The first and the most common security audit I had to wrap my head around was SOC 2. System and Organization Controls (SOC) audits probably have the most plentiful bounty of information, guides, definitions, secrets, tools, and tricks of all the major security certifications I've seen. The tough part was sifting through it all to find the core content and key concepts (not to mention layperson explanations) I needed to fully outfit myself with the information needed. This would be my unicorn.
So, what did I learn about SOC 2?
A SOC 2 audit is typically found in North America, though it has been spotted in other regions of the world. There are two types with different lifespans: Type 1 and Type 2. Type 1 is a faster and cheaper variety; however, its lifespan is shorter. Type 2 is a slower, more expensive and thorough creature, but has the trait of assuring customers of greater security and has a much longer lifespan.
SOC 2 outlines a set of regulations designed to ensure organizations that store sensitive information (especially in the cloud) adhere to a common set of security best practices. Enter: my brain where unicorns are dancing in the skies. Much like unicorns that stand for principles of good in the world, there are five “Trust Services Principles” or “Trust Services Criteria” (TSP or TSC, depending on how fancy you want to get) that SOC stands for: Privacy, Security, Availability, Processing Integrity, and Confidentiality (here's a mnemonic to help you remember all of that)! As an organization that cares about its customers, you’ll need to demonstrate that you have the right security controls in place for the TSP that apply to your organization.
Keeping up with the unicorn analogy (stay with me here!), here’s how each TSP is broken down as if I were a knight seeking one out and needed the proper tools:
Privacy - The helm, or mask, of your controls. These controls protect the information and identity of your organization and customers (especially sensitive PII). Controls such as encryption, access control, and multi-factor authentication will be the helm of protections.
Security - The armour of your controls. These are the controls that stop attacks and damage from villains who would seek to do your organization or customers harm. Every software company needs armour these days! These are controls such as firewalls, intrusion detection, passwords, and multi-factor authentication.
Availability - The knight’s oath of your controls. These types of controls assure your customers that you are prepared for attack and will answer the call. A knight can’t be available for his people if he’s down for the count! These include elements such as performance monitoring, having a plan of attack or protections for disasters, and handling incidents with grace.
Processing Integrity - The chivalry of your controls. Alertness, proactiveness, and assurance of your quality are the chivalrous codes of controls. If you process credit card payments, you need to do it right. These controls will assure others that you have a dedication to quality assurance and monitoring of your processes.
Confidentiality - The shield of your controls. Some overlap with armour and helm exists, as this includes protection for your organization. You’d better keep your customers’ data safe, or all is lost! This can include firewalls, encryption and elements like passwords so that the right people are allowed through while the villains are stopped at the door.
These main principles of SOC 2 are the key to finding your own personal unicorn in the world of security audits. And now that I have indulged my need for fantastical comparisons... I am off to discover more in the world of InfoSec! Tally-ho!