CIS Completes SOC 2 Type II Audit Using CIS Best Practices
System and Organization Controls (SOC) 2 is a reporting framework that sets benchmarks for managing customer and user data. It was created by the American Institute of Certified Public Accountants (AICPA), and is based on the institute's five Trust Services Criteria – privacy, confidentiality, security, availability, and processing integrity. SOC 2 Type II compliance assures existing and potential customers that your organization has put the proper security, privacy, and compliance controls in place to manage its data.
Building Customer Trust
SOC 2 Type II applies to any service provider or service organization that stores, processes, or transmits information. In the face of evolving cyber threats, the attestation is more important than ever and tells your customers that you're serious about protecting them and their information.
Driven by members and government contracts that require external assessments and certifications, the Center for Internet Security (CIS) recently completed the SOC 2 Type II audit for its CIS SecureSuite and MS- and EI-ISAC membership services. CIS's SOC 2 Type II compliance ensures that our members’ data and associated information are protected at all times and in line with all applicable compliance requirements.
Undergoing the attestation process is not easy, but it's well worth the effort, as we can assure our customers that CIS products and services align with the most rigorous security and privacy standards in the industry.
Applying Our Own Best Practices to the Process
At CIS, we performed an initial gap assessment, both internally and externally, to identify areas that needed special attention. A gap assessment helps an organization understand the status of its current environment relative to security controls and best practices, so that those gaps can be minimized. For example, at a high level, some areas to look at during the assessment may include, but are not limited to: tone at the top, data management, vendor management, risk management, change control, vulnerability management, and separation of duties. With the gap assessment completed, we reviewed our organizational policies, standards, and processes to ensure they were accurate and appropriate for our environment. Policies, standards, and processes are the foundation of any successful security program.
Once the policies, standards, and processes reflected the current environment, we reviewed our technical controls. This included establishing new controls, refining existing ones, and removing those that were not appropriate. This is where applying our own CIS Critical Security Controls (CIS Controls) was most beneficial in our SOC 2 process. We mapped the CIS Controls to the SOC 2 framework and aligned them where necessary. It was not strictly a one-for-one alignment, but it assisted in defining potential gaps within the organization.
With the technical controls in place, we began defining audit cadences based on risks and compensating controls. With the internal audits and reviews in place, we gathered the necessary documentation and evidence from CIS's business units. Once we felt comfortable with our processes, we scheduled the SOC 2 Type I review. The SOC 2 Type I differs from the Type II, as it is a point-in-time review focused on design only. Once we successfully completed the SOC 2 Type I, we began preparing for the Type II review.
Things to consider when preparing for your SOC 2 attestation
Of course, every organization is different. However, there is a set of standard items that virtually every team should address when preparing for SOC 2 attestation.
- Determine why you want to obtain SOC 2 attestation
- Perform a gap assessment, either internally, externally, or both
- Review organizational policies, standards, and processes for completeness
- Define your technical security controls
- Gather the necessary documentation and evidence
- Find an external firm that is able to complete the SOC 2 attestation
Advice for organizations
CIS's experience identified a number of critical success factors that apply to any SOC 2 attestation.
- Communication. It is important to communicate roles and responsibilities to the business units that are impacted by the review.
- Time commitment. SOC 2 Type II differs significantly in terms of the overall time commitment when an external party is performing the review. It will be longer and more in-depth than the gap assessment and the Type I review. In addition, the time commitment lasts beyond the completion of the attestation: the organization must invest time in building a culture that supports the SOC 2 Type II framework into the future.
- Understanding the ask. It is important for the organization to seek clarification and work collaboratively with the external party. Evidence requests can often be confusing or may not fit perfectly with your defined controls. Being able to talk through the process and perform demonstrations can help clarify the ask.
- Compliance does not equal security. Compliance is a byproduct of good security practices.
SOC 2 is not a one-time event, and it requires a real commitment. For CIS, this commitment is the foundation for continuous improvement, enabling us to improve upon the security and privacy of our members and their data, and move forward with other attestations and certifications in the future.