Category Archives: IT Policy Set

SOC 2 and NIST 800-53

SOC 2 and NIST 800-53

Both SOC 2 and NIST 800-53 play a large role in regulatory compliance. Both aim to protect data in the cloud and are critical in today’s environments to ensure information security. The SOC 2 Framework and NIST 800-53 Publication go hand- in- hand, and adhering to both sets of controls will provide your company with sufficient data protection.

In order to assess our information systems, we first need to take a closer look at both SOC 2 and NIST 800-53.

SOC 2

SOC 2 is a framework created by the American Institute of Certified Public Accountants (AICPA). SOC 2 is one of the most used frameworks in the technology industry and applies to all organizations and enterprises where customer data is stored and processed in the cloud. SOC 2 is unique to each individual organization and can be lined up with specific business practices. SOC 2 also aligns with requirements of today’s cloud environment.

Trust Service Criteria (TSC)

The Trust Service Criteria (TSC) serve as the control areas for managing a reporting on information and systems. The five TSC are as follows:

  1. Security: Protection of resources against unauthorized access. Examples include multifactor authentication and an intrusion detection system.
  2. Availability: The accessibility of system, products, or services as stated in the Service Level Agreement (SLA). An example would be a failover cluster.
  3. Processing integrity: Whether or not a system achieves its purpose. Assessing if the system processing is complete, accurate, timely and authorized.
  4. Confidentiality: The information is restricted to a specified set of persons or organizations, as stated in the agreement. For example, using encryption and network security tools.
  5. Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the service organization’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.

Type 1 and Type 2

A SOC 2 Type 1 Audit assesses systems at one point in time. It tests to see whether the system’s design is suitable to meet the relevant trust principles. A SOC 2 Type 2 Audit tests the operational effectiveness of systems over a period of time. Most companies will start with a SOC 2 Type 1 and then follow with an annual SOC 2 Type 2 audit. 

Requirements

The main requirement for SOC 2 is that the organization must develop written policies and procedures that are followed by everyone. The organization must also actively monitor all systems and information, ensuring that there is no unusual activity or access. It is also crucial that the organization sets up automatic alerting for anomalies when accessing data.

NIST 800- 53

NIST 800- 53 is a publication providing comprehensive security controls for federal information systems, published by the National Institute of Standards and Technology (NIST). NIST 800-53 covers steps in Risk Management Framework. It includes 8 control families and over 900 requirements. Organizations may also adhere to controls which apply to them and the security level of the data they store (Low, medium, or high). These controls can be tested during a SOC 2 audit. NIST provides guidance for complying with FISMA.

FISMA

To demonstrate compliance with NIST 800-53, organizations should look to becoming compliant with the Federal Information Security Management Act (FISMA). FISMA is a requirement for federal agencies to develop, document, and implement an information security and protection program.

Some specific goals of FISMA include:

  • Implementing a risk management program
  • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
  • Ensure the integrity, confidentiality and availability of sensitive information

FISMA requires organizations to do the following:

  • Maintain an inventory of information systems.
  • Categorize information and information systems according to risk level.
  • Maintain a system security plan.
  • Implement security controls
  • Conduct risk assessments.
  • Certification and accreditation.
  • Conduct continuous monitoring.

Best practices for FISMA are geared towards federal agencies that protect sensitive data. Best practices and requirements include encrypting everything, keeping up to date with FISMA standards, classifying information as it is created, and maintaining documentation of FISMA compliance efforts.

Compliance with both SOC 2 and NIST 800-53 provide organizations with a number of benefits, especially increasing data security. The main difference between the two is that SOC 2 is part of the System and Organizational Controls (SOC) framework, and NIST 800-53 is a publication. A full mapping of SOC 2 and NIST 800- 53 can be found on the AICPA website.

The Importance of IT Security Policies

The Importance of IT Security Policies

IT security policies are necessary in organizations as they define who has responsibility of what information within the company. Policies are the baseline of all procedures and should be maintained regularly.

Why Do Organizations Need Security Policies?

IT security policies outline rules for user and IT personnel behavior. These policies also identify consequences for not adhering to them. Policies are also crucial in ensuring compliance with regulations such as NIST and HIPAA. Policies should define risks within the organization and provide guidelines on how to reduce these risks. They should be modified to fit the company’s need.

Writing an Effective IT Security Policy

  1. Conduct a Security Risk Assessment to identify all your critical assets, vulnerabilities, and controls in your company. Use this assessment to determine ways to reduce or eliminate these risks.
  2. Determine the scope of the policy including who the policy will address and what assets will be covered.
  3. Ensure your policy is written to be easily understood by employees and enforced by management. Employees need to be explicitly aware of the consequences of not complying with the policy. These policies will help with the development of procedures, so it is important to write the policies clearly.
  4. Update your policies at least once a year to keep them up to date with your company’s procedures and security concerns.

Common IT Security Policies:

  • Access Authorization
  • Acceptable Use
  • Breach Notification
  • Change Management
  • Data Backup Plan
  • Employee Screening
  • Employee Training
  • Encryption and Decryption
  • Media Security
  • Network Security
  • Password Management
  • Secure Development
  • Security Incident Response
  • Vendor Management
  • Vulnerability Management

The need for certain IT security policies is dependent on the company data itself. For example, if a company handles customer health data, they should consider implementing a HIPAA Acceptable Use Policy.

Top 10 Overlooked Security Risks: 3 of 10

Data Destruction and Disposal

Companies often forget about data once they stop using it day-to-day. Leaving outdated data on sunsetted systems increases your potential exposure in the event of a data breach. Ensure that data no longer actively used is properly disposed of and devices that contain data, such as laptops, old hard drives and USB drives are properly DoD data wiped or destroyed. Retired company laptops may still retain recoverable data on their hard drives even after formatting. A policy-driven culture enforcing proper destruction and disposal of retired equipment is best practice.