10 Most Common SOC 2 Gaps

In recent news, State Farm notified policyholders of a cybersecurity attack in the form of credential stuffing, a tactic often used by hackers that relies on a lack of password maintenance. State Farm took proper measures to reset passwords and notify affected parties of the attack, but what if State Farm employees were properly implementing multi-factor authentication practices from the start? Would this attack have even happened? How could State Farm have known its employees weren’t following logical access procedures? They could have watched out for common security gaps and implemented proper procedures before a hacker had any chance at locating their vulnerabilities. Proactive security practices are key to an information security program.

A SOC 2 audit is a form of proactively assessing your organization’s information security program. You’ll see how your organization stands up against SOC 2 standards and learn from an information security experts on where your vulnerabilities lie. But, how do you prepare for something as big of an undertaking as a SOC 2 audit? We believe that when organizations choose to undergo a SOC 2 audit for the first time, it’s important that they complete a SOC 2 gap analysis to determine areas of security improvement. The goal of a gap analysis is to identify areas of weakness in your systems that need to be remediated before completing a SOC 2 audit. This helps you improve your practices and gives you a better chance at gaining a SOC 2 attestation. If your organization is preparing for a SOC 2 audit and you want to understand the most common SOC 2 gaps to watch out for, you’ve come to the right place.

Watch Out For the Most Common SOC 2 Gaps

For most organizations completing a SOC 2 audit for the first time, the typical gap rate is 40-60%. This means that, on average, of the topics covered during a SOC 2 gap analysis, 40-60% contain gaps. The typical organization can expect to see a number of gaps in their information security procedures in places they may not have expected. How can you get ahead of the game? By learning about the most common SOC 2 gaps and assessing your organization’s policies and procedures against them. Based on our data, we believe the most common SOC 2 gaps address these requirements:

  • Risk Assessment: Organizations should have a formal risk assessment policy that is both implemented and documented. After a risk assessment is completed, the organizational risks must be maintained and addressed regularly.
  • Business Continuity Plan: A proper business continuity plan needs to be developed in case of an incident that needs an immediate response. After development, the business continuity plan needs to be tested and documented.
  • Network Scanning & Testing: It’s common for organizations to leave out network vulnerability scanning and penetration testing in their policies, but these tests should be implemented yearly.
  • Information Security Policy: Developing an information policy should be a practice that is reviewed regularly and implemented in daily employee activities. Organizations need to keep thorough documentation of any information security policy changes.
  • Change Management Policy: The procedures for notifying users or clients of system events should be addressed in change management policies and procedures.
  • Vulnerability Management Policy: Organizations can prepare for a SOC 2 audit by developing a vulnerability management policy that addresses patch management and immediate notification of breaches in vulnerable areas.
  • Vendor Management: Monitoring third-party vendors by reviewing their compliance with information security and confidentiality, access control, service definitions, and delivery agreements is often an overlooked security procedure. An organization should receive current audit reports from any critical third-party vendors.
  • Network Logging & Monitoring: Organizations should have proper documentation to define monitoring for alerts from intrusion-detection/intrusion-prevention, alerts from file-integrity monitoring systems, and detection of unauthorized wireless access points.
  • Logical Access: An organization’s Logical Access Policy should include roles and full password requirements.
  • Network Diagrams: Create network diagrams that illustrate all boundaries of the environment, network segmentation points, boundaries between untrusted networks, and all other applicable connection points.

Quick Wins to Jump Start the SOC 2 Audit

Those 10 most common SOC 2 gaps can seem daunting to identify and tackle when it comes to your own systems, so we’ve put together a few “quick wins” that you can start implementing right now. Quick wins are changes that will have a positive impact in two ways: they will resolve a gap, and they will provide momentum to your compliance effort. Multi-factor authentication is one quick win, which should be implemented as a means of creating a solid logical access security policy. Your organization should enforce MFA for every user in your system. Another area of momentum for your SOC 2 audit is physical security. Video surveillance is an integral security practice, and the surveillance footage should be retained for at least 30 days. Implementing a visitor log that requires all visitors to sign in before entering the office is another crucial element of physical security. Do you have required training programs that provide thorough explanations of security policies and procedures to all employees? Security awareness is an extremely accessible quick win. As part of training, all employees should receive the employee handbook that needs to include sections on information confidentiality, background & reference checks, and progressive discipline. A copy of each employee’s Daily Operational Security Procedures should remain updated and available by every employee.

These areas of implementation should give your organization the opportunity to have a few quick wins that help close your SOC 2 gaps. If you’re curious to know more about remediating the most common SOC 2 gaps or preparing for a SOC 2 audit, contact KirkpatrickPrice today to talk with our team of information security experts.

More SOC 2 Resources

What is a SOC 2 Audit?

Go Through a Gap Analysis Without the Stress

What is a Gap Analysis?

Sigstr’s Commitment to Security: The SOC 2 Journey

Sigstr helps the world’s best marketers do amazing things with their employees’ emails. The average person spends 6.3 hours in their inbox every day. Sigstr gives marketers the ability to serve targeted ads to their audience where they’re spending the majority of their time: the inbox. This connectivity between Sigstr and email clients presents information security risks that Sigstr must address. We sat down with Brent Mackay, Director of Product Management and Data Protection Officer at Sigstr, to discuss what their team learned through the SOC 2 audit process and how it gives Sigstr a competitive edge in the email and marketing application space.

The Need for SOC 2

What information security risks face email applications? Generally, we see spam, phishing, and malware. According to Symantec, in 2018, Microsoft Office files accounted for almost half of all malicious email attachments. 1 in 10 URLS sent in emails are malicious. Each hacked email account is worth between $5 and $10. Those types of risks led to Sigstr going above and beyond to ensure that their service will not leave a vulnerability open to unauthorized access. Sigstr knows that employee email is incredibly sensitive, which is why they decided to pursue SOC 2 Type I and Type II attestations.

Mackay comments, “At the beginning of 2019, we announced Sigstr’s SOC 2 Type I attestation with a commitment to continue moving our security program forward. In August, we announced the SOC 2 Type II attestation. An important part of SOC 2 compliance is the ongoing adherence and improvements made to security systems and processes. The standards for SOC 2 shift as the tech ecosystem changes, and ongoing improvements to controls are needed in order to stay up to date. Sigstr plans on annual SOC 2 Type II audits as a mission for customers to have confidence that their data is safe with us.”

Information security and compliance have a two-fold importance to Sigstr. To keep their applications safe from unauthorized access and maintain uptime, they have to be the best of the best – and compliance helps raise the bar. It’s also important to the growth of Sigstr’s business, aiding them in closing deals with enterprise-level organizations who demand that their vendors be held to a high standard of security and compliance.

Lessons Learned from the SOC 2 Audit Process

After gaining Type I and II attestations, Sigstr felt as though the SOC 2 audits were definitely worth the time, effort, and cost. Mackay says, “Going through the SOC 2 audit process is exciting and challenging. Since this was the first set of SOC 2 audits that Sigstr had gone through, there was somewhat of a fear of the unknown. KirkpatrickPrice did a great job to help us prepare and we are very glad to have gone through the process.”

The Sigstr team learned a lot along the way about how to be in a position to better secure customers’ email data. Mackay explained that their team had three main takeaways after going through the SOC 2 audit process, which include:

  1. Before going into a SOC 2 audit, it’s important to research what it entails and then measure your company’s preparedness. There are dozens of controls and policies that need to be in place prior to starting the audit, and it would be daunting to try to write and implement them during an audit. An easy place to start is to document the processes and controls you currently have in place.
  2. It is easy to underestimate the time the audit will take end to end. Audit timelines will vary based on your company size and scope of the engagement, but at Sigstr, we learned that it is a full-time job for a few people for approximately three months. We prepared our security team to allocate their time appropriately since the majority of the work was on them.
  3. When going through the process of creating controls and policies to govern your information security program, it can be very tempting to embellish and add aspirational controls. This can come around to bite you, because controls that you put into policies will be audited. Whatever you put into a policy, you will be asked to furnish evidence of that during your Type I and Type II audits. If you fail to do so, it will show up as an exception on your report. We followed a simple mindset of “do what you say and say what you do.”

Competitive Advantage Gained from SOC 2

Sigstr is the only company in their space that has gone through a SOC 2 audit – and they didn’t just go through the Type I. They completed both Type I and Type II within a year. That alone is a competitive advantage, but furthermore, Sigstr’s SOC 2 audits were measured against all five Trust Services Criteria. We see most organizations choose between one and three, so this choice shows Sigstr’s incredible commitment to securing the email data that they are responsible for.

Having a SOC 2 Type II report readily available has also helped Sigstr accelerate the vendor approval process with many of their customers. Without a SOC report, the vendor approval process can take much longer, and potentially lose the opportunity to do business with larger customers.

Sigstr’s compliance journey can teach others how valuable an information security audit can be – for your processes, your technology, your people, and your clients. Want to learn about how your organization could tackle the SOC 2 journey? Contact us today.

More About Sigstr

Sigstr makes employee email your new favorite ad channel. Run hundreds of simultaneous banners to intelligently target your audience by industry, geography, or opportunity stage. Gain deep account-based insights and buyer intent data based on the real relationships your team develops (all from email and calendar patterns). In addition to standardizing email signatures, Sigstr turns every email your employees send into a marketing campaign.

More SOC 2 Resources

SOC 2 Academy

SOC 2 Compliance Checklist

Was the Audit Worth It?

20 Ways MSPs Can Be Security Heroes

The role of an MSP is an important one. MSPs want to help their clients create and maintain a strong security posture – that’s why, as an MSP, your clients come to you with information security problems that need to be fixed, ranging from disaster recovery to risk assessment services. Who finds those problems? Auditors and pen testers. Who determines if those problems are risky gaps in the client’s security posture? Auditors and penetration testers. When your clients go through information security audits for the first time, they should also go through a gap analysis – a process that identifies any operational, reporting, and compliance gaps. Once an organization knows their gaps, they can begin the remediation process. That’s where you come in.

As an MSP, when you’re able to interpret gap analysis results, you can typically find more opportunities to grow your business with that client. How? By fixing the issues found during the gap analysis. Your clients walk away from audits and pen tests with information security problems that need to be fixed. Additionally, by encouraging your clients to undergo security testing and having a recommended vendor, you are seen as their trusted information security advisor. If you can speak from experience and have gone through an information security audit before, that’s even more valuable for your clients. They can trust your experience and be assured that you won’t bring more risk into their environment.

Clients trust you to cover their IT and information security needs – are you not serving them well by not being able to understand a gap analysis report or remediation plan? KirkpatrickPrice is here to educate and empower you to better serve your clients. Let’s take a look at 20 gaps that could be mitigated by the average MSP. Have more questions after reading? Contact us today and we’ll connect you with an expert on MSP services and partnerships.

5 Project Management Tips for Information Security Audits

When most people think of auditing, they automatically associate it with negative emotions such as stress or anxiety. At KirkpatrickPrice, we understand that undergoing an information security audit can be an overwhelming task for organizations, and we want to partner with you to ensure that we can alleviate as much of that stress as possible. However, while we have processes, personnel, and tools like our Online Audit Manager to help your organization succeed, an audit engagement is a two-way street, and your organization must be sure to manage the project efficiently. To do so, we’ve come up with a five tips for project management for information security audits.

Project Management Tips for Information Security Audits

1. Know What You’re Getting into Before the Audit Begins

Often times, organizations fail to thoroughly research and understand what exactly will be expected of them during an audit engagement. For many organizations, this is because it is their first time undergoing an information security audit. Before an audit engagement begins, organizations need to familiarize themselves with their audit firm’s audit processes and the framework(s) that they are going to be audited against. This might mean reviewing the actual framework itself, like the PCI DSS or HITRUST CSF, or referencing educational materials to prepare your organization, like KirkpatrickPrice’s SOC 2 Academy.

In addition to familiarizing your organization with the frameworks and audit processes, organizations must ensure that everyone in their organization is on board with the information security audit from the start and that they are willing to participate as needed. Gaining the buy-in from C-level executives all the way down to department heads or key team players will make the audit engagement more efficient because everyone knows and understands what’s at stake during the audit and how they can play a roll in ensuring the completion of the engagement.

2. Make an Audit Strategy

For every organization, the audit process is different depending on the time, personnel, and financial resources available. The audit process is also different based on what services you choose. Will you go through a gap analysis? Are you provided with a remediation plan? How long will it take you to remediate? Do you have multiple audits happening simultaneously? This is why establishing an audit strategy is essential to project management for information security audits. Organizations must determine who will oversee the engagement, how the progress of the engagement will be tracked, and other considerations that could impact the completion of the audit, such as what would happen if someone from the company (i.e. a Director of IT) left the company during the audit.

3. Select a Leader to Oversee the Project

Want to ensure a successful audit? Selected a leader to oversee the engagement. At KirkpatrickPrice, we call this person the executive sponsor. This is typically a C-level executive who will manage the project, serve at the point of contact between your organization and ours during the engagement, and ensure that the project remains on schedule. If a problem arises during the audit, this person should be able to effectively communicate those problems to other stakeholders in the audit and work with the audit partner to find solutions and get the engagement back on schedule. This component is especially important when it comes to project management for information security audits.

4. Stay on Top of Deadlines

By far and large, sticking to deadlines during an audit period seems to be one of the most pressing concerns for organizations. When prospects approach us about engaging in an information security audit, we’re often asked if we be able to complete the audit and report by a specific date or told about a hard deadline that compresses the timeline. Because most organizations do need an audit by a specific date, we have streamlined our audit process to ensure an efficient delivery system. However, this system only works the way it’s designed to if our clients are held accountable and complete the work they’re assigned on time. Why? Because even the smallest delay, such as not turning in artifacts or evidence when requested, can lead to receiving your report later than it’s needed, and it could also cost you in late fees, clients, or even legal penalties. Additionally, to ensure efficient project management of information security audits, organizations must analyze the availability of the key players in the engagement. For example, what holidays will impact your deadline? Are there any team member vacations scheduled during the engagement? If so, how will the workload be distributed or completed to ensure that no delays occur?

5. Utilize Your Audit Partner

Project management for information security audits may seem like a daunting task. If you feel unsure about your progress during the audit engagement, utilizing your audit partner is a great way to get back on track. At KirkpatrickPrice, our Client Success Team and experienced Audit Support Professionals are available to answer questions, provide time management help, and additional resources to ensure the successful completion of an audit engagement all year round. Unlike many other CPA firms who drop or neglect clients during the busy tax season, we won’t because we’re solely an information security auditing firm. Our clients can rest assured that if they have questions about their audit – no matter what time of year – we’ll be there to help.

Here’s the thing: whether done because it’s required or because your organization wants to be proactive, information security audits are an investment that should not be taken lightly. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their investment, but our clients must understand the critical role project management plays into information security audits. Project management helps ensure the efficiency of the engagement, ensure that deadlines are met, and ensure that reports are delivered on time. Ready to get started on your audit? Want to learn more about project management for information security audits? Contact us today.

More Auditing Resources

When Will You See the Benefit of an Audit?

Leveraging Information Security as a Competitive Advantage

Getting Executives on Board with Information Security Audits

Celebrating Women’s History Month at KirkpatrickPrice

The Role of Women in Information Security

Women play critical roles in advancing science, medicine, human rights, social justice issues, and so much more, but there’s one industry where women are just getting their foot in the door: information and cybersecurity. While this growing industry has been long dominated by men, it’s quickly starting to change. In fact, according to Cybersecurity Ventures, the percentage of women in the industry is projected to grow from the long-reported 11% to 20% by the end of 2019. Although this number may seem small, the impact these women have made on securing some of the world’s most sensitive assets is tangible. In honor of Women’s History Month, we’d like to spotlight KirkpatrickPrice’s Information Security Specialists and Audit Support Professionals who work tirelessly to ensure that our clients are secure.

Meet Our Auditors – Lee and Lorna

Information Security Specialists at KirkpatrickPrice are responsible for not only performing various audit and consulting services, but they’re responsible for building lasting relationships with our clients by educating, empowering, and inspiring them to greater levels of assurance.

Although she has only been with KirkpatrickPrice for two years, Lee Sirotnak’s 35 years of experience in the information security industry has helped her excel in her current role and achieve Lead Practitioner status. Clients have referred to Lee as a “driving force” during an audit engagement, and claimed that calls with her are worth thousands of dollars based on the education they walk away with. Holding CISSP, CRISC, and CSNA certifications, Lee uses her background and education to conduct regulatory and security audits, as well as serve as a mentor to her audit team. Lee believes that women play an especially important role in the information security industry because “as in all things, women have a different perspective than men, and having a diversity of perspectives makes us a stronger team.”

Lorna Willard also recently joined the KirkpatrickPrice team as an Information Security Specialist. With more than 20 years of experience working in the information security industry, especially within the federal government and the Department of Defense, Lorna’s insight into the industry is telling. She explains that throughout her years working in IT, she’s grown used to working in a male-dominated industry and acknowledges that many opportunities have opened up for women. She feels that working in this industry satisfies her desire to learn, test herself constantly, and earn a living doing something that she really enjoys.

Meet Our Audit Support Professionals – Jodi, Selena, Jessica, Mary Beth, and Erin

Audit Support Professionals at KirkpatrickPrice play an integral role in delivering our audit services. They are responsible for serving as a client liaison, ensuring quality services before and during the audit process, and providing any necessary training for clients.

Jodi Carson is KirkpatrickPrice’s most veteran Audit Support Professional. She has a B.S. in Information Systems Security and holds the Security+ certification. Clients often comment on Jodi’s hardworking attitude and commitment to the project. Jodi especially enjoys helping clients become confident about security – something that many are reluctant to be because of the ever-changing threat landscape.

Selena Carlton has seven years of experience working in the information security industry.  She enjoys the problem-solving aspect of her position and is committed to providing a quality experience for clients.

Jessica Leo was one of three women in her program who graduated with their IT degree and was advised early on about entering a male-dominated industry. Thankfully, she has not experienced any adversity throughout her experience working in the industry. Instead, Jessica remains optimistic about the opportunities for women in the industry, saying that “women should work in information security because it has excellent opportunities for growth, empowerment, and an all-around lucrative and successful career.”

Erin Gregory has a B.S. in Computer and Information Technology, and will also pursue a Master’s in Engineering Technology Management. Although she is just beginning her career in the industry, Erin most enjoys that she is constantly learning and being challenged on the job. She sees the information security industry as a lucrative industry full of opportunities for women, especially because of the flexibility that many IT jobs offer.

Mary Beth Muniz is new to the information security industry but believes that women are the future of technology. Like Lee, Mary Beth believes that women can bring a fresh perspective to the industry and individual engagements. In her own experiences, her ability to engage her nurturing side can prove to be useful during high-stress audit engagements.

What is the Future for Women in Information Security?

When asked what the future looks like for women in the industry, one thing remained constant across the board from our female professionals: the importance of education and empowerment. Whether it’s joining or partnering with technology organizations, supporting STEM groups for women and girls, such as Girls Who Code, or participating in professional development activities through KirkpatrickPrice, our female professionals know that in order for women to be successful in the industry, they need to feel empowered and have access to the right resources.

At KirkpatrickPrice, our core mission is to educate, empower, and inspire our clients to greater levels of assurance, but we’re also committed to educating, empowering, and inspiring our personnel too. This means that the women who work at KirkpatrickPrice can know they’re supported and valued. In fact, Lee explains, “I can honestly say that I’ve never been so fully supported. KirkpatrickPrice is the first company at which I experienced absolutely no difference in treatment for being a woman – I am an auditor just like all of the other auditors.  I’ve not had to work harder – or less hard – because I’m a woman. In a positive way, this company is gender neutral, and the greatest strength in my opinion is that we are all supported very well.” KirkpatrickPrice is committed to delivering quality, thorough audit and advanced penetration testing services, and that would not be possible without the talented women on our team. As the roles and opportunities for women across the globe continue to grow, especially in the information security industry, we’re thankful for the female professionals that have chosen to dedicate their lives to securing the sensitive assets that fuel our businesses.