auditors will be using the following two points of focus to verify compliance with common criteria 6.5:

  • Does the entity have procedures in place to identify data and software that needs to be disposed of?
  • Does the entity have procedures in place to remove data and software from the physical control of the entity and render that data unreadable?

SOC 2 common criteria 6.5 is really about the physical disposal of assets that you no longer need to keep. Let’s say that you upgraded your equipment, or you have damaged equipment that’s just sitting around and piling up. Should you just throw it in the recycling bin? Do you take it to the dumpster? Do you take a shotgun and blow it up? What method are you using to dispose of that asset? You have to have a proper method of disposal so that you can be certain that you don’t have to protect that data any longer. You don’t just want to sell it on eBay or give it to an employee to throw away or take home to their kids. You want to be assured that, even if a system is going to be functional when it leaves the building, all of your sensitive data has been wiped off of it. There are tools that you can acquire if you simply want to wipe a hard drive so that you can sell it, donate it, or give it to an employee. There are tools you can use that will apply Department of Defense methods to make sure that it’s a secure wiping method. You might also opt to make sure that the asset is physically destroyed and would be unreadable that way. There are many third parties that will come to your location with a large shredding device on their truck that will destroy hard drives and other types of computer media. So, keep this in mind before you let something walk out of the door, and make sure that you’re properly disposing of the data you’re protecting.

Common Criteria 6.4

One of the first steps of the SOC 2 audit process is scoping the engagement, which tells auditors what people, processes, and technologies will be included in the assessment. Because auditors will assess an organization’s compliance with the 2017 Trust Services Criteria, organizations need to demonstrate that they comply with common criteria 6.4. Common criteria 6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.” In order to comply with this criterion, organizations need to identify all people, processes, and technologies that impact the internal controls over physical security by taking inventory of physical devices. It’s no longer enough for organizations to only identify physical devices within their office buildings. Instead, they’ll need to look at remote locations, such as home offices or coffee shops, as well as third parties. Let’s discuss why taking inventory of physical devices is so important to SOC 2 compliance.

The Importance of Taking Inventory of Physical Devices

If you don’t know which physical devices your organization possesses, how can you possibly ensure that they aren’t stolen or breached? What would be the impact if your remote employee’s company-provided cell phone was stolen? Could sensitive company information be accessed? While taking inventory of physical devices within an office building is important, organizations must go a step further to identify absolutely all physical devices, including both hardware and software, that could be compromised by a malicious hacker or employee. For example, let’s say that more than half of an organization’s employees work remotely. What physical security controls need to be employed to ensure that the physical devices they hold are protected? Are there processes in place to wipe an employee’s laptop remotely if it is stolen? When pursuing SOC 2 compliance, taking an accurate and realistic inventory of physical devices is critical for ensuring that the engagement is properly scoped and that the internal controls over physical device security are accurately assessed.

It’s very important when you’re assessing your physical environment to take a good inventory of where you have not only electronic data, but physical devices that could potentially store that data or access that data through some remote technology. When I talk about inventory, I’m talking about not only the physical offices where your people operate, but also home offices, third-party locations where you might have employees do some work, backup media facilities, or third parties that pick up media, tapes, drives, etc. You want to include all of these places in your inventory of where you want to ensure that proper physical access controls are located. Too often, clients minimize the impact of where a physical location may or may not be in scope, and they forget about some of the locations where they should still consider physical controls. For example, if you have remote employees – people that work out of their car, coffee shops, or home, or who travel with laptops and other removable media – you would want to think about other physical controls that you would put on those devices, so that you can make sure that they are protected and not stolen out of cars or in transit. When you think about physical security controls and where to implement them, make sure you first do a proper inventory of your locations so that you can then evaluate which controls are necessary.

Common Criteria 6.4

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.4. Common criteria 6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.” How can organizations comply with this requirement? What kind of physical security controls should organizations implement?

Implementing Physical Security Controls

While malicious hackers often attack digitally, organizations must account for the risk that their physical environments could be compromised too. This means that implementing physical security controls in facilities or other locations that hold sensitive information needs to be a top priority for organizations. For example, if an organization distributes access cards to all employees, how are those access cards managed? Can you clearly identify who the access card belongs to? Is there a process in place for validating that the person using the card is the same person it belongs to? What processes are in place to revoke a card if an employee is terminated or quits? Social engineering is a serious threat to many organizations, but it’s often a thought that gets put on the back burner. If you’re pursuing SOC 2 compliance, consider implementing these physical security controls:

  • Locks, fences, or gates
  • Surveillance cameras
  • Access cards
  • Biometric access controls
  • Security guards

Physical Security and SOC 2 Compliance

We often have clients ask us if an onsite visit is necessary when undergoing an audit, and it absolutely is. Why? Because it’s essential for assessing an organization’s compliance with common criteria 6.4. How would an auditor be able to verify that your physical security controls are in place and working effectively without physically testing them? During a SOC 2 audit, an auditor will need to physically validate that the physical security controls that you say are in place are actually working as intended.

Common criteria 6.4 in the 2017 SOC 2 Trust Services Criteria deals with physical security. Let’s say that you have an access control card system. One of the things that we recommend is that you do your own internal audit of the cards that you have issued versus the cards that are active in the system. You need to make sure that any lost cards get deactivated and that you, in a very timely manner, remove employees or vendors who have been issued cards and are no longer employed by the organization. This is so there aren’t unauthorized people still in the system and the system is current.

You also want to think about where all of the areas are where you need to have physical security controls. Too often, people think that just because they work in a corporate office, they shouldn’t care about physical security controls. However, the corporate office still has all the critical people who use their systems to log in to things such as production networks at a data center or resources in the cloud. You still wouldn’t want your physical security, even in an administrative area, to be compromised, because someone might access a laptop, steal a piece of media, or gain access to paper records that are lying around. We have that happen a lot, where clients say, “There’s nothing here that we’re trying to protect. Everything we have is in the cloud.” Yet, when you do a little bit of digging, we find that there are some hard copy materials, removable media, and clearly, systems that can be used to access the information in the cloud. You need to think about physical security controls, where they should be applied, and make sure that you find the best way to implement locks, card readers, and any other type of physical control that’s appropriate for your situation.
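The badge audit recommended above (the cards you have issued versus the cards that are active in the system, and card holders versus who still works for you) is a reconciliation that can be scripted and run on a schedule rather than done by hand. The following is an added example; it is not code from the original page or from any access control vendor. The record shapes, the status values "issued", "lost" and "returned", the roster fields, and the sample data are all constructed for illustration; a real run would feed the same three lists from the badge register, the access control system's export, and HR or vendor management.

```python
"""Access-card reconciliation: find active cards that should not be active.

Constructed example. The three inputs an organization would pull are:
  - the set of card ids the access control system currently admits,
  - the badge register (who each card was issued to and its status),
  - the personnel roster (employees and vendors, with separation dates).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class IssuedCard:
    card_id: str
    holder: str
    status: str                       # "issued", "lost" or "returned" (constructed states)


@dataclass(frozen=True)
class Person:
    name: str
    active: bool                      # still employed or under contract
    separation: Optional[date] = None # date access should have ended, if known


def reconcile(active_in_system: Set[str], issued: Iterable[IssuedCard],
              roster: Iterable[Person], as_of: date) -> Dict[str, object]:
    """Walk every card the system admits and classify the ones that should not be admitted."""
    by_card = {c.card_id: c for c in issued}
    by_name = {p.name: p for p in roster}

    findings: Dict[str, object] = {
        "no_issuance_record": set(),   # system admits it, badge register never issued it
        "lost_but_active": set(),      # reported lost, never deactivated
        "returned_but_active": set(),  # handed back, never deactivated
        "holder_not_on_roster": set(), # holder unknown to HR / vendor management
        "separated_holder": {},        # card_id -> days still active after separation
    }
    for card_id in sorted(active_in_system):
        card = by_card.get(card_id)
        if card is None:
            findings["no_issuance_record"].add(card_id)
            continue
        if card.status == "lost":
            findings["lost_but_active"].add(card_id)
        elif card.status == "returned":
            findings["returned_but_active"].add(card_id)
        # Even a card with a clean status is a finding if its holder is gone.
        person = by_name.get(card.holder)
        if person is None:
            findings["holder_not_on_roster"].add(card_id)
        elif not person.active:
            lag = (as_of - person.separation).days if person.separation else None
            findings["separated_holder"][card_id] = lag
    return findings


# Constructed sample data: six cards the system admits, five register entries, five people.
SAMPLE_ACTIVE = {"C-1001", "C-1002", "C-1003", "C-1004", "C-1005", "C-1006"}
SAMPLE_ISSUED = [
    IssuedCard("C-1001", "Alice Ng", "issued"),
    IssuedCard("C-1002", "Bob Ortiz", "lost"),      # lost, still admits
    IssuedCard("C-1003", "Carol Diaz", "issued"),   # holder separated two weeks ago
    IssuedCard("C-1004", "Dan Ho", "returned"),     # returned, still admits
    IssuedCard("C-1005", "Eve Park", "issued"),     # holder never added to roster
    IssuedCard("C-1007", "Frank Li", "issued"),     # issued but inactive: not a finding
]
SAMPLE_ROSTER = [
    Person("Alice Ng", True),
    Person("Bob Ortiz", True),
    Person("Carol Diaz", False, separation=date(2024, 3, 1)),
    Person("Dan Ho", True),
    Person("Frank Li", True),
]


def audit_sample() -> Dict[str, object]:
    """Run the reconciliation over the constructed data as of 2024-03-15."""
    return reconcile(SAMPLE_ACTIVE, SAMPLE_ISSUED, SAMPLE_ROSTER, as_of=date(2024, 3, 15))


if __name__ == "__main__":
    for category, cards in audit_sample().items():
        print(f"{category}: {cards or 'none'}")
```

The "separated_holder" lag is the number the auditor will ask about: it is the evidence that deactivation happened "in a very timely manner" (or did not). Cards that are issued but not active in the system are deliberately not flagged, since an unused card is a register-hygiene question rather than an unauthorized access path.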