10 Most Common SOC 2 Gaps
by Sarah Harvey / November 12th, 2019
In 2019, State Farm notified policyholders of a cybersecurity attack in the form of credential stuffing, a tactic often used by hackers that relies on a lack of password maintenance. State Farm took proper measures to reset passwords and notify affected parties of the attack, but what if State Farm employees were properly implementing multi-factor authentication practices from the start? Would this attack have even happened? How could State Farm have known its employees weren’t following logical access procedures? They could have watched out for common security gaps and implemented proper procedures before a hacker had any chance at locating their vulnerabilities. Proactive security practices are key to an information security program.
A SOC 2 audit is a form of proactively assessing your organization’s information security program. You’ll see how your organization stands up against SOC 2 standards and learn from information security experts about where your vulnerabilities lie. But, how do you prepare for something as big of an undertaking as a SOC 2 audit? One of the most important SOC 2 audit preparation steps is a compliance gap analysis.
What is a SOC 2 Compliance Gap Analysis?
A compliance gap analysis, also known as a compliance gap assessment, compares an organization’s internal operations and controls with requirements described in regulations and standards. In the case of SOC 2 compliance gap analysis, the organization scrutinizes internal controls and operations to assess whether they conform to the SOC 2 Trust Services Criteria. A gap analysis report is not as thorough or detailed as a SOC 2 report. However, gap assessments help organizations prepare for an audit by identifying and mitigating likely compliance blockers while improving internal security practices.
We believe that when organizations choose to undergo a SOC 2 audit for the first time, it’s important that they complete a SOC 2 gap analysis to determine areas of security improvement. The goal of a gap analysis is to identify areas of weakness in your systems that need to be remediated before completing a SOC 2 audit.
A process of gap analysis may have helped State Farm to understand its vulnerability to credential stuffing and the likely impact on compliance. When your company conducts a SOC 2 gap analysis, it will have the information it needs to improve information security practices and have a better chance of gaining a SOC 2 attestation.
If your organization is preparing for a SOC 2 audit and you want to understand the most common SOC 2 gaps to watch out for, you’ve come to the right place.
Watch Out For The Most Common SOC 2 Gaps
For most organizations completing a SOC 2 audit for the first time, the typical gap rate is 40–60%. This means that, on average, of the topics covered during a SOC 2 gap analysis, 40–60% contain gaps. The typical organization can expect to see a number of gaps in their information security procedures in places they may not have expected. How can you get ahead of the game? By learning about the most common SOC 2 compliance gaps and assessing your organization’s policies and procedures against them. Based on our data, we believe the most common SOC 2 gaps address these requirements:
Risk Assessment
Organizations should have a formal risk assessment policy that is both implemented and documented. After a risk assessment is completed, the organizational risks must be maintained and addressed regularly.
Business Continuity Plan
A proper business continuity plan needs to be developed in case of an incident that needs an immediate response. After development, the business continuity plan needs to be tested and documented.
Network Scanning and Testing
It’s common for organizations to leave out network vulnerability scanning and penetration testing in their policies, but these tests should be implemented yearly.
Information Security Policy
Developing an information security policy should be a practice that is reviewed regularly and implemented in daily employee activities. Organizations need to keep thorough documentation of any information security policy changes.
Change Management Policy
The procedures for notifying users or clients of system events should be addressed in change management policies and procedures.
Vulnerability Management Policy
Organizations can prepare for a SOC 2 audit by developing a vulnerability management policy that addresses patch management and immediate notification of breaches in vulnerable areas.
Vendor Management
Monitoring third-party vendors by reviewing their compliance with information security and confidentiality, access control, service definitions, and delivery agreements is often an overlooked security procedure. An organization should receive current audit reports from any critical third-party vendors.
Network Logging & Monitoring
Organizations should have proper documentation to define monitoring for alerts from intrusion-detection/intrusion-prevention, alerts from file-integrity monitoring systems, and the detection of unauthorized wireless access points.
Logical Access
An organization’s Logical Access Policy should include roles and full password requirements.
Network Diagrams
Create network diagrams that illustrate all boundaries of the environment, network segmentation points, boundaries between untrusted networks, and all other applicable connection points.
Quick Wins to Jump-Start the SOC 2 Audit
Those 10 most common SOC 2 compliance gaps can seem daunting to identify and tackle when it comes to your own systems, so we’ve put together a few “quick wins” that you can start implementing right now. Quick wins are changes that will have a positive impact in two ways: they will resolve a gap, and they will provide momentum to your compliance effort. Multi-factor authentication is one quick win, which should be implemented as a means of creating a solid logical access security policy. Your organization should enforce MFA for every user in your system. Another area of momentum for your SOC 2 audit is physical security. Video surveillance is an integral security practice, and the surveillance footage should be retained for at least 30 days. Implementing a visitor log that requires all visitors to sign in before entering the office is another crucial element of physical security. Do you have required security awareness training programs that provide thorough explanations of security policies and procedures to all employees? Security awareness is an extremely accessible quick win. As part of the training, all employees should receive the employee handbook that needs to include sections on information confidentiality, background & reference checks, and progressive discipline. A copy of each employee’s Daily Operational Security Procedures should remain updated and available by every employee.
These areas of implementation should give your organization the opportunity to have a few quick wins that help close your SOC 2 compliance gaps. If you’re curious to know more about remediating the most common SOC 2 gaps or preparing for a SOC 2 audit, contact KirkpatrickPrice today to talk with our team of information security experts.
