SOC 2 Detection and Monitoring Procedures (CC7.1)

Overview:
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.


Action Items:
1) Create a threat and vulnerability management policy and related procedures and publish to the company intranet for employees to access and review.
2) Inspect the most recent vulnerability assessment to determine that vulnerability assessments are performed by third-party vendors at least annually to identify the functionality of control activities, and that any critical or high vulnerabilities detected are triaged by the information security team and monitored through resolution.
3) Inspect the security group monitoring configuration to determine that security group changes are logged by the SIEM application and reviewed by the security team as alerts are identified.
4) Inspect the file monitoring software configuration and dashboard to determine that FIM software is in place to monitor, detect, and alert the information security team, and track the alert through resolution upon unauthorized software installation or configuration changes to certain production systems.


Related Documents:
1) Threat and vulnerability management policy
2) Sample of recent vulnerability assessments
3) Security group configurations
4) File integrity monitoring software configurations

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Uses Defined Configuration Standards—Management has defined configuration standards.
2) Monitors Infrastructure and Software—The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
3) Implements Change-Detection Mechanisms—The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.
4) Detects Unknown or Unauthorized Components—Procedures are in place to detect the introduction of unknown or unauthorized components.
5) Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.