SOC 2: Extending Compliance

TL;DR

You’ve got SOC 2 compliance with your hosting provider – great! Now let’s build on that to secure *your* data and systems. This guide shows you how to map your controls, implement key security practices, and prepare for your own audit.

1. Understand Your Hosting Provider’s Controls

Your hosting provider has already addressed many core SOC 2 criteria (security, availability, processing integrity, confidentiality, privacy). You need to know *exactly* what they cover.

• Request their SOC 2 report: Specifically ask for the Type II report – this includes testing over a period of time.
• Control Mapping Document: Ask if they have a document that maps their controls to the Trust Services Criteria (TSC). This is invaluable.
• Identify Gaps: Compare their coverage with what *you* need to secure your applications and data. What are they doing, and what’s left for you?

2. Define Your In-Scope Systems

What systems and data are covered by *your* SOC 2 compliance effort? Be specific.

• Applications: List all applications handling customer data or critical business processes.
• Databases: Identify the databases storing sensitive information.
• Infrastructure: Include servers, networks, and any cloud services you directly manage (even if using your hosting provider).
• Data Types: Categorize the data you handle (e.g., PII, financial data, health records). This impacts control requirements.

3. Implement Key Security Controls

These are essential controls to build upon your hosting provider’s foundation.

3.1 Access Control

• Principle of Least Privilege: Grant users only the minimum access necessary.
• Multi-Factor Authentication (MFA): Enforce MFA for all accounts, especially privileged ones.
• Regular Access Reviews: Periodically review user permissions and revoke unnecessary access.

3.2 Data Encryption

• Data at Rest: Encrypt sensitive data stored on servers and databases. Consider tools like database encryption features or full-disk encryption.
• Data in Transit: Use TLS/SSL for all network communication. Ensure your applications are configured to use secure protocols (HTTPS).

3.3 Logging and Monitoring

• Centralized Logging: Collect logs from all systems in a central location. Tools like ELK Stack or Splunk can help.
• Security Information and Event Management (SIEM): Implement a SIEM to analyze logs for security threats.
• Alerting: Configure alerts for suspicious activity, such as failed login attempts or unusual data access patterns.

3.4 Vulnerability Management

• Regular Scanning: Scan your systems for vulnerabilities using tools like Nessus or OpenVAS.
• Patch Management: Apply security patches promptly to address identified vulnerabilities. Automate this process where possible.

3.5 Backup and Disaster Recovery

• Regular Backups: Perform regular backups of all critical data.
• Offsite Storage: Store backups in a separate location from your primary systems.
• Disaster Recovery Plan: Develop and test a plan to restore your systems in the event of a disaster.

4. Document Your Controls

Documentation is crucial for SOC 2.

• Policies and Procedures: Create written policies and procedures for each security control.
• System Diagrams: Diagram your systems to show data flow and security boundaries.
• Evidence Collection Plan: Define how you will collect evidence to demonstrate compliance.

5. Prepare for Your Audit

Once you’ve implemented controls and documented everything, it’s time to prepare for the audit.

• Choose an Auditor: Select a qualified SOC 2 auditor.
• Pre-Audit Questionnaire: Complete any pre-audit questionnaires provided by the auditor.
• Evidence Gathering: Collect all necessary evidence to support your controls.
• Audit Process: Cooperate with the auditor and answer their questions honestly.