SOC 2 Common Criteria 7.1 Configuration and Vulnerability Management

The SOC 2 Audit Reports provide documentation to help demonstrate compliance with the Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA). The SOC 2 CC7.1 Configuration and Vulnerability Management report describes how to access file integrity monitoring, scan scheduling, and vulnerability reporting features in the Alert Logic console that help demonstrate compliance with Common Criteria (CC) 7.1.

To access the SOC 2 CC7.1 Configuration and Vulnerability Management report:

  1. In the Alert Logic console, click the menu icon, and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under SOC 2 Audit, click VIEW.
  4. Click SOC 2 CC7.1 Configuration and Vulnerability Management.

To refine your findings, you can filter your report by date range and customer account.

By default, Alert Logic includes (All) filter values in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

The report summary page displays two columns. Points of Focus lists the points of focus, specifically related to all engagements using the trust services criteria, that highlight important characteristics of CC7.1. Available Documentation and Artifacts describes, and links to, the documentation and compliance artifacts that can demonstrate compliance with each point of focus.

Available Documentation and Artifacts

This report provides access to AWS Center for Internet Security (CIS) Benchmark and Azure CIS Benchmark reports, the File Integrity Monitoring section, the File Integrity Monitoring dashboard, vulnerability scan schedules, discovery scanning, vulnerability variance reports, and PCI scanned reports that help you demonstrate compliance with CC7.1.

This criterion requires that, to meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Uses Defined Configuration Standards

The Uses Defined Configuration Standards point of focus requires you to demonstrate that management has defined configuration standards.

Alert Logic does not provide data for this point of focus. You must provide the policy and procedure documents for this audit.

Monitors Infrastructure and Software

The Monitors Infrastructure and Software point of focus requires you to demonstrate that the entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.

This section provides you with a link for quick access to the CIS AWS Foundation Benchmark in the Alert Logic console, where you can review how your AWS environment conforms to CIS Benchmarks.

This section also provides you with a link for quick access to the CIS Microsoft Azure Foundation Benchmark in the Alert Logic console, where you can review how your Azure environment conforms to CIS Benchmarks.

Implements Change-Detection Mechanisms

The Implements Change-Detection Mechanisms point of focus requires you to demonstrate that the IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.

This section provides you with a link for quick access to the Get Started with Alert Logic Deployments page in the Alert Logic console, where you can select a deployment to view the File Integrity Monitoring section for configured monitoring software and file paths. You can use this information to demonstrate that your IT system includes a change-detection mechanism.

This section also provides you with a link for quick access to the File Integrity dashboard in the Alert Logic console, where you can view or export changes to your monitored software and configuration files. You can use this information to demonstrate that the IT system includes a change-detection mechanism.

Detects Unknown or Unauthorized Components

The Detects Unknown or Unauthorized Components point of focus requires you to demonstrate that procedures are in place to detect the introduction of unknown or unauthorized components.

This section provides you with a link for quick access to the Get Started with Alert Logic Deployments page in the Alert Logic console, where you can select a deployment to review vulnerability scan schedules. You can use this information to demonstrate that procedures are in place to detect the introduction of unknown or unauthorized components.

Conducts Vulnerability Scans

The Conducts Vulnerability Scans point of focus requires you to demonstrate that the entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment, and takes action to remediate identified deficiencies on a timely basis.

This section provides you with the following links for quick access to appropriate pages in the Alert Logic console:

  • The Get Started with Alert Logic Deployments page, where you can select a Data Center deployment to review the discovery scan schedules.
  • The Vulnerability Variance Reports in the Alert Logic console, where you can review summary, trending, and detailed lists for new, resolved, and unresolved vulnerabilities in your environment.
  • The PCI scanning page, where you can review the latest 25 internal vulnerability scan reports for the most recent 12-month period.