The Inner Circle

Expand all | Collapse all

SOC 2 Compliance framework

Jump to Best Answer
  • 1.  SOC 2 Compliance framework

    Posted 7 days ago
    Is there a SOC 2 control list available that I can use to validate against our cloud setup. I'm looking to map specific AWS config rules against the SOC 2 controls to automate the compliance.

    Thanks
    Saran

    ------------------------------
    Saravanan Rajan
    CTO
    COSI Consulting
    ------------------------------


  • 2.  RE: SOC 2 Compliance framework

    Posted 4 days ago
    Saran,
    Feel free to check out Hyperproof.  We've got sample controls built in to the product and have workflows for evidence collection, collaboration, integration with Jira/Slack/Teams and of course audit.
    https://www.hyperproof.io
    Thanks,
    Craig

    ------------------------------
    Craig Unger
    CEO
    Hyperproof
    ------------------------------



  • 3.  RE: SOC 2 Compliance framework

    Posted 4 days ago
    Hello Saran,
    You can refer CCM.

    Regards,
    Surbhi Misra

    ------------------------------
    Surbhi Misra
    Consultant
    Hcl
    ------------------------------



  • 4.  RE: SOC 2 Compliance framework

    Posted 4 days ago
    Shujinko and JupiterOne have some nice free tools.  Vanta and Tugboat also not sure if free. Hyperproof is great too!

    Some have example policy templates but if not you can typically find them online free (try comply-dm I think is open source) or very cheap for a bunch of templates.

    However - the problem isn't the one time effort of putting all the documentation together, the problem is actually LIVING by the rules you define.  That's a lot of work if you don't automate.  Automate everything or die :)

    check out for instance Cloud Custodian - open source/free.

    AWS and Azure both have tools to automate security checks and configuration - AWS Config and Audit Manager both have SOC2 templates (but note those are only looking at the controls in the shared responsibility that are cloud specific - SOC2 needs more than that (HR, BCP/DRP, risk assessment, incident response, etc etc)
    Lots of kubernetes tools that configure and check controls.

    Have fun! Compliance is a lifestyle not a project!

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 5.  RE: SOC 2 Compliance framework
    Best Answer

    Posted 4 days ago
    Hi Saravanan -

    With regards to specific requirements for AWS configuration rules there are AWS tools that can be configured in your environment that can assist in the evidence collection process. This includes the use of AWS's audit manager and the creation of a SOC 2 assessment. The audit manager links config rules and the resulting evidence based on the SOC 2 criteria  https://docs.aws.amazon.com/audit-manager/latest/userguide/SOC2.html.  Other AWS evidence collection tools include the trusted advisor and credential reports.

    It's worth emphasizing that AWS's automated tools only cover a portion of the required controls to meet the SOC 2 trust services criteria.@Robert Ficcaglia's comments are spot on, AWS's tools are shared responsibility focused, and should not be considered all-inclusive.

    SOC 2 is a reporting framework, not a prescriptive compliance framework, and therefore specific control language is usually tailored based on the environment, and the industry and service/product in scope. If you're still developing your controls and are looking to get more familiar with how to describe your controls, I'd recommend you review AWS's audit manager and compare your mapped config rules with the points of focus listed in the trust services criteria (starting on page 13).  Often times, your auditor can help guide you in this process if you're just getting started.

    ------------------------------
    Daniel Rosenberg
    Cybersecurity & Compliance Manager
    Kaufman Rossin
    ------------------------------



  • 6.  RE: SOC 2 Compliance framework

    Posted 3 days ago
    Thank you everyone for great suggestions! Robert and Daniel, your suggestions had worked for me. I had enabled AWS audit manager and seems like that covers pretty much the required controlsets on SOC2 and rest will be manual assessment.

    ------------------------------
    Saravanan Rajan
    CTO
    COSI Consulting
    ------------------------------