When discussing whether a company has implemented the controls necessary to meet the AICPA Trust Services Criteria for a SOC 2 engagement, one question that often comes up is whether an external penetration test is required. To aid in that discussion, this article focuses on the makeup of an external penetration test and its relevance to the AICPA Trust Services Criteria for a SOC 2 engagement.
What are the Main Goals of External Penetration Testing?
An external penetration test targets the external-facing endpoints of an organization that can be found through a search on the internet. Examples are the company’s website, IP addresses allowing inbound traffic, company email addresses, domain names registered by the company, etc. A penetration test can have several objectives:
- Validate the strength of the company’s security posture and perimeter controls that have been implemented.
- Determine if there are vulnerabilities that allow an unauthorized intruder to gain access and extract company data, modify company settings or programs, or hold a company hostage by gaining control of company operations.
- Determine the ability of the company’s security personnel and defined monitoring systems to detect and respond to an external attack. This includes identifying activity that is valid versus a false positive.
What are the 4 Main Phases of a Penetration Test?
- Defining scope and goals, including the depth and breadth of the project:
  - The pen test can have a general focus or be specific to key operations or areas of concern.
  - Identifying the external-facing endpoints the company has that need to be included in the test. This can be performed independently as a discovery exercise, or the company can provide the endpoints to be included in the scan.
- Scanning and attempting to access the environment from the company’s external-facing endpoints. During a penetration test, the individual conducting the test attempts to identify and exploit vulnerabilities in the computer system under review.
- Preparing a report that details the activity attempted, any penetration obtained, the vulnerabilities identified, and the risk level of each vulnerability:
  - Assessing the results to determine which risks are relevant, how they should be addressed, and any process or security changes required to help avoid the vulnerability in the future (including recurrence when changes are made to infrastructure such as firewalls and IDS).
- Remediation and rescanning:
  - Remediate relevant vulnerabilities. This may also follow a risk-based approach, as some vulnerabilities may not be found to pose a high risk or direct threat to the company.
  - Rescan once remediation is complete to validate that the vulnerability is no longer identified during the scanning process.
  - Learn from the procedures performed, such as what level of effort and sophistication was required to exploit a vulnerability.
It should be noted that a penetration test is a point-in-time test. Although the actual testing procedures may occur over a period of time, such as a week or two, once the testing is complete, the results delivered, and the needed remediation performed, the results of the review may lose their relevance as soon as company personnel make changes to the environment. Examples include adding new endpoints, modifying firewall rules, turnover of company security and architecture personnel, etc.
This is why strong internal control over the maintenance of the company’s security and infrastructure, together with periodic external penetration tests, is so important. Be ever vigilant. A fully developed, maintained, and tested incident response plan is an important part of the company’s security posture.
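The rescan step above and the point-in-time caveat both come down to the same practical question: after remediation and after the environment has changed, what has actually been fixed, what persists, and what is newly exposed? The following Python script is an added example (not tooling from the article or from Linford & Co.) that compares a baseline scan against a rescan. The host names, ports, finding identifiers and the four-level severity scale are constructed sample data; the finding format is an assumption and would normally be parsed from a scanner’s export.

```python
"""Compare a baseline external scan with a rescan to verify remediation.

Added example, not the article's own tooling. The host names, ports and
finding identifiers below are constructed sample data; the finding format
(host, port, scanner finding id, severity) is assumed and would normally
be parsed from a scanner's export.
"""
from dataclasses import dataclass

# Ordinal ranking so a severity threshold can be applied (assumed scale).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str      # scanner's identifier for the finding (constructed here)
    severity: str     # one of SEVERITY_RANK's keys

    def key(self) -> tuple:
        """Identity of a finding across scans: same host, port and check."""
        return (self.host, self.port, self.vuln_id)


# Constructed baseline results from the initial test.
BASELINE = [
    Finding("web-01.example.test", 443, "TLS-WEAK-CIPHER", "high"),
    Finding("web-01.example.test", 443, "HDR-MISSING-HSTS", "low"),
    Finding("mail-01.example.test", 25, "SMTP-OPEN-RELAY", "critical"),
    Finding("vpn-01.example.test", 443, "OUTDATED-VPN-FW", "high"),
]

# Constructed rescan results after remediation. A new host has appeared
# since the baseline, which is exactly the point-in-time problem.
RESCAN = [
    Finding("web-01.example.test", 443, "HDR-MISSING-HSTS", "low"),
    Finding("vpn-01.example.test", 443, "OUTDATED-VPN-FW", "high"),
    Finding("db-01.example.test", 5432, "DB-EXPOSED", "critical"),
]


def _sorted(findings):
    """Highest severity first, then by host/port/id for readable output."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port, f.vuln_id))


def compare_scans(baseline, rescan, min_severity="medium"):
    """Split findings into remediated / persisting / new at or above a severity.

    Findings below min_severity are returned separately so a risk-based
    decision to accept them stays visible instead of being silently dropped.
    """
    threshold = SEVERITY_RANK[min_severity]
    before = {f.key(): f for f in baseline}
    after = {f.key(): f for f in rescan}

    def in_scope(f):
        return SEVERITY_RANK[f.severity] >= threshold

    remediated = [f for k, f in before.items() if k not in after and in_scope(f)]
    persisting = [f for k, f in after.items() if k in before and in_scope(f)]
    new = [f for k, f in after.items() if k not in before and in_scope(f)]
    accepted = [f for f in after.values() if not in_scope(f)]
    return {
        "remediated": _sorted(remediated),
        "persisting": _sorted(persisting),
        "new": _sorted(new),
        "below_threshold": _sorted(accepted),
    }


def new_endpoints(baseline, rescan):
    """Host/port pairs present in the rescan that the baseline never saw.

    A non-empty result means the environment changed between tests, so the
    original scope no longer covers the full external surface.
    """
    seen = {(f.host, f.port) for f in baseline}
    return {(f.host, f.port) for f in rescan} - seen


def remediation_verified(baseline, rescan, min_severity="medium"):
    """True only if nothing at/above the threshold persists or is newly found."""
    result = compare_scans(baseline, rescan, min_severity)
    return not result["persisting"] and not result["new"]


if __name__ == "__main__":
    result = compare_scans(BASELINE, RESCAN)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for f in items:
            print(f"  [{f.severity:8}] {f.host}:{f.port} {f.vuln_id}")
    print("new endpoints since baseline:", sorted(new_endpoints(BASELINE, RESCAN)))
    print("remediation verified:", remediation_verified(BASELINE, RESCAN))
```

On the constructed data, the weak-cipher and open-relay findings are reported as remediated, the outdated VPN firmware persists, and the newly exposed database host shows up as a new critical finding, so `remediation_verified` returns False even though the original remediation list was worked through. Keeping the below-threshold bucket in the output is what makes the risk-based acceptance of the low-severity header finding auditable rather than invisible.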
Penetration Testing & SOC 2
When considering the AICPA Trust Services Criteria (examples from this source are listed below) and a SOC 2 engagement, there are two control areas where penetration testing would be applicable:
- MONITORING ACTIVITIES
  - CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
    - Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.
- SYSTEM OPERATIONS
  - CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
    - Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.
Does SOC 2 Require Penetration Testing?
A SOC 2 report (both a Type I and a Type II) is not a certification that a company receives upon successful completion of the audit. It is a report in which an independent CPA firm provides an opinion on the state of a company’s controls and operations against the SOC 2 criteria. The AICPA Trust Services Criteria provide the criteria against which a company’s controls must be suitably designed and, for a Type II engagement, operating effectively over a period of time. The AICPA Trust Services Criteria do not prescribe the specific controls that must be implemented; they do, however, provide suggestions for meeting the criteria.
Given this, the performance of a vulnerability scan or penetration test, whether conducted as an internal or external-facing activity, is not required in order to meet the Trust Services Criteria for a SOC 2 report. When identifying and developing controls to address the Trust Services Criteria, the company must consider whether what has been designed and implemented will meet the criteria. The independent CPA firm performing the SOC 2 audit procedures must then audit these controls against the AICPA Trust Services Criteria and provide an opinion, as previously stated, on whether adequate controls have been designed to meet the criteria and, for a Type II engagement, were operating effectively over a period of time.
Should An External Penetration Test Be Performed?
A company must consider its overall risk management program and how identified risks are addressed to determine whether a penetration test is necessary. Is its security posture for protecting against external threats and identifying unauthorized attempts or actual intrusions robust enough that a penetration test is not considered necessary?
The current external environment of organized and knowledgeable hackers attempting to gain unauthorized access and cause harm or hold companies’ data and environments hostage must be considered as part of the risk assessment process. The method of such attacks is constantly changing. This can put stress on a company’s ability to maintain a secure environment. Having a controlled external penetration test periodically performed can help confirm strong points and identify potential vulnerabilities.
A SOC 2 engagement consists of the AICPA Trust Services Criteria that an organization must meet through controls it designs and implements, with the SOC 2 audit performed by an independent CPA firm. As the controls that meet the criteria are not specifically defined by the AICPA for a SOC 2 engagement, companies have leeway in implementing controls relevant to their environment. This includes the performance of an external penetration test. The independent CPA firm then audits against these controls to determine, by issuing an opinion, whether the AICPA Trust Services Criteria have been met.
Although the performance of an external penetration test is not required, it is an important component of a company’s overall risk assessment to consider, and it can play a key role in establishing a strong security stance against possible intrusion into the company’s environment by unauthorized parties.
Please reach out to speak to our team of experienced auditors if you would like to learn more about SOC 2 compliance requirements. If you are interested in any of our other audit services please feel free to contact us.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.