The Inner Circle

  • 1.  SOC 2 Compliance framework

    Posted Jul 16, 2021 09:40:00 AM
    Is there a SOC 2 control list available that I can use to validate against our cloud setup? I'm looking to map specific AWS Config rules against the SOC 2 controls to automate the compliance.

    Thanks
    Saran

    ------------------------------
    Saravanan Rajan
    CTO
    COSI Consulting
    ------------------------------


  • 2.  RE: SOC 2 Compliance framework

    Posted Jul 19, 2021 07:12:00 AM
    Saran,
    Feel free to check out Hyperproof.  We've got sample controls built in to the product and have workflows for evidence collection, collaboration, integration with Jira/Slack/Teams and of course audit.
    https://www.hyperproof.io
    Thanks,
    Craig

    ------------------------------
    Craig Unger
    CEO
    Hyperproof
    ------------------------------



  • 3.  RE: SOC 2 Compliance framework

    Posted Jul 19, 2021 07:57:00 AM
    Hello Saran,
    You can refer to CCM.

    Regards,
    Surbhi Misra

    ------------------------------
    Surbhi Misra
    Consultant
    Hcl
    ------------------------------



  • 4.  RE: SOC 2 Compliance framework

    Posted Jul 19, 2021 10:13:00 AM
    Shujinko and JupiterOne have some nice free tools.  Vanta and Tugboat also, not sure if free. Hyperproof is great too!

    Some have example policy templates but if not you can typically find them online free (try comply-dm I think is open source) or very cheap for a bunch of templates.

    However - the problem isn't the one time effort of putting all the documentation together, the problem is actually LIVING by the rules you define.  That's a lot of work if you don't automate.  Automate everything or die :)

    Check out, for instance, Cloud Custodian - open source/free.

    AWS and Azure both have tools to automate security checks and configuration - AWS Config and Audit Manager both have SOC 2 templates (but note those are only looking at the controls in the shared responsibility model that are cloud specific - SOC 2 needs more than that (HR, BCP/DRP, risk assessment, incident response, etc.)).
    Lots of Kubernetes tools that configure and check controls.

    Have fun! Compliance is a lifestyle not a project!

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 5.  RE: SOC 2 Compliance framework
    Best Answer

    Posted Jul 19, 2021 11:53:00 AM
    Hi Saravanan - 

    With regards to specific requirements for AWS configuration rules, there are AWS tools that can be configured in your environment that can assist in the evidence collection process. This includes the use of AWS's Audit Manager and the creation of a SOC 2 assessment. The Audit Manager links config rules and the resulting evidence based on the SOC 2 criteria: https://docs.aws.amazon.com/audit-manager/latest/userguide/SOC2.html. Other AWS evidence collection tools include Trusted Advisor and credential reports.

    It's worth emphasizing that AWS's automated tools only cover a portion of the required controls to meet the SOC 2 trust services criteria. @Robert Ficcaglia's comments are spot on: AWS's tools are shared-responsibility focused and should not be considered all-inclusive.

    SOC 2 is a reporting framework, not a prescriptive compliance framework, and therefore specific control language is usually tailored based on the environment, the industry, and the service/product in scope. If you're still developing your controls and are looking to get more familiar with how to describe your controls, I'd recommend you review AWS's Audit Manager and compare your mapped config rules with the points of focus listed in the trust services criteria (starting on page 13). Oftentimes, your auditor can help guide you in this process if you're just getting started.

    ------------------------------
    Daniel Rosenberg
    Cybersecurity & Compliance Manager
    Kaufman Rossin
    ------------------------------
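Added example (not code from the thread or from AWS): a small roll-up of AWS Config rule results to SOC 2 criteria, making the point of the last two replies concrete. The rule names are real AWS Config managed rules, but the compliance states are constructed, and the criteria-to-rule mapping is an assumption for illustration, not the Audit Manager framework's own mapping; criteria with no mapped rule come back as MANUAL, which is the part automation cannot evidence.

```python
import json

# Constructed sample shaped like the output of
# `aws configservice describe-compliance-by-config-rule`: real managed rule
# names, made-up compliance states.
SAMPLE_CONFIG_OUTPUT = json.dumps({"ComplianceByConfigRules": [
    {"ConfigRuleName": "root-account-mfa-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "iam-root-access-key-check", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "encrypted-volumes", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]})

# Illustrative mapping of SOC 2 criteria to Config rules: an assumption for
# this example, not the official Audit Manager SOC 2 framework mapping.
# An empty list means no automated evidence source exists for the criterion.
CRITERIA_TO_RULES = {
    "CC6.1 Logical access": ["root-account-mfa-enabled", "iam-root-access-key-check"],
    "CC6.6 Boundary protection": ["s3-bucket-public-read-prohibited"],
    "CC6.7 Data encryption": ["encrypted-volumes"],
    "CC7.2 Monitoring": ["cloudtrail-enabled"],
    "CC1.4 Personnel competence (HR)": [],
    "A1.2 Backup and recovery (BCP/DRP)": [],
}

def rule_states(config_output_json):
    """Map each Config rule name to its ComplianceType."""
    data = json.loads(config_output_json)
    return {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"]
            for r in data["ComplianceByConfigRules"]}

def assess(config_output_json, mapping=CRITERIA_TO_RULES):
    """Roll rule results up to SOC 2 criteria: NON_COMPLIANT if any mapped
    rule fails, COMPLIANT only if all pass, INSUFFICIENT_DATA if a mapped rule
    is missing from Config or has no data, MANUAL when no rule is mapped."""
    states = rule_states(config_output_json)
    result = {}
    for criterion, rules in mapping.items():
        # A rule that Config has never evaluated is treated as lacking data.
        found = [states.get(rule, "INSUFFICIENT_DATA") for rule in rules]
        if not rules:
            result[criterion] = "MANUAL"
        elif "NON_COMPLIANT" in found:
            result[criterion] = "NON_COMPLIANT"
        elif all(s == "COMPLIANT" for s in found):
            result[criterion] = "COMPLIANT"
        else:
            result[criterion] = "INSUFFICIENT_DATA"
    return result
```

Swap SAMPLE_CONFIG_OUTPUT for the real CLI output (or a boto3 `describe_compliance_by_config_rule` response) and the MANUAL rows are the list of criteria your assessors still have to evidence by hand.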



  • 6.  RE: SOC 2 Compliance framework

    Posted Jul 20, 2021 11:02:00 AM
    Thank you everyone for the great suggestions! Robert and Daniel, your suggestions worked for me. I enabled AWS Audit Manager, and it seems like that covers pretty much the required control sets on SOC 2, and the rest will be manual assessment.

    ------------------------------
    Saravanan Rajan
    CTO
    COSI Consulting
    ------------------------------