Demystifying SOC 2 Type II Compliance Audit - What a Pentester Needs to Know

Drawing an early line in the sand: an audit and security are not the same thing. Even if a company meets the defined maturity of controls, that does not necessarily mean it is secure.

Compliance frameworks rely on a solid set of standards and regulations. On the other hand, security is the active practice of protecting and defending critical systems, intellectual property, and other sensitive data from cyber-attacks and making sure your company has the proper security controls in place.

Syn Cubes Team - January 18, 2022

Context

During the last year, we have executed a couple of jobs that targeted clients in the process of raising additional investment rounds or going through a potential acquisition process. Some surprises came from a few who passed a recent SOC 2 Type 2 audit.

Since this was the case, we decided to invest time in learning more about the SOC 2 Type 2 certification's penetration testing requirements and where the inflection point resides.

In general, a company that passes a SOC 2 attestation demonstrates an increased level of maturity in its business operations and systems, which generates more inbound business as part of a trusted-service image.

At this point, every business serious enough about its cybersecurity posture should be aware of the importance of SOC 2 compliance requirements.

What is the scope of Service Organization Compliance: SOC 1, SOC 2, SOC 3 audit reports?

The SOC 1, SOC 2, and SOC 3 reports are used to assess the results of an organization's data management and risk mitigation efforts.

What is the difference between SOC 2 Type I and SOC 2 Type II Audits?

SOC 2 Type 1 focuses on the design of controls, while SOC 2 Type 2 focuses on the operating effectiveness of those controls. There are three levels of SOC audit for service organizations:

  • A SOC 1 audit deals with an organization's ICFR (internal control over financial reporting).

  • A SOC 2 audit checks a service organization's security, availability, processing integrity, confidentiality, and privacy controls against the AICPA's TSCs (Trust Services Criteria). A SOC 2 report can be used for existing clients or prospective clients.

  • SOC 3 audit reports (these are always Type 2) are intended to be more to the point and to address a general audience. The bottom line is that they are meant to be shared with third parties.

SOC 1 and SOC 2 audits are divided into two types:

  • Type 1 (I) - an audit executed as of a specified date.

  • Type 2 (II) - an audit conducted over a specified period; six months is the default period targeted.



Note: rules differ by geography. For example, SOC 2 audits in the United Kingdom are conducted against the ISAE 3000 standard. If you want to explore this subject further, read the AICPA document Performing and Reporting on a SOC 2 Examination, which explains how to use the ISAEs.

What are SOC 2 Type 2 Trust Service Principles?

There are six key requirements for passing the audit:

  • Security: The system must have appropriate security measures in place to protect user data.

  • Availability: The system must be available for use when needed.

  • Processing integrity: User data must be processed accurately and securely.

  • Confidentiality: User data must be kept confidential.

  • Privacy: The system must comply with applicable privacy laws and regulations.

  • Regulatory acquiescence: The system must comply with relevant regulatory requirements.

How long is a SOC 2 Type 2 report valid for?

The report is valid for one year. Organizations' Information Security (IT) departments have to renew it every year.

What are the differences between ISO 27001, SOC 2 and HITRUST?

Organizations that have received a passing SOC 2 result from an accredited AICPA service auditor have demonstrated that they have implemented specific security controls and procedures to protect their data and systems. This includes ensuring the confidentiality, integrity, and availability of data, as well as protecting against unauthorized access or use. Achieving SOC 2 compliance demonstrates to customers and other stakeholders that an organization takes its cybersecurity posture seriously and is committed to safeguarding internal and customer data.

SOC 2 Type 2 vs. ISO 27001

These security certifications are similar, but not the same. A SOC 2 report provides proof of a company's controls, and the final report offers an attestation, not a certification. ISO 27001 is a certification program for companies. It also requires an Information Security Management System (ISMS), which is a framework focused on risk management. The ISMS details the measures you will take on an ongoing basis to mitigate risk and address security concerns.

ISO 27001 is the de facto certification for companies outside North America, and very popular in Europe. SOC 2 reports must be attested by a licensed CPA firm. ISO 27001 uses accredited independent registrars to certify companies.

SOC 2 Type 2 vs. HITRUST

These two security frameworks use different scoping factors. HITRUST's framework comprises 19 categories with 156 controls that map to the Health Insurance Portability and Accountability Act (HIPAA). HITRUST works across industries, but it focuses on handling electronic protected health information (ePHI).

HITRUST uses a maturity rating for each control requirement, while SOC 2 assesses the design and operating effectiveness of each control. As part of the assessment, HITRUST also identifies Corrective Action Plans (CAPs) to help achieve certification. If customers want both kinds of reviews, companies can choose to combine a SOC 2 + HITRUST report and the HITRUST certification into a single report after both examinations.

HITRUST certification is valid for two years, although the assessor will test a sample of at least one control from the 19 categories for continued certification in the second year. A SOC 2 report requires a full-scope examination annually.

Considerations

1. The right path

Becoming SOC compliant is a necessary step for a business in the long run. However, if you are pursuing it, you should do it right from the beginning, because it offers a competitive advantage.

Here are just a few of these advantages:

  • It earns you the trust of your customers. They know that you are a company that cares about the security of their data and will work to protect it, and that you, as a business, have a risk management framework in place.

  • You can use the audit results as a marketing tool to show potential customers your commitment to security.

  • It forces you to develop processes and procedures around data security, which are necessary for any business handling sensitive customer information.

2. The grey lines

Again, to be clear, an audit and security are NOT the same thing!

Even if a company does meet robust compliance requirements, that does not necessarily mean it is secure. Security is an ongoing action, preferably reactive, rather than an assumption or a fiction. Compliance relies on a solid set of standards and regulations that themselves work on a set of assumptions.

It looks like the inflection point is the permissive approach to whether a pentest is a mandatory part of a SOC 2 Type 2 compliance audit. As we understand it, it is up to the individual audit firms (AICPA-licensed CPA firms), as part of their client's journey to comply with the Trust Services Criteria, to determine whether they require a penetration test. The decision will be based on what the company policy is.

If you approach this question from the perspective of a random user searching online, you will find a short answer.

SOC 2 Type 2 Pen Test Requirements

To summarize, there are two points where the SOC 2 scope mentions something about the necessity of running an active security program:
  • CC4.1 - Management uses various types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.

  • CC7.1 - The company uses detection and monitoring procedures to identify (1) changes to configurations that result in introducing new vulnerabilities and (2) susceptibilities to newly discovered vulnerabilities.

The audited company might take one of three approaches when it comes to auditing its security practices:

  • The auditors do not ask about the latest penetration testing results. This is sufficient for compliance purposes, but it does not provide an accurate picture of the organization's current security posture and risk level.

  • The business has decided that a fixed-scope penetration test is sufficient, simply because the market thinks this outweighs vulnerability scans.

  • Firms that have a no-compromise policy regarding offensive testing engage proper outside offensive security experts.

Conclusion

For a company, the SOC 2 audit is a journey that should provide a substantial level of assurance about the controls and operational maturity to current and future clients.

What seemed challenging to justify as a cybersecurity investment will pay off in the long run. For a business focused on growing, building, displaying, and maintaining a strong cybersecurity posture is a must and an investment, not a feature. In the current market, where everything is interconnected, cutting corners is a risk not worth taking.

How can we help?

The security posture of your business is an essential part of ensuring its long-term viability. That's why at SYN CUBES we work with you to understand and test your current security level while also meeting the audit requirements for SOC 2 compliance. This way, we make sure to look at everything when it comes to protecting what matters most.

