SOC 2 Evidence Gathering
This document provides guidance on how to gather the evidence needed for our SOC 2 audit (SOC 2 is an attestation report, not a certification). It covers the types of evidence our auditors typically request for the controls that Drata does not monitor automatically, as well as best practices for collecting and organizing that evidence.
Evidence Repository
We keep the evidence we gather in the following places:
- In the Evidence Repository under <control-id>/YYYY-MM-DD, to keep a record of the evidence we previously gathered
- In Drata, uploaded under the appropriate control, to make it available for auditors
DCF-7: Separate Testing and Production Environments
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from test and production environments for the application
How to gather the evidence:
- Screenshot app-dev.narrative.io
- Screenshot app.narrative.io
DCF-11: Annual Access Control Review
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)
- Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.
How to gather the evidence:
- Follow the System Access Review Process
- Print/screenshot the resulting ticket (example: the access review ticket from April 2023).
DCF-12: Hardening Standards in Place
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.
- Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.
How to gather the evidence:
- Screenshot the marketplace ASG config showing that no SSH key is configured
- Screenshot the open-api IAM S3 policy showing that app-specific access controls are in place
- Screenshot the open-api config showing that SSM is used for retrieving secrets
- Screenshot the open-api load_balancer module instantiation showing that different VPCs are used based on the environment (using main-vpc-lookup)
- Print the System Hardening Guide that formally documents the configurations that should be implemented for newly deployed infrastructure
DCF-22: Network segmentation in place
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.
How to gather the evidence:
DCF-35: Security Team Communicates in a Timely Manner
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.
How to gather the evidence:
- Screenshot the #auto-security Slack channel
DCF-43: Termination/Offboarding Checklist
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Formal documented termination checklist/help desk ticket for a recent terminated employee.
How to gather the evidence:
- Print the Offboarding procedure
- Print the Account Deprovisioning procedure
DCF-56: Vendor Agreements Maintained (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Executed Agreement/contract between the entity and key vendors.
How to gather the evidence:
- TODO: Seth
DCF-57: Vendor Compliance Reports (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the vendor directory showing that vendors are categorized based on impact /risk.
- Review documents showing that vendors' SOC2 reports were reviewed (Drata can provide a review template for this).
How to gather the evidence:
- TODO: Seth
DCF-58: Authentication Protocol
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- If SSO is an option, screenshots of a user logging in with SSO.
- If username and password is an option, screenshots of a user logging in with a username and password.
- Screenshots of MFA being required for employee users.
- If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.
How to gather the evidence:
- Screenshot app.narrative.io login screen
DCF-59: Role-Based Security Implementation
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the application showing how users are assigned roles.
How to gather the evidence:
- Screenshot the AWS IAM config granting role-based access to developers
DCF-60: Password Storage
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- If username and password is required, screenshots from the database showing that password are stored using a salted hash.
How to gather the evidence:
- Execute the following query against the dev marketplace database and screenshot the result. Select only the password column, so the screenshot does not pair a hash with an account, and check that every returned value is a hash rather than a plaintext password before uploading it:
  $ nio-db connect -d marketplace -s devmarketplace
  > select password from users order by random() limit 10;
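The script below is an added example for this step; it is not part of the original page or of the marketplace code base. It takes the rows returned by a query like the one above and produces a summary that states which salted-hash scheme each value uses (and, for bcrypt, the cost factor) without copying any hash into the ticket. The sample rows, the `id` column, and the set of hash schemes checked are assumptions, not a description of what the marketplace database actually stores.

```python
"""Summarise a sample of stored password values by hash scheme.

Added example for the DCF-60 evidence step; not part of the original page
or of the marketplace code base. The sample rows below are constructed, and
the column names and the set of hash schemes checked are assumptions.
"""
import re
from collections import Counter

# Query from the page, widened to include the row id so findings can be
# referenced in the ticket without copying the hash itself. (Assumption.)
EVIDENCE_QUERY = "select id, password from users order by random() limit 10;"

# Modular-crypt / PHC-style prefixes of common salted, iterated password hashes.
# Each pattern captures the work-factor parameters so the evidence can state
# the cost without reproducing the salt or digest.
HASH_SCHEMES = {
    "bcrypt": re.compile(r"^\$2[abxy]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$"),
    "argon2id": re.compile(
        r"^\$argon2id\$v=19\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
        r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
    ),
    "pbkdf2-sha256": re.compile(
        r"^\$pbkdf2-sha256\$(?P<rounds>\d+)\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$"
    ),
}

# Constructed sample rows, as if returned by EVIDENCE_QUERY. The bcrypt and
# argon2id strings are syntactically valid but were not derived from any
# real password; the hex digest is an unsalted SHA-256 of a test value.
SAMPLE_ROWS = [
    {"id": 101, "password": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
    {"id": 102, "password": "$2a$12$ABCDEFGHIJKLMNOPQRSTUVabcdefghijklmnopqrstuvwxyz01234"},
    {"id": 103, "password": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"},
    {"id": 104, "password": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"},
    {"id": 105, "password": "hunter2"},  # plaintext
    {"id": 106, "password": "$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},  # cost too low
    {"id": 107, "password": None},
]


def classify(value):
    """Return (scheme, params) for one stored value.

    Anything that does not match a known salted-hash format comes back as
    "UNRECOGNIZED": plaintext, an unsalted hex digest, or a scheme this script
    does not know about. Review those rows by hand before calling the sample
    passing.
    """
    if value is None:
        return ("NULL", {})
    for scheme, pattern in HASH_SCHEMES.items():
        match = pattern.match(value)
        if match:
            return (scheme, match.groupdict())
    return ("UNRECOGNIZED", {})


def summarize(rows, min_bcrypt_cost=10):
    """Build the evidence summary for a list of {"id", "password"} rows.

    The result carries only the row id and the reason for each finding,
    never the stored value, so it can be pasted into the ticket as-is.
    """
    by_scheme = Counter()
    findings = []
    for row in rows:
        scheme, params = classify(row["password"])
        by_scheme[scheme] += 1
        if scheme in ("UNRECOGNIZED", "NULL"):
            findings.append((row["id"], scheme))
        elif scheme == "bcrypt" and int(params["cost"]) < min_bcrypt_cost:
            findings.append((row["id"], f"bcrypt cost {params['cost']} below {min_bcrypt_cost}"))
    return {
        "sampled": len(rows),
        "by_scheme": dict(by_scheme),
        "findings": findings,
        "pass": not findings,
    }


def evidence_text(summary):
    """Render the summary as the lines to paste into the evidence ticket."""
    lines = [f"Sampled rows: {summary['sampled']}"]
    for scheme, count in sorted(summary["by_scheme"].items()):
        lines.append(f"  {scheme}: {count}")
    lines.append("Result: PASS" if summary["pass"] else "Result: REVIEW REQUIRED")
    for row_id, reason in summary["findings"]:
        lines.append(f"  row {row_id}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_text(summarize(SAMPLE_ROWS)))
```

Run it on the real sample by replacing SAMPLE_ROWS with the rows the query returns; the rendered text, plus the screenshot of the query, is what goes into the ticket. A hex digest or a bare string in the password column is a finding, not evidence of a salted hash, so an UNRECOGNIZED row means the control needs investigation before the evidence is uploaded.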
DCF-61: Customer Data Segregation
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the database showing that customers are assigned separate IDs.
- Screenshots from the application showing that a customer cannot see data of another customer (attempt to show one customer trying to access data of another customer).
How to gather the evidence:
- Execute the following query against the dev marketplace database and screenshot the result:
  $ nio-db connect -d marketplace -s devmarketplace
  > select id,name from companies order by id limit 10;
- Screenshot the Datasets page for two different companies
DCF-62: Inactivity and Browser Exit Logout (TODO: Marko)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login.
- Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login.
How to gather the evidence:
- TODO: Marko
DCF-63: Accepting The Terms of Service (TODO: Marko)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots of the new account creation process showing that new users must explicitly or implicitly accept the terms of service.
How to gather the evidence:
- TODO: Marko
DCF-69: System Access Granted
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Formal, documented access request form/help desk ticket for a recent new hire.
How to gather the evidence:
- Follow the Onboarding procedure
- Screenshot/Print the resulting tickets
DCF-72: Unique SSH
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.
- Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production.
How to gather the evidence:
- Screenshot access to a production machine using SSM
- Add the following explanation:
We use AWS SSM Session Manager instead of SSH to access production machines, so there is no SSH login (root or otherwise) on them and no SSH keys are configured on the instances (see DCF-12); each session is tied to the engineer's IAM identity. Additionally, all machines are inside a VPC, and connecting to the VPC is done through a VPN that authenticates with SSO. https://aws.amazon.com/blogs/mt/vr-beneficios-session-manager/
DCF-74: Customers Informed of Changes (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Example emails communicating changes to customers.
- Screenshots of banners warning customers of downtime prior to system maintenance.
How to gather the evidence:
- TODO: Seth
DCF-79: Logs Centrally Stored
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the location where logs of system activity are stored.
How to gather the evidence:
- Screenshot AWS CloudWatch Log Groups
DCF-80: Log Management System
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the location where logs of system activity are stored.
How to gather the evidence:
- Screenshot AWS CloudWatch Log Groups
DCF-86: Operational Audit
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the systems used to monitor for system availability issues.
- Screenshots showing how personnel would be alerted of availability issues and who would be alerted.
How to gather the evidence:
- Screenshot AWS CloudWatch Alarms
- Screenshot sample alerts sent to the #auto-techops Slack channel
- Screenshot the #auto-techops Slack channel user list
DCF-92: VPN Required for Production Access
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots of a user trying to access production systems without being connected to a VPN, showing that access is denied.
- Screenshots of a user accessing production after connecting to a VPN, showing a successful connection.
How to gather the evidence:
- Screenshot access to the marketplace database with and without the VPN connection:
  $ nio-db connect -d marketplace -s prod
DCF-105: Employee Non-Disclosure Agreement (NDA) (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Example new hire employee agreement, with NDA included.
How to gather the evidence:
- TODO: Seth
DCF-108: Storage of Sensitive Data on Paper (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Pictures of secure storage bins from office locations.
How to gather the evidence:
- TODO: Seth
DCF-109: Disposal of Sensitive Data on Hardware
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Data Deletion Policy or equivalent policy documenting this policy and procedure.
How to gather the evidence:
- Print Disposal of Sensitive Data on Hardware: Formal, documented hard disk drive destruction process
- Print Hiring - Offboarding procedure: Employee termination checklist includes properly destroying hard disks
DCF-143: Board Oversight Briefings Conducted (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed.
How to gather the evidence:
- TODO: Seth
DCF-144: Board Charter Documented (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Copy of Board Charter
How to gather the evidence:
- TODO: Seth
DCF-145: Board Expertise Developed (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Board of Directors Backgrounds
How to gather the evidence:
- TODO: Seth
DCF-146: Board Meetings Conducted (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Board of Directors Bios
- Meeting minutes from Board meetings
How to gather the evidence:
- TODO: Seth
DCF-149: Board Meetings Conducted (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.
How to gather the evidence:
- TODO: Seth
DCF-152: Virtual Machine OS are Patched Monthly (TODO: Sami)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Evidence from servers or patching systems showing that operating systems were patched monthly.
How to gather the evidence:
- TODO: Sami
DCF-153: Conduct Control Self-Assessments (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots of how Drata is used for continuous monitoring of controls.
How to gather the evidence:
- TODO: Seth
DCF-154: Annual Incident Response Test (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Most recently completed incident response tabletop test.
How to gather the evidence:
- TODO: Seth
DCF-155: Code Changes are Tested
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the ticketing system for a few changes showing that changes were tested.
How to gather the evidence:
- Take a screenshot of the latest GitHub Actions CI run showing that the automated tests ran and passed
- If the automated tests end up not being considered enough evidence by the auditor, ask the Product Manager for recent tickets showing that product changes have been tested and undergone bugfixes before being rolled out to production.
DCF-156: Production Code Released by Appropriate Personnel
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.
How to gather the evidence:
- Print the content of the Product Strategy and Strategic Roadmap showing the changes that have been approved by management
- Print the content of the Product Backlog showing the changes that have been approved by management
DCF-157: Cybersecurity Insurance Maintained (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Cybersecurity insurance certificate.
How to gather the evidence:
- TODO: Seth
DCF-160: Continuous Control Monitoring (TODO: Seth)
Drata Example Evidence for Not Monitored Controls Sheet suggests the following evidence for this control:
- Screenshots of how Drata is used for continuous monitoring of controls.
How to gather the evidence:
- TODO: Seth