August 2019 - Fractional CISO

SOC 1, SOC 2, SOC Red, SOC Blue – photo courtesy of Cool Socks

There has been a huge trend in the US for technology companies to get their SOC 2 attestation report. How do we know? We’ve helped a number of companies achieve their compliance.

This blog post explores many of the considerations that our clients go through in their quest for a SOC 2.

Why SOC 2?

Supply chain risk is one of the areas that companies are working hard to protect against. Customers are only as secure as their suppliers. Larger companies are asking their suppliers to be more secure. A SOC 2 attestation (certification) can help demonstrate the security of the organization.

What is a SOC 2?

SOC stands for Service Organization Controls. It is an AICPA report. There is a SOC 1 which is focused on financial controls and a SOC 2 which is focused on security controls.

Difference between different SOC reports

A CPA firm performs an audit based on a large number of controls. Organizations that have all of the controls in place pass the audit.

SOC 2 Type 1 vs Type 2

To add to the confusion there is a SOC 2 Type 1 and SOC 2 Type 2. A Type 1 measures a moment in time. Often companies get this report to start. It indicates that at the moment of report issuance the company followed all of the controls. The Type 2 measures the organization over a period of six months to a year. It indicates that the firm consistently follows the principles. If an auditor finds any irregularities they are indicated in the Type 2 report as exceptions.

Trust Service Criteria

Five Trust Service Criteria are the backbone of SOC 2 – this jargon is also confusing, mostly because these five things used to be known as “Trust Principles:”

The Trust Service Criteria are as follows:

Security

Availability

Processing integrity

Confidentiality

Privacy

Let’s go over each of these briefly.

Security generally involves how systems are protected – that covers elements like data breach response plans, firewalls and browser isolation tools, and anything that generally prevents unauthorized access to networks.

Availability, on the other hand, is related to system uptime and how the system can be accessed by authorized users.

Processing Integrity involves whether the system offers complete, valid, accurate, timely and authorized data to users.

The other two criteria are important in today’s business world with new privacy and confidentiality standards being imposed at a regional level, as well as by industry standards – think the European General Data Protection Regulation or GDPR, or California standards.

Confidentiality evaluates whether the information in protected classes is well protected from abuse.

Privacy governs how personal information is collected, used, disclosed and finally disposed of in an entire data life cycle.

While the first four Criteria are often used by all companies, the Privacy Criteria is typically implemented for Business to Consumer organizations.

Choosing an Auditor

In some ways, choosing an auditor is relatively straightforward, but it pays to keep in mind that not all auditors are the same.

Obviously, one factor is cost. As with any consulting or service, it’s important to make sure that costs are covered in the budget, and to preserve buy-in for any expenses. Remember, you will be paying for an audit, every year!

There’s also the issue of SOC 2 experience – all things being equal, it’s best to rely on an auditor that has specialized history in this area.

In addition, you want auditors who can commit to a time frame in order to keep everything running smoothly, with key reporting or other benchmarks being done when they are expected.

Then there’s the Readiness Assessment that enhances an eventual audit.

Some firms provide a pre-planning Readiness Assessment to evaluate how ready the enterprise is for the SOC 2 audit. You want to make sure that the auditor will roll the results of the readiness assessment into the audit and not make you redo all of that work!

Getting Ready for a SOC 2 Audit

Some general guidelines help businesses to proceed toward a successful SOC 2 audit.

One of the first items in brainstorming this process is figuring out the scope of the audit itself.

In general, businesses want to include all relevant products and services – because having this audit apply to more eligible aspects of your business is better than unnecessarily restricting it.

One great tip is that B2B companies need to select their ‘value services’ and address those in the audit. In other words, if you’re going to be selling a particular cloud or software as a service benefit to your customers, it definitely pays to have that within the scope of the SOC 2.

In deciding whether to pursue Type 1 or Type 2 SOC 2 audits, be aware that SOC 2 Type 2 is the eventual destination. While Type 1 provides a snapshot and can be handy for introductory purposes, the SOC 2 Type 2 is preferred.

Additionally, be ready to update policies and control documentation to prepare for the audit.

It helps to “get in the audit mindset” and have a look over current policies and controls to see where improvement is needed.

Here’s another important tip – businesses will typically want to evaluate whether they have strong internal controls on four key concepts – access control, change control, risk management and internal audit benchmarking.

In terms of staffing and management, you’ll need point people to spend significant time on SOC 2 audit preparation – having these people designated helps the business properly prepare for the audit.

Consultants can also be extremely helpful in audit preparation.

What Do SOC 2 Consultants Do?

Three things that consultants typically do for businesses in audit programs include creating content, acquiring technical controls and adjusting policies and procedures.

Create content – The content that’s created is going to be key documentation for a SOC 2 audit. Part of the audit procedure is explaining what’s in place, and the content that gets created provides that orientation.

Acquire technical controls – if there’s a deficit, consultants help companies acquire those needed controls to be successful and benefit from a successful audit resolution.

Adjust policies and procedures – like we just talked about, the policies and procedures may not be quite up to speed, or in other words, audit-ready.

Project manage – there’s a lot to be said for domain expert project managers.

Perform risk assessments – if this is not something that you were doing before you will now!

Perform vendor evaluations – evaluating your key vendors is really important. If this is not a current regular practice it can valuable to outsource the activity.

Perform “External Internal Audit” – External Internal Audit might sound like an oxymoron. But hey who doesn’t love “Jumbo Shrimp”?

Some firms don’t have an internal audit function. There is a lot to keep up with to successfully maintain a SOC 2 program. An External Internal Auditor is familiar with the standards and can keep the organization accountable to successfully maintain their SOC 2 program.

Key Aspects of Audit

There are a lot of aspects of the audit. Here we focus on the items that require your attention and will undoubtedly generate additional work. Of course, for the most part these will lead to your organization being more secure.

Access Control

Access control has to do with who has access, and what each user’s level of access is.

Included items may include permissions, account status, and tiered access.

You will need to review your access controls for all of your key systems. This will include your Identity and Access Management (IAM) system, cloud services, networking equipment, servers, VPNs and anything else that you have that’s important.

We regularly find users that don’t belong when we review clients’ systems. Might as well check it out before it is found in an audit!

Change Control

Another important aspect of the audit process is change control.

This aspect works very similarly to the process of change control in any major project, for instance, an architect designing a building, or a contractor building one.

In essence, every change needs to be properly documented – for the purposes of the SOC 2, in applying this principle to the business client’s operations, that involves documenting changes to software, configuration, networking or customer requests.

How do you consistently document changes?

A ticketing system provides one of the best ways to make sure documentation of every change is consistent and thorough.

Risk Management and Vendor Management

Don’t forget about risk management and vendor management.

For the same reason that your customers are asking you for details about your security program, the same can be applied to your suppliers.

You need to make sure that your vendors that are performing key functions don’t cause an upstream compromise of your customers’ data. That would be bad. Guess who will get blamed?

You need a program to ensure that you are monitoring your suppliers. This program should be differentiated by vendor because you don’t want to spend the same amount of time on your paper towel vendor as you do for cloud vendors that are processing your customer’s data.

You also need to write and maintain a risk assessment for your organization. It needs to be part of a formalized process for your management team to make deliberate decisions around risk. They will want to decide whether to avoid, mitigate, transfer or accept the risk.

It’s important to have a customized risk management setup, because every business is different. What works in one industry will not work in another. That is why you will need a program inside your organization to manage risk.

Internal Audit

Lastly, there’s the need to have internal audit structures in place.

The idea is that even without an outside audit, there is somebody monitoring and evaluating internal controls.

What’s important here is that the internal auditor has to be independent.

The reason has to do with office politics.

There’s the idea that nobody will point out deficiencies in systems that they have created or helped to maintain.

That’s why it’s important to make the internal audit process interdepartmental, or even use a consultant – because if the internal auditor is not independent, that presents a problem.

SOC 2 Technical Security Controls

There are a lot of technical controls as part of a SOC 2 audit. There are a bunch that most organizations already have in place. Here are four that they often have to do something about in preparation for the SOC 2 audit.

File Integrity Monitoring

File Integrity Monitoring is how companies ensure their files have not been maliciously altered by regularly checking files for integrity. This is often overlooked by companies because it seems quite obvious. Although, this is one of the main technical controls often missed by companies. This generally happens before they even begin to prepare for an audit.

Many organizations do not have file monitoring tools in place. This is probably one of the biggest technical gaps that we’ve observed. Often, organizations are already licensed to use one of their vendor’s existing tools. If they are not then they will need to acquire additional software.

Vulnerability Assessments – SOC 2 Technical Control

It is common practice for companies to occasionally evaluate their organization’s vulnerabilities. Most cybersecurity professionals agree that it is best to continuously evaluate your firm’s entire infrastructure. A complete assessment includes laptops, servers, network equipment, applications and all devices connected to the firm’s network.

Vulnerability evaluation is an essential part of your daily cybersecurity procedures. If your organization fixes what it finds, it will lower your firm’s cybersecurity risk. Also, it will make your organization SOC 2 compliant.

Incident Response

There are controls used to respond to specific cybersecurity incidents. These controls are essentially your response and recovery plan to how your firm handles unanticipated threats and breaches. The problem with many companies is that they may have a plan, but it is not detailed enough to adequately respond and recover from an incident.

It is essential that these plans are exercised regularly to be able to account for the various complexities of real-life incidents along with a comprehensive incident response. The best way to prepare for common incidents is to have a step-by-step plan in place in the event an incident occurs. These steps for staging an event should include preparation, damage control and analysis, containment, eradication and recovery, complete with a thorough post-incident research and all enhancements.

Outside relevant regulators or third-parties should also be informed by detailing other important areas of response. Your plan should include who you will bring in to help with a technical breach response, solutions and a complete analysis of how the incident occurred. If a company does not have proper technical expertise in place prior to a breach or incident, it can be disastrous for companies both during and after the event. This is why is it essential for companies to have technical expertise prior to incidents occurring.

System Logging and Monitoring – SOC 2 Technical Control

The final SOC 2 Technical Control that we are covering here is the logging and monitoring of your company’s system. It is critical that organizations log all key security events. However, it is essentially pointless, if you do not monitor what goes into the logs. To be able to actively avoid potential complications, organizations ought to constantly monitor their infrastructure and applications for inconsistencies.

Summary

Getting a SOC 2 is a lot of work! Use the guidelines above or give us a call to help you successfully plan for and execute your SOC 2 program.

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].

Monthly Archives: August 2019