
SOC 2 Monitoring for Anomalies (CC7.2)

Overview:
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.


Action Items:
1) Create a logging and monitoring policy and related procedures and publish on the company intranet for employees to access and review.
2) Inquire of the director of security and engineering operations, or equivalent, regarding the IDS to determine that an IDS is utilized to analyze and report network events and to block suspected or actual network security breaches.
3) Inquire of the senior manager of compliance, or equivalent, regarding monitoring applications to determine that monitoring applications are utilized to monitor system performance and are configured to send automated alerts to IT personnel when predefined thresholds have been exceeded.
4) Inspect the security monitoring system to determine that a security monitoring system is configured to monitor the availability of production sites, servers, and devices and access events including, but not limited to: Account logon; Account logout; Privileged use.
5) Inspect the IDS configurations to determine that an IDS is utilized to analyze and report network events and to block suspected or actual network security breaches.
6) Inspect the most recent vulnerability assessment to determine that vulnerability assessments are performed by third-party vendors at least annually to identify the functionality of control activities, and that any critical or high vulnerabilities detected are triaged by the information security team and monitored through resolution.
7) Inspect the monitoring dashboard and alert configurations to determine that enterprise monitoring applications are utilized to monitor system performance and are configured to send automated alerts to IT personnel when predefined thresholds have been exceeded.
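Action items 4 and 7 describe what an auditor expects to see: a monitoring system that records access events (account logon, logout, privileged use) and raises automated alerts when a predefined threshold is exceeded. The following Python script is an added illustration of that control in working form; it is not code from this page or from any particular monitoring product. The auth-log lines, the host names, the IP addresses and the threshold values are constructed for the example, and the line format only mimics a Linux auth.log.

```python
"""Threshold-based anomaly detection over authentication log lines (added example).

Parses constructed auth.log-style lines into access events (logon, logout,
privileged use, failed logon), summarizes them, and raises an alert when a
predefined failed-logon threshold is exceeded or when privilege is used.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Hosts, users and addresses are invented for the example.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar 10 09:00:40 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 10 09:01:10 web1 sshd[1201]: Disconnected from user alice 10.0.0.5 port 51000
Mar 10 09:02:00 web1 sshd[1310]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar 10 09:02:05 web1 sshd[1311]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Mar 10 09:02:09 web1 sshd[1312]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 10 09:02:14 web1 sshd[1313]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar 10 09:02:20 web1 sshd[1314]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar 10 09:30:00 web1 sshd[1400]: Failed password for bob from 10.0.0.7 port 52000 ssh2
Mar 10 09:30:30 web1 sshd[1401]: Accepted password for bob from 10.0.0.7 port 52001 ssh2
"""

# Predefined thresholds, as an alert configuration would hold them (assumed values).
FAILED_LOGIN_THRESHOLD = 5                   # failures from one source address ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)   # ... within this window trigger an alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
LOGOUT_RE = re.compile(r"Disconnected from user (?P<user>\S+) (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_line(line, year=2024):
    """Turn one syslog-style line into an access event dict, or None if unrecognized."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # auth.log timestamps carry no year; the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    base = {"ts": ts, "host": m["host"]}
    msg = m["msg"]
    if m["proc"] == "sshd":
        for kind, rx in (("failed_logon", FAILED_RE), ("logon", ACCEPTED_RE), ("logout", LOGOUT_RE)):
            hit = rx.search(msg)
            if hit:
                return {**base, "kind": kind, "user": hit["user"], "src": hit["src"]}
    elif m["proc"] == "sudo":
        hit = SUDO_RE.match(msg)
        if hit:
            return {**base, "kind": "privileged_use", "user": hit["user"],
                    "target": hit["target"], "cmd": hit["cmd"]}
    return None


def parse_log(text):
    """Parse every recognizable line; unrecognized lines are filtered out."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Count events by kind: the 'summarize' step before analysis."""
    return dict(Counter(ev["kind"] for ev in events))


def detect(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Analyze events in time order and emit alerts for threshold breaches and privileged use."""
    alerts = []
    recent = defaultdict(deque)  # source address -> timestamps of recent failures
    for ev in events:
        if ev["kind"] == "failed_logon":
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"rule": "failed_logon_threshold", "src": ev["src"],
                               "count": len(q), "first": q[0], "last": ev["ts"]})
                q.clear()  # one alert per burst, not one per further failure
        elif ev["kind"] == "privileged_use":
            alerts.append({"rule": "privileged_use", "user": ev["user"], "target": ev["target"],
                           "cmd": ev["cmd"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("event summary:", summarize(evs))
    for a in detect(evs):
        print("ALERT", a)
```

The script is deliberately structured as the three steps the criterion names: filter (parse_log keeps only lines it recognizes), summarize (summarize counts events by kind), and analyze (detect applies the threshold and flags privileged use). A single failed logon from bob produces no alert, while the five failures from 203.0.113.9 inside the window produce exactly one; evidence for action item 7 would be the configured threshold and the alert it generates, which this layout makes easy to point at.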


Related Documents:
1) Logging and monitoring policy
2) Security monitoring system configurations
3) Monitoring and alerting configurations
4) IDS/IPS configurations
5) Sample of recent vulnerability assessments
6) Threat and vulnerability management policy

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Implements Detection Policies, Procedures, and Tools—Detection policies and procedures are defined and implemented, and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.
2) Designs Detection Measures—Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.
3) Implements Filters to Analyze Anomalies—Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.
4) Monitors Detection Tools for Effective Operation—Management has implemented processes to monitor the effectiveness of detection tools.