Installing strong firewalls and keeping antivirus software up to date are excellent foundations for an effective security posture, but they should be complemented by other safeguards. Information is particularly vulnerable to attack while it is in transit, so it is advisable to protect data from endpoint to endpoint, whether it is “in transit” or “at rest.” End-to-end encryption scrambles outgoing communications before the data packets leave the device, so that only the intended recipient’s device can make sense of them.
Section CC6 of the SOC 2 criteria, which covers Logical and Physical Access, emphasizes data security and privacy and logical access to software, services, and infrastructure. Specifically, it requires a company to implement controls that prevent and detect malware injection and to remediate such a security incident if one occurs. Since attackers often take advantage of systems that are not secured, having end-to-end encryption in place is one of the best preventive strategies an organization can institute.
Encryption Requirements Found in SOC 2
Although SOC 2 standards can sometimes appear strict and intricate, they do not address encryption in any detail. There are no specific encryption requirements listed in the five trust criteria that make up the backbone of SOC 2. Therefore, your organization’s robust security posture is best served by focusing on thorough cybersecurity hygiene and best practices.
Recommended Best Practices Based on SOC 2 Security Criteria
As you construct your cybersecurity fortress, keep the following SOC 2-based guidelines in mind:
- Data should always be encrypted if it is “in transit” across public networks such as the internet.
- If data is “in transit” across non-public networks such as your internal systems, encryption is not required. However, it is highly recommended.
- Data “at rest” on removable media such as tape or USB drives must be encrypted. Encryption of data at rest is also required if the scope of the SOC 2 audit includes the Confidentiality category of the Trust Services Criteria.
- Data on non-removable media such as servers is not required to be encrypted. However, encryption is highly recommended.
As the above recommendations suggest, your organization should always seek to encrypt all types of information whenever possible as the gold standard of cybersecurity.
Depending on the type of information your company manages or transmits, the following suggestions are also essential to keep in mind:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the use and disclosure of protected health information (PHI). If the information you store or transmit is considered PHI under HIPAA, you should encrypt this data, whether “in transit” or “at rest,” unless you can demonstrate that you have put some other equally effective protective control in place.
- Any cardholder information associated with the major credit card brands (Discover, Mastercard, Visa, American Express, or JCB) is protected under the Payment Card Industry Data Security Standard (PCI DSS) and must always be encrypted, even when it is “at rest.”
- Regardless of what type of data you encrypt, you should use cryptography based on industry-tested and accepted algorithms. The key lengths you use should provide a minimum of 112 bits of key strength. Examples of suitable choices are RSA with 2048-bit or longer keys, AES with 128-bit or longer keys, or TDES/TDEA with triple-length keys.
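The guidance above (encrypt in transit over public networks, encrypt at rest on removable media or when Confidentiality is in scope, always encrypt PHI and cardholder data, and accept only keys giving at least 112 bits of strength) can be turned into a repeatable check over an inventory of systems. The following script is an added example, not code from the original article or from any SOC 2 auditor; the inventory records are constructed, the `Asset` fields and `assess` function are this example's own design, and the translation of key sizes into bits of security strength follows the equivalences published in NIST SP 800-57 Part 1 (for instance RSA-2048 and three-key TDES are both rated at 112 bits, which is why the page names them as the floor).

```python
"""Audit an encryption inventory against the SOC 2-based guidance in this article.

Constructed example (not the article's own code). Security-strength
equivalences follow NIST SP 800-57 Part 1; the 112-bit floor is the
minimum the article states.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_STRENGTH_BITS = 112  # minimum key strength named in the article


def security_strength(algorithm: str, key_bits: int) -> int:
    """Approximate security strength in bits (NIST SP 800-57 Part 1).

    Algorithms not on the accepted list return 0 so they always fail.
    """
    alg = algorithm.upper()
    if alg == "AES":
        return key_bits if key_bits in (128, 192, 256) else 0
    if alg in ("TDES", "TDEA", "3DES"):
        # Three-key TDES (168-bit key) is rated at 112 bits; two-key at only 80.
        return {168: 112, 112: 80}.get(key_bits, 0)
    if alg == "RSA":
        for modulus, strength in ((15360, 256), (7680, 192), (3072, 128),
                                  (2048, 112), (1024, 80)):
            if key_bits >= modulus:
                return strength
        return 0
    if alg in ("ECC", "ECDSA", "ECDH"):
        for size, strength in ((512, 256), (384, 192), (256, 128), (224, 112)):
            if key_bits >= size:
                return strength
        return 0
    return 0


@dataclass
class Asset:
    """One place data lives or moves; field names are this example's own."""
    name: str
    state: str                      # "in_transit" or "at_rest"
    public_network: bool = False    # transit crosses the internet?
    removable_media: bool = False   # at-rest copy on tape / USB drive?
    data_class: str = "general"     # "general", "phi" or "cardholder"
    algorithm: Optional[str] = None  # None means the data is not encrypted
    key_bits: int = 0
    compensating_control: bool = False  # documented alternative (PHI only)


def encryption_required(asset: Asset, confidentiality_in_scope: bool) -> bool:
    """Apply the article's 'required' vs 'recommended' rules."""
    if asset.data_class == "cardholder":          # PCI DSS: always
        return True
    if asset.data_class == "phi":                 # HIPAA: unless compensated
        return not asset.compensating_control
    if confidentiality_in_scope:                  # Confidentiality category in audit scope
        return True
    if asset.state == "in_transit":
        return asset.public_network               # public networks only
    return asset.removable_media                  # at rest: removable media only


def assess(asset: Asset, confidentiality_in_scope: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict in {PASS, FAIL, RECOMMEND}."""
    required = encryption_required(asset, confidentiality_in_scope)
    if asset.algorithm is None:
        if required:
            return "FAIL", "encryption required but absent"
        return "RECOMMEND", "encryption not required here but strongly recommended"
    strength = security_strength(asset.algorithm, asset.key_bits)
    label = f"{asset.algorithm}-{asset.key_bits} gives ~{strength}-bit strength"
    if strength < MIN_STRENGTH_BITS:
        return "FAIL", f"{label}, below the {MIN_STRENGTH_BITS}-bit minimum"
    return "PASS", label


# Constructed inventory for demonstration only.
INVENTORY = [
    Asset("customer-portal-tls", "in_transit", public_network=True,
          algorithm="AES", key_bits=128),
    Asset("internal-queue", "in_transit", public_network=False),
    Asset("offsite-backup-tape", "at_rest", removable_media=True),
    Asset("legacy-vpn", "in_transit", public_network=True,
          algorithm="TDES", key_bits=112),
    Asset("card-vault", "at_rest", data_class="cardholder",
          algorithm="AES", key_bits=256),
]


def run_report(assets, confidentiality_in_scope: bool = False) -> dict:
    """Map each asset name to its (verdict, reason)."""
    return {a.name: assess(a, confidentiality_in_scope) for a in assets}


if __name__ == "__main__":
    for name, (verdict, why) in run_report(INVENTORY).items():
        print(f"{verdict:9} {name}: {why}")
```

Running the script prints one line per asset; the two-key TDES VPN fails because it yields only about 80 bits of strength even though it is "encrypted," which is exactly the gap the 112-bit floor is meant to catch, and the unencrypted tape fails because removable media is a hard requirement rather than a recommendation.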
In tandem with your encryption strategies, your company should create, implement, demonstrate and regularly update a set of solid management and training practices that keep security at the forefront of your entire team’s awareness. By putting a comprehensive cyber safety and encryption program in place, your company stands prepared not only to pass a SOC 2 audit with flying colors but also to furnish your customers with a demonstrated commitment to end-to-end cybersecurity.