By: Terri Hurley | Updated: 2024-12-02 | Related: Auditing and Compliance
Problem
At some point in your career, you may be asked to provide specific information regarding production SQL Servers for SOC 2 purposes to an Auditor. Now, if you haven't worked with an Auditor before, you may be asking yourself: what is a SOC 2 Audit? Does it have anything to do with Change Management? What is my role in an Audit? First, let's understand what the SOC 2 audit is and why it's important.
Solution
What is a SOC 2 Audit?
A SOC 2 audit is an analysis of the policies, procedures, and technology that a company uses to protect its data. Companies that undergo a SOC 2 audit need to provide documentation of their security program and proof of internal controls to an Auditor. Typically, the Auditor will ask you to run one or more security reports on a SQL Server that has been identified as housing a SOC 2-related database. The results are sent back to the Auditor either as a screenshot that includes a timestamp showing when the picture was taken, or as a file containing the report.
Another possibility is that they may ask to watch you run the report through screen sharing so they can take a screenshot themselves. I've had Auditors even ask permission to record a video of me running a security report. So, there are multiple ways that they may ask to receive a screenshot of the report results.
In my experience, the Auditor requests information on SQL Servers housing SOC 2 databases at about the same time every year. The Auditor will only request to see information specifically about a SQL Server that was identified as having a SOC 2-related database.
Who Can Perform a SOC 2 Audit?
Only a licensed CPA firm or agency can perform a SOC 2 audit. There are several controls that they usually look at, so they will request samples to review during a specific timeframe. The controls and samples they review may include:
- New hire onboarding.
- Access and removal of terminated employees.
- Background checks.
- Security awareness training.
- Code reviews for application/database changes.
Looking at the controls listed above, your involvement as the DBA is important because you typically grant users access to databases, remove terminated users, and apply production database changes through Change Management procedures. So, you play a very important part in a SOC 2 Audit: you enforce the security policies, and you are the source of record for all production database changes made through Change Management.
Change Management and the SOC 2 Audit Objectives
The objective of Change Management in SOC 2 is to maintain transparency, accuracy, and accountability within internal controls. Auditors are mainly concerned with information systems processes, related business processes, and the controls over those processes.
So, you have nothing to fear from an audit. Auditors are not out to find you guilty of something, but rather to verify that internal controls are working. For example, if last year you had a user with sysadmin rights on a SQL Server and that employee has since left the company, the Auditor will take note if that employee's login has not been removed from the SQL Server. If the terminated user has not been removed, then an internal control may have failed, and corrective action needs to be implemented.
What to Expect from an Audit
Usually, the Auditor will schedule a walk-through meeting with you so they can obtain an understanding of existing controls through observation. They may ask you to share your screen, connect to a SQL Server, and run one or more SQL scripts that produce a report. The information they typically look for is a list of logins that hold sysadmin rights; they may also ask for the current encryption status of the databases.
During the review process, they may also ask for clarification on the evidence that you already provided or request additional evidence. After you provide all the necessary information to the Auditor, they will review the evidence for each in-scope control.
Once you have provided the requested information, keep a copy of everything you sent to the Auditor (all scripts, reports, and screenshots). This lets you compare this year's audit to last year's to see if anything is out of order, and it builds a history of the evidence sent to Auditors over the years.
After the CPA firm completes their audit, they'll issue their findings in a SOC 2 audit report. This report details the auditor's opinion on your company's security, availability, integrity, confidentiality, and privacy controls. It takes an average of four to eight weeks to compile a final audit report, which is usually sent to management.
Best Practices
- Remove Terminated Users from All SQL Servers. When you receive internal notice of a terminated employee, remove that user from all existing SQL Servers, not just the ones housing SOC 2-related databases, as soon as you are notified. This is simply good DBA practice.
- Check Encrypted Databases Periodically. Verify, on every SQL Server, that the databases that should be encrypted actually are. This is especially important if your company houses data owned by other companies.
- Implement Strong Passwords. A strong SA account password on a SQL Server is vital. Ensure that the SA password does not contain a dictionary word, is at least 15 characters long, and includes symbols.
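The evidence described in the walk-through section above (who holds sysadmin rights, and which databases are encrypted) and the first two best practices can be pulled with catalog queries like the following. This is an added example, not a script from the article; it uses only standard SQL Server catalog views and DMVs, and the `captured_at` column is included so the timestamp the Auditor wants appears inside the result set itself.

```sql
-- Added example, not from the article: evidence queries for a SOC 2 walk-through.
-- Run against the in-scope instance; captured_at puts the evidence timestamp
-- directly in the result set instead of relying on the screenshot clock.

-- 1. Members of the sysadmin fixed server role (the list Auditors ask for first).
SELECT  sp.name             AS login_name,
        sp.type_desc        AS principal_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
        sp.is_disabled,
        sp.create_date,
        sp.modify_date,
        SYSDATETIMEOFFSET() AS captured_at
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY sp.name;
-- Follow-up for each WINDOWS_GROUP row: expand the group in Active Directory.
-- A terminated employee can keep sysadmin through group membership even though
-- no individual login for that person exists on the instance.

-- 2. Transparent Data Encryption status of every user database.
--    A database with no row in sys.dm_database_encryption_keys has never had a
--    DEK; encryption_state 3 is the only value that means "fully encrypted".
SELECT  d.name AS database_name,
        d.is_encrypted,
        CASE dek.encryption_state
             WHEN 1 THEN 'Unencrypted'
             WHEN 2 THEN 'Encryption in progress'
             WHEN 3 THEN 'Encrypted'
             WHEN 4 THEN 'Key change in progress'
             WHEN 5 THEN 'Decryption in progress'
             WHEN 6 THEN 'Protection change in progress'
             ELSE 'No database encryption key'
        END AS encryption_state_desc,
        dek.encryptor_type,                -- CERTIFICATE or ASYMMETRIC KEY (EKM)
        dek.key_algorithm,
        dek.key_length,
        dek.percent_complete,              -- non-zero while state 2, 4, 5 or 6 is in flight
        SYSDATETIMEOFFSET() AS captured_at
FROM    sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek ON dek.database_id = d.database_id
WHERE   d.database_id > 4                  -- skip master, tempdb, model, msdb
ORDER BY d.name;
```

Save the two result sets with the script itself, as the article recommends, so next year's run can be diffed against this one.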
Next Steps
- Be sure to set all SQL Servers to log both successful and failed logins. This will be useful for producing future security reports and for SQL tracing.
- Set up your SQL Server services to run under Managed Service Accounts (MSAs) instead of regular domain user accounts. This provides tighter security because no password has to be entered or maintained in the service configuration. It also removes the possibility of the account becoming locked out, which would cause the SQL Server services to shut down.
- Read these previous change management articles:
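To verify the first Next Step above (login auditing set to record both failed and successful logins) from a query window rather than the SSMS server properties dialog, the instance's AuditLevel setting can be read with `xp_instance_regread`. This is an added example, not from the article; the value meanings (0 none, 1 successful, 2 failed, 3 both) are the standard ones for this setting.

```sql
-- Added example, not from the article: check (and, if needed, set) the
-- instance-level login auditing setting. The value lives in the instance's
-- registry hive; xp_instance_regread resolves the instance-specific path.
--   0 = None, 1 = Successful logins only, 2 = Failed logins only,
--   3 = Both failed and successful logins (what the Next Step asks for).
DECLARE @audit_level int;

EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;

SELECT  @audit_level AS audit_level,
        CASE @audit_level
             WHEN 0 THEN 'None'
             WHEN 1 THEN 'Successful logins only'
             WHEN 2 THEN 'Failed logins only'
             WHEN 3 THEN 'Both failed and successful logins'
             ELSE 'Unknown'
        END AS audit_level_desc,
        CASE WHEN @audit_level = 3 THEN 'PASS' ELSE 'REMEDIATE' END AS control_status,
        SYSDATETIMEOFFSET() AS captured_at;

-- Remediation, run through your Change Management process; the new value
-- only takes effect after the SQL Server service is restarted:
-- EXEC master.dbo.xp_instance_regwrite
--      N'HKEY_LOCAL_MACHINE',
--      N'Software\Microsoft\MSSQLServer\MSSQLServer',
--      N'AuditLevel', REG_DWORD, 3;
```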
About the author
This author pledges the content of this article is based on professional experience and not AI generated.