SOC 2 Academy: Change Control Processes

by Joseph Kirkpatrick / February 22nd, 2019

Common Criteria 6.8

While understanding how to prevent and detect unauthorized software from being installed on your network is important, organizations pursuing SOC 2 compliance should also implement change control processes to mitigate any further risks of unauthorized software being installed. When an organization engages in a SOC 2 audit, an auditor will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.8 says, “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.” Let’s take a look at how implementing change control processes can help organizations comply with this criterion.

Using Change Control Processes

One of the points of focus for common criteria 6.8 says, “A management-defined change control process is used for the implementation of software.” What is a change control process? Why should it be used? A change control process is an approach to managing all changes made to a system. Change control processes should be used to ensure that all changes that are made are necessary, approved, documented, and effectively implemented. By doing so, organizations are able to mitigate the risk of unauthorized software being installed on their systems.

Change Control Processes and Remote Employees

Organizations should also make implementing change control processes for remote employees a priority. For example, if an organization provides company-supplied devices, then implementing change control processes for remote employees would be necessary. If a device is returned after an employee resigns or is terminated, organizations need to have processes in place to determine whether or not everything that’s supposed to be installed on the device is there before giving that asset to another employee. The threat that a malicious or disgruntled employee installed unauthorized software on a laptop or other mobile device is very real, so using change control processes for remote employees could prevent any unauthorized software from being installed and help ensure that the organization’s security posture remains strong.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

A second issue that is important for common criteria 6.8 is having a good change control process in place. You would want to have a record of software being installed. What’s your baseline configuration? What are the additional things that have been approved or changed to be installed on to a particular device? Having knowledge about that and having a formal process so that if an employee wants to install something that wasn’t previously approved, the request can be made, documented, and approved before that change occurs. That type of paper trail is important because especially after a data breach or some other type of security incident, when you’re going back through some type of forensics effort and you’re trying to understand when, how, and why something happened, you’ll identify in your change control process when certain things were approved or denied in terms of software being installed on these systems. You’ll also want to have a process of bringing in a system that’s been out of your control. Let’s say that a remote employee has been terminated, and they send the equipment back to you. Prior to just turning that equipment to another employee or connecting that equipment to your corporate environment, you’d want to have a process to stop and perform an evaluation to understand if everything installed on the system is what you’d expect, if anything new has been introduced, or if there’s any type of threat that would keep you from wanting to put it on your network. Identifying these changes and making sure that you stop and verify that these unauthorized changes haven’t occurred are very important issues for common criteria 6.8.