SOC 2 Controls with JumpWire

An installation of JumpWire closes gaps in an Information Security program designed to meet SOC 2 Criteria.

JumpWire ships with built-in capabilities for data encryption and access auditing. These fulfill requirements for controls in the common criteria related to Logical and Physical Access Controls, and System Operations, as well as criteria for Processing Integrity.

SOC 2 Basics

A SOC 2 is an audited report of an organization's data security controls. The audit covers a list of criteria that an auditor uses to evaluate whether controls are correctly implemented in an information security program.

The auditor's role is to confirm that security controls are working as described by the company's Information Security Program documentation. They do not prescribe what kind of security tools should be used. Rather, they ask the company to provide evidence that the security controls exist and are operating as designed.

A SOC 2 is broken into 5 categories called "Trust Service Criteria" (TSC). The Security TSC (also known as "Common Criteria") is included in every SOC 2 report. JumpWire can operate as a control to fulfill criteria included in the sections Logical and Physical Access Controls (CC6) and System Operations (CC7).

Security Criteria

With built-in encryption and audit policies, JumpWire implements controls that fulfill the criteria corresponding to Logical and Physical Access Controls (CC6) and System Operations (CC7). These are capabilities for securing data with encryption, managing the lifecycle of cryptographic keys, and auditing requests that access sensitive data.

JumpWire's extensive monitoring features make audit preparedness and evidence collection a snap. It's easy to collect logs and alerts generated by JumpWire, in a format that can be uploaded directly to data rooms during the evidence collection period.

CC6.1 — The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
Uses Encryption to Protect Data — The entity uses encryption to protect data (at rest, during processing, or in transmission), when such protections are deemed appropriate based on the entity's risk mitigation strategy.
JumpWire's encryption policy ensures all data with a given label is encrypted in the database, while being queried from the database, or when requested through HTTP APIs. JumpWire can scan existing database and API endpoints for data that is at risk of violating encryption policies.
Protects Cryptographic Keys — The entity protects cryptographic keys during generation, storage, use, and destruction. Cryptographic modules, algorithms, key lengths, and architectures are appropriate based on the entity's risk mitigation strategy.
JumpWire manages the full lifecycle of encryption keys. It hooks into key management services (KMS) to generate master and intermediate keys, rotates keys on schedule or on demand, and re-encrypts data when keys are deprovisioned.
CC6.5 — The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
Removes Data and Software for Disposal — Procedures are in place to remove, delete, or otherwise render data and software inaccessible from physical assets and other devices owned by the entity, its vendors, and employees when the data and software are no longer required on the asset or the asset will no longer be under the control of the entity.
JumpWire's capabilities for rotating and revoking encryption keys will "render data... inaccessible" using cryptographic deletion. By removing the keys originally used to encrypt the data, the data can no longer be accessed in its original form. This is especially useful for large data sets in append-only storage systems, such as log streams or data warehouses, where deleting individual records is not possible or is inefficient.
CC6.7 — The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.
JumpWire encrypts sensitive fields of data at the API edge or when written in databases. Data stays protected even when loaded into internal tools or third-party SaaS, reducing the risk of unauthorized access to the original data.
CC7.2 — The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
Implements Detection Policies, Procedures, and Tools — Detection policies, procedures, and tools are defined and implemented on infrastructure and software to identify potential intrusions, inappropriate access, and anomalies in the operation of or unusual activity on systems. Procedures may include … (3) logging of unusual system activities.
JumpWire adds metadata to query logs, including the application executing the query and the classification of data returned in the result. Using your existing observability tools, alerts can be created for classifications of data that should not be widely accessible to internal tools, or shared with third parties through an API integration.
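To show how query logs that carry classification metadata can be turned into alerts, here is an added example. It is not JumpWire's code: the log field names, the policy shape and the sample log lines are constructed assumptions, not a real JumpWire log schema. The program reads newline-delimited JSON entries and raises one alert for every case where an application read a classification it is not allowed to see.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// QueryLog is a hypothetical query log entry with classification metadata
// attached. The field names are assumptions made for this example.
type QueryLog struct {
	Timestamp       string   `json:"ts"`
	Application     string   `json:"app"`
	Database        string   `json:"db"`
	Rows            int      `json:"rows"`
	Classifications []string `json:"classifications"`
}

// Policy maps a data classification to the applications allowed to read it.
// A classification absent from the map is unrestricted.
type Policy map[string]map[string]bool

// Alert records one disallowed read of a restricted classification.
type Alert struct {
	Timestamp      string
	Application    string
	Classification string
	Rows           int
}

// Evaluate parses newline-delimited JSON log lines and returns one alert per
// (entry, restricted classification) pair where the application is not allowed.
// A malformed line is reported as an error rather than silently skipped, so a
// broken log pipeline cannot hide violations.
func Evaluate(logs string, policy Policy) ([]Alert, error) {
	var alerts []Alert
	for i, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var e QueryLog
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		for _, c := range e.Classifications {
			allowed, restricted := policy[c]
			if restricted && !allowed[e.Application] {
				alerts = append(alerts, Alert{
					Timestamp: e.Timestamp, Application: e.Application,
					Classification: c, Rows: e.Rows,
				})
			}
		}
	}
	return alerts, nil
}

// sampleLogs are constructed for this example; they are not real output.
const sampleLogs = `
{"ts":"2023-05-01T10:00:00Z","app":"billing-api","db":"customers","rows":1,"classifications":["pii","payment_card"]}
{"ts":"2023-05-01T10:01:00Z","app":"metabase","db":"customers","rows":5000,"classifications":["pii","payment_card"]}
{"ts":"2023-05-01T10:02:00Z","app":"metabase","db":"customers","rows":120,"classifications":["public"]}
{"ts":"2023-05-01T10:03:00Z","app":"zapier-integration","db":"customers","rows":30,"classifications":["pii"]}
`

// samplePolicy: only the billing service may read card data; an internal BI
// tool and a third-party integration are not on the list for PII.
var samplePolicy = Policy{
	"payment_card": {"billing-api": true},
	"pii":          {"billing-api": true, "support-portal": true},
}

func main() {
	alerts, err := Evaluate(sampleLogs, samplePolicy)
	if err != nil {
		fmt.Println("log parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s app=%s read classification=%s rows=%d\n",
			a.Timestamp, a.Application, a.Classification, a.Rows)
	}
}
```

The same loop can be pointed at a real log stream once the field names are mapped to whatever the deployed schema uses; the useful property is that the policy is expressed in terms of data classification rather than table or column names, so it keeps working as the schema changes.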

Processing Integrity Criteria

The following criteria apply only to organizations that are attesting to the Processing Integrity TSC. Controls in this TSC are designed to ensure the correctness of outputs or services delivered by the products that the organization is distributing.

PI1.4 — The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.
Protects Output — Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.
Encrypting individual fields or entire records ensures that outputs are protected. JumpWire uses encryption schemes that are resistant to tampering, so corrupted or deteriorated data cannot be returned as output.
Distributes Output Only to Intended Parties — Output is distributed or made available only to intended parties.
JumpWire's HTTP proxy can be configured to provide data egress protection, for example only decrypting data for authorized parties. This gives an organization a layer of control for APIs being used to share data. JumpWire policies are explicit in defining which parties can receive unencrypted or unredacted data fields.
Creates and Maintains Records of System Output Activities — Records of system output activities are created and maintained completely and accurately in a timely manner.
All requests are logged with the requestor, recipient, and classification of data being exchanged. JumpWire publishes these logs in a format that interoperates with observability or SIEM systems.
PI1.5 — The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.
Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
Encrypting individual fields or entire records ensures that stored items are protected. If theft of data items occurs, they remain encrypted, unusable by the thief. JumpWire uses encryption schemes that are resistant to tampering, so corrupted or deteriorated data cannot be returned as output.
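Two properties claimed on this page, cryptographic deletion by destroying keys (CC6.5) and tamper-resistant encryption that refuses to return corrupted data (PI1.4 and PI1.5), are illustrated together by the following added example. It is not JumpWire's code: it uses Go's standard-library AES-GCM, an in-memory stand-in for a KMS, and constructed record values, all of which are assumptions made here. The data label is bound into each record as associated data, so a record sealed as "pan" cannot be opened under another label.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyUnavailable = errors.New("data key unavailable (destroyed or never provisioned)")
var ErrIntegrity = errors.New("authentication failed; refusing to return corrupted data")

// KeyStore is a hypothetical in-memory stand-in for a KMS, constructed for this
// example. Each dataset gets its own 256-bit data key, looked up by ID.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a fresh random data key under keyID.
func (ks *KeyStore) Generate(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[keyID] = k
	return nil
}

// Destroy zeroes and forgets a data key. Every record sealed under it becomes
// unreadable without touching the records themselves: cryptographic deletion.
func (ks *KeyStore) Destroy(keyID string) {
	if k, ok := ks.keys[keyID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, keyID)
	}
}

// Record is one encrypted field: the key that sealed it, the nonce, and the
// AES-GCM ciphertext, which carries its own authentication tag.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func (ks *KeyStore) aead(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, ErrKeyUnavailable
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under keyID with the data label as associated data.
func (ks *KeyStore) Seal(keyID string, plaintext, label []byte) (Record, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, label)}, nil
}

// Open decrypts a record. Any change to ciphertext, nonce or label fails the
// GCM tag check, so corrupted or deteriorated data is never returned as output.
func (ks *KeyStore) Open(r Record, label []byte) ([]byte, error) {
	g, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, r.Nonce, r.Ciphertext, label)
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

func main() {
	ks := NewKeyStore()
	_ = ks.Generate("warehouse-2023")
	rec, _ := ks.Seal("warehouse-2023", []byte("4111111111111111"), []byte("pan")) // constructed value
	pt, err := ks.Open(rec, []byte("pan"))
	fmt.Printf("authorized read: %q err=%v\n", pt, err)
	rec.Ciphertext[0] ^= 0x01 // simulate storage corruption
	_, err = ks.Open(rec, []byte("pan"))
	fmt.Println("tampered read:", err)
	rec.Ciphertext[0] ^= 0x01 // undo the corruption
	ks.Destroy("warehouse-2023") // retention period over: shred the key
	_, err = ks.Open(rec, []byte("pan"))
	fmt.Println("after key destruction:", err)
}
```

The order of checks in Open matters: key availability is tested before the tag, so a shredded dataset fails with a key error even if its ciphertext is intact, and a live dataset with a flipped bit fails with an integrity error instead of yielding garbage. In a real deployment the KeyStore would be backed by a KMS and the key ID stored alongside each record would be what a key rotation or deprovisioning job walks over.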
“The entity uses encryption to protect data at rest, during processing, or in transmission”
- SOC 2 Common Criteria 6.1