System and Organization Controls (SOC) 2 Reporting (SOC 2 Report)
Disclaimer: Organizations are not required by law to comply with this document, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence.
The System and Organization Controls (SOC) 2 reporting standard is defined by the American Institute of Certified Public Accountants (AICPA). The SOC reporting standard comprises a number of standardized internal control reports on the services an organization provides, giving consumers of those services the information they need to assess and address the risks associated with a service entity. Specifically, a SOC 2 report demonstrates that the controls stated in the system description operated effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved, based on the criteria relevant to the security, availability, or processing integrity of the organization's system, or on the criteria relevant to the system's ability to maintain the confidentiality or privacy of the information it processes for user entities.
In regards to controls and objectives, the SOC 2 framework is made up of what the AICPA calls the Trust Services Criteria (TSC), broken down into five categories:
- Security
  - Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
- Availability
  - Information and systems are available for operation and use to meet the entity's objectives.
- Processing integrity
  - System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
- Confidentiality
  - Information designated as confidential is protected to meet the entity's objectives.
- Privacy
  - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
A SOC 2 report can include coverage of one or more of these categories.
The LogRhythm platform enables your organization to meet many SOC 2 guidelines by collecting, managing, and analyzing log data. LogRhythm AI Engine (AIE) rules, alarms, reports, investigations, and general SIEM functionality also help your organization satisfy certain IT security elements outlined by SOC 2.
LogRhythm understands that organizations may be at different points of compliance maturity; the SOC 2 Controls module is intended to assist organizations in implementing a baseline level of security controls, consistent with the intention of Implementation Group 1 of the SOC 2 Controls framework. The SOC 2 Controls module focuses on the control recommendations traditionally used for baseline best-practice purposes. LogRhythm supports some SOC 2 recommendations directly and decreases the cost of meeting others through pre-built content and functionality. Using advanced LogRhythm functionality such as NetMon, TrueIdentity, SysMon, Threat Research content, and Case Management can extend the pre-built content to better support an organization's compliance efforts.
IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly. The task of organizing this information can be overwhelming. Additional recommendations to analyze and report on log data render manual processes or homegrown remedies inadequate and cost-prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm’s powerful alerting capabilities automatically identify the most critical issues and notify relevant personnel. The SOC 2 Controls module and associated reporting package work out of the box with some level of customization available. Utilizing the SOC 2 Controls module assists in building and maintaining a sound compliance program.
This document contains the following sections: