Security and Compliance
Inside Recast Software: SOC 2 Security Report and ISO 27001 Certification
Topics: Security and Compliance
Recast Software launched its information security program a couple of years ago. One of the earliest goals for the program was to get a SOC 2 report for our products. SOC 2 is a report on organizational controls including security, availability, processing integrity, confidentiality, and privacy. After a push deploying information security policies, procedures, and controls, we are nearing the start of the SOC 2 Type 2 audit period after a successful Type 1 audit.
Next, we start our ISO 27001:2022 certification. Where SOC 2 is product focused, ISO 27001:2022 is an international standard for best practice ISMS (Information Security Management System). Fortunately, SOC 2 and ISO 27001:2022 both share many policies and controls. Recast did not have to start from scratch.
Read on to learn how our journey can help you simplify your own path to compliance.
Leveraging Recast Software for SOC 2 Security Report and ISO 27001 Certification
Building an information security program isn’t a walk in the park. It’s about establishing governance, setting standards, and implementing security controls. How has Recast Software been able to utilize its own products along the way on this security journey? Here are some examples from ISO 27001 Annex A and from SOC 2 Trust Service Criteria (TSC), and how Recast meets the requirements. Annex A and TSC are general guidelines for what organizations can do to meet the compliance criteria.
Recast Software’s Compliance Controls in Action
| Framework | Control Environment (SOC 2) / Annex A Control (ISO) | Points of Focus (SOC 2) / Description (ISO) | Explanation |
|---|---|---|---|
| SOC 2 | Common Criteria 6.1 | Restricts Logical Access | The Windows operating system is not intended to be operated constantly with local administrator privileges. Privilege Manager helps manage logical access to Windows 10 and Windows 11 endpoints. |
| SOC 2 | Common Criteria 6.2 | Controls Access Credentials to Protected Assets; Removes Access to Protected Assets When Appropriate; Reviews Appropriateness of Access Credentials | Endpoints are protected assets. With Privilege Manager, manage local user groups on Windows endpoints and review access to these groups. |
| SOC 2 | Common Criteria 6.3 | Creates or Modifies Access to Protected Information Assets; Removes Access to Protected Information Assets; Uses Role-Based Access Controls | Endpoints are protected information assets. Fine-tune role-based access on Windows workstations with Privilege Manager. |
| SOC 2 | Common Criteria 6.8 | Restricts Application and Software Installation | One of the core elements of the principle of least privilege for endpoints. With Privilege Manager, control the admin roles so that application installations can also be controlled. With Application Manager, reduce the need for employees to install software themselves. |
| ISO 27001:2022 | Annex A.8.2 | The allocation and use of privileged access rights should be restricted and managed. | This ISO requirement is an exact match for Privilege Manager. |
| ISO 27001:2022 | Annex A.8.8 | Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated, and appropriate measures should be taken. | Vulnerability remediation is a crucial task. Application Manager manages and delivers third-party patches (and more). Removing permanent local administrator privileges with Privilege Manager is a strong mitigation against the many vulnerabilities that require elevated access to exploit. |
| ISO 27001:2022 | Annex A.8.9 | Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed. | This requirement is very extensive, but endpoint logging is an important part of it. With Privilege Manager, keep a log of privileged account escalations. |
| ISO 27001:2022 | Annex A.8.32 | Changes to information processing facilities and information systems should be subject to change management procedures. | Change management is a big part of ISO 27001. It must reach all systems and facilities in scope. Endpoints and third-party software can be considered information systems, so Application Manager, with its extensive test and deployment capabilities and processes, helps tremendously here. |
As you can see, adhering to compliance standards doesn’t have to be overwhelming when you have the right tools in place.
Smooth your Compliance Journey with Recast
While no single tool can cover all compliance requirements, integrating Recast Software into existing systems helps fill critical gaps, making the journey towards compliance smoother. The Trust Service Criteria and Annex A introduce numerous points of focus and control descriptions, and no one tool can automate all of them for you.
Every organization should reflect carefully on its own needs and compliance requirements. Choosing the right tools makes the challenging task of compliance manageable. Recast Software offers specific, targeted solutions to streamline this process.
Ready to simplify your compliance journey? Get in touch with us to see how we can help.