SOC 2 Academy: Taking Inventory of Physical Devices

by Joseph Kirkpatrick / February 8th, 2019

Common Criteria 6.4

One of the first steps of the SOC 2 audit process is scoping the engagement, which tells auditors what people, processes, and technologies will be included in the assessment. Because auditors will assess an organization’s compliance with the 2017 Trust Services Criteria, organizations need to demonstrate that they comply with common criteria 6.4. Common criteria 6.4 says, “The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.” In order to comply with this criterion, organizations need to identify all people, processes, and technologies that impact the internal controls over physical security by taking inventory of physical devices. It’s no longer enough for organization’s to only identify physical devices within their office buildings. Instead, they’ll need to look at remote locations, such as home offices or coffee shops, as well as third-parties. Let’s discuss why taking inventory of physical devices is so important to SOC 2 compliance.

The Importance of Taking Inventory of Physical Devices

If you don’t know which physical devices your organization possesses, how can you possibly ensure that they aren’t stolen or breached? What would be the impact if your remote employee’s company-provided cell phone was stolen? Could sensitive company information be accessed? While taking inventory of physical devices within an office building is important, organizations must go a step further to identify absolutely all physical devices, including both hard and software, that could be compromised by a malicious hacker or employee. For example, let’s say that more than half of an organization’s employees work remotely. What physical security controls need to be employed to ensure that the physical devices they hold are protected? Are there processes in place to wipe an employee’s laptop remotely if it is stolen? When pursuing SOC 2 compliance, taking an accurate and realistic inventory of physical devices is critical for ensuring that the engagement is properly scoped and that the internal controls over physical device security are accurately assessed.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

It’s very important when you’re assessing your physical environment to take a good inventory of where you have not only electronic data, but physical devices that could potentially store that data or access that data through some remote technology. When I talk about inventory, I’m talking about not only the physical offices where your people operate, but also home offices, third-party locations where you might have employees do some work, backup media facilities or third-parties that pick up media, tapes, drives, etc. You want to include all of these places in your inventory of where you want to ensure that proper physical access controls are located. Too often, clients minimize the impact of where a physical location may or may not be in scope, and they forget about some of the locations where they should still consider physical controls. For example, if you have remote employees – people that work out of their car, coffee shops, or home or they travel with laptops and other removable media – you would want to think about other physical controls that you would put on those devices, so that you can make sure that they are protected and not stolen out of cars or in transit. When you think about physical security controls and where to implement them, make sure you first do a proper inventory of your locations so that you can then evaluate which controls are necessary.