Mastering SOC2 Compliance: Here's Your Essential Checklist for Seamless Auditing! Dive into the key elements needed for successful SOC2 compliance, and ensure a smoother audit process.
SOC 2 (Service Organization Control) Type 2 Checklist Part - 2 www.infosectrain.com
CC6.0: Logical and Physical Access Control

CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.1.1 | The organization creates an access control policy and a user registration process to authorize individuals before granting them system access privileges. | Examine and ensure that the organization developed an access control policy and a corresponding registration and authorization process for individuals. | |
| CC6.1.2 | The organization restricts system access based on job roles or requires an approved access request form and manager's approval before granting access to relevant system components. | Examine user access to system components and ensure that the manager approves it. | |
| CC6.1.3 | The organization maintains a data classification policy to ensure that confidential information is securely protected and accessible only to authorized users. | Examine the organization's data classification policy and ensure it secures confidential data, restricting access solely to authorized personnel. | |
| CC6.1.4 | The organization limits access to encryption keys, which are considered privileged, to authorized users who have a legitimate business need. | Examine the organization's cryptography policy to ensure that it confines privileged access to encryption keys to authorized users with valid business requirements. | |
| CC6.1.5 | Remote access to the organization's production systems is exclusively permitted for authorized employees with a valid Multi-Factor Authentication (MFA) method. | Examine the organization's production systems to ensure that only authorized employees with a valid Multi-Factor Authentication (MFA) method can access them remotely. | |
CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.2.1 | The organization's access control policy specifies the procedures for adding, modifying, or revoking user access. | Examine the organization's access control policy to ensure its existence, approval, and documentation of procedures for adding, modifying, and removing user access. | |
| CC6.2.2 | The organization performs quarterly access assessments on in-scope system components to guarantee proper access restrictions, with ongoing tracking of necessary changes until they are implemented. | Examine access reviews for the relevant system components to ensure appropriate access restrictions and monitor required changes until they are finalized. | |
| CC6.2.3 | The organization uses termination checklists to make sure that access is promptly revoked for employees who have been terminated, meeting the defined Service Level Agreements (SLAs). | Examine the termination checklist to ensure that access is promptly removed for employees who have been terminated. | |
| CC6.2.4 | To access the production network, the organization mandates authentication with either unique usernames and passwords or authorized Secure Shell (SSH) keys. | Examine how the organization authenticates access to the production network and ensure it uses unique usernames and passwords or authorized Secure Shell (SSH) keys. | |
| CC6.2.5 | The organization ensures that users can access specific parts of the system based on their job role, or by submitting an access request form and obtaining their manager's approval before access is granted. | Examine how users are granted system access to ensure it is based on either their job role or a submitted form with the manager's approval. | |
CC6.3: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.3.1 | The organization maintains a matrix that specifies which system components staff members can access according to their roles. | Examine the staff access matrix. | |
| CC6.3.2 | When staff members leave the organization, access to the firm's systems is promptly revoked as part of the offboarding process. | Examine the employee access removal process to ensure that a termination checklist is followed and access is adequately revoked when an employee leaves. | |
| CC6.3.3 | The organization ensures that access to the infrastructure provider's environment, specifically the production console, is limited to individuals who need it for their job tasks. | Examine the infrastructure access and ensure it is restricted to individuals with job-related access requirements. | |
| CC6.3.4 | The organization ensures that access to the production databases is granted only to individuals who need it to carry out their job responsibilities. | Examine the production database access and ensure it is limited to individuals who require it to carry out their job tasks. | |
| CC6.3.5 | The organization conducts quarterly access audits for in-scope system components, ensuring proper access controls and tracking needed changes until completion. | Examine access reviews for in-scope system components to ensure appropriate access restrictions and monitor necessary changes until completed. | |
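The CC6.2 and CC6.3 tests above (termination SLA, role-based access matrix, quarterly access review) are the kind of checks a compliance engineer automates before the auditor asks for evidence. The following is an added example, not part of the checklist or of any vendor tool; the HR roster, identity-provider export and access matrix are constructed inline and their record layouts are assumptions.

```python
"""Evidence checks for SOC 2 CC6.2.3 / CC6.3.1 / CC6.3.2 access reviews.

All data below is constructed for the example; the Employee/Account record
layouts are assumptions, not a real HR or identity-provider export format.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    system: str                    # e.g. "prod-console", "prod-db"
    active: bool
    disabled_on: Optional[date]    # date the account was disabled, if any


# Role-to-system access matrix (CC6.3.1). Constructed for the example.
ACCESS_MATRIX = {
    "sre": {"prod-console", "prod-db", "vpn"},
    "developer": {"staging", "vpn"},
    "support": {"ticketing"},
}

# Constructed HR roster and identity-provider export.
EMPLOYEES = [
    Employee("alice", "sre", None),
    Employee("bob", "developer", date(2024, 3, 1)),
    Employee("carol", "support", date(2024, 3, 10)),
]
ACCOUNTS = [
    Account("alice", "prod-console", True, None),
    Account("alice", "prod-db", True, None),
    Account("bob", "staging", False, date(2024, 3, 2)),      # disabled within SLA
    Account("bob", "vpn", True, None),                       # never revoked
    Account("carol", "ticketing", False, date(2024, 3, 20)), # disabled late
    Account("carol", "prod-db", True, None),                 # outside her role
]


def termination_findings(employees, accounts, sla_days=3):
    """CC6.2.3 / CC6.3.2: every account of a terminated employee must be
    disabled within `sla_days` of the termination date.
    Returns (user, system, reason) tuples; an empty list means the control passed."""
    term = {e.user: e.terminated_on for e in employees if e.terminated_on}
    findings = []
    for a in accounts:
        if a.user not in term:
            continue
        deadline = term[a.user] + timedelta(days=sla_days)
        if a.active:
            findings.append((a.user, a.system, "still active after termination"))
        elif a.disabled_on and a.disabled_on > deadline:
            late = (a.disabled_on - deadline).days
            findings.append((a.user, a.system, f"disabled {late} day(s) past SLA"))
    return findings


def access_matrix_findings(employees, accounts, matrix):
    """CC6.3.1 / CC6.1.2: an active account must be permitted by the holder's role.
    Returns (user, system, role) tuples for access the matrix does not allow."""
    role_of = {e.user: e.role for e in employees}
    return [
        (a.user, a.system, role_of.get(a.user, "unknown"))
        for a in accounts
        if a.active and a.system not in matrix.get(role_of.get(a.user, ""), set())
    ]


if __name__ == "__main__":
    for f in termination_findings(EMPLOYEES, ACCOUNTS):
        print("TERMINATION:", *f)
    for f in access_matrix_findings(EMPLOYEES, ACCOUNTS, ACCESS_MATRIX):
        print("MATRIX:", *f)
```

Run quarterly against fresh exports and keep the output with the review ticket; an empty findings list is the evidence the auditor's test asks for.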
CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.4.1 | The organization establishes procedures to authorize and manage physical access to its data centers, including granting, modifying, or terminating access, with authorization from control owners. | Examine the system description to ensure that AWS is accountable for controlling access to the data center, allowing entry only to authorized personnel. | |
| CC6.4.2 | The organization conducts annual assessments of data center access. | Examine the system description to ensure that AWS is accountable for ensuring that only authorized personnel have access to the data center. | |
| CC6.4.3 | The organization mandates that visitors must sign in, wear a designated visitor badge, and be accompanied by an authorized employee when entering the data center or secure zones. | Examine the physical security policy to ensure the presence of documented visitor management procedures, including sign-in, badge-wearing, escorting if required, access approval, and sign-out. Also, examine the system description to ensure AWS manages physical security controls. | |
| CC6.4.4 | The organization performs access assessments on in-scope system components every quarter to verify that access is adequately limited. Any necessary changes are documented and monitored until they are fully implemented. | Examine a quarterly access review, ensuring the presence of regular access reviews and access modifications aligned with business needs. Additionally, examine the access control and termination policy to ensure that access restrictions follow the principle of least privilege, requiring approval and documentation for changes. | |
CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.5.1 | The organization follows best practices to eliminate or destroy electronic media holding confidential information, and it issues certificates of destruction for each disposed device. | Examine a data disposal log in Secureframe and ensure the data retention and disposal policy documents procedures that comply with NIST guidelines. | |
| CC6.5.2 | The organization employs termination checklists to guarantee that access is promptly revoked for employees who have been terminated, in accordance with agreed service level agreements (SLAs). | Examine the procedure for removing an employee's access to ensure that it adheres to a termination checklist and that access is correctly revoked when an employee leaves the organization. | |
| CC6.5.3 | The organization follows industry best practices by removing or purging customer data containing confidential information from the application environment when customers discontinue their service. | Examine the data retention and disposal policy for documented processes, including secure data retention and deletion within 30 days upon customer request, and ensure the presence of a disposal log in Secureframe for secure data disposal. | |
| CC6.5.4 | The organization establishes formal procedures to guide the secure retention and disposal of company and customer data. | Examine the data retention policy for secure data handling and ensure that Secureframe holds the data disposal logs. | |
CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.6.1 | The organization employs secure data transmission protocols to encrypt confidential and sensitive data when sending it across public networks. | Examine the organization's secure data transmission protocols to ensure that they incorporate encryption for safeguarding confidential and sensitive data during transmission over public networks. | |
| CC6.6.2 | The organization employs an intrusion detection system to continuously monitor its network and promptly identify potential security breaches. | Examine the organization's intrusion detection system to ensure it is set up for ongoing network monitoring, enabling the early identification of potential security breaches. | |
| CC6.6.3 | The organization documents network and system hardening standards, which align with industry best practices and undergo an annual review. | Examine the organization's network and system hardening standards to ensure that they align with industry best practices and undergo a yearly review for compliance. | |
| CC6.6.4 | The organization conducts annual reviews of its firewall rulesets and ensures that necessary changes are monitored until they are implemented. | Examine the firewall rulesets to confirm that they undergo annual reviews and that any necessary changes are tracked until they are fully implemented. | |
| CC6.6.5 | The organization includes regular maintenance and remediation of identified vulnerabilities as part of its routine procedures for patching the infrastructure that supports the service. This practice helps fortify the security of the servers that underpin the service against potential threats. | Examine the infrastructure supporting the service to ensure it undergoes routine maintenance and patching, addressing identified vulnerabilities to enhance server security against potential threats. | |
CC6.7: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.7.1 | The organization mandates encryption for all organization-owned endpoints to safeguard them from unauthorized access. | Examine the encryption process to ensure it is implemented across all endpoints, protecting against unauthorized access. | |
| CC6.7.2 | The organization ensures that user access to the organization's application is protected by using HTTPS with TLS and encryption methods that adhere to industry standards. | Examine HTTPS (TLS) use and ensure that encryption techniques align with industry standards. | |
| CC6.7.3 | The organization records production infrastructure assets and separates them from its staging and development assets. | Examine the production infrastructure asset records and ensure they have been clearly distinguished from the staging and development assets. | |
| CC6.7.4 | The organization guarantees that customer data used in non-production environments receives an equivalent level of protection to that provided in the production environment. | Examine that both production and non-production environments maintain equal protection for customer data. | |
| CC6.7.5 | The organization possesses an encryption policy that is documented and accessible to all staff through the organization's intranet. | Examine the encryption policy to ensure it has been provided to all organization staff through the firm's intranet. | |
CC6.8: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC6.8.1 | The organization installs anti-malware technology in environments often vulnerable to malicious attacks, ensuring regular updates, comprehensive logging, and deployment on all applicable systems. | Examine the organization's anti-malware technology to ensure it is set up for regular updates, maintains complete logs, and is installed on all applicable systems. | |
| CC6.8.2 | The organization establishes a structured Systems Development Life Cycle (SDLC) methodology that regulates the development, acquisition, implementation, modifications (including emergency changes) and maintenance of information systems and associated technology needs. | Examine the organization's SDLC methodology to ensure it oversees information system development, acquisition, implementation, modifications, and maintenance, including related technology needs. | |
| CC6.8.3 | The organization routinely applies patches to the infrastructure supporting the service, addressing identified vulnerabilities, as a proactive measure to fortify the security of the servers that underpin the service against potential threats. | Examine the service's infrastructure to ensure routine patching and vulnerability-based updates are applied to secure the supporting servers against security threats. | |
CC7.0: System Operations

CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC7.1.1 | The organization mandates that changes to the software and infrastructure components of the service must undergo authorization, formal documentation, testing, review, and approval processes before being implemented in the production environment. | Examine changes to software and infrastructure components to ensure they go through authorization, formal documentation, testing, review, and approval before going into the production environment. | |
| CC7.1.2 | The organization's formal policies specify the requirements for IT/Engineering functions, encompassing vulnerability management and system monitoring. | Examine the organization's standard policies to confirm they delineate the criteria for IT-related operations, including vulnerability management and system monitoring. | |
| CC7.1.3 | The organization conducts host-based vulnerability scans on all external-facing systems quarterly, focusing on identifying and addressing critical and high vulnerabilities. | Examine the vulnerability scans to ensure they occurred quarterly for all external-facing systems and that critical and high vulnerabilities were actively monitored and remediated. | |
| CC7.1.4 | The organization conducts annual risk assessments that identify threats and changes (environmental, regulatory, and technological) affecting service commitments and formally assesses risks, including fraud's potential impact on objectives. | Examine the organization's risk assessment documentation to ensure assessments are annual, identify threats and changes to service commitments, and formally evaluate risks, including fraud's potential impact on objectives. | |
CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC7.2.1 | The organization employs an intrusion detection system to continuously monitor its network and promptly identify potential security breaches. | Examine the utilization and configuration of the IDS, ensuring its role in threat detection, continuous monitoring, and identifying security breaches. | |
| CC7.2.2 | The organization employs a log management tool to detect events affecting its ability to meet security objectives. | Examine log evidence through a screenshot, ensuring the maintenance of event logs to support attaining security objectives. | |
| CC7.2.3 | The organization conducts annual penetration testing, with the development of a remediation plan and timely implementation of changes to address vulnerabilities within SLAs. | Examine that penetration tests are conducted, identified vulnerabilities are tracked for remediation, and annual third-party penetration tests are in place as per the vulnerability and patch management policy. | |
| CC7.2.4 | The organization ensures the servers supporting the service are fortified against security threats by incorporating routine maintenance and addressing identified vulnerabilities through infrastructure patching. | Examine that penetration tests are conducted with vulnerability tracking for remediation, and ensure that patches are regularly installed as part of routine maintenance to enhance system resilience against vulnerabilities and threats. | |
| CC7.2.5 | The organization conducts host-based vulnerability scans on external-facing systems quarterly, focusing on monitoring and addressing critical and high vulnerabilities. | Examine Secureframe to verify the execution of vulnerability scans, the assignment of severity ratings to findings, and the tracking of these findings for remediation. | |
CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC7.3.1 | The organization employs a continuous monitoring system to monitor and communicate the status of the information security program to the Information Security Officer and other relevant parties. | Examine the continuous monitoring system and ensure it consistently tracks and reports on the information security program's status. | |
| CC7.3.2 | The organization mandates quarterly audits of employee endpoints to verify that they are running the current or the second most recent version of the operating system. | Examine the operating system version and ensure that it is current and up to date. | |
| CC7.3.3 | The organization's infrastructure is set up to produce audit events for security-related actions of interest, which are then assessed and scrutinized for any unusual or suspicious behavior. | Examine the internal audit logs to ensure that the organization utilizes a continuous monitoring system for tracking and delivering updates on the status of the information security program. | |
| CC7.3.4 | The organization maintains constant surveillance of its production assets, enabling prompt alerts and immediate response when required. | Examine the production assets to ensure that their alerting system operates promptly. | |
| CC7.3.5 | The organization identifies vulnerabilities within the firm's platform through annual penetration testing conducted by a certified third-party service provider. | Examine and ensure that the organization performs the annual penetration testing exercise. | |
CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC7.4.1 | The organization adheres to its security incident response policy and procedures, ensuring that security and privacy incidents are logged, monitored, resolved, and reported to the affected or relevant parties under management's guidance. | Examine security and privacy incidents in the organization to ensure they are correctly logged, monitored, resolved, and reported to appropriate parties by management, following the company's security incident response policy and procedures. | |
| CC7.4.2 | The organization performs annual testing of its incident response plan as a minimum requirement. | Examine the organization's incident response plan to ensure that it undergoes testing at least annually. | |
| CC7.4.3 | The organization has documented security and privacy incident response policies and procedures, which are communicated to authorized personnel. | Examine the organization's security policies to ensure that established security and privacy incident response policies and processes are in place and that they are communicated to authorized users. | |
| CC7.4.4 | The organization regularly patches its service-supporting infrastructure to support server security against threats, addressing routine maintenance and identified vulnerabilities. | Examine the service-supporting infrastructure to ensure patching covers regular maintenance and identified vulnerabilities, enhancing server security against potential threats. | |
| CC7.4.5 | The organization conducts host-based vulnerability scans on all external-facing systems at least quarterly, with a specific focus on tracking and addressing critical and high vulnerabilities. | Examine the vulnerability scans to ensure they occur at least quarterly for all external-facing systems and that critical and high vulnerabilities are monitored and remediated as necessary. | |
CC8.0: Change Management

CC8.1: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC8.1.1 | The organization mandates that any modifications to software and infrastructure components of the service must undergo authorization, formal documentation, testing, review, and approval before they can be implemented in the production environment. | Examine the organization's modifications to software and infrastructure components and ensure that they undergo authorization, formal documentation, testing, review, and approval before implementation in the production environment. | |
| CC8.1.2 | The organization follows a formal SDLC methodology that oversees the entire lifecycle of information systems and related technology, including development, acquisition, implementation, changes (including emergency changes), and maintenance. | Examine the organization's SDLC methodology, ensuring it oversees information system development, acquisition, implementation, modifications, and maintenance. | |
| CC8.1.3 | The organization routinely patches its service-supporting infrastructure to bolster server security against potential security threats, addressing regular maintenance and identified vulnerabilities. | Examine the organization's service-supporting infrastructure and ensure patches are applied for routine maintenance and to address identified vulnerabilities, enhancing server security against potential threats. | |
| CC8.1.4 | The organization conducts annual penetration testing and implements changes to remediate vulnerabilities according to SLAs. | Examine the organization's penetration testing to ensure it occurs at least once a year. | |
| CC8.1.5 | Access to migrate changes to the production environment is exclusively granted to authorized personnel within the organization. | Examine access rights for migrating changes to the production environment and ensure that only authorized personnel within the organization have this privileged access. | |
CC9.0: Risk Mitigation

CC9.1: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC9.1.1 | The organization establishes business continuity and disaster recovery plans that include communication strategies to ensure information security continuity in case key personnel become unavailable. | Examine the plans to ensure the organization outlines communication strategies for maintaining information security continuity if key personnel are unavailable. | |
| CC9.1.2 | The organization performs annual risk assessments that identify threats and changes, formally assess risks to service commitments, and consider fraud's potential impact on objectives. | Examine the organization's risk assessment documentation to ensure it includes annual assessments, identification of threats and changes to service commitments with formal risk assessment, and consideration of fraud's potential impact on objectives. | |
| CC9.1.3 | The organization establishes a documented risk management program that covers threat identification, risk significance rating, and mitigation strategies. | Examine the organization's risk management program to ensure it covers threat identification, risk assessment, and mitigation strategies. | |
CC9.2: The entity assesses and manages risks associated with vendors and business partners.

| Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results |
|---|---|---|---|
| CC9.2.1 | The organization has formal agreements with vendors and relevant third parties encompassing confidentiality and privacy commitments tailored to the entity's requirements. | Examine the organization's written agreements with vendors and related third parties, ensuring they incorporate confidentiality and privacy commitments tailored explicitly to the entity. | |
| CC9.2.2 | The organization has a vendor management program that includes a critical third-party vendor inventory, security and privacy requirements for vendors, and annual reviews of essential vendors. | Examine the organization's vendor management program to ensure that it establishes a structured process for documenting and managing vendor relationships. | |