SOC 2 Academy: Incident Response Best Practices
Common Criteria 7.3
When an organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.3 says, “The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with common criteria 7.3? Let’s take a look.
Incident Response Best Practices for SOC 2 Compliance
The first step in following incident response best practices is learning how to accurately identify an incident, so that an organization knows when it’s necessary to implement an incident response plan. According to Verizon’s 2018 DBIR, a security incident is a security event that compromises the integrity, confidentiality, or availability of an information asset. So, for example, if you have personnel performing daily log reviews and they notice that an unauthorized user or source has gained access to your systems or data, activating your incident response plan would be necessary.
During a SOC 2 audit, an auditor will want to verify that an organization follows incident response best practices. They’ll typically do this by asking questions, such as:
- Does the entity have procedures in place for responding to security incidents?
- Does the entity have procedures in place for evaluating the effectiveness of the incident response plan?
- Does the entity communicate effectively when an incident is discovered and throughout the incident response plan?
- Does the entity have procedures in place to analyze security incidents and their impact?
More Incident Response Resources
Common criteria 7.3 for SOC 2 compliance is really getting into incident response, because the requirement is about taking action after you’ve analyzed a particular security event. Is this a real security event? Is this something that could impact your organization negatively and prevent you from achieving your objectives? If so, it is an incident, it should rise to the level of an incident, and you need to activate your incident response plan in order to take the proper action to respond to it. Being able to define what an incident is is important, first of all. You want to clearly know what rises to the level of an incident and when it is that the incident response team activates. That team needs to go through practices, scenarios, and training in order to know how to respond appropriately to not only contain the incident, but resolve it, learn from it, and develop further procedures so that you’re even better prepared for the next time you face one of those incidents.