SOC 2 Academy: Preventing and Detecting Unauthorized Software

by Joseph Kirkpatrick / February 22nd, 2019

Common Criteria 6.8

During a SOC 2 audit, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.8. Common criteria 6.8 says, “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.” What do organizations need to do to comply with this? What will an auditor be assessing?

How to Prevent and Detect Unauthorized Software

Knowing how to prevent and detect unauthorized software is critical if you want to position yourself as a secure service organization. If you can’t prevent and detect unauthorized software from accessing your network, why would customers want to partner with you? If organizations aren’t performing their due diligence and fail to prevent unauthorized software, they could face steep fines and penalties, a damaged reputation, and put their clients at risk. So, what needs to be done to demonstrate compliance with common criteria 6.8? During a SOC 2 audit, an auditor will assess that the organization does the following:

  1. Restricts who can install software on assets
  2. Detects unauthorized changes to your software and configuration parameters
  3. Uses a defined change control process
  4. Uses antivirus and anti-malware software
  5. Scans information assets from outside of your organization for malware and other unauthorized software

Why Do You Need to Prevent and Detect Unauthorized Software?

Let’s say that an employee requests that a software be installed on their laptop, which would allow them to more efficiently fulfill their job duties. Management denies the request because the software is too expensive, but the employee decides on their own accord to install the software anyways. This poses a significant risk to the organization’s security posture because the Internet source that the employee downloaded the software from might not be secure, or the software itself might contain malicious software, such as malware, spyware, or Trojans. If this employee goes through with downloading the software and it does contain malware, the organizations could face major financial, organizational, and reputational repercussions. On the other hand, let’s say that a software update pop-up comes up on an employees screen. They select “OK” and the software updates, but the software itself was not authorized to be on the device in the first place. Having processes in place to prevent and detect unauthorized software from being installed would be extremely useful in this case because it would give the employee steps to adhere to when installing or updating software. Regardless of their intention for installing software on an organization’s network, insiders and outsiders alike can be extremely cunning. Are you doing what’s necessary to prevent and detect unauthorized software from being installed in your information security system?

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Common criteria 6.8 for SOC 2 compliance there’s a few things to talk about, and in this video, I’d like to talk about how you prevent or detect unauthorized software from entering your environment. The first thing is not allowing people who aren’t authorized to install software on your asset. This would necessitate them not being an administrator. This poses a lot of problems for our clients, and many say that it’s a real pain not to have administrative access to the laptop that’s in the field because there are so many issues and problems that could come up where you would need administrator access. You have to think really long and hard about who you’re going to allow to be an administrator on those devices, because clearly by allowing someone to be an administrator, you’re making the risk greater that someone will take a short cut and will install something that maybe you haven’t authorized to be installed on there. At a minimum, if you do allow an employee to have administrative access to some type of a mobile device, you would want some way to detect that software has been installed. You would want some type of an alert and some type of log, so that someone else could understand what occurred and the proper evaluation could be performed. Ultimately, you want to start with preventing unauthorized software to be installed in your environment, so it’s not even allowing people to do the installs. Secondly, you would want to be able to detect it when it does happen. What if it’s an attacker and there’s malware introduced into your environment and has been installed? How would you detect that? You need a malware, antivirus, or some other log that’s generated from one of your security systems that’s able to monitor that and alert the proper security officer that this type of threat was introduced into your environment. Think about prevention and detection when it comes to new software that is unauthorized being introduced into your environment.