SOC2 Type 2 Compliant - The Good, The Bad, The Ugly

Drawing an early line in the sand, an audit and security are NOT the same things. Even if a company does meet strong compliance does not necessarily mean it is secure.

Compliance relies on a solid set of standards and regulations that work on a set of assumptions. On the other side, security is an active practice of defending and protecting critical systems, intellectual property, and additional sensitive information from cyber-attacks.

Security Hubs Team - January 18, 2022
  • Compliance
  • SOC2 Type 2
JSOC2 Type 2 - The Good, The Bad, The Ugly
CONTEXT

During the last year, we have executed a couple of jobs that targeted clients in the process of raising additional investment rounds or going through a potential acquisition process. Some surprises came from a few who passed a recent SOC2 Type 2 audit.

Because of this, we have decided to invest time and learn more about the SOC2 Type 2 certification penetration testing requirements and where the inflection point resides.

In general, a company passing a SOC2 Type 2 audit provides an increased level of business operation systems maturity, generating more inbound business. Probably the best way to describe it is by making SOC2 Type 2 similar to a Chef's Michelin Star, an ultimate hallmark of culinary excellence.

At this point, every business serious enough about its cybersecurity posture should be aware of this.

We won't go too deep in the subject as many companies in the space can provide expert advice. Also, if you need advice on finding a good one we are partners with, probably the best in this space, let us know, and we can share some less-known hints with you. 😉

TACTICAL ASSESSMENT

The good

The SOC2 Type 2 is a must to have for sure in the long run. If you are pursuing it, do it, and do it right. It offers a competitive advantage, and to name a few:

  • - Brand reputation
  • - Marketing differentiator
  • - Assured security
  • - An easier path towards ISO 27001 certification
  • - Preference of SOC2 Certified Vendors Club


The bad

To be clear, we would like to draw an early line saying that an audit and security are NOT the same things!

Even if a company does meet robust compliance does not necessarily mean it is secure. Security is more an ongoing action, preferably reactive, than assumptions or fiction. Compliance relies on a solid set of standards and regulations that work on a set of assumptions.

In today's business operational context, the inflection point seems to be related to the over the permissive approach that defines the mandatory level of having/executing a pentest as part of a SOC2 Type 2 compliance audit. From what we understood, it is up to the individual audit firms (ACCPA companies) to decide whatever a pentest report is required or not as part of the client journey to comply with the Trust and Services Criteria requirements.

Actually, if you take the approach of a random user searching on the Internet, you will get this short answer.

SOC2 Type 2 Pentest Requirements - The Bad

So, to summarize, there are two points where the SOC2 Type 2 audit scope mentions something about the necessity of running an active security program:

- CC4.1 – Management uses various types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.

- CC7.1 – The company uses detection and monitoring procedures to identify (1) changes to configurations that result in introducing new vulnerabilities and (2) susceptibilities to newly discovered vulnerabilities.

Asking left and right, we learned about three approaches the audited company might take here:

  • 1. The auditing company does not ask about the last pentest results, and a simple Nessus output is enough. Box checked.
  • 2. The company decides to execute a "fixed" pentest just to fulfill the compliance needs. In the market's eyes, a pentest report weighs more than a vulnerability scan, isn't that right? Box checked.
  • 3. The company takes its security posture seriously, and it does not make any compromises, engaging proper offensive security testing expertise.


The ugly

SOC2 Type 2 - The Ugly

Imagine this, your website displays the SOC2 Type 2 audited logo.

Then, on a rainy Monday, 7.04 AM, you get a cell call when watching the coffee brewing and pouring that fresh smell making your thoughts dance.

From all the words you get, only this, "...someone seems accessed our clients PII details from...we believe it happened through an OAuth2 implementation misconfiguration in the login form..."

How will this play for your company image?

If you have never been compromised before, the world can switch upside down faster than the 1967 Ford Mustang GT500 'Eleanor' from "Gone in 60 seconds" movie.

SOC2 Type 2 - The Ugly - Hackers will Hack

QUICK INTRO

Q. What is SOC?
A. The SOC acronym stands from Service Organization Control.

Q. Is there any difference between SOC2 and ISO27001
A. It seems so, but not that much. ISO27001 is well known in the EU, while SOC2 addresses the US market.

Q. How many levels of SOC2 are there?
A. SOC2 has two levels, Type I and Type II. And to get SOC2 Type 2, you have to go through SOC2 Type I first.

Q. Is there any scope defined for the SOC 2 audit?
A. Yes, it is. There are a couple of so-called "principles" that will be in scope as:

  • - Security - protects the system against unauthorized access, be it physical or logical.
  • - Availability - makes the system available for use as agreed upon in contracts with the clients.
  • - Processing Integrity - ensures the complete and timely processing of information.
  • - Confidentiality - protects any information deemed confidential with appropriate controls.
  • - Privacy - handles any personal information per audited organization's current privacy policy.


However, in practice, expert matter auditors are using those "principles" as guidance to determine and define the company's overall audit scope, based on its current business model and a couple of other things. And, sometimes, not all of those will be taken under consideration when the auditor is doing the audit.

TO SUM UP

For a company, the SOC2 Type 2 audit is a journey that should provide a substantial level of trust and operational maturity to current and future clients.

What seemed challenging to justify as a cyber dollar investment will pay off in the long run. As a business focused on growing, displaying and maintaining a strong cybersecurity posture is a must and an investment, not a feature. In the current market operational context, where everything is interconnected, cutting corners is a risk that is not worth taking.

And this is why, at Security Hubs, we are one of the best at helping businesses of all sizes understand and test their current security posture while also meeting audit requirements for SOC2 at the same time. We take a holistic approach by combining offensive penetration testing tactics, cultural analytic skills with behavioral science, and adversary tradecraft knowledge.

Ready or just curious?

Drop us a line and we will get back to you shortly.