SOC 2 Academy: How to Perform a Thorough Inventory
by Joseph Kirkpatrick / February 1st, 2019
Common Criteria 6.1
When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.1 says, “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” While we have discussed many points of focus that organizations should consider when complying with common criteria 6.1, there’s still one critical component to review: performing a thorough inventory of your assets. Let’s discuss.
How to Perform a Thorough Inventory of Your Assets for SOC 2 Compliance
If an organization doesn’t know how to perform a thorough inventory of their assets, how will they be able to effectively monitor and protect them? Organizations must establish policies and procedures for device security in order to ensure that unauthorized or malicious users don’t gain access to information or environments that they have no legitimate need to access. If an organization provides employees with electronic devices, such as smartphones, laptops, or tablets, how are those devices being monitored and protected? Let’s say that an organization provides laptops for all remote employees. If the laptop is stolen, what processes are in place to make sure that the laptop is remotely wiped of all company information? If an employee is terminated or resigns, how will the organization ensure that the device is returned?
When put into the wrong hands, misuse of electronic devices could be the catalyst needed to cause organizations to face data breaches, amass steep fines and penalties, or lose client trust. Knowing how to perform a thorough inventory of your assets allows organizations to mitigate these risks. But how can it be done? Aside from identifying all devices used on the network, encryption methods should be utilized. In fact, encryption is such a large part of complying with common criteria 6.1 that two of the points of focus for the criterion are about encryption. They say, “The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk,” and “processes are in place to protect encryption keys during generation, storage, use, and destruction.”
Regardless of whether threats come from unauthorized internal employees or malicious outsiders, during a SOC 2 audit, organizations must make it a priority to know how to perform a thorough inventory of their assets in order to comply with common criteria 6.1.
More SOC 2 Resources
Understanding Your SOC 2 Report
SOC 2 Compliance Handbook: The 5 Trust Services Criteria
When it comes to complying with the logical access control requirements in common criteria 6.1 for SOC 2, there’s a couple of other points of focus to consider, including performing a thorough inventory of your assets. You have to understand what your assets are in order to understand how you’re going to protect them. You need to make sure that you’ve identified all of those devices on your network that might potentially provide access to a threat or a valid employee, so that you can manage and monitor who’s accessing that and removing access for anyone that shouldn’t have it. The other thing that you would want to look at is the encryption of the logins to all of these various devices. Are there security certificates in place in order to encrypt the traffic? Even internally, from your administrator on your network to that particular device? I know we see a lot of self-signed certificates and certificates that are not properly configured in order to keep those credentials secret and unable to be captured by a malicious entity who might want to steal a username and password.
