SOC 2 Compliance
Blumira’s security platform helps organizations easily meet multiple SOC 2 compliance requirements, including capturing data sources, processing data into information, detecting malicious software, monitoring for vulnerabilities, enabling threat and incident response, mitigating fraud risk and more.
SOC 2 Compliance
Service and Organization Controls (SOC 2) is a security framework developed by the American Institute of CPAs (AICPA). It mandates how organizations should manage customer data.
SOC 2 compliance covers five trust services criteria -- security, availability, processing integrity, confidentiality, and privacy. Certified public accounts are external auditors who can evaluate and verify compliance, providing reports demonstrating an organization's ability to protect its clients' data.
These reports provide detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems, according to AICPA.
Read The Case StudyHow Blumira Helps With
-
Information and Communication
Requirement CC2.1: COSO Principle 13
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
- Captures Internal and External Sources of Data--Information systems capture internal and external sources of data.
- Processes Relevant Data into Information--Information systems process and transform relevant data into information. (Source)
-
Logical and Physical Access
Requirement CC6.8:
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
- Uses a Defined Change Control Process—A management-defined change control process is used for the implementation of software.
- Uses Antivirus and Anti-Malware Software—Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware.
- Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software—Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.
Requirement CC2.1: COSO Principle 13
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
- Captures Internal and External Sources of Data--Information systems capture internal and external sources of data.
- Processes Relevant Data into Information--Information systems process and transform relevant data into information. (Source)
Requirement CC6.8:
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
- Uses a Defined Change Control Process—A management-defined change control process is used for the implementation of software.
- Uses Antivirus and Anti-Malware Software—Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware.
- Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software—Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.
CC7 System Operations
-
Requirement CC7.1:
Requirement CC7.1:
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
- Monitors Infrastructure and Software—The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity’s objectives.
- Implements Change-Detection Mechanisms—The IT system includes a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
- Detects Unknown or Unauthorized Components—Procedures are in place to detect the introduction of unknown or unauthorized components.
- Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.
How Blumira Helps: Blumira automates the monitoring of an organization's environment 24/7, identifying any configuration changes or unknown processes running, or other anomalies that should be investigated to determine if they’re a real threat. Blumira alerts organizations on a timely basis and provides instructions and 24/7 security support to help with guided remediation.
-
Requirement CC7.2:
Requirement CC7.2:
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
- Implements Detection Policies, Procedures, and Tools—Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.
- Designs Detection Measures—Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.
- Implements Filters to Analyze Anomalies—Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.
How Blumira Helps: Blumira automates the monitoring of an organization’s environment to help identify anomalies indicative of malicious acts and operational errors, analyzing them with detection rules designed to determine if they are a security event. Blumira has rules that identify potential use of compromised credentials, unauthorized access, connection of unauthorized software and more.
-
Requirement CC7.3:
Requirement CC7.3:
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
- Communicates and Reviews Detected Security Events—Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
- Develops and Implements Procedures to Analyze Security Incidents—Procedures are in place to analyze security incidents and determine system impact.
- Assesses the Impact on Personal Information—Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.
- Determines Personal Information Used or Disclosed—When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.
How Blumira Helps: Blumira automates the monitoring of an organization’s environment to detect anomalies and analyze them with detection rules designed to determine if they are a security event. With Blumira Agent, the platform takes automated action to isolate (contain) affected devices and cut off network access to help prevent further attacker damage. Blumira sends alerts to organizations to notify their teams of prioritized and critical security events, with instructions on how to take action and respond.
-
Requirement CC7.4:
Requirement CC7.4:
The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.
- Mitigates Ongoing Security Incidents—Procedures are in place to mitigate the effects of ongoing security incidents.
- Ends Threats Posed by Security Incidents—Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.
- Obtains Understanding of Nature of Incident and Determines Containment Strategy—An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach.
- Remediates Identified Vulnerabilities—Identified vulnerabilities are remediated through the development and execution of remediation activities.
-
Requirement CC7.5:
Requirement CC7.5:
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.
- Determines Root Cause of the Event—The root cause of the event is determined.
- Implements Changes to Prevent and Detect Recurrences—Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis.
How Blumira Helps: Blumira supports security incident response programs by providing context and an analysis description of the event, along with automated containment options and playbooks for how to respond. Blumira also keeps a tamper-proof record of logs, providing a year of data retention, ideal for supporting incident investigation and meeting compliance/cyber insurance requirements. Blumira Investigate allows for easy and fast search of all logs to find data and help determine the scope of an incident, and assist with determining the root cause of the event.
Requirement CC7.1:
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
- Monitors Infrastructure and Software—The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity’s objectives.
- Implements Change-Detection Mechanisms—The IT system includes a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
- Detects Unknown or Unauthorized Components—Procedures are in place to detect the introduction of unknown or unauthorized components.
- Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.
How Blumira Helps: Blumira automates the monitoring of an organization's environment 24/7, identifying any configuration changes or unknown processes running, or other anomalies that should be investigated to determine if they’re a real threat. Blumira alerts organizations on a timely basis and provides instructions and 24/7 security support to help with guided remediation.
Requirement CC7.2:
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
- Implements Detection Policies, Procedures, and Tools—Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.
- Designs Detection Measures—Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.
- Implements Filters to Analyze Anomalies—Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.
How Blumira Helps: Blumira automates the monitoring of an organization’s environment to help identify anomalies indicative of malicious acts and operational errors, analyzing them with detection rules designed to determine if they are a security event. Blumira has rules that identify potential use of compromised credentials, unauthorized access, connection of unauthorized software and more.
Requirement CC7.3:
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
- Communicates and Reviews Detected Security Events—Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
- Develops and Implements Procedures to Analyze Security Incidents—Procedures are in place to analyze security incidents and determine system impact.
- Assesses the Impact on Personal Information—Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.
- Determines Personal Information Used or Disclosed—When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.
How Blumira Helps: Blumira automates the monitoring of an organization’s environment to detect anomalies and analyze them with detection rules designed to determine if they are a security event. With Blumira Agent, the platform takes automated action to isolate (contain) affected devices and cut off network access to help prevent further attacker damage. Blumira sends alerts to organizations to notify their teams of prioritized and critical security events, with instructions on how to take action and respond.
Requirement CC7.4:
The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.
- Mitigates Ongoing Security Incidents—Procedures are in place to mitigate the effects of ongoing security incidents.
- Ends Threats Posed by Security Incidents—Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.
- Obtains Understanding of Nature of Incident and Determines Containment Strategy—An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach.
- Remediates Identified Vulnerabilities—Identified vulnerabilities are remediated through the development and execution of remediation activities.
Requirement CC7.5:
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.
- Determines Root Cause of the Event—The root cause of the event is determined.
- Implements Changes to Prevent and Detect Recurrences—Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis.
How Blumira Helps: Blumira supports security incident response programs by providing context and an analysis description of the event, along with automated containment options and playbooks for how to respond. Blumira also keeps a tamper-proof record of logs, providing a year of data retention, ideal for supporting incident investigation and meeting compliance/cyber insurance requirements. Blumira Investigate allows for easy and fast search of all logs to find data and help determine the scope of an incident, and assist with determining the root cause of the event.
-
Risk Assessment
Requirement CC3.3: COSO Principle 8
The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- Consider Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
- Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
- Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.
How Blumira Helps: Blumira helps support this control by identifying threats and vulnerabilities that may indicate fraud risk across an organization’s IT environment, including fraud attempts through email attacks, phishing, and otherwise. Blumira also analyzes access to information to detect suspicious behavior and possible attacks in progress to help organizations prevent fraud and stolen data and/or money through wire fraud and other fraudulent activity.
-
Monitoring of Controls
Requirement CC4.1: COSO Principle 16
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
- Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
- Establishes Baseline Understanding—The design and current state of an internal control system
- Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.
How Blumira Helps: Blumira helps support this control by providing pre-built compliance reports that organizations can use to conduct internal audit assessments, or provide to external auditors. These reports can be scheduled to run and export periodically over time. This can help prove that internal controls are present and functioning, and allow organizations to evaluate the effectiveness of controls or use the data to help inform how they can improve their controls.
-
Control Activities
Requirement CC5.2: COSO Principle 11
The entity also selects and develops general control activities over technology to support the achievement of objectives.
- Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
- Establishes Relevant Security Management Process Controls Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.
-
Risk Mitigation
Requirement CC9.1:
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
- Considers Mitigation of Risks of Business Disruption—Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity's objectives during response, mitigation, and recovery efforts.
How Blumira Helps: To mitigate risk, Blumira automates threat detection and provides response playbooks with instructions on how to respond to specific events and help prevent further damage and future attacks.
Requirement CC3.3: COSO Principle 8
The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- Consider Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
- Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
- Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.
How Blumira Helps: Blumira helps support this control by identifying threats and vulnerabilities that may indicate fraud risk across an organization’s IT environment, including fraud attempts through email attacks, phishing, and otherwise. Blumira also analyzes access to information to detect suspicious behavior and possible attacks in progress to help organizations prevent fraud and stolen data and/or money through wire fraud and other fraudulent activity.
Requirement CC4.1: COSO Principle 16
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- Considers a Mix of Ongoing and Separate Evaluations—Management includes a balance of ongoing and separate evaluations.
- Considers Rate of Change—Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
- Establishes Baseline Understanding—The design and current state of an internal control system
- Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.
How Blumira Helps: Blumira helps support this control by providing pre-built compliance reports that organizations can use to conduct internal audit assessments, or provide to external auditors. These reports can be scheduled to run and export periodically over time. This can help prove that internal controls are present and functioning, and allow organizations to evaluate the effectiveness of controls or use the data to help inform how they can improve their controls.
Requirement CC5.2: COSO Principle 11
The entity also selects and develops general control activities over technology to support the achievement of objectives.
- Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
- Establishes Relevant Security Management Process Controls Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.
Requirement CC9.1:
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
- Considers Mitigation of Risks of Business Disruption—Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity's objectives during response, mitigation, and recovery efforts.
How Blumira Helps: To mitigate risk, Blumira automates threat detection and provides response playbooks with instructions on how to respond to specific events and help prevent further damage and future attacks.
Additional Compliance Resources
View moreGovernment Cybersecurity: Navigating Challenges and Seizing Opportunities
Read MoreSafeguarding Municipalities Against Rising Cyber Threats
Read MoreA Guide to Compliance for State and Local Governments
Read MoreGet Started for Free
Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.