About Corticare

Corticare is a California based tele-Electroencephalogram (EEG) company with a premise to help technicians determine real brain functionality and abnormality in a timely and cost-effective manner. Corticare has redefined remote EEG monitoring in critical care and the Epilepsy Monitoring Unit (EMU), expanded the use of in-home ambulatory EEG and provides support for clinical trials. Corticare continues to serve as the industry leader in neuro-telemetry by setting the standard for processes, personnel, and innovation.

The Challenge

Corticare was faced with the challenge of providing evidence to current and prospective customers that it had undergone thorough security due diligence and data protection measures against cyber-attacks. Corticare quickly decided it would pursue compliance with a security framework, but a subsequent challenge was finding a compliance standard that was most appropriate for accomplishing the goal. After consulting Jacobian Engineering for expert advice, both parties decided on Service Organization Control 2 (SOC 2) as the most appropriate solution.

Service Organization Control (SOC) is a compliance standard for service organizations which was developed by the American Institute of CPAs (AICPA) and specifies how organizations should manage customer data. The standard is based on the following trust criteria: security, availability processing integrity, confidentiality and privacy.

The SOC 2 framework is built on five Trust Services Criteria (formerly called the Trust Services Principles), defined by AICPA. These Trust Services Criteria are the basic elements of your cybersecurity posture. They include organization controls, risk assessment, risk mitigation, risk management, and change management. Security is the only TSC required for every SOC 2 audit. Additional criteria are optional.

The five Trust Services Criteria are:

• Security: Protecting information from vulnerabilities and unauthorized access. The Security Trust Criteria is all about protecting information from unauthorized disclosure.
• The Security Criteria are also known as the Common Criteria. They prove that a service organization's systems and control environment are protected against unauthorized access and other risks.
• Availability: Ensuring employees and clients can rely on your systems to do their work
• Processing integrity: Verifying that company systems operate as intended
• Confidentiality: Protecting confidential information by limiting its access, storage, and use
• Privacy: Safeguarding sensitive personal information against unauthorized users

Partner Solution

The Security TSC is all about protecting information and systems. Is data secure during its collection or creation? Is it secure during its use, processing, transmission, and/or storage? How does a company prevent and monitor any vulnerabilities in its systems? The SOC 2 Common Criteria list, also known as the CC-series, includes nine subcategories

Corticare chose to report on the Common Criteria only and Jacobian Engineering worked with Corticare to develop controls in each of the subcategories. Amazon Web Service platform and infrastructure services helped Corticare rapidly implement controls and meet or exceed the standards outlined by the AICPA. Certain control subcategories are largely administrative, such as:

• CC1 — Control environment – Does the organization value integrity and security?
• CC2 — Communication and Information – Are policies and procedures in place to ensure security? Are they communicated well to both internal and external partners?
• CC5 — Control Activities – Are the proper controls, processes, and technologies in place to reduce risk?

But most of the control subcategories are supported by AWS services including:

• CC3 — Risk Assessment –Does the organization analyze risk and monitor how changes impact that risk?
  Amazon Detective and Inspector help Corticare understand its risk profile by allowing system engineers to mine telemetry data and report on risks using these two platform services.
• CC4 — Monitoring Controls – Does the organization monitor, evaluate, and communicate the effectiveness of its controls?
  Amazon CloudWatch provides observability metrics and data and with EventBridge and SNS, allows operators to receive alerts when resources need attention. Amazon CloudWatch also collects and aggregates log data from some platform services such as CloudTrail and Corticare's custom built applications and EC2 instances for alerting and observability.
• CC6 – Logical and Physical Access Controls
  Physical access to the facility housing the Platform is restricted to Amazon personnel. Physical assets are destroyed when no longer required. Access to data and software is restricted to authorized personnel and provisioned with logical security controls. Access to data and software is restricted through the use of logical access security measures. Data is encrypted at rest.
  Amazon S3 encryption and EBS encryption allow Corticare to encrypt data at rest using AES-256. Cryptographic key material is securely managed by Amazon KMS allowing Corticare to control access to cryptographic services and leverage server side and platform-integrated encryption of its data at rest.
• CC7 – System Operations
  Infrastructure and software are monitored for anomalies and changes. Amazon CloudTrail, GuardDuty, Config and Amazon Directory Services support system operations. CloudTrail, GuardDuty and Config all help Corticare monitor account operations, detect anomalous behavior and enforce enterprise policies across all services. Amazon Directory Services enable Corticare to centrally manage user identities across supported systems by integrating Microsoft Active Directory as a platform service.
• CC8 – Change Management
  Amazon Config helps Corticare detect drift and track changes to its Amazon account services over time. Amazon System Manager automates patching of EC2 instances and provides system operators with console access without the need to use a VPN solution.
• CC9 – Risk Mitigation
  Controls are in place to mitigate risks arising from potential business disruptions. Amazon Relational Database Services (RDS) provides a platform service for hosting a multi-availability zone (Multi-AZ) instance of its SQL data, providing Corticare with high availability and access to critical data. Amazon Backup allows Corticare to mitigate risks such as data integrity and supports Corticare's disaster recovery plan. Amazon File Transfer Service provides a secure mechanism to transfer sensitive customer data into the Corticare account for processing and storage with minimal management overhead.

Result and Benefits

Jacobian Engineering's compliance auditors completed the readiness for SOC 2 and submitted all documents for the Audit firm chosen by Corticare. Through the entire process, Jacobian Engineering continued working and assisting Corticare with responding to questions and requests from the Audit firm. Corticare achieved SOC 2 compliance.

This SOC 2 achievement has improved the overall security posture of Corticare, increased growth opportunities and helped Corticare maintain its competitive edge.

About Jacobian Engineering

Jacobian Engineering is an information security company and an advanced consulting partner of Amazon Web Services (AWS). Jacobian Engineering works with customers in several industries including healthcare, biotechnology, energy, financial services, construction and has strong competencies in cloud security, software development, migrations, governance, risk, and compliance.