Evaluate Detected Security Events
Plain English Translation
Organizations must evaluate detected security events to determine if they constitute a true security incident that threatens system objectives. This involves analyzing the event's scope, assessing its impact on systems and data, and determining if immediate remediation actions are required. By formally reviewing and documenting these events, the organization ensures a structured and effective response to potential threats.
Technical Implementation
Required Actions (startup)
- Implement a basic ticketing system to track and review security alerts.
- Define simple criteria for what constitutes a security incident requiring action.
Required Actions (scaleup)
- Develop formal procedures to analyze security incidents and determine system impact.
- Ensure detected security events are communicated to designated security managers for review.
Required Actions (enterprise)
- Integrate automated impact assessment tools into the security operations center.
- Periodically evaluate the effectiveness of incident analysis and response procedures.
Evidence Required
SOC 2 CC.3 requires organizations to evaluate security events to determine if they are security incidents that could result in a failure to meet system objectives. If they do pose a threat, the organization must take appropriate actions to prevent or address such failures.
During an audit, organizations typically demonstrate compliance by providing a system-generated summary list of closed tickets for identified and mitigated security events. Auditors will review samples of these tickets to verify that proper analysis and remediation details were documented.
A security event is any occurrence arising from actual or attempted unauthorized access that could impair systems or data. A security incident is a specific security event that requires action on the part of an entity in order to protect information assets and resources.
Organizations must develop and implement procedures to analyze security incidents, determine system impact, and communicate events to responsible individuals. They also need procedures to periodically evaluate the effectiveness of their response policies.
Security events must be reviewed and evaluated continuously as they are detected by IT operations personnel. Additionally, the overall effectiveness of the evaluation policies and procedures should be reviewed on a periodic basis.
Required documentation typically includes an incident response plan, logs of security events, and ticket histories showing the analysis and resolution of specific events. Records of communications to responsible management regarding these events are also necessary evidence.
For privacy engagements, detected security events must be explicitly evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information. The organization must also assess if the event resulted in a failure to comply with applicable privacy laws or regulations.
Ticketing systems, Security Information and Event Management platforms, and log analysis tools help IT operations personnel capture, track, and evaluate the impact of detected security events efficiently.
Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program. This ensures that leadership is aware of potential threats and that necessary preventive or corrective actions are authorized and taken.
If an evaluation determines a security event is a true security incident, the organization must take actions to prevent or address failures. This involves recommending remediation, mitigating the active threat, and executing the formal incident response program.
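A minimal model of the evaluation workflow described above (criteria that turn an event into an incident, the privacy check, and the evidence a ticket must carry before it is closed), written as an added example for this page rather than taken from any ticketing or SIEM product; the incident criteria, data-class labels and field names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed criteria: an event type listed here threatens a system objective
# and is therefore treated as a security incident rather than a mere event.
INCIDENT_CRITERIA = {
    "credential_compromise": "confidentiality",
    "malware_execution": "integrity",
    "service_outage": "availability",
}
# Constructed data-class labels that trigger the privacy evaluation.
PERSONAL_DATA_CLASSES = {"pii", "phi"}

@dataclass
class EventTicket:
    ticket_id: str
    event_type: str
    data_classes: set            # data touched by the event, e.g. {"pii"}
    is_incident: bool = False
    privacy_impact: bool = False
    analysis: str = ""           # documented scope/impact analysis
    remediation: str = ""        # documented remediation steps
    notified: list = field(default_factory=list)  # responsible managers informed
    status: str = "open"

def evaluate(ticket: EventTicket) -> EventTicket:
    """Apply the incident criteria and the privacy evaluation to a detected event."""
    ticket.is_incident = ticket.event_type in INCIDENT_CRITERIA
    ticket.privacy_impact = ticket.is_incident and bool(
        ticket.data_classes & PERSONAL_DATA_CLASSES)
    return ticket

def missing_evidence(ticket: EventTicket) -> list:
    """Documentation an auditor would expect before the ticket may be closed."""
    gaps = []
    if not ticket.analysis:
        gaps.append("analysis")
    if ticket.is_incident and not ticket.remediation:
        gaps.append("remediation")
    if ticket.is_incident and not ticket.notified:
        gaps.append("management notification")
    return gaps

def close_ticket(ticket: EventTicket) -> EventTicket:
    """Refuse to close a ticket whose evidence trail is incomplete."""
    gaps = missing_evidence(ticket)
    if gaps:
        raise ValueError(f"{ticket.ticket_id} cannot close; missing {gaps}")
    ticket.status = "closed"
    return ticket

def audit_summary(tickets: list) -> list:
    """System-generated list of closed tickets, the artefact sampled during an audit."""
    return [(t.ticket_id, t.event_type, t.is_incident, t.privacy_impact)
            for t in tickets if t.status == "closed"]
```

Every non-incident event still needs a documented analysis before closure, so the record shows the evaluation happened even when no action was required.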
WatchDog Security's Vulnerability Management module helps streamline the evaluation of detected security events by automatically ingesting and correlating data from multiple sources. This reduces the time and effort required to assess the severity of an event and provides security teams with real-time insights to act swiftly and accurately.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-22 | WatchDog Security GRC Team | Initial publication |