In recent news, State Farm notified policyholders of a credential stuffing attack. Credential stuffing is a tactic in which attackers replay username and password pairs leaked from other breaches against a login page; it succeeds wherever people reuse the same password across services. State Farm took proper measures to reset passwords and notify affected parties, but what if multi-factor authentication had been enforced on those accounts from the start? Would the attack have even succeeded? And how could State Farm have known whether its logical access procedures were actually being followed? By watching for common security gaps and implementing proper procedures before an attacker had any chance to find them. Proactive security practices are key to an information security program.
A SOC 2 audit is a form of proactively assessing your organization’s information security program. You’ll see how your organization stands up against the SOC 2 criteria and learn from information security experts where your weaknesses lie. But how do you prepare for an undertaking as big as a SOC 2 audit? We believe that when organizations choose to undergo a SOC 2 audit for the first time, it’s important that they complete a SOC 2 gap analysis to determine areas of security improvement. The goal of a gap analysis is to identify weaknesses in your controls that need to be remediated before the SOC 2 audit itself. This helps you improve your practices and gives you a better chance of gaining a SOC 2 attestation. If your organization is preparing for a SOC 2 audit and you want to understand the most common SOC 2 gaps to watch out for, you’ve come to the right place.
Watch Out For the Most Common SOC 2 Gaps
For most organizations completing a SOC 2 audit for the first time, the typical gap rate is 40-60%. This means that, on average, of the topics covered during a SOC 2 gap analysis, 40-60% contain gaps. The typical organization can expect to see a number of gaps in their information security procedures in places they may not have expected. How can you get ahead of the game? By learning about the most common SOC 2 gaps and assessing your organization’s policies and procedures against them. Based on our data, we believe the most common SOC 2 gaps address these requirements:
- Risk Assessment: Organizations should have a formal risk assessment policy that is both documented and implemented. After a risk assessment is completed, the identified risks must be recorded, assigned an owner, and reviewed and treated on a regular schedule rather than filed away until the next audit.
- Business Continuity Plan: A proper business continuity plan needs to be developed for incidents that disrupt operations and require an immediate response. After development, the plan needs to be tested, and the tests and their results documented.
- Network Scanning & Testing: It’s common for organizations to leave network vulnerability scanning and penetration testing out of their policies entirely. Penetration testing should be performed at least annually, vulnerability scanning on a recurring schedule and after significant changes, and findings from both tracked through to remediation.
- Information Security Policy: The information security policy should be reviewed regularly and reflected in daily employee activities. Organizations need to keep thorough documentation of every change to the policy, including who approved it and when.
- Change Management Policy: Change management policies and procedures should define how changes are requested, tested, approved, and documented, and should also cover how users or clients are notified of system changes and events that affect them.
- Vulnerability Management Policy: Organizations can prepare for a SOC 2 audit by developing a vulnerability management policy that addresses patch management, sets remediation timelines based on severity, and defines how and to whom newly discovered vulnerabilities in in-scope systems are reported.
- Vendor Management: Monitoring third-party vendors by reviewing their compliance with information security and confidentiality requirements, access control, service definitions, and delivery agreements is an often-overlooked security procedure. An organization should obtain and review current audit reports (for example, the vendor’s own SOC 2 report) from any critical third-party vendor.
- Network Logging & Monitoring: Organizations should have documented procedures that define how alerts from intrusion-detection/intrusion-prevention systems and file-integrity monitoring are reviewed and responded to, and how unauthorized wireless access points are detected.
- Logical Access: An organization’s Logical Access Policy should define roles and role-based access, account provisioning and deprovisioning, periodic access reviews, and full password requirements.
- Network Diagrams: Create network diagrams that illustrate all boundaries of the environment, network segmentation points, boundaries between trusted and untrusted networks, and all other applicable connection points.
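The logging and monitoring gap above, and the credential stuffing attack in the opening paragraph, meet in a concrete question: what would a monitoring team actually look for? The following is an added example, not code from the original article or from any vendor's product. It runs a simple credential-stuffing heuristic over a constructed set of authentication log lines (the log format, IP addresses, and usernames are all made up for illustration): one source IP failing against many distinct accounts inside a short window is flagged, and any successful login from that IP after the burst began is reported as a likely account takeover.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).

Heuristic: a credential-stuffing run shows one source IP failing against many
*different* usernames in a short window, because the attacker is replaying
leaked username/password pairs. A single-user brute force (one user, many
attempts) does not match, so it is left to other rules.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in a made-up format: "<ISO timestamp> <ip> <user> <result>".
# 203.0.113.7 fails five different accounts in five seconds, then logs in as frank.
# 198.51.100.4 fails twice as alice, then succeeds: a normal typo, not stuffing.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:03 203.0.113.7 carol FAIL
2024-03-01T10:00:04 203.0.113.7 dave FAIL
2024-03-01T10:00:05 203.0.113.7 erin FAIL
2024-03-01T10:00:06 203.0.113.7 frank SUCCESS
2024-03-01T10:00:07 198.51.100.4 alice FAIL
2024-03-01T10:00:09 198.51.100.4 alice FAIL
2024-03-01T10:00:11 198.51.100.4 alice SUCCESS
2024-03-01T11:30:00 203.0.113.7 grace FAIL
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(
    events: list[Event],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
) -> dict[str, dict]:
    """Return {ip: {"distinct_users": n, "compromised": [users]}} for every source
    IP whose failed logins touched at least min_distinct_users distinct accounts
    within any sliding window of length `window`. "compromised" lists accounts
    that logged in successfully from that IP at or after the burst started."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.ok]
        start = 0
        burst_start = None
        max_distinct = 0
        # Sliding window over this IP's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            distinct = {e.user for e in fails[start:end + 1]}
            max_distinct = max(max_distinct, len(distinct))
            if len(distinct) >= min_distinct_users and burst_start is None:
                burst_start = fails[start].ts
        if burst_start is not None:
            compromised = sorted({e.user for e in evs if e.ok and e.ts >= burst_start})
            findings[ip] = {"distinct_users": max_distinct, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} distinct accounts failed; "
              f"successful logins after burst: {f['compromised'] or 'none'}")
```

The thresholds (five distinct accounts in five minutes) are assumptions chosen for the sample data; in production they are tuned against the baseline of the login endpoint, and the rule is usually paired with rate limiting and MFA so that a correct password alone is not enough to finish the attack.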
Quick Wins to Jump Start the SOC 2 Audit
Those 10 most common SOC 2 gaps can seem daunting to identify and tackle in your own systems, so we’ve put together a few “quick wins” that you can start implementing right now. Quick wins are changes that have a positive impact in two ways: they resolve a gap, and they provide momentum to your compliance effort.
- Multi-factor authentication: Enforcing MFA is one quick win that should be implemented as part of a solid logical access security policy. Your organization should enforce MFA for every user in your system, and should be able to show which accounts are enrolled and which are not.
- Physical security: Video surveillance is an integral security practice, and the surveillance footage should be retained for at least 30 days. A visitor log that requires all visitors to sign in before entering the office is another crucial element of physical security.
- Security awareness: Do you have required training programs that thoroughly explain security policies and procedures to all employees? Security awareness is an extremely accessible quick win. As part of training, all employees should receive the employee handbook, which needs to include sections on information confidentiality, background and reference checks, and progressive discipline. A current copy of the Daily Operational Security Procedures should be kept up to date and available to every employee.
These areas of implementation should give your organization the opportunity to have a few quick wins that help close your SOC 2 gaps. If you’re curious to know more about remediating the most common SOC 2 gaps or preparing for a SOC 2 audit, contact KirkpatrickPrice today to talk with our team of information security experts.