The SOC 2 audit: What, how, and why?

We explain what an SOC 2 audit is, why we passed it, and how it was performed.

Update: May 18, 2022

In 2022, Kaspersky once again completed a Service Organization Control for Service Organizations (SOC 2) Type 1 audit, which the company first underwent in 2019. The independent assessment was carried out by an international Big Four accounting firm.
Launched in late January 2022, the reassessment was successfully completed in late April and confirmed that the development and release process of Kaspersky’s antivirus bases are protected against unauthorized changes by security controls. During the examination, Big Four auditors among other things checked the company’s policies and procedures related to the development and release of antivirus (AV) bases, the network and physical security of the infrastructure involved in this process and the monitoring tools used by the Kaspersky team.
The scope of the current audit has been expanded compared to the 2019 assessment, as Kaspersky has since introduced new security tools and controls. The full report can be provided to our customers upon request.

As you may already know from Eugene Kaspersky’s blog or our official press release, we recently passed our SOC 2 audit. In case you do not know what that is and why it was necessary, we will fill in the details now.

What is an SOC 2 audit?

The Service and Organization Controls 2 (SOC 2) is an audit of control procedures at IT organizations that provide services. In essence, it is an international reporting standard for cybersecurity risk management systems. This standard, developed by the American Institute of Certified Public Accountants (AICPA), was updated in March 2018.

This post is about the SOC 2 Type 1 audit (which we passed), which certifies that security control mechanisms have been effectively established in a single system. That is, third-party auditors came to us and examined our risk-management system, looking at what practices we have implemented, how closely we follow the stated procedures, and how we record changes in the process.

Why do we need to undergo audits?

Any company that provides any services has the potential to pose a threat to its customers. Even a totally legitimate company could become a link in a supply chain through which an attack is conducted. But companies working in the field of information security have an even greater responsibility: Their products must be allowed the highest level of access to user information systems.

Therefore, from time to time, customers, particularly large corporations, may have legitimate questions, such as: How much can we trust these services? What kind of internal policies do we have for the services we use? Could someone harm us with their products or corresponding services?

Here’s the twist: The answers we provide do not matter, because the answers we, or any company, provide can always sound convincing. That’s why we turn to external auditors for an outside expert opinion. It is important to us that our customers and partners have no doubt our products and services are reliable. We also believe that it is important that our internal processes comply with international standards and best practices.

What did the auditors examine?

The biggest concern is always the mechanism for delivering information to client computers. Our solutions cover various market segments and industries, and most of them use an antivirus engine as a core defensive technology to scan objects for signs of cyberthreats. Among its many technologies, the engine uses superfast hashes, emulation in an isolated environment, and machine-learning mathematical models that are highly mutation-resistant, all of which  require regular updates of antivirus databases to be effective against modern cyberthreats.

Independent auditors have studied our system for managing those databases and our methods for monitoring the integrity and authenticity of updates for antivirus product databases for Windows and Unix servers. They ascertained that our control methods are functioning correctly, and they also checked the development and release process of antivirus databases for any possibilities of unauthorized tampering.

How did they conduct their study?

The auditors look at how vendor processes comply with each of the five fundamental principles of security: protection (is the process protected against unauthorized access?), availability (is the process generally functional?), process integrity (is the data delivered to the client kept safe?), confidentiality (can anyone else access this data?), and privacy (is personal data stored on our side, and if so, then how?)

In our case, the auditors examined:

  • What our services offer,
  • How our systems interact with users and potential partners,
  • How we implement process control, and what its limitations are,
  • What control tools users have, and how they interact with our control tools,
  • What risks our service faces, and what control tools minimize these risks.

To understand all of that, they studied our organizational structure, mechanisms, and personnel. They were interested in how we conduct background checks when hiring new employees. They analyzed our procedures for dealing with changing security requirements. They studied the source code of the mechanism we use to deliver antivirus database updates automatically and, most important, they were interested in what opportunities exist for making unauthorized changes to this code. They also looked at many other things. If you are interested in the details of the audit, use the link at the bottom of this post to download the full report.

Who conducted the study, and where can I read the report?

The audit was conducted by a Big Four company. As you may have noticed, we do not state anywhere which one it is. But that doesn’t mean the auditors were anonymous. It is simply customary to control any mentions of their name. The report, of course, is signed.

In the end, the auditors concluded that our antivirus database development and release processes are sufficiently protected against unauthorized tampering. For more detailed conclusions, a description of the research process, and other details, you may familiarize yourself with the full text of the report (free signup required).