SOC 2 Academy: Dealing with External Threats
Common Criteria 6.6
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.6 says, “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” How can organizations be sure that they’re complying with this criterion? Let’s discuss.
Dealing with External Threats During a SOC 2 Audit
Although human error is often viewed as one of the top risks that organizations must account for, dealing with external threats is just as important. What would be the impact if a disgruntled former employee was able to access sensitive company information because processes to revoke their credentials weren’t in place? Whether an employee quits, is terminated, or a malicious third party tries to access an organization’s network, businesses must have effective processes in place that assist them in dealing with external threats. When an auditor is reviewing an organization’s compliance with common criteria 6.6 during a SOC 2 audit, they’ll look to see if processes such as the following are in place:
- Restricting access to certain communication channels
- Protecting identification and authentication credentials when used outside system boundaries
- Requiring additional authentication information
- Implementing boundary protection systems
For example, implementing MFA is one proactive way that organizations can go about dealing with external threats. By requiring additional authentication information, organizations are more likely to mitigate the risk of a malicious outsider gaining access to their system. Likewise, organizations might also opt to utilize FTP servers or firewalls so they can monitor who is trying to gain access to their system and make sure that they are not successful in doing so. Ultimately, when pursuing SOC 2 compliance, it’s critical that organizations can demonstrate that they are dealing with external threats so that they can prove to their auditor and their clients that they provide.
More SOC 2 Resources
SOC 2 common criteria 6.6 talks about protecting your system from threats that are outside of your boundaries. So, rather than implementing password controls that are inside your network, we’re really talking about systems that can be accessed from outside your network. Obviously, the risks are greater and the threats are more extensive, because anyone in the world can access any publicly-facing IP, as opposed to there’s a more limited attack surface internally. When we look at common criteria 6.6 and external threats, we think about hackers or former employees whose access has been deleted from the system. How do you protect any type of threat that’s from the outside coming into your system? These might be web servers, firewalls, VPNs to your network, or anything that has a public-facing aspect to it. You want to think about not only requiring credentials but requiring additional methods of authentication. Think about multi-factor authentication, for example. There are three factors: something you know, something you have, and something you are. For instance, something you know (i.e. a password) and something you have (i.e. a code on your smart phone) are two methods of authentication you could require for access coming from the outside of your boundaries. You want to make sure that you have the proper monitoring controls and tools in place, because those are the systems that are going to produce the most data as far as unauthorized attempts go. If you have an FTP server or firewall, you’ll clearly see a lot of traffic that needs to be shunned or at least needs to be monitored in order to make sure that no one is successfully breaking into your system from the outside.