Most Common SOC 1 Gaps

by Sarah Harvey / November 21st, 2019

If you knew a hurricane or car accident was going to happen, wouldn't you do your best to prepare for it? You'd want to know every detail of its likelihood so your plan of action would prevent as much damage as possible. The same principle applies to information security breaches – that's why it's important for your organization to be aware of and remediate common security gaps, so you can close the weaknesses that attackers use to breach data systems. Each type of audit comes with different security gaps to be aware of, even when the frameworks are similar, as SOC 1 and SOC 2 are. No matter the audit, it's valuable to know how to avoid unnecessary security risk by catching these common gaps in your own environment before an auditor or an attacker does.

Most Common SOC 1 Gaps

The most common SOC 1 gaps include gaps in change management, risk assessment, application development, vulnerability testing, logical access, network monitoring, physical security, and organization overview. Organizations that don't place a priority on closing these gaps are the ones that face costly breaches after attackers find the same weaknesses. You don't want to be caught in the same situation. Let's talk about a few of these common SOC 1 gaps by looking at some well-known security breaches.

  • Risk Assessment: Establishing a formal risk assessment process allows organizations to do their due diligence and prioritize risk. Risk assessments often lead to an understanding of the types of risk that your vendors carry into your environment. Earlier this year, FEMA exposed more than two million disaster survivors' personal data by sharing it with a contractor, and a later review found 11 vulnerabilities on that contractor's network. Could a vendor risk assessment have surfaced those vulnerabilities before the data was shared?
  • Application Development: The ICIT says that software security is national security – and a lack of software security is a national threat. First American Corporation exposed more than 885 million records because of a design defect in a customer-facing web application: document records could be retrieved by anyone who changed the document number in the URL, with no check that the requester was entitled to that record. Had First American Corporation recognized application development as an extremely common SOC 1 gap, would it have caught that missing authorization check during the development phase?
  • Vulnerability Testing: SOC 1 audits of AWS environments often reveal a gap in vulnerability testing. Organizations must check their S3 buckets for misconfigurations, in particular ACLs and bucket policies that grant access to everyone, in order to prevent a system breach. The Democratic Senatorial Campaign Committee knows this firsthand: a misconfigured S3 bucket left more than 6 million email addresses readable by any person with a free AWS account. Testing for vulnerabilities and misconfigurations is invaluable to your information security program.
  • Network Monitoring: When Timehop was breached in 2018, their engineers responded within 2 hours of discovering the intrusion. The attacker had first obtained access to Timehop's cloud environment about six months earlier, using an administrative credential that was not protected by multi-factor authentication, and had gone unnoticed. When the active attack finally occurred, Timehop's monitoring tools reported that the service was down and engineers investigating the outage found the intrusion. If not for that monitoring, how much more time could have passed before Timehop recognized the attack?
  • Physical Security: In April 2018, a New Jersey man was charged with gaining physical entry to two companies' offices and installing hardware keyloggers on employee workstations. The intrusions went on for over 2 years after the man fraudulently obtained access with an employee badge. He was able to capture credentials and access personal information, intellectual property, and plans for new technology that each company was developing. If these companies had properly disposed of unused access badges, limited access to secure areas, and periodically checked workstations for unrecognized devices, they might have prevented major breaches.
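The S3 exposure described under Vulnerability Testing above comes down to an ACL grant or a bucket policy that hands access to everyone. The following is an added example, not code from the original post or from KirkpatrickPrice, showing how a practitioner can check for exactly that pattern offline. It inspects an ACL dict and a policy JSON string in the shape that boto3's `s3.get_bucket_acl()` and `s3.get_bucket_policy()["Policy"]` return; the sample ACL, policy, bucket name and owner ID are constructed for the example.

```python
"""Offline check for S3 bucket settings that expose data to everyone.

Added example (not from the original post). It takes an ACL dict and a
policy document as plain Python values so it runs without AWS access;
in practice you would feed it the output of boto3's get_bucket_acl()
and get_bucket_policy()["Policy"] for each bucket in the account.
"""
import json

# Predefined-group URIs that S3 uses in ACL grants. A READ grant to
# AuthenticatedUsers is readable by ANY AWS account, not just yours.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "anyone with any AWS account",
}


def acl_findings(acl):
    """Return one finding per grant made to a world-accessible group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are specific accounts, not public
        uri = grantee.get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json):
    """Return findings for Allow statements whose principal is everyone."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            # A Condition (e.g. a source VPC) may narrow this; a human must review it.
            findings.append(f"policy allows {actions} to everyone, limited only by a Condition")
        else:
            findings.append(f"policy allows {actions} to everyone with no Condition")
    return findings


def assess_bucket(name, acl, policy_json=None):
    """Combine ACL and policy checks into one result for a bucket."""
    findings = acl_findings(acl)
    if policy_json:
        findings += policy_findings(policy_json)
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample input: a READ grant to AuthenticatedUsers (the pattern
# behind the exposure discussed above) plus a policy that lets any
# principal call s3:GetObject on the bucket's objects.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

The check flags the grant to AuthenticatedUsers as a finding even though the grantee is "authenticated", because authentication to AWS in general is not authorization to your data. Running this across every bucket in an account, and turning on S3 Block Public Access so such grants are refused in the first place, is the kind of evidence an auditor will ask for under the vulnerability testing control.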

Other common SOC 1 gaps to be prepared for are Change Management, Logical Access, and Organization Overview. You can remediate gaps by ensuring all employees understand the company's security and ethics expectations and by requiring MFA for access to company systems and equipment. A structured change management process, with documented approval and testing before changes go live, reduces the risk your organization takes on when it implements both small-scale and large-scale adjustments.

Learning to Remediate the Gaps

The first step to avoiding common attacker tactics is to remediate your gaps. What gaps should you look for? You can start by reviewing the common SOC 1 gaps in change management, risk assessment, application development, vulnerability testing, logical access, network monitoring, physical security, and organization overview.

If you want to avoid fines, loss of customers, and everything else these companies have to face after a massive security breach, you need to ensure your organization is taking every precaution against hackers. Contact KirkpatrickPrice today to learn more about remediating your SOC 1 gaps and staying one step ahead of hackers.

More SOC 1 Resources

Understanding Your SOC 1 Report: What is a Gap Analysis?

7 Reasons Why You Need a Manual Penetration Test

SOC 1 Compliance Checklist