SOC 2 Academy: Movement of Data

by Joseph Kirkpatrick / February 15th, 2019

Common Criteria 6.7

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” How does understanding the movement of data influence SOC 2 compliance? What will auditors be evaluating when assessing an organization’s compliance with common criteria 6.7? Let’s discuss.

How Does the Movement of Data Impact SOC 2 Compliance?

Service organizations need to assure their clients that their sensitive information is secure. Understanding the movement of data within the organization is key to making this happen. Why? Because if an organization doesn’t have clearly defined policies and procedures for transmitting, moving, and removing data, how will they be able to convince their customers that they are a secure service provider? Let’s say that an organization’s employees work remotely, and each employee has a company-supplied laptop. What processes are in place to ensure that the data stored on that laptop isn’t copied or removed? What security awareness training is used to educate employees on the correct protocols for transferring data? Or let’s say that a company uses a file-sharing platform. Can those files be accessed outside of the company network? Could they be copied onto a flash drive?

During a SOC 2 audit, an auditor will verify that the organization has such processes in place that allow for the secure transmission, movement, and removal of data. Auditors might ask questions such as, does the organization restrict the ability to perform transmission? Does the entity use encryption technologies or secure communication channels to protect data? How does the entity protect mobile devices? To demonstrate compliance, organizations should begin by showcasing that they do in fact have written policies and procedures, have trained their employees on those policies and procedures, and have then implemented additional security measures, such as data loss prevention technologies to ensure that the movement of data is secure.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

SOC 2 common criteria 6.7 restricts the transmission, movement, and removal of information from your systems by internal or external users. Let’s talk about what that looks like. As an organization, you don’t want people taking data outside of the boundaries you have set up and use it for some nefarious purpose. There was a famous case years ago where an IT person was allowed to take data home to do work and then when they terminated that particular employee, he successfully defended his right to not return the data because the organization he worked for did not have anything in writing with him that required him to return that data. They allowed him to take it to his house and that’s where it stayed. Every organization is concerned about information ending up in a place where it shouldn’t be. Let’s talk about transmission. First of all, if you are successfully transmitting data from your environment to an authorized outside environment, you want to do that via some encrypted technology. You would want to make sure that the proper level of encryption was being utilized, and employees understand that when information is being transferred properly, it is done over encrypted channels. Another way of looking at that is that you wouldn’t want to have an attacker on the inside be able to create this back channel or create an encrypted tunnel to exfiltrate information out of your environment. So, how do you do that? How can you identify that that is occurring? There are data loss prevention technologies that are out there and becoming more popular as a way to recognize abnormal events and try to identify traffic patterns that would indicate that someone is trying to take the data out a route that they shouldn’t be using. When we talk about the movement of data or the removal of data, that starts getting into how do you allow your employees to get to the data in the first place? Can they get to it from a laptop, which is easily carried out of the building? Do you allow people to put data on thumb drives or access Dropbox online? These kinds of things need to be considered and restricted if you’re concerned about someone copying data, moving it, and ultimately removing it from your environment. Putting policies and procedures into place whether initially by manual methods via a written policy, and you train people on it and make them sign a written agreement that they’ve reviewed it and acknowledge that they’re not supposed to use removable media to store data. That’s the first, obvious place to start. Beyond that, though, you can put enforceable domain policies in place and utilize other technologies that are out there to actually physically restrict people from moving data from that type of device to an unauthorized device. Think about what it is you want to protect and what kind of protections you would want to put on the transmission, movement, and removal of data out of your environment.