SOC 1, SOC 2, SOC Red, SOC Blue – photo courtesy of Cool Socks
There has been a huge trend in the US for technology companies to get their SOC 2 attestation report. How do we know? We’ve helped a number of companies achieve their compliance.
This blog post explores many of the considerations that our clients go through in their quest for a SOC 2.
Why SOC 2?
Supply chain risk is one of the areas that companies are working hard to protect against. Customers are only as secure as their suppliers. Larger companies are asking their suppliers to be more secure. A SOC 2 attestation (certification) can help demonstrate the security of the organization.
What is a SOC 2?
SOC stands for Service Organization Controls. It is an AICPA report. There is a SOC 1 which is focused on financial controls and a SOC 2 which is focused on security controls.
Difference between different SOC reports
A CPA firm
performs an audit based on a large number of controls. Organizations that have
all of the controls in place pass the audit.
SOC 2 Type 1 vs Type 2
To add to the confusion there is a SOC 2 Type 1 and SOC 2 Type 2. A Type 1 measures a moment in time. Often companies get this report to start. It indicates that at the moment of report issuance the company followed all of the controls. The Type 2 measures the organization over a period of six months to a year. It indicates that the firm consistently follows the principles. If an auditor finds any irregularities they are indicated in the Type 2 report as exceptions.
Trust Service Criteria
Five Trust Service Criteria are the backbone of SOC 2. This jargon is also confusing, mostly because these five things used to be known as “Trust Principles.”
The Trust Service Criteria are as follows: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Let’s go over each of these briefly.
Security generally involves how
systems are protected – that covers elements like data breach response plans,
firewalls and browser isolation tools, and anything that generally prevents
unauthorized access to networks.
Availability, on the other hand,
is related to system uptime and how the system can be accessed by authorized
users.
Processing Integrity involves
whether the system offers complete, valid, accurate, timely and authorized data
to users.
The other two criteria are
important in today’s business world with new privacy and confidentiality
standards being imposed at a regional level, as well as by industry standards –
think the European General Data Protection Regulation or GDPR, or California
standards.
Confidentiality evaluates
whether the information in protected classes is well protected from abuse.
Privacy governs how personal
information is collected, used, disclosed and finally disposed of in an entire data
life cycle.
While the first four Criteria are often used by all companies, the Privacy Criteria are typically implemented by Business to Consumer organizations.
Choosing an Auditor
In some ways, choosing an
auditor is relatively straightforward, but it pays to keep in mind that not all
auditors are the same.
Obviously, one factor is cost.
As with any consulting or service, it’s important to make sure that costs are
covered in the budget, and to preserve buy-in for any expenses. Remember, you
will be paying for an audit, every year!
There’s also the issue of SOC 2
experience – all things being equal, it’s best to rely on an auditor that has
specialized history in this area.
In addition, you want auditors
who can commit to a time frame in order to keep everything running smoothly,
with key reporting or other benchmarks being done when they are expected.
Then there’s the Readiness Assessment, which can strengthen the eventual audit.
Some firms provide a pre-planning
Readiness Assessment to evaluate how ready the enterprise is for the SOC 2
audit. You want to make sure that the auditor will roll the results of the
readiness assessment into the audit and not make you redo all of that work!
Getting Ready for a SOC 2 Audit
Some general guidelines help
businesses to proceed toward a successful SOC 2 audit.
One of the first items in
brainstorming this process is figuring out the scope of the audit itself.
In general, businesses want to
include all relevant products and services – because having this audit apply to
more eligible aspects of your business is better than unnecessarily restricting
it.
One great tip is that B2B
companies need to select their ‘value services’ and address those in the audit.
In other words, if you’re going to be selling a particular cloud or software as
a service benefit to your customers, it definitely pays to have that within the
scope of the SOC 2.
In deciding whether to pursue
Type 1 or Type 2 SOC 2 audits, be aware that SOC 2 Type 2 is the eventual
destination. While Type 1 provides a snapshot and can be handy for introductory
purposes, the SOC 2 Type 2 is preferred.
Additionally, be ready to
update policies and control documentation to prepare for the audit.
It helps to “get in the audit
mindset” and have a look over current policies and controls to see where
improvement is needed.
Here’s another important tip –
businesses will typically want to evaluate whether they have strong internal
controls on four key concepts – access control, change control, risk management
and internal audit benchmarking.
In terms of staffing and
management, you’ll need point people to spend significant time on SOC 2 audit
preparation – having these people designated helps the business properly
prepare for the audit.
Consultants can also be extremely
helpful in audit preparation.
What Do SOC 2 Consultants Do?
Three things that consultants
typically do for businesses in audit programs include creating content,
acquiring technical controls and adjusting policies and procedures.
Create content – The content that’s created is going to be key documentation for
a SOC 2 audit. Part of the audit procedure is explaining what’s in place, and
the content that gets created provides that orientation.
Acquire technical controls – if there’s a deficit,
consultants help companies acquire those needed controls to be successful and
benefit from a successful audit resolution.
Adjust policies and procedures – like we just talked about, the
policies and procedures may not be quite up to speed, or in other words, audit-ready.
Project manage – there’s a lot to be said for domain expert project managers.
Perform risk assessments – if this is not something that you were doing before you will
now!
Perform vendor evaluations – evaluating your key vendors is really important. If this is not a current regular practice, it can be valuable to outsource the activity.
Perform “External Internal Audit” – External Internal Audit
might sound like an oxymoron. But hey who doesn’t love “Jumbo Shrimp”?
Some firms don’t have an
internal audit function. There is a lot to keep up with to successfully
maintain a SOC 2 program. An External Internal Auditor is familiar with the
standards and can keep the organization accountable to successfully maintain
their SOC 2 program.
Key Aspects of Audit
There are a lot of aspects of
the audit. Here we focus on the items that require your attention and will
undoubtedly generate additional work. Of course, for the most part these will
lead to your organization being more secure.
Access Control
Access control has to do with who has access, and what each user’s level of access is.
Items to review include permissions, account status, and tiered access.
You will need to review your
access controls for all of your key systems. This will include your Identity
and Access Management (IAM) system, cloud services, networking equipment,
servers, VPNs and anything else that you have that’s important.
We regularly find users that
don’t belong when we review clients’ systems. Might as well check it out before
it is found in an audit!
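One way to do the kind of access review described above before the auditor does it for you. This is an added illustration, not Fractional CISO’s tooling; the IAM export, HR roster and service-account register are constructed sample data, and the 90-day stale threshold is an assumption.

```python
"""Access review: reconcile enabled system accounts against the HR roster.
Added illustration, not Fractional CISO's tooling; all data below is constructed."""
from datetime import date, timedelta

# Constructed IAM export: one dict per account on the system under review.
ACCOUNTS = [
    {"user": "alice", "role": "admin", "last_login": "2024-05-01", "enabled": True},
    {"user": "bob", "role": "user", "last_login": "2023-11-02", "enabled": True},
    {"user": "carol", "role": "user", "last_login": "2024-05-03", "enabled": True},
    {"user": "svc-backup", "role": "admin", "last_login": "2024-05-04", "enabled": True},
    {"user": "dave", "role": "user", "last_login": "2024-01-15", "enabled": False},
]
# Constructed HR roster: user -> employment status.
ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "terminated"}
# Constructed register of service accounts that are allowed not to map to a person.
SERVICE_OWNERS = {"svc-backup": "infra-team"}

def review_access(accounts, roster, service_owners, today, stale_days=90):
    """Return (user, finding) pairs an auditor would ask about."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # a disabled account grants no access; nothing to flag
        status = roster.get(user)
        if status == "terminated":
            findings.append((user, "enabled account for terminated employee"))
        elif status is None and user not in service_owners:
            findings.append((user, "account not in HR roster and no registered owner"))
        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings.append((user, f"no login in {stale_days} days"))
        if acct["role"] == "admin" and user in service_owners:
            findings.append((user, "privileged service account; confirm owner and key rotation"))
    return findings

def demo():
    """Run the review against the constructed data as of a fixed review date."""
    return review_access(ACCOUNTS, ROSTER, SERVICE_OWNERS, date(2024, 5, 10))

if __name__ == "__main__":
    for user, why in demo():
        print(f"{user}: {why}")
```

Each finding is evidence for the auditor once it is ticketed and resolved, so keep the output with the review date.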
Change Control
Another important aspect of the
audit process is change control.
This aspect works very
similarly to the process of change control in any major project, for instance,
an architect designing a building, or a contractor building one.
In essence, every change needs
to be properly documented – for the purposes of the SOC 2, in applying this
principle to the business client’s operations, that involves documenting
changes to software, configuration, networking or customer requests.
How do you consistently
document changes?
A ticketing system provides one
of the best ways to make sure documentation of every change is consistent and
thorough.
Risk Management and Vendor Management
Don’t forget about risk management
and vendor management.
For the same reason that your customers are asking you for details about your security program, you should be asking your suppliers for details about theirs.
You need to make sure that your
vendors that are performing key functions don’t cause an upstream compromise of
your customers’ data. That would be bad. Guess who will get blamed?
You need a program to ensure that you are monitoring your suppliers. This program should be differentiated by vendor, because you don’t want to spend the same amount of time on your paper towel vendor as you do on cloud vendors that are processing your customers’ data.
You also need to write and maintain a risk assessment for your organization. It needs to be part of a formalized process for your management team to make deliberate decisions around risk. They will want to decide whether to avoid, mitigate, transfer or accept the risk.
It’s important to have a
customized risk management setup, because every business is different. What works in one industry will not work in another. That is why
you will need a program inside your organization to manage risk.
Internal Audit
Lastly, there’s the need to
have internal audit structures in place.
The idea is that even without
an outside audit, there is somebody monitoring and evaluating internal
controls.
What’s important here is that
the internal auditor has to be independent.
The reason has to do with
office politics.
There’s the idea that nobody
will point out deficiencies in systems that they have created or helped to
maintain.
That’s why it’s important to
make the internal audit process interdepartmental, or even use a consultant –
because if the internal auditor is not independent, that presents a problem.
SOC 2 Technical Security Controls
There are a lot of technical
controls as part of a SOC 2 audit. There are a bunch that most organizations
already have in place. Here are four that they often have to do something about
in preparation for the SOC 2 audit.
File Integrity Monitoring
File Integrity Monitoring is how companies ensure their files have not been maliciously altered, by regularly checking files for integrity. It is often overlooked because it seems quite obvious, yet it is one of the main technical controls companies miss, usually before they even begin to prepare for an audit.
Many organizations do not have
file monitoring tools in place. This is probably one of the biggest technical
gaps that we’ve observed. Often, organizations are already licensed to use one
of their vendor’s existing tools. If they are not then they will need to
acquire additional software.
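What a file integrity monitor actually does, reduced to its core: take a hashed baseline of a directory, then compare a later snapshot and report what was added, removed or changed. This is an added example, not any vendor’s product; it writes its own sample files into a temporary directory, so the file names and contents are constructed.

```python
"""Minimal file integrity monitoring: baseline a tree, then diff a later snapshot.
Added example, not a vendor tool; the sample files are constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map relative path -> (sha256, permission bits) for each regular file under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[str(p.relative_to(root))] = (sha256_file(p), p.stat().st_mode & 0o777)
    return snap

def diff(old, new):
    """Compare two snapshots; a changed hash or changed permissions counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: a config is edited, a file is deleted, a file appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = baseline(root)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "etc" / "hosts").unlink()                                    # removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("* * * * * root /opt/unknown/job\n")  # added
        return diff(before, baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored somewhere the monitored host cannot modify, and each diff result is what gets alerted on and ticketed.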
Vulnerability Assessments – SOC 2 Technical Control
It is common practice for
companies to occasionally evaluate their organization’s vulnerabilities. Most
cybersecurity professionals agree that it is best to continuously evaluate your
firm’s entire infrastructure. A complete assessment includes laptops, servers,
network equipment, applications and all devices connected to the firm’s
network.
Vulnerability evaluation is an
essential part of your daily cybersecurity procedures. If your organization
fixes what it finds, it will lower your firm’s cybersecurity risk. Also, it will
make your organization SOC 2 compliant.
Incident Response
There are controls used to
respond to specific cybersecurity incidents. These controls are essentially
your response and recovery plan to how your firm handles unanticipated threats
and breaches. The problem with many companies is that they may have a plan, but
it is not detailed enough to adequately respond and recover from an incident.
It is essential that these plans are exercised regularly so that they account for the complexities of real-life incidents and support a comprehensive response. The best way to prepare for common incidents is to have a step-by-step plan in place before an incident occurs. The steps should include preparation, damage control and analysis, containment, eradication and recovery, complete with a thorough post-incident review and the resulting enhancements.
Your plan should also detail when relevant regulators or third parties must be informed. It should identify who you will bring in to help with technical breach response and remediation, and how a complete analysis of how the incident occurred will be produced. If a company does not have proper technical expertise in place prior to a breach or incident, the result can be disastrous both during and after the event. This is why it is essential for companies to line up technical expertise before incidents occur.
System Logging and Monitoring – SOC 2 Technical Control
The final SOC 2 Technical Control that we are covering here is the logging and monitoring of your company’s systems. It is critical that organizations log all key security events. However, it is essentially pointless if you do not monitor what goes into the logs. To actively avoid potential complications, organizations ought to constantly monitor their infrastructure and applications for inconsistencies.
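The difference between logging and monitoring, in code: the lines below are collected, and the function turns them into alerts a person will actually look at. This is an added example, not a SIEM or any product; the sshd-style log lines, host name and addresses are constructed, and the five-failures-per-minute threshold is an assumption.

```python
"""Log monitoring: turn collected auth log lines into alerts.
Added example, not a SIEM; the log lines below are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (syslog omits the year; 2024 is assumed).
LOG_LINES = """\
May  9 10:00:01 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
May  9 10:00:03 web1 sshd[1002]: Failed password for root from 203.0.113.5 port 4001 ssh2
May  9 10:00:05 web1 sshd[1003]: Failed password for root from 203.0.113.5 port 4002 ssh2
May  9 10:00:07 web1 sshd[1004]: Failed password for root from 203.0.113.5 port 4003 ssh2
May  9 10:00:09 web1 sshd[1005]: Failed password for root from 203.0.113.5 port 4004 ssh2
May  9 10:00:20 web1 sshd[1006]: Accepted publickey for deploy from 203.0.113.5 port 4005 ssh2
May  9 10:05:00 web1 sshd[1007]: Failed password for alice from 198.51.100.7 port 5000 ssh2
May  9 10:30:00 web1 sshd[1008]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(line, year=2024):
    """Return a normalized event dict, or None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once when an IP reaches `threshold` failures inside `window`, and again
    on any later successful login from an IP that has already been flagged."""
    failures = defaultdict(list)
    flagged, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        ip = ev["ip"]
        if not ev["ok"]:
            # keep only failures still inside the sliding window
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["user"]))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The single failed login by alice followed by a success 25 minutes later is deliberately below threshold, which is the point of monitoring rather than eyeballing logs: the rule decides what is worth a person’s time.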
Summary
Getting a SOC 2 is a lot of work! Use the guidelines above or give us a call to help you successfully plan for and execute your SOC 2 program.
If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658-3276 or by email at [email protected].