SOC 2 CC7.1 requires that your organisation uses detection and monitoring procedures to recognise:
(1) changes to configurations that result in the introduction of new vulnerabilities and
(2) susceptibilities to newly-discovered vulnerabilities.
CC7.1 highlights the following points of focus:
Uses Defined Configuration Standards
The management team should define and use configuration standards.
Monitors Infrastructure and Software
The organisation should monitor infrastructure and software for nonconformity with the standards, which could jeopardise the success of your organisation’s objectives.
Applies Change-Detection Mechanisms
The IT system should include a change detection mechanism, for example, file integrity monitoring tools, to alert personnel to unauthorised changes to vital system files, configuration files, or content files.
Detects Unknown or Unauthorised Components
The organisation should put procedures in place to identify the introduction of unknown or unauthorised elements.
Conducts Susceptibility Scans
Your organisation should periodically conduct vulnerability scans designed to identify potential vulnerabilities or misconfigurations. These scans should also be conducted after any substantial change in the environment. The organisation should take action to resolve identified deficiencies in a timely manner.
SOC 2 CC7.2 requires that your organisation monitors system components and the operation of those components for anomalies that are symptomatic of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives. In addition, anomalies are analysed to determine whether they characterise security events.
CC7.2 highlights the following points of focus:
Implements Detection Policies, Procedures, and Tools
Your organisation should define and implement detection policies and procedures. Detection tools should be implemented on infrastructure and software to recognise anomalies in the function or unusual activity on systems.
Procedures may include: (1) a defined governance process for security event recognition and management that includes supply of resources; (2) use of intelligence sources to recognise newly discovered threats and vulnerabilities; and (3) recording of unusual system events.
Establishes Detection Measures
Detection measures should be established in order to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorised activities of authorised employees; (3) use of compromised identification and authentication credentials; (4) unauthorised access from outside your organisation’s system limits; (5) compromise of authorised external parties; and (6) execution or connection of unauthorised hardware and software.
Applies Filters to Analyse Anomalies
Management should implement procedures to filter, summarise and analyse irregularities to detect security events.
Monitors Detection Tools for Effective Operation
Management should implement processes to examine the effectiveness of detection tools.
SOC 2 CC7.3 requires that your organisation evaluates security events to determine whether they could or have resulted in a failure of the organisation to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
CC7.3 highlights the following points of focus:
Responds to Security Incidents
Policies and procedures should be put in place for responding to security incidents, and their effectiveness should be evaluated periodically.
Communicates and Reviews Detected Security Events
Detected security events should be communicated to and reviewed by the individuals responsible for the management of the security programme and actions should be taken if necessary.
Develops and Implements Procedures to Evaluate Security Incidents
Procedures should be put in place to evaluate security incidents and determine system impact.
Assesses the Impact on Personal Information
Detected security events should be evaluated to establish whether they could or did result in the unauthorised disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.
Determines Personal Information Used or Disclosed
When an unauthorised use or disclosure of personal information has occurred, the impacted information should be identified.
SOC 2 CC7.4 requires that your organisation responds to identified security incidents by implementing a defined incident-response programme to understand, contain, remediate, and communicate security incidents, as appropriate.
CC7.4 highlights the following points of focus:
Assigns Roles and Responsibilities
Roles and responsibilities for the design, implementation, maintenance, and execution of the incident-response programme should be assigned, including the use of external resources when necessary.
Limits Security Incidents
Procedures should be implemented to contain security incidents that actively jeopardise your organisation’s objectives.
Alleviates Ongoing Security Incidents
Procedures should be implemented to limit the effects of ongoing security incidents.
Ends Threats Caused by Security Incidents
Procedures should be implemented to end the threats posed by security incidents. This could be through closure of the vulnerability, elimination of unauthorised access, and other remedial actions.
Procedures should be implemented to restore data and business operations to an interim state that allows the achievement of your organisation’s objectives.
Creates and Applies Communication Conventions for Security Incidents
Protocols for conveying security incidents and actions taken to affected parties should be created and applied to meet your organisation’s objectives.
Achieves Understanding of Nature of Incident and Establishes Containment Strategy
An understanding of the type or nature and severity of the incident, for example, the method by which the incident occurred and the affected system resources, should be obtained to establish the appropriate containment strategy. This includes: (1) establishing the appropriate response time frame, and (2) establishing and executing the containment method.
Resolves Identified Vulnerabilities
Identified vulnerabilities should be resolved through the development and implementation of remediation activities.
Communicates Remediation Activities
Remediation activities should be documented and conveyed in accordance with the incident-response programme.
Assesses the Effectiveness of Incident Response
The design of incident-response activities should be periodically appraised for effectiveness.
Periodically Evaluates Incidents
On a periodic basis, your organisation’s management should review incidents related to security, availability, processing integrity, confidentiality, and privacy, and identify the need for system changes based on incident patterns and root causes.
Communicates Unauthorised Use and Disclosure
Events that resulted in unauthorised use or disclosure of personal information should be communicated to the data subjects, legal and regulatory authorities, and others as necessary.
Application of Sanctions
The conduct of personnel and organisations operating under the authority of your organisation and involved in the unauthorised use or disclosure of personal information should be evaluated and, if appropriate, sanctioned in accordance with your organisation’s policies as well as any legal and regulatory requirements.
SOC 2 CC7.5 requires that your organisation recognises, creates, and executes activities to recover from known security incidents.
CC7.5 highlights the following points of focus:
Restores the Affected Environment
The activities should restore the impacted environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed.
Conveys Information About the Event
Communications about the nature of the incident, recovery actions taken, and actions required for the prevention of future security events should be made to the organisation’s management and others as necessary, both internally and externally.
Determines Root Cause of the Event
The root cause of the event should be determined.
Applies Changes to Prevent and Detect Recurrences
Additional architecture or modifications to preventative and detective controls, or both, should be put in place to prevent and detect recurrences on a timely basis.
Improves Response and Recovery Procedures
Lessons learned should be analysed and the incident-response plan and recovery procedures should be improved.
Implements Incident-Recovery Plan Testing
Incident-recovery plan testing should be performed periodically. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of applicable system components from across the organisation that can impair availability; (3) scenarios that consider the possibility of the lack of availability of key employees; and (4) revision of continuity strategies and systems based on test results.