Welcome to part three of SOC 2 Bootcamp, covering everything involved in evidence collection! Quick Bootcamp recap—we borrowed Bluth Company and Associates from Arrested Development. Monica works for Bluth Company and is getting their SaaS product, Banana Stand, SOC 2 compliant.
In SOC 2 Bootcamp Part 1: Scoping and Auditor Selection, the Bluth Company kicked off its SOC 2 journey. Monica has internal buy-in, selected an auditor, defined Trust Service Categories, completed scoping and wrote their Service Organization’s Description of Controls.
The second webinar, SOC 2 Bootcamp Part 2: Policies and Controls, focused on the meat of SOC 2, the policies and controls. We dove into a handful of policies required for SOC 2, what’s involved and the necessary controls to stay compliant.
This third webinar is all about collecting evidence to show you’re compliant with your controls and policies.
Again, we’re taught by Jitendra Juthani, InfoSec risk and compliance expert at Tugboat Logic! He assists Monica and Bluth Company through evidence collection both manually and automatically. They explore the differences between collecting evidence for a Type 1 vs. a Type 2 SOC 2 audit and look at SOC 2 penetration test requirements. And a special guest is joining the team, Billens Crow from Illumant. Illumant has conducted thousands of assessment and compliance engagements, helping over 1,000 clients protect themselves from cyber-attacks.
Basically, evidence is an artifact to prove that your controls are doing what they’re supposed to do. For example, when adding someone new to your system, you need approval from the business owner or whoever the application owner is. You need to collect evidence that proves this process. From an audit perspective, the auditor wants to know that what you’re saying is what you’re doing.
Evidence collection is a lot of work but it’s important. It proves that you’re compliant over the audit period. Some controls need to be operated weekly, while others may show up towards the end of the observation period. Some evidence you can show the auditor, like the password policy. When you walk through the audit online with your auditor, they can see what you see. But they still need documents for their records.
There are 162 possible pieces of evidence to collect, but don’t worry. They may not all apply to your organization. In Tugboat Logic, there’s a scoping survey that’s completed at the beginning of your journey. It will tell you which controls are within your scope, so you don’t spend time doing work out of your scope. Then for each control, there’s one or multiple pieces of evidence you’re required to collect to show the implementation of that policy. Something to keep in mind: one of the 162 pieces of evidence is about database encryption. If you have 10 databases, you’re going to need to collect evidence for each one.
Automated and Manual Evidence Collection
Technology can sure make life easier and automated evidence collection for SOC 2 can save you time. However, there are always parts of the process completed manually.
Within Tugboat Logic, several integrations allow you to collect evidence at a requested frequency and monitor them to ensure you are staying compliant. It’s a set-it-and-forget-it function. There’s also a screenshot tool for Google Chrome to assist with manual collection. An example of manual collection is board of director meetings. Whether quarterly or semi-annual, you need to include this presentation to management as evidence. So attach meeting minutes and accompanying documents to the corresponding evidence task.
Bluth Company, Tugboat Logic and Manual Evidence Collection
Jumping into Bluth Company’s readiness project, there are 34 policies to work with and each one has multiple controls connected to it. For this example, they’re focusing on their business continuity and disaster recovery policy.
Policy: Business Continuity and Disaster Recovery
This plan covers all areas within the organization considered critical tools to run your business in the event of a disruption.
Control: Business Continuity Plan
The control wording states that you have a business continuity plan documented and you test it annually.
Evidence Task: Business Continuity Plan
The way that you demonstrate this is by providing the auditor your business continuity plan.
From an audit perspective, the auditor wants to see a few things. They want to see how current it is, how often it’s updated, reviewed and tested. They also want assurance that employees can access the most up-to-date version at any time. A piece of paper won’t cut it. This can be a screenshot of a document attachment.
Bluth Company, Tugboat Logic and Automated Evidence Collection
Policy: Key Management and Cryptography
This policy is designed to prevent the attacker from accessing the unencrypted data by ensuring data is encrypted and protected at all times.
Control: Encryption at Rest
This control ensures you encrypt data when it is on a disk (at rest) using strong encryption technologies.
Evidence Task: Encryption at Rest
Bluth Company uses AWS and they set up the Tugboat Logic integration. It pulls evidence once a week from all AWS databases to show encryption at rest.
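To show what a weekly automated pull for this control produces, here is an added example (my own code, not Tugboat Logic’s integration) that turns an RDS instance listing into one evidence record per database, which is exactly why ten databases mean ten pieces of evidence. It assumes the listing has the shape returned by boto3’s `rds.describe_db_instances()`; the sample instances, names and key ARN below are constructed.

```python
"""Added example: build per-database 'Encryption at Rest' evidence records.
Assumes input shaped like boto3 rds.describe_db_instances()["DBInstances"]."""
from datetime import datetime, timezone

# Constructed sample, not real AWS output (account id and key id are placeholders).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "banana-stand-prod", "Engine": "postgres",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "banana-stand-staging", "Engine": "mysql",
     "StorageEncrypted": False},
    # Field absent entirely: must be treated as a finding, not a pass.
    {"DBInstanceIdentifier": "banana-stand-reporting", "Engine": "postgres"},
]


def collect_encryption_evidence(db_instances, collected_at=None):
    """Return one evidence record per database plus an overall control verdict."""
    collected_at = collected_at or datetime.now(timezone.utc)
    records = []
    for db in db_instances:
        encrypted = db.get("StorageEncrypted")  # True, False, or None if missing
        if encrypted is True:
            finding = None
        elif encrypted is None:
            finding = "StorageEncrypted missing from listing"
        else:
            finding = "database storage is not encrypted"
        records.append({
            "control": "Encryption at Rest",
            "resource": db.get("DBInstanceIdentifier", "<unknown>"),
            "engine": db.get("Engine", "<unknown>"),
            "encrypted": encrypted is True,
            "kms_key_id": db.get("KmsKeyId"),  # which key protects the volume
            "finding": finding,
            "collected_at": collected_at.isoformat(),
        })
    exceptions = [r["resource"] for r in records if not r["encrypted"]]
    return {"status": "FAIL" if exceptions else "PASS",
            "exceptions": exceptions, "records": records}


if __name__ == "__main__":
    # Live use: boto3.client("rds").describe_db_instances()["DBInstances"],
    # paginated, in place of the constructed sample.
    import json
    print(json.dumps(collect_encryption_evidence(SAMPLE_DB_INSTANCES), indent=2))
```

The exceptions list is what an auditor would ask about, so an unencrypted or unreported database shows up as a finding in the evidence rather than silently passing.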
Vulnerability Scans and Penetration Testing
A penetration test, or pen test, demonstrates the security of a product or system. Basically, you pay someone to hack your system. The pentester discovers how someone could access your system and do all the stuff you’re trying to protect your data from. Then you get a report describing all of the ways you could go about remediating or fixing issues they found.
Billens Crow from Illumant mentions different purposes for pen testing and the importance of letting testers know it’s for SOC 2, so the scope is correct. It also helps the testers decide whether to focus on external-facing targets like networks and firewalls or on the product itself.
If you’re pursuing SOC 2, having your pen testing report in hand in the last three months of an audit period is ideal. That way, if there are any serious findings, you can take action to address them before the audit is complete.
But how does a penetration test work for companies in their early stages still developing their products? What if your organization is going through a significant migration or big changes in their product? Well, it’s a bit of a grey area. Suppose you have an unlimited budget and concerns about security. In that case, it might make sense to do some security testing earlier. But, as Billens explains, if you’re like most organizations, simply wait till your migration or major changes are complete. Testing the new developments makes more sense. What’s meaningful is the findings on something live, not an old version, because that’s what clients or customers will see.
Selecting a Pen Testing Solution
Like selecting an auditor, shopping around and doing your due diligence in choosing a pentester is essential. Meet with multiple firms, solicit recommendations from your peers and even your auditor. And always ask for references. References are critical because they can speak to the quality of work, project management styles and reporting capabilities.
SOC 2 Type 1 and Type 2 Evidence Collection
Evidence collection for SOC 2 Type 1 and Type 2 is essentially the same. While SOC 2 Type 1 covers a point in time and SOC 2 Type 2 covers a period of time, the evidence provided is the same. So, for Type 1 you might need to provide the most recent Board of Directors meeting minutes. But for Type 2, you would need to show those minutes for every quarter in your observation period. There’s a greater volume of evidence collection for a Type 2, but it’s identical content to Type 1.
To learn more, watch the entire SOC 2 Bootcamp Recap Part 3: Evidence Collection, or schedule a walkthrough with Tugboat Logic!