SOC 2 CC4: Common Criteria related to Monitoring Activities

What are SOC 2 Monitoring Activities (CC4)?

Common Criteria (CC) 4 of the SOC 2 Common Criteria covers the control monitoring activities that are recommended to be implemented. Do you have controls in place to perform proactive and reactive monitoring of your systems and controls? Are these proactive evaluations done in all your environments? These are questions you should be able to answer to be ready for CC4.

Monitoring Activities include procedures and documentation related to monitoring both internal and external control activities that are key to the operation of the organization.

What are the Requirements for SOC 2’s CC4?

At a high level, CC4 within the SOC 2 standard is all about the development of evaluations, and their management and execution.

Evaluation Types

To optimize control monitoring, you should not rely on one type of evaluation to help you detect issues. Instead, keep multiple types of evaluations in mind including both ongoing and point in time evaluations.

Ongoing Evaluations

With ongoing evaluations, control monitoring and active management take place on a continuous basis. Evaluations should be in place, antivirus scanning for example, that constantly monitor the environment and provide real-time feedback.

Ongoing evaluations can take many non-automated, non-system-driven shapes and forms as well. Examples of common ongoing evaluation types include user access reviews and system change reviews.

Point in Time Evaluations

The other type of control activity evaluation is the use of separate, point in time evaluations. Examples of these include things like vulnerability scans as well as penetration tests – they occur at a single point in time, at a frequency that can be adjusted based on risk and past findings.

With vulnerability scanning, you can enable a tool to do a vulnerability review of the system of your choosing. Are there any weaknesses in the application? Do you have any gaps that need addressing? Based on how frequently the system changes, a company may choose to run these scans often.

Penetration testing focuses on reviews that identify vulnerabilities which might give someone the ability to break into the network and gain access to systems. This could be due to an exposed port or a publicly reachable IP address, for example.

Who Should Complete the Evaluations?

Ideally, evaluations should be completed by personnel with extensive knowledge of the subject matter as well as of the evaluation method, so that they can handle the results. The risk is completing an evaluation only to have the issues found go to waste because no one knowledgeable in the subject matter is handling resolution.

Expectations and Adjusting to Change

What is your baseline for how often you want to do these evaluations, whether they are ongoing or separate? On top of that, how do you plan to integrate these evaluations into the processes you do on a daily basis? Putting these criteria in place and documenting them can help with your SOC 2 assessment and this common criteria area.

You also need to know when it is time to pivot, and document your plans to do so. Systems will change, and the scope and frequency of your evaluations will need to change as well. Plan this out and document your approach so that you always meet the expectations of the assessment.

Deficiency Handling Covered as Part of CC4.2

CC4.2 of SOC 2 focuses on what you do when exceptions are identified. The purpose of the evaluations is to find gaps and issues with your security. Therefore, you need to know what you will do when you identify exceptions.

Assessing the Results

Deficiency handling relates to assessment of the results of evaluations. It is one thing to do the evaluations, but you also need to react to their results. Your management team should have subject-matter experts in place to interpret the assessment results and react accordingly. It may be that your results are positive, and no action is necessary. It may also be that your results require remediation and present open, unmitigated risks. No matter the outcome, you want to communicate those results downstream to the rest of your organization.

Defining the Communication Plan

When the evaluations identify issues, which is inevitable, what is the communication plan for them? How do you intend to disseminate this information down to the rest of the organization? You need to identify issues with the evaluations, and then get the results in front of the right people so they can close the gaps. Once management alerts personnel to correct issues from the evaluations, what is the process to ensure they are brought to closure? You need to monitor the corrective action so that it is complete and thorough. When a risk remediation plan is put in place, a target completion date gets documented. Tracking to that date is key to the thoroughness of the closure process, and it ensures proper validation after remediation.
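The closure process described above (a documented target completion date, tracking of corrective action against it, and validation after remediation) can be made concrete with a small findings tracker. The following is an added example, not code from the original post or from any SOC 2 tooling; the finding IDs, owners, sources and dates are constructed sample data, and the status buckets are an assumed structure for the report.

```python
"""Added example (not part of the original post): a minimal tracker for
evaluation findings that checks each open item against its documented
target completion date and confirms validation after remediation.
All finding IDs, owners, sources and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    finding_id: str
    source: str                        # evaluation that raised it, e.g. "vuln-scan"
    owner: str                         # person responsible for corrective action
    identified: date                   # when the evaluation surfaced the issue
    target_completion: date            # date documented in the remediation plan
    remediated: Optional[date] = None  # when the owner reported the fix
    validated: Optional[date] = None   # when someone independently confirmed it


def is_overdue(f: Finding, today: date) -> bool:
    """Still open past its target date: corrective action has slipped."""
    return f.remediated is None and today > f.target_completion


def awaiting_validation(f: Finding) -> bool:
    """Fix reported but not yet verified, so it cannot count as closed."""
    return f.remediated is not None and f.validated is None


def validated_before_fix(f: Finding) -> bool:
    """Validation recorded before the fix verified nothing; it must be redone."""
    return (f.remediated is not None and f.validated is not None
            and f.validated < f.remediated)


def is_closed(f: Finding) -> bool:
    """Closed only when validation happened on or after the remediation."""
    return (f.remediated is not None and f.validated is not None
            and f.validated >= f.remediated)


def days_past_target(f: Finding, today: date) -> int:
    """Positive when the target completion date has already passed."""
    return (today - f.target_completion).days


def status_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Bucket every finding so management can see where closure has stalled."""
    report: Dict[str, List[str]] = {
        "closed": [], "awaiting_validation": [], "revalidate": [],
        "overdue": [], "on_track": []}
    for f in findings:
        if is_closed(f):
            report["closed"].append(f.finding_id)
        elif awaiting_validation(f):
            report["awaiting_validation"].append(f.finding_id)
        elif validated_before_fix(f):
            report["revalidate"].append(f.finding_id)
        elif is_overdue(f, today):
            report["overdue"].append(f.finding_id)
        else:
            report["on_track"].append(f.finding_id)
    return report


# Constructed sample findings from three evaluation types.
SAMPLE_FINDINGS = [
    Finding("F-001", "vuln-scan", "alice", date(2024, 1, 10), date(2024, 2, 10),
            remediated=date(2024, 2, 1), validated=date(2024, 2, 5)),
    Finding("F-002", "pen-test", "bob", date(2024, 1, 15), date(2024, 2, 15)),
    Finding("F-003", "access-review", "carol", date(2024, 2, 20), date(2024, 3, 20)),
    Finding("F-004", "vuln-scan", "alice", date(2024, 1, 20), date(2024, 2, 20),
            remediated=date(2024, 2, 18)),
]

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for bucket, ids in status_report(SAMPLE_FINDINGS, today).items():
        print(f"{bucket}: {ids}")
    for f in SAMPLE_FINDINGS:
        if is_overdue(f, today):
            print(f"{f.finding_id} ({f.owner}) is "
                  f"{days_past_target(f, today)} days past target")
```

The point of the separate `validated` date is that a finding is only closed once someone other than the fixer has confirmed the fix; a reported remediation with no validation, or a validation dated before the fix, stays visible in the report instead of silently disappearing.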

CC4 Summary

Quite frankly, this is one of the more difficult Criteria to write about, as there really aren’t any obvious and concrete things that you absolutely have to do in order to meet the requirements. That being said, we’ll sum it up as concisely as we can:

  • Management should do various things to know that the controls are operating as designed.
  • Get a third party to assist with monitoring controls, especially where you may not have the on-staff capabilities (e.g., penetration testing).
  • Have a process to correct issues that your monitoring identifies and track through to resolution.

If you do these things and document that you do them, you’ll do just fine.