SOC 2 Compliance Audits
Most enterprises today are accustomed to performing yearly compliance audits. Typically, these include annual audits against the ISO/IEC 27001 information security standard and/or the Trust Services Criteria for SOC 2. These programs ensure that a third-party auditor has examined an organization’s controls and has tested them for alignment with the published controls (in the case of ISO 27001) or has confirmed that the controls the organization created are effective in implementing the service criteria (in the case of SOC 2).
These audits are thorough and usually span several days. A significant amount of that time is spent providing evidence to the auditors that your organization’s procedures are aligned and effective. This process can be a bit of a chore if you can’t easily show an auditor meaningful evidence of how you’re keeping your organization in compliance. You may find yourself fetching logs or showing screen layouts from systems that don’t make it easy for an auditor to understand how what you’re showing fulfills the requirements of the controls being audited. In this blog, I’ll examine a real-world scenario where Clumio’s data protection SaaS was used in such an audit context to demonstrate compliance.
This scenario focuses on the 2017 Trust Services Criteria for SOC 2, but it is applicable in other audit contexts with similar requirements. TSC 2017 reference A1.2 states: “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.” This sounds rather broad, but we’ll focus on the “data backup processes” part of this language, notably this point of focus: “Performs Data Backup: Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur.” That’s quite a bit more concrete.
AWS RDS Backup
Like many organizations, Clumio uses Amazon Web Services’ Relational Database Service (hereinafter referred to as “RDS”) to provide relational database services throughout its cloud environment. While not all of the data requiring backup resides in RDS, it often plays a critical role in data storage. Happily, Clumio’s data protection platform supports RDS as a first-class data source.
The procedure for backing up data is the core of the point of focus. Setting up an RDS backup policy is easy:
The policy is detailed and clear: AWS snapshots are retained daily, AWS backups are retained weekly for a month, 12 monthly AWS backups are retained per year, and an annual AWS backup is retained for 7 years.
The guidance for this criterion also mentions monitoring to detect backup failures. Good news there for users of Clumio’s platform. In a few clicks, I can navigate to an AWS compliance report for my protected assets:
This view in the AWS compliance report makes it obvious that there are 6 objects (in this case, AWS RDS databases) covered by an AWS backup policy (shown below), and that they’re all in compliance for the selected time period. You can filter the display by data source or asset name, save the report, or have it emailed to you on a selected schedule. More importantly, this is more than enough detail to satisfy an auditor’s requirement for evidence that AWS backups are monitored for failures.
When failures are detected, your data protection procedure should detail how your IT staff responds to them. The Clumio platform provides handy, detailed alerts that can be routed via email to a monitored mailbox or to an email gateway for your favorite monitoring/incident management system:
Now, if a failure occurs, you can be sure that corrective action is initiated based on the alert.
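As an added illustration (not Clumio’s code and not from the original post), the check below is the kind of logic the “monitoring to detect backup failures” point of focus asks for, applied to the daily-snapshot part of the policy described above: it takes records shaped like the fields RDS reports for snapshots and, for each protected instance, records whether a successful snapshot exists inside the expected window, ignoring failed jobs. The snapshot records and instance names are constructed sample data, and the 24-hour window and grace period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy from the post: one snapshot per day. The 24-hour window and the
# grace period for job runtime are assumptions, not from the post.
DAILY_WINDOW = timedelta(hours=24)
GRACE = timedelta(hours=2)

# Constructed sample records, shaped like the snapshot fields RDS reports
# (DBInstanceIdentifier, SnapshotCreateTime, Status). Names are made up.
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)

def _snap(inst, age, status="available"):
    return {"DBInstanceIdentifier": inst, "SnapshotCreateTime": NOW - age, "Status": status}

SAMPLE_SNAPSHOTS = [
    _snap("orders-db", timedelta(hours=6)),
    _snap("orders-db", timedelta(days=1, hours=6)),
    _snap("billing-db", timedelta(hours=3), status="failed"),  # failed job must not count
    _snap("billing-db", timedelta(days=2)),
    _snap("users-db", timedelta(hours=25)),                    # late, but inside the grace period
]
PROTECTED_INSTANCES = ["orders-db", "billing-db", "users-db", "audit-db"]  # audit-db has no snapshot

@dataclass
class Finding:
    instance: str
    compliant: bool
    last_good: Optional[datetime]
    reason: str

def check_daily_backups(snapshots, instances, now=NOW):
    """One Finding per protected instance: compliant only if a snapshot with
    Status 'available' was created within DAILY_WINDOW + GRACE of `now`."""
    deadline = now - (DAILY_WINDOW + GRACE)
    findings = []
    for inst in instances:
        good = [s["SnapshotCreateTime"] for s in snapshots
                if s["DBInstanceIdentifier"] == inst and s["Status"] == "available"]
        last = max(good) if good else None
        if last is None:
            findings.append(Finding(inst, False, None, "no successful snapshot on record"))
        elif last < deadline:
            findings.append(Finding(inst, False, last, f"last good snapshot is {now - last} old"))
        else:
            findings.append(Finding(inst, True, last, "ok"))
    return findings

if __name__ == "__main__":
    for f in check_daily_backups(SAMPLE_SNAPSHOTS, PROTECTED_INSTANCES):
        print("PASS" if f.compliant else "FAIL", f.instance, f.reason)
```

Each FAIL line is the event that should trigger the alert and the corrective-action step of the procedure; the PASS lines, kept over time, are the evidence an auditor asks for.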
AWS RDS Data Recovery
Finally, what about data recovery? Backup frequency and integrity are critical, but in an event that requires a data restoration, you should have a well-tested Business Continuity Plan and Disaster Recovery Plan. Let’s look at TSC 2017 reference A1.3: “The entity tests recovery plan procedures supporting system recovery to meet its objectives.” A point of focus in that reference states: “(The entity) Tests Integrity and Completeness of Back-Up Data: The integrity and completeness of back-up information is tested on a periodic basis.” And how best to test your recovery plans? Click on a protected asset in the console, and you’re presented with a calendar showing your snapshots, rolling restore options, and even options for a granular record restore from your database (learn more about that here).
Whether you’re testing your recovery plans, demonstrating to an auditor that you can recover critical assets rapidly, or recovering from a data loss scenario, restoration is at your fingertips.
Certainly, data backup and recovery isn’t the whole of demonstrating good data protection practice for a SOC 2 audit, but it is a critical component. Your data protection policies and procedures are important. Demonstrating their utility and compliance should be crisp and clear in an audit situation, and the Clumio platform can fill that need; more importantly, it securely and efficiently protects your data.