An executive briefing for the Board, the C-Suite, and Owners.
Cyberwatch Security Controls & SOC 2 Compliance — An Executive Briefing
Audience: CEO, CFO, CSO/CISO, Owners, and Board Members
Author: Northern Data Solutions, Office of the CTO
Service Line: Cyberwatch — Independent Third-Party Analysis. The foundation for Cyberwatch Advanced and every CyberSecureID enforcement program that follows.
“Sensitive data is about people, and we take our responsibility to protect this information very seriously. Cyberwatch is focused on playing its best game every day.”
1. Executive Summary
Every cybersecurity assessment program touches sensitive data. The question your Board needs answered is not whether a third-party assessor will encounter sensitive data — they will — but how that data is protected from the moment it leaves your endpoint to the moment it is destroyed. This briefing documents the security controls, encryption architecture, key management, separation of duties, and SOC 2 compliance posture that govern every Cyberwatch engagement.
Cyberwatch was engineered with a single guiding assumption: the data we collect to assess our customers is exactly the data attackers want to steal from those same customers. Every architectural decision — from 4096-bit vaults on the endpoint, to Azure-resident transient keys that never touch our AWS data plane, to a two-analyst separation that prevents anyone from seeing both the data and the rules — flows from that assumption.
2. What Cyberwatch Analyzes
Cyberwatch analyzes organizations for vulnerabilities that hackers could use to gain access to a network or to further an in-progress attack. The Security Operations Center (SOC) team uses attack vectors based on forensics performed during and after real cyberattacks across many organizations. This is critical: it gives the customer empirical insight into what an attacker would actually gain access to if the network were breached.
During every analysis, the SOC Security Advisors review:
Cyberwatch SOC Security Advisor Review Areas

| Review Area | What the SOC Security Advisors Check |
|---|---|
| Security Patches | CVE coverage, patch latency, end-of-life software |
| Perimeter Defenses | Firewall config, edge controls, exposed services |
| Password Hygiene | Cracked credentials, policy enforcement, reuse detection |
| Data Loss Prevention | PII / CUI exposure, egress visibility, DLP rule efficacy |
| Malware Defenses | EDR / XDR / SOC efficacy verification |
Figure 1. The five security domains every Cyberwatch engagement reviews.
This depth of analysis necessarily uncovers sensitive information. The remainder of this briefing documents how that information is protected at every step.
3. The Cyberwatch Data Protection Architecture
The architecture is built around three principles: encrypt early, encrypt always, and isolate the keys.
Cyberwatch Encryption Architecture — End to End

| Stage | Controls |
|---|---|
| 1. Workstation | Data collected and encrypted in vault: 4096-bit RSA + 512-bit AES, public-key locked |
| 2. Transit | Secure socket to Portal: TLS 1.3, X25519 / AES-256; identity: PKCS #1 SHA-256 / RSA |
| 3. Storage | Amazon Elastic Container Service; vault remains encrypted until processing; keys are NOT here |
| 4. Key Management | Hosted by Azure (separate cloud); transient memory only; never persisted; two-cloud isolation |
| 5. Processing (two-analyst separation) | Analyst A unlocks the vault. Analyst B runs rules and writes the report. Neither analyst sees both the raw data and the rule output. |
Figure 2. The end-to-end encryption and key-isolation architecture.
3.1 Encryption at the Endpoint
While analyzing a network, Cyberwatch runs several processes on individual workstations. As data is collected it is encrypted in place inside a 4096-bit RSA / 512-bit AES vault. The vault is locked using public-key encryption: it is computationally infeasible to determine the private decryption key from only the algorithm and the public key. Either of the two keys can be used for encryption, with the other used for decryption.
3.2 Encryption in Transit
Once tests on the workstation are complete, the encrypted vault is transmitted to the Cyberwatch Portal over a secure socket connection that follows current best practice: TLS 1.3, X25519, AES-256, with site identity confirmed using PKCS #1 SHA-256 with RSA Encryption.
3.3 Storage
Once delivered, the vault is stored in a secure Amazon Elastic Container Service bucket. The vault remains encrypted until the moment processing begins.
3.4 Key Management on a Separate Cloud
When all data for an organization has been collected, an analysis is requested. An analyst initiates the unlocking process using a mechanism hosted by a secondary cloud provider, Azure. The vault key is securely requested and lives only in the transient memory of Azure — never persisting on any permanent storage. This dual-cloud architecture is intentional: vault keys are never entered into or stored within the infrastructure that houses the vaults. Isolating keys from the data they protect shields against the realistic scenario in which an attacker compromises one environment.
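The endpoint sealing in 3.1 and the key-plane unlocking in 3.4, as an added Go example that is not Cyberwatch's own code. It assumes envelope encryption: a random AES-256-GCM data key wrapped under the RSA-4096 public key with OAEP (the modes and the Vault layout are assumptions; the page states only 4096-bit RSA / 512-bit AES and public-key locking). The workstation never holds the private key, so a sealed vault opens only where that key lives, and a vault altered in transit or storage is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Vault is the sealed bundle that leaves the workstation (hypothetical layout, not Cyberwatch's own format).
type Vault struct {
	WrappedKey []byte // random AES-256 data key, wrapped under the RSA-4096 public key (OAEP assumed)
	Nonce      []byte // fresh 12-byte GCM nonce for this vault
	Ciphertext []byte // AES-256-GCM output; its authentication tag exposes later tampering
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault runs on the endpoint, which holds only the public key and so cannot reopen what it seals.
func SealVault(pub *rsa.PublicKey, plaintext []byte) (*Vault, error) {
	buf := make([]byte, 44) // 32-byte data key followed by a 12-byte nonce; crypto/rand.Read never fails (Go 1.24+)
	rand.Read(buf)
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Vault{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenVault runs only on the key plane, where the private key lives in memory; the data plane never holds it.
func OpenVault(priv *rsa.PrivateKey, v *Vault) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, v.WrappedKey, nil)
	if err != nil {
		return nil, err // not the matching private key: the data key stays sealed
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, v.Nonce, v.Ciphertext, nil) // rejects any modified ciphertext or nonce
}
```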
4. Separation of Duties — The Two-Analyst Model
Architectural controls are necessary but not sufficient. Cyberwatch enforces a strict separation of duties between the people who can see the data and the people who write the analysis.
Two-Analyst Separation of Duties (no shared visibility)

| Analyst A | Analyst B |
|---|---|
| Initiates vault unlock via Azure | Runs detection rules on Portal data |
| Holds key access | Sees only rule output |
| Has visibility into the raw data | Authors the customer report |
| Cannot run rules. Cannot author the report. | Cannot access raw data. Cannot decrypt the vault. |
Figure 3. Neither analyst can see both the raw data and the rule output.
Rules are run on the data in the Portal by a second analyst who does not have access to the data — only the rule output. This division of labor is a critical safeguard designed to ensure private data remains compartmentalized. Restricting access prevents any single individual from accessing full datasets, significantly reducing the risk of insider threat and ensuring the highest level of data protection.
4.1 Defense-in-Depth at the Database Layer
The data stored in the database contains only small segments of sensitive information. For example, Cyberwatch retains only the first four characters of a password plus a one-way hash — never the full credential. Anything considered sensitive is also stored in an encrypted database field, layering encryption on top of segmentation.
4.2 Personnel Controls
All Cyberwatch analysts are U.S.-based and have completed thorough background checks.
4.3 Report Delivery
A notification is sent to the customer indicating a report is ready to be viewed. Cyberwatch does not send reports out via email, eliminating the most common cause of accidental data disclosure: a misaddressed message. As a defense-in-depth control, even if a report link were sent to the wrong customer, that customer would not be able to open it.
5. SOC 2 Compliance
SOC 2 is a rigorous, independent audit framework covering five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
The Cyberwatch Security Advisors team adheres to SOC 2 standards. The independent audit process behind SOC 2 verifies that Cyberwatch meets the highest levels of security, availability, processing integrity, confidentiality, and privacy, and ongoing compliance demonstrates Cyberwatch’s commitment to protecting client information.
5.1 The Seven SOC 2 Standards Cyberwatch Adheres To
| Standard | How Cyberwatch Implements It |
|---|---|
| Access Controls | Strict access management ensures only authorized personnel can access sensitive data, with role-based segmentation enforced across the platform. |
| Data Encryption | Advanced encryption methods protect data at rest (4096-bit RSA / 512-bit AES vaults; encrypted database fields) and in transit (TLS 1.3, X25519, AES-256). |
| Incident Response | A formal incident-response plan provides for the rapid detection of and response to security breaches, with documented playbooks and assigned ownership. |
| System Monitoring | Continuous monitoring of systems for unusual activity or vulnerabilities to prevent potential security incidents before they escalate. |
| Audit Trails | Comprehensive logs of system activities are maintained to support forensic analysis and compliance audits. |
| Risk Management | Regular risk assessments identify and mitigate potential threats to system security and integrity, feeding back into roadmap decisions. |
| Vendor Management | Third-party vendors are required to comply with Cyberwatch’s security standards to protect client data when handled externally. |
6. Important Components of Cyberwatch Data Privacy & Security
Beyond the SOC 2 control families, several Cyberwatch-specific design choices materially raise the bar for client data protection:
| Design Choice | What It Means |
|---|---|
| Two parallel infrastructures | Cyberwatch maintains two different sets of infrastructure — the data plane and the key plane — on separate cloud providers (AWS for data, Azure for keys). |
| Keys off the server infrastructure | Encryption keys are never resident on the infrastructure that holds the encrypted data. Compromise of one plane does not yield access to the other. |
| Separation of personnel access | Personnel who hold key access do not hold server access, and vice versa. Insider threat requires multiple independent compromises. |
| Monthly security training | Non-technical team members receive monthly security training. Technical team members receive a second monthly training specifically for system administrators. |
7. Recurring Self-Assessment — We Get Audited Too
Cyberwatch operates on the principle that you cannot proofread your own work. Three independent recurring assessments validate that principle:
Cyberwatch Self-Assessment Cadence

| Assurance Loop | Scope | Purpose |
|---|---|---|
| Quarterly red team | Internal red team uses the same tools and tactics we use on customer networks | Continuous validation |
| Separation of duties | Infrastructure-support team is separate from the team that tests the infrastructure | Independent challenge |
| Annual third-party | Independent third party performs a full pen test of the Cyberwatch environment | External assurance |
Figure 4. Three independent assurance loops — we apply our own program to ourselves.
Quarterly internal red-team assessment. Cyberwatch’s red team performs an analysis of our own environment every quarter using the same tools and tactics we use to analyze customer networks.
Structural separation of duties. The team that supports the infrastructure is separate from the team that tests it — ensuring genuine independent challenge rather than self-attestation.
Annual independent third-party penetration test. An external third party performs a full pen test of the Cyberwatch environment annually, in addition to the quarterly internal red-team assessment.
In short: yes, we get assessed too.
8. Compliance Framework Alignment
The Cyberwatch security control set is engineered to satisfy the third-party-assessor obligations of every framework an executive team is realistically accountable to.
| Framework | Why Cyberwatch’s Controls Matter |
|---|---|
| SOC 2 (Type I and Type II) | Direct alignment with all five Trust Services Criteria; underpins customer attestation when Cyberwatch findings are used as part of a SOC 2 evidence package. |
| CMMC 2.0 / NIST SP 800-171 | Independent third-party assessor obligation, plus encryption-in-transit and at-rest controls aligned with 3.13.x (System and Communications Protection). |
| HIPAA Security Rule | 164.312(a)(2)(iv) (encryption), 164.312(e)(1) (transmission security), and 164.308(a)(4) (information access management) are all directly satisfied. |
| PCI DSS 4.0.1 | Requirement 3 (protect stored cardholder data), Requirement 4 (encrypt transmission), and Requirement 7 (least privilege) evidence flows through the architecture. |
| GDPR / CCPA / state privacy laws | Article 32 security-of-processing requirements: encryption, key management, integrity, and continuous validation. |
| NYDFS Part 500 | 500.15 encryption, 500.07 access privileges, 500.05 penetration testing, and 500.11 third-party service-provider security. |
| FTC Safeguards Rule | Encryption-in-transit/at-rest, access controls, and qualified-individual oversight obligations under 16 CFR 314. |
| ISO/IEC 27001:2022 | Annex A.5, A.8 (asset and cryptographic controls), A.12 (operations), and A.18 (compliance) artifacts. |
9. Cyber Liability Insurance
Cyber liability underwriters are increasingly skeptical of providers that hold sensitive client data without demonstrable controls. Cyberwatch’s SOC 2 alignment, dual-cloud key isolation, two-analyst separation of duties, U.S.-based background-checked staff, and recurring third-party penetration testing of our own environment are exactly the controls underwriters now require to extend or increase coverage. Cyberwatch reports are accepted by major U.S. cyber-insurance carriers as continuous-assessment evidence, and our control posture supports our customers’ own underwriting submissions when they document the third parties that touch their data.
10. Where Cyberwatch Fits in the Northern Data Solutions Portfolio
From Identification to Enforcement

| Cyberwatch | Cyberwatch Advanced | Compliance-as-a-Service |
|---|---|---|
| Identify & quantify risk | CyberSecureID + Verify | Program management |
| SOC 2-aligned controls | Zero Trust & Least Privilege | Auditor-ready evidence |
| Board-ready evidence | Continuous enforcement | VCSO executive oversight |

One partner, one program, end-to-end.
Figure 5. Cyberwatch is the foundation; Cyberwatch Advanced and Compliance-as-a-Service complete the program.
Cyberwatch Advanced — CyberSecureID Identity Access Management, CyberSecureID Verify adaptive MFA, principles of least privilege, Zero Trust architecture, attack-surface visibility, password management, and the cybersecurity awareness training platform with employee attestation.
Compliance-as-a-Service — the platform that manages your full compliance program and converts Cyberwatch findings into auditor-ready evidence for every framework above.
Virtual CSO (VCSO) — an executive-grade security leader who sits at your board and audit committee, owns the Cyberwatch outcomes, and reports in business terms.
11. Recommended Next Steps for the Board
Add Cyberwatch’s control documentation to the vendor due-diligence file. The architecture, key isolation, and SOC 2 alignment described here are exactly the artifacts your audit committee, regulators, and cyber liability broker will ask for.
Approve a Cyberwatch Level 1 Free Test within 30 days to validate the baseline against 3–5 representative users.
Commit to a Level 2 Full Comprehensive Assessment within 60 days, including the M365 Mothership analysis.
Adopt the quarterly Level 3 cadence. Receive the Executive Summary & Dashboard at every audit committee meeting; receive the Monthly External Vulnerability Report between meetings.
Plan the graduation to Cyberwatch Advanced. Once the remediation backlog is moving, layer on CyberSecureID enforcement to convert “known risks” into “eliminated risks.”
12. Conclusion
The single hardest question to answer in vendor due diligence is, “How do you protect my data when you’re inside my environment?” Cyberwatch was engineered with a complete answer to that question: dual-cloud key isolation, 4096-bit vaults, transient Azure-resident keys, two-analyst separation of duties, encrypted database fields with credential-segment retention, U.S.-based background-checked personnel, no email-based report delivery, full SOC 2 alignment across seven control families, monthly role-based security training, quarterly internal red-team assessment, and an annual independent third-party penetration test of our own environment.
Cyberwatch is the foundation. Cyberwatch Advanced — with CyberSecureID Identity Access Management and CyberSecureID Verify — is the enforcement that closes the loop. Compliance-as-a-Service and the VCSO offering convert the entire program into a defensible, board-reportable, auditor-ready posture.
Let’s secure your future. Schedule a 26-minute executive briefing with Northern Data Solutions.
Ready to strengthen your cybersecurity posture and ensure compliance? Our experts will assess your needs and provide a tailored plan to protect your organization. We look forward to partnering with you on your journey to comprehensive security maturity. To schedule an executive briefing or readiness review, contact your Northern Data Solutions account executive or the Office of the CTO.