Updates to SOC 2 Framework

  • Updated

Vanta released an update to a SOC 2 control. As part of our continuous improvement process to ensure our frameworks’ audit readiness, we have improved by adding one additional piece of evidence to the SOC 2 CC 6.6 Network firewalls reviewed control. 


What changed? 

  • A new document request was added to the Network Firewall reviewed control to provide evidence of the Firewall ruleset review results.

What actions should I take?

Depending on your compliance journey, you might want to take the following steps:

  • If you are just getting started with SOC 2, there is no immediate action for you
  • If you are currently building your SOC 2 compliance program, you might want to plan for an upcoming Firewall ruleset review
  • If you are currently undergoing an audit and are in the observation window, you should conduct a firewall ruleset review to ensure that you meet compliance with Network firewalls reviewed

What is a firewall ruleset review?

  • A firewall ruleset review involves evaluating the configuration and rules of a firewall to ensure they effectively control traffic, are logically ordered, and comply with security policies and regulations. It includes identifying redundant rules, documenting configurations, and verifying logging and monitoring mechanisms to enhance security posture and compliance.


Examples of the content of the firewall review report are:

  • Reviewer Information and Timing: Who conducted the review, and when the review was conducted
  • Review Coverage: Detail the firewalls, networks, or segments that were examined.
  • Ruleset Overview: The total number of rules reviewed, as well as any grouping or segmentation used within the ruleset (e.g., by function, network segment, or application).
  • Rule Description: For each rule or a representative sample of rules, include: Rule ID, Action (allow/block), Source and destination IP addresses, Ports and protocols involved.
  • Purpose/Justification: Explain each rule's intended function and necessity for business operations or security posture.
  • Compliance Status: Evaluate the compliance of each rule with organizational policies and best practices in firewall management. Identify any deviations or areas of concern.
  • Recommendations: Based on the findings, suggest actions for each rule or set of rules. Recommendations may include:
  • Modification of existing rules to tighten security without impacting necessary business functions. Deletion of obsolete, unused, or overly permissive rules.
  • Add new rules to address uncovered security gaps or to enhance compliance with best practices and organizational policies.