I run into many organizations who are evaluating if they should get a SOC 2. Typically, these are founders or executives of technology companies. Either they are cloud native or moving their on-premise solution stack into the cloud. Their customers are pushing them to improve their security posture and often specifically ask about SOC 2.

Many want to know if they should get a SOC 2. Whatever they decide, this blog post addresses four key SOC 2 technical controls that help organizations improve their security AND comply with SOC 2.

SOC 2 is a certification in which an auditor attests that an organization is following a prescribed set of controls surrounding cybersecurity.

File Integrity Monitoring – SOC 2 Technical Control

File integrity monitoring is the process of making sure files have not been tampered with, by inspecting them for integrity on a regular basis. It seems so obvious to check the integrity of the files in a system. Of course, this is one of the technical controls that companies most often overlook. That is, until they start to prepare for an audit!

Many companies leverage the file integrity monitoring function of existing tools, for instance the file integrity tools that Azure provides. A company’s whole infrastructure is often not in Azure, so organizations may have to rely on other tools as well.
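As an added illustration (not code from the original post or from any vendor’s tooling), here is the core of what a file integrity monitor does: take a baseline of content digests and permission bits, re-scan on a schedule, and report what was added, removed or changed. The directory tree and the tampering in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root as relative path -> (digest, mode bits).
    Symlinks are skipped so a link pointed elsewhere cannot stand in for the real file."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snapshot[p.relative_to(root).as_posix()] = (hash_file(p), p.stat().st_mode & 0o7777)
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three findings a FIM alert should carry."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        (root / "run.sh").write_text("#!/bin/sh\nexec ./server\n")
        baseline = build_baseline(root)
        # Simulated changes between two scheduled scans (constructed, POSIX assumed)
        (root / "etc" / "app.conf").write_text("debug=true\n")   # content changed
        (root / "run.sh").chmod(0o777)                            # now world-writable, same content
        (root / "etc" / "hosts.allow").unlink()                   # file deleted
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected").write_text("# not in baseline\n")  # new file
        return compare(baseline, build_baseline(root))
```

Note that `run.sh` is flagged although its digest is unchanged: comparing permission bits alongside content is what catches a file that was made world-writable rather than rewritten.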

Vulnerability Assessments

Many companies do something to assess the vulnerabilities in their organization. A best practice, however, is to constantly assess the state of vulnerabilities in your infrastructure. This includes laptops, servers, network equipment, applications and all of those devices that get attached to your network.

Making vulnerability assessments a regular part of your information security program will not only reduce your organization’s cybersecurity risk, but also allow you to comply with SOC 2.

Incident Response – SOC 2 Technical Control

Then there are incident response controls. This is your data breach response plan, your recovery plan, the way that the company is going to handle unanticipated threats and problems. Maybe a company has an incident response plan, but it’s just not very detailed.

It’s important for these plans to be staged, and to take into account the complexities of real, thorough incident response. The trick is to think through some of the more likely incidents and have a step-by-step plan to follow in the event of such an occurrence. That means staging incident response with preparation, damage control and analysis, containment, eradication and recovery, along with post-incident research and upgrades.

It can also include informing relevant regulators or outside parties and detailing other key areas of response. It is important to include who you are going to bring in to help with the technical breach response, remediation and analysis of what happened. Without that technical expertise lined up before a breach, companies can be left in a bad state during and after it. Companies need to line up the technical experts before an incident happens!

System Logging and Monitoring

Our last SOC 2 Technical Control is system logging and monitoring. Organizations need to log all key events. Of course, logging doesn’t help if you don’t monitor what goes into the logs! Organizations need to continuously monitor their infrastructure and applications for anomalies, so that they can head off potentially damaging issues.

SOC 2 Technical Control Summary

Now you know some of the key SOC 2 technical controls for getting a handle on your cybersecurity program and for SOC 2 compliance. Organizations like Cynet can help with these controls and more. They asked me to do a SOC 2 webinar with them which is scheduled for June 27 at 1 PM ET. Attend and learn more about SOC 2 technical controls!

About the Author

Rob Black, CISSP
Fractional CISO Managing Principal

Rob Black, CISSP, is the Founder and Managing Principal of Fractional CISO. He helps organizations reduce their cybersecurity risk as a Virtual CISO. Rob is an expert on assisting organizations with their SOC 2 certification. Rob is the inventor of three security patents. He consults, speaks, and writes on IoT and security.