
SOC 2 Protecting Against External Threats (CC6.6)

Overview:
The entity implements logical access security measures to protect against threats from sources outside its system boundaries.


Action Items:
1) Create a network security policy and procedures that address authorized network traffic, protocols, ports, TLS versions, and other network-related requirements. Then, publish this on the company intranet for employees to access and review.
2) Inquire of the director of security and engineering operations, or equivalent, regarding the IDS to determine that an IDS is utilized to analyze and report network events and to block suspected or actual network security breaches.
3) Inspect the security group configurations to determine that security groups are in place to filter unauthorized inbound network traffic from the Internet and configured to deny any type of network connection that is not explicitly authorized by a rule.
4) Inspect the TLS certificates for the in-scope web servers to determine that web servers utilize TLS encryption for web communication sessions.
5) Inspect the VPN encryption and authentication configurations to determine that an encrypted VPN is required for remote access to production and enforces two-factor authentication.
6) Inspect the IDS configurations to determine that an IDS is utilized to analyze and report network events and to block suspected or actual network security breaches.
7) Inspect the security group monitoring configuration to determine that security group changes are logged by the SIEM application and reviewed by the security team as alerts are identified.
8) Inspect the most recent vulnerability assessment to determine that vulnerability assessments are performed by third-party vendors on a periodic basis to verify that control activities are functioning as intended, and that any critical or high vulnerabilities detected are triaged by the information security team and monitored through resolution.
9) Inspect the VPN configurations to determine that remote access to the production network requires two-factor authentication.
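Action item 3 asks the reviewer to confirm that security groups deny any inbound connection not explicitly authorized by the network security policy from item 1. The following added example (illustration only, not part of this checklist or any vendor tool) evaluates constructed security-group data, shaped like the IpPermissions field returned by `aws ec2 describe-security-groups`, against a constructed allowlist and reports every rule that exposes an unauthorized port to a source outside the trusted ranges.

```python
import ipaddress

# Constructed policy for this example: (protocol, port) pairs that may be
# reachable from any Internet source, and trusted ranges (e.g. the VPN
# address pool) that may reach any port. Neither value comes from the page.
INTERNET_ALLOWED = {("tcp", 443)}
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "fd00::/8")]

def _ports(perm):
    """Ports covered by one rule; protocol -1 or no FromPort means all ports."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)

def _is_trusted(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_CIDRS)

def audit_security_groups(groups):
    """Return one finding per (rule, source) pair that exposes unauthorized ports."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Ports in this rule that the policy does not open to the Internet.
            bad = [p for p in _ports(perm) if (proto, p) not in INTERNET_ALLOWED]
            for cidr in sources:
                if bad and not _is_trusted(cidr):
                    span = f"{bad[0]}" if len(bad) == 1 else f"{bad[0]}-{bad[-1]}"
                    findings.append({"group": group["GroupId"], "protocol": proto,
                                     "ports": span, "source": cidr})
    return findings

# Constructed sample: one compliant group and one with two violations.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
```

An empty result is the evidence item 3 asks for; each finding names the group, protocol, offending port span and source so it can be attached to the review record or raised as a SIEM alert (item 7).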


Related Documents:
1) Network security policy
2) IDS / IPS configurations
3) Security group configurations
4) TLS certificates for in-scope web servers
5) VPN encryption and authentication configurations
6) Evidence of mandatory multi-factor authentication for remote access
7) Sample of recent vulnerability assessments


Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Restricts Access—The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.
2) Protects Identification and Authentication Credentials—Identification and authentication credentials are protected during transmission outside its system boundaries.
3) Requires Additional Authentication or Credentials—Additional authentication information or credentials are required when accessing the system from outside its boundaries.
4) Implements Boundary Protection Systems—Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts at unauthorized access and are monitored to detect such attempts.