SOC 2 Readiness Assessment Case Study
Shutlingsloe Ltd develops and provides e-assessment applications. These applications are hosted within a Microsoft Azure cloud environment.
Shutlingsloe contacted Romano Security Consulting in October 2021 as Shutlingsloe had been asked by one of their US clients to undergo a SOC 2 Type 1 audit in line with the AICPA Trust Services Criteria.
A SOC 2 audit against the AICPA Trust Services Criteria examines and reports on the controls at a service organisation that are relevant to security, availability, processing integrity, confidentiality and privacy.
Romano Security Consulting held an initial scoping call with Shutlingsloe’s Information Security Manager to establish the SOC 2 audit requirements. Following the scoping call it was decided that the Romano Security Consulting SOC 2 Readiness Assessment audit would be the service that would best fit the needs of Shutlingsloe and help them prepare for a SOC 2 audit.
The Romano Security Consulting SOC 2 Readiness Assessment examines the organisation's current level of compliance with the AICPA TSC requirements, examines the risks to the organisation, and provides a detailed report and roadmap covering the current level of compliance and the areas that need to be addressed before a SOC 2 audit takes place.
The contract agreement was signed off and the SOC 2 Readiness Assessment was conducted at Shutlingsloe’s head office in Manchester in October 2021.
The SOC 2 Readiness Assessment began with a detailed overview of the organisation, its systems and services, IT infrastructure and internal functions. Interviews were conducted with the IT Security Manager, Quality Manager, HR Manager, IT Manager, Development Manager and Operations Director.
The following areas were reviewed during the readiness assessment:
Audit scope, establishing the boundaries of the audit and the internal and external interfaces and responsibilities
The documented service or system description, which describes the services, systems and products provided and includes information on the infrastructure, software, people, processes and data that support them
The applicability and scope of the five TSCs (security, availability, processing integrity, confidentiality and privacy) in relation to the risks to the organisation
Risk management and risk assessment
Control selection, design and implementation
Control monitoring and measurement
Following a discussion with the Senior Management Team and the Information Security Manager, it was decided that three of the five TSCs would be included in the scope of the SOC 2 audit, and that the controls selected under them would adequately mitigate the risks to the organisation.
The three TSCs selected were security, availability and confidentiality.
The privacy TSC was not selected because personally identifiable information was not processed by the system, and the processing integrity TSC was not selected because the system did not process client information but reported on the information clients entered into it.
Following the selection of the applicable TSCs, the readiness assessment examined Shutlingsloe’s compliance with the criteria of those three TSCs.
These included the following criteria:
Control Environment, Communication and Information, Risk Assessment, Monitoring Activities, Control Activities, Logical and Physical Access Controls, System Operations, Change Management, Risk Mitigation, Additional Criteria for Availability and the Additional Criteria for Confidentiality.
Findings and recommendations were made during the Readiness Assessment as and when they were identified and discussed with the interviewees and the Senior Management Team.
The SOC 2 Readiness Assessment Report concluded that Shutlingsloe did not meet the requirements of the AICPA TSCs at the time of the assessment and therefore would not pass a SOC 2 Type 1 audit.
The following is the high-level roadmap recommended to Shutlingsloe for achieving compliance with the SOC 2 TSC requirements.
Define the scope and boundaries of the audit
Compile the service/system description and obtain management attestation of the accuracy of the service/system description
Compile a complete asset register covering hardware, software, people, processes, intangibles and data
Document the information security risk management framework and risk acceptance criteria
Carry out and document a formal risk assessment, review current threats and vulnerabilities, and select any previously excluded TSC point-of-focus controls based on the results of that risk assessment
Design and document controls (including definition of metrics, measures of effectiveness, records supporting operation, etc.)
Produce a risk treatment plan and implement additional TSC controls/enhance existing controls
Produce the required policy and procedural documentation
Define control effectiveness measurements and metrics and gather evidence of control effectiveness (records)
Monitor, measure and evaluate control effectiveness
Review metrics, reports, etc. to ensure controls remain effective
Reassess risks on a regular and planned basis, taking the effectiveness of controls into consideration, and where necessary design and implement additional controls or enhance existing ones
Control monitoring and measurement should be an ongoing cyclical process.
Following the readiness assessment, a detailed Readiness Assessment report was produced, and a follow-up visit was carried out to present the findings to Shutlingsloe’s Senior Management Team.
Following on from the readiness assessment, Romano Security Consulting assisted Shutlingsloe with their remediation work. The first phase of this remediation work was to optimise the security controls within the Microsoft Azure hosting environment.
Microsoft makes a SOC 2 Type 2 report covering the Azure control environment available to its customers, which simplified matters considerably when Microsoft was included as a subservice organisation in the Shutlingsloe SOC 2 audit scope.
Azure provides a secure architecture, and we were able to use the services it offers to help meet the SOC 2 requirements.
We followed Microsoft’s security guidelines. Microsoft adheres to strict security requirements, and choosing Azure services that themselves satisfy SOC 2 is crucial. For security and compliance, Azure Active Directory, Azure Key Vault and Azure Monitor were used.
We set up access controls: access to sensitive data is restricted to those who require it, with a mechanism in place for granting, revoking and monitoring access. This was enforced using Azure role-based access control (RBAC) and Azure AD.
We encrypted sensitive customer data: to prevent unauthorised access, we encrypted all sensitive data at rest and in transit. Azure Key Vault was used to manage the encryption keys used to encrypt data in Azure services.
We set up continuous monitoring of the Azure infrastructure for security events and responded accordingly. Azure Monitor was used to configure alerts and notifications and to collect security-related telemetry.
We conducted frequent security audits to identify vulnerabilities in the Azure environment; regular security assessments and penetration tests were undertaken.
Azure offers several tools that supported the compliance work:
Azure Active Directory (AAD): a cloud-based identity and access management service. Organisations use it to manage their users’ access to cloud resources, enforce MFA and detect possible security breaches in user activity.
Azure Security Centre: This is a unified security management platform, which delivers live security threat detection and best-practice suggestions. It works in tandem with other Azure services to create a holistic security solution. The tool provides assistance to enterprises in preparing for a SOC 2 assessment by ensuring that security best practices are followed.
Azure Monitor: log collection and analysis is an integral part of SOC 2 audit preparation. Organisations can use Azure Monitor to gather and analyse logs and gain insight into the health and performance of Azure resources. It was used to monitor resource activity, gather logs and identify security events.
Azure Policy: when using Azure services, this tool aids in the enforcement of compliance rules such as SOC 2. It detects misconfigured and non-compliant resources and enforces best practices such as the encryption of sensitive data.
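The encryption controls described above (HTTPS-only, TLS minimum, Key Vault-managed keys) are the kind of thing Azure Policy evaluates per resource; the script below, an added example that is not Shutlingsloe’s or Romano Security Consulting’s code, applies the same checks to a constructed inventory of storage-account records and produces the per-resource compliance evidence and remediation list a readiness review collects. The account names and property values are constructed; the property names follow the ARM storage-account properties that Azure Policy aliases refer to, and the mapping of each check to a control area is illustrative.

```python
"""Evaluate constructed Azure storage-account records against encryption
controls and report compliance per account (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample inventory; hypothetical account names.
RESOURCES: List[dict] = [
    {"name": "stassessprod",  # hypothetical, correctly configured account
     "properties": {"supportsHttpsTrafficOnly": True,
                    "minimumTlsVersion": "TLS1_2",
                    "encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "stlegacyexport",  # hypothetical legacy account
     "properties": {"supportsHttpsTrafficOnly": False,
                    "minimumTlsVersion": "TLS1_0",
                    "encryption": {"keySource": "Microsoft.Storage"}}},
]

@dataclass(frozen=True)
class Rule:
    name: str
    control: str                  # control area the check evidences (illustrative)
    check: Callable[[dict], bool]  # receives the account's "properties" dict

RULES: List[Rule] = [
    Rule("https-only", "encryption in transit",
         lambda p: p.get("supportsHttpsTrafficOnly") is True),
    # Version strings sort correctly ("TLS1_0" < "TLS1_2"); a missing value
    # is treated as non-compliant rather than assumed safe.
    Rule("tls-1.2-minimum", "encryption in transit",
         lambda p: p.get("minimumTlsVersion", "") >= "TLS1_2"),
    Rule("customer-managed-key", "encryption at rest (Key Vault)",
         lambda p: p.get("encryption", {}).get("keySource") == "Microsoft.Keyvault"),
]

def evaluate(resources: List[dict], rules: List[Rule] = RULES) -> Dict[str, Dict[str, str]]:
    """Return {account: {rule: 'Compliant' | 'NonCompliant'}} for every account."""
    return {r["name"]: {rule.name: "Compliant" if rule.check(r.get("properties", {}))
                        else "NonCompliant" for rule in rules}
            for r in resources}

def remediation_list(resources: List[dict], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (account, rule, control) for each failed check, as input to a risk treatment plan."""
    return [(name, rule.name, rule.control)
            for name, results in evaluate(resources, rules).items()
            for rule in rules if results[rule.name] == "NonCompliant"]

if __name__ == "__main__":
    for account, results in evaluate(RESOURCES).items():
        print(account, results)
    for item in remediation_list(RESOURCES):
        print("remediate:", *item)
```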
Microsoft Azure also has several features for optimising the SOC 2 audit process:
Azure Automation: an important tool for optimising the SOC 2 audit process. It allows organisations to automate repetitive processes; automating operations such as monitoring, reporting and compliance checks saves time and minimises the effort needed for routine tasks.
Azure Log Analytics: used to collect, consolidate, analyse and display log data from numerous sources. It can be used to identify possible security events and improve overall security posture, and it helps organisations maintain SOC 2 compliance by providing the information needed to demonstrate it.
Azure DevOps: used to automate processes and manage environment changes. In a SOC 2 context it streamlines the process by automating operations such as documentation and change management, and it acts as a single place for tracking and managing changes.
Microsoft Azure also has several features for maintaining SOC 2 compliance.
Azure Information Protection (AIP): a solution for classifying, labelling and securing sensitive data. It can be used to ensure that sensitive data is appropriately safeguarded, supporting SOC 2 compliance by satisfying the required procedures for sensitive data protection.
Azure Compliance Manager: as the name suggests, a solution for tracking and evaluating compliance with various regulations and standards. It can be used to track and analyse SOC 2 compliance, giving organisations the information they need to demonstrate it.
Azure Key Vault: Azure’s service for securely storing and managing secrets such as passwords, tokens and encryption keys. The service is itself SOC 2 compliant, so organisations use it to secure their sensitive information and thereby maintain their own compliance with SOC 2.
Using Microsoft Azure solutions for SOC 2 compliance significantly assisted us in the SOC 2 compliance process and should help ensure that data is safeguarded in accordance with current security requirements.
The second phase of this remediation work was to produce the required information security management system documentation with the help and input of Shutlingsloe’s SMEs. This included producing the following documentation:
Acceptable Use Policy
Information Security Policy
Data Management Policy
Incident Management Policy
Physical Security Policy
Access Control Policy
Business Continuity and Disaster Recovery Plans
Romano Security Consulting were very pleased to announce that Shutlingsloe Ltd achieved their SOC 2 Type 1 audit report and are now working towards a SOC 2 Type 2 audit report, which provides their clients with an added level of assurance because the CPA auditor examines and tests the effectiveness of the controls in place. Romano Security Consulting are providing ongoing assistance to Shutlingsloe Ltd in their pursuit of the SOC 2 Type 2 audit report.