Monitoring Your Sensitive Data for SOC 2 Compliance

Mick Lynch
privata-ai
Jan 3, 2020

SOC 2 compliance is a framework for organizations that handle their customers’ data in the cloud. It has become an increasingly important certification for SaaS companies that want to build trust with their customers and partners.

SOC (System and Organization Controls) is an infosec and privacy framework developed by the American Institute of Certified Public Accountants (AICPA). There are three kinds of compliance reports, SOC 1, 2, and 3, but in this article we will only focus on SOC 2, which is the most involved of the three. Within SOC 2, there are two report types:

  • Type 1, where auditors assess the organization’s documentation and proposed controls
  • Type 2, where auditors assess the documentation and the effectiveness of those controls over time.

In order to prove compliance with SOC 2 Type 2, your organization must go through a technical audit. This audit will assess your infrastructure against the Trust Services Criteria, which consist of the five categories illustrated below:

The five “trust service principles” in SOC 2

The only mandatory category is Security, so choosing which of the other four categories to include is an important decision for the organization. An organization should try to limit the scope to those categories that are necessary to deliver its business. Within each category there is a list of criteria. As Security is the only required category, the criteria under this category are referred to as the Common Criteria.

The five Common Criteria are:

The five Security/Common Criteria

SOC 2 Audit preparation

Preparation for the audit will involve preparing policies and controls around the following:

  • Infrastructure
  • Software
  • People
  • Procedures
  • Data

In the diagram above, we have the simplest illustration of these five components. The people are the users of your system (employees, contractors, third-party vendors) and are governed by the procedures and policies around training, on-boarding, access management and authorization. Infrastructure controls monitor the organization’s network and environment using tools like network security software or UEBA solutions.

The Risk of Internal Users within your Organization

When it comes to managing the risk associated with people, an organization must look at important topics like specific privacy training and monitoring users’ activity when they deal with customers’ sensitive data. As users are the most unpredictable part of the organization’s environment, malicious or negligent users pose a high risk. A recent study shows that 79% of CIOs believe that employees have put company data at risk in the past 12 months.

Monitoring Activities means that you have established a process to provide oversight to how data is used within your organization. This includes anomaly detection and proactive alerting.

Therefore, adding a control to monitor how users interact with sensitive data is becoming more relevant for organizations. In the diagram above, this means adding a control on the connection highlighted in yellow between the Software and the Data.

Most organizations rely on the logs generated by the software developers to audit this interaction with the data. Logs are generally only reviewed during a forensic audit, and unusual user behaviour rarely alerts the infosec team within the company.

Privata.ai — A tool to monitor users risk profile

At Privata.ai, we have developed a tool to monitor how users are interacting with data from within web applications. We integrate with your existing applications using a minimal SDK to collect the relevant de-identified information. Once we capture this information, we can identify anomalous user behaviour and alert your infosec team.

Screenshot from Privata.ai’s User Analytics Platform

From a SOC 2 perspective, this means you can add a control for monitoring against internal data breaches as close to the data as possible. Data stored in databases is generally accessed in only two ways: through a direct connection to the database from inside the server, or through an application that connects to the database. The first threat can be minimized by restricting administrative server access to a small number of responsible people. The second is addressed by actively monitoring how users interact with your data from within the web application, and this is where Privata.ai comes in.

Privata.ai helps flag the most sensitive data within your database. This removes much of the noise that comes from standard database logs, where many requests are for non-sensitive data such as application preferences. We then track how users interact with this sensitive data and present it in an easy-to-understand dashboard. Alerting can be triggered based on unusual behaviour by a user compared with other similar users within the organization or with specific user groups.
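As an added illustration of the peer-group comparison just described (example code written for this article, not Privata.ai’s SDK or platform), the snippet below tags a few fields as sensitive, counts each user’s reads of those fields from constructed access events, and flags users whose count is far above the leave-one-out baseline of their own group. The field names, group names, sample events and z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical tagging of the fields that hold sensitive data; reads of any
# other field (preferences, UI state) are dropped as noise.
SENSITIVE_FIELDS = {"customer.ssn", "customer.dob", "customer.card_number"}

# Constructed sample access events: (user, peer_group, field_read)
EVENTS = [
    ("alice", "support", "customer.ssn"),
    ("alice", "support", "ui.theme"),
    ("bob", "support", "customer.dob"),
    ("bob", "support", "customer.ssn"),
    ("carol", "support", "customer.ssn"),
    ("dave", "support", "ui.theme"),
]
EVENTS += [("mallory", "support", "customer.card_number")] * 40  # bulk read
EVENTS += [("erin", "finance", "customer.card_number")] * 30     # normal for finance
EVENTS += [("frank", "finance", "customer.card_number")] * 28
EVENTS += [("grace", "finance", "customer.card_number")] * 31


def sensitive_access_counts(events):
    """Map each user to (peer_group, number of sensitive-field reads)."""
    groups, counts = {}, defaultdict(int)
    for user, group, field in events:
        groups[user] = group
        if field in SENSITIVE_FIELDS:
            counts[user] += 1
    # Users who never touched sensitive data still count as peers (zero reads).
    return {u: (groups[u], counts[u]) for u in groups}


def peer_group_alerts(events, z_threshold=3.0, min_peers=2):
    """Flag users whose sensitive-read count is far above their peers'.
    Baseline is leave-one-out per group; returns (user, group, count, z)."""
    by_group = defaultdict(list)
    for user, (group, n) in sensitive_access_counts(events).items():
        by_group[group].append((user, n))
    alerts = []
    for group, members in by_group.items():
        for user, n in members:
            peers = [m for u, m in members if u != user]
            if len(peers) < min_peers:
                continue  # too few peers for a meaningful baseline
            sigma = max(pstdev(peers), 1.0)  # floor avoids alerting on tiny jitter
            z = (n - mean(peers)) / sigma
            if z > z_threshold:
                alerts.append((user, group, n, round(z, 1)))
    return alerts
```

Finance users legitimately read card numbers in volume, so they do not alert against each other, while a support user doing the same stands out against the support baseline.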

If you are currently planning or in the process of preparing for SOC 2 compliance, feel free to reach out to us at Privata.ai to see how we can help.

Mick Lynch is an engineer with a PhD who translates ideas into novel products that make a real difference.