SOC 2 Compliance: Do I need a pentest or vulnerability scanning?
If you’re a CTO, CISO, Director of IT, or hold a related title, you may also have to be a developer, a security engineer, a project manager, a lawyer, a risk manager, and a compliance expert.
Compliance (SOC 2 compliance especially) is one of the most common reasons people first come to Red Sentry for cybersecurity, but the framework can be confusing, and we get a lot of questions about what it actually requires.
In my opinion, cybersecurity assessments will be like seatbelts before long. Seatbelts were invented in the 1800s, but very few people wore them until the government started requiring them (fun fact: New Hampshire is currently the only state in the US that does not require seat belts). While cybersecurity is growing rampantly, vulnerability assessments and security audits are still underused in many industries. Many people know they should do more, but because of budget, manpower, or other reasons, it gets put on the back burner… UNLESS their stakeholders require it. Because of the interconnectedness of business today, I believe that the government will at some point impose minimum requirements for the majority of companies that touch the internet. Whether that minimum requirement is an annual pentest, quarterly vulnerability scans, or just more defensive measures like increased firewalls, who knows.
But for now, there are common frameworks that regulate specific spaces, and they have unique, sometimes confusing, requirements. As a disclaimer, I am not a compliance auditor by any means, but I have been involved with the topic on behalf of our clients for years.
So let’s take a look into SOC 2 specifically, as this is one of the most common frameworks companies abide by.
Who gets SOC 2 compliance?
The most common organizations that undergo SOC 2 audits are SaaS companies and those that store client info in the cloud. One of the main purposes of a SOC 2 report is to show stakeholders and clients that a company has appropriate internal controls over data security and privacy.
A SOC 2 Type I report covers the policies and procedures that were in place at a specific point in time, whereas a SOC 2 Type II report covers a period of at least 6 months. Most companies seeking SOC 2 compliance are striving for the SOC 2 Type II report.
What does SOC 2 require for cybersecurity?
A common misconception is that SOC 2 requires penetration testing. SOC 2 requires appropriate policies and procedures based on your specific environment and how data is stored there. Technically, the words “penetration test” do not appear in the requirements. However, penetration testing has become the standard practice for satisfying the audit, which is why many people think of SOC 2 as a pentesting compliance requirement.
Here are the specific SOC 2 controls that penetration testing and vulnerability management can help satisfy, with CC4.1 and CC7.1 being the main two:
CC4.1 - The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
CC4.2 - The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
CC7.1 - To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
CC7.2 - The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
The American Institute of Certified Public Accountants (AICPA) built SOC 2 around its Trust Services Criteria (TSC). These criteria are what the SOC 2 audit will actually look for. When it comes to cybersecurity, the AICPA names penetration testing as one of the options for satisfying the criteria. It also references vulnerability scans as a way of satisfying other criteria, even though it does not specifically mandate what is required.
Basically, the framework’s wording is flexible enough to allow for the uniqueness of each company, but the auditor will be looking to make sure these criteria are met, and penetration tests and vulnerability scans will play an important role in showing that.
So do you need a pentest and vulnerability scans?
Long story short, yes. While not specifically mandated, penetration tests (at least annually) and a continuous vulnerability management platform are the easiest and best ways to satisfy these criteria. Auditors will be looking for both as they analyze your company.
What types of tests do you need? That again depends on your environment. If you have a web application, you will most likely need a web application penetration test. If you have both internal and external assets, you will probably need pentests for both. If you store your data in AWS, you may need a cloud pentest.
Red Sentry’s SOC 2 Package
If you’ve been through a SOC 2 audit, you know it can be excruciating, long, and expensive. The last thing you need is to deal with months of pentesting and 5 different cybersecurity vendors on top of everything else. Red Sentry has created a unique offering to get you closer to your SOC 2 report.
Red Sentry’s SOC 2 Package includes a penetration test (for whichever environments need testing) as well as 12 months of our continuous monitoring platform for vulnerability management. This package will satisfy the cybersecurity requirements you need, at a fraction of the cost of others.
Contact us today to get your SOC 2 Cyber Security Package!