What Makes a SOC 2 Audit Successful?

What happens after you receive your SOC 2 report? You’ve just used many resources – maybe even some that you were strapped to allocate – to go through a gap analysis, remediate the findings, and then begin the SOC 2 Type I and/or Type II audit. It’s a massive project that you should be proud to finish…but what now? What makes a SOC 2 audit successful? How do you make the most out of your compliance? Let’s take a look at four ways to prove that your SOC 2 audit was successful, using one of our clients’ SOC 2 audit journeys as an example.

iPost’s SOC 2 Compliance Journey

iPost is a flexible and dynamic marketing automation solution for email and mobile needs, built for marketers by marketers. Like many others in the marketing industry, iPost was being asked by clients and prospects for evidence of their commitment to data security. When iPost decided to pursue SOC 2 compliance, it felt nerve-wracking to begin such a big project. After completing a SOC 2 Type I audit, though, iPost’s CEO, Cameron Kane, said, “The real value in the SOC 2 audit is that we’ve become a better company. The audit forced us to grow, and that’s not an easy thing – but we did it.”

So, how did iPost know that their SOC 2 audit was successful? How can you know that your SOC 2 audit was successful? We’ll give you four key ways.

How Do You Prove Your SOC 2 Audit was Successful?

1. C-Level Support

During a SOC 2 audit, it’s incredibly important that C-level executives and stakeholders understand and support the audit and the organization’s overall information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will care about the outcome of the audit?

iPost’s CEO supported and understood the SOC 2 audit and its purpose, and that made all the difference in making their SOC 2 audit successful. Kane and his team interacted with an Information Security Specialist and the President of KirkpatrickPrice, Joseph Kirkpatrick. When Kane met with Kirkpatrick, the tone for the SOC 2 audit was set: Kane knew that it would be a long process, but also understood that the auditor’s intention was not to find sensitive areas and pour salt in the wound. Instead, the auditor was there to help, point, and direct iPost toward stronger security practices. Right away, iPost’s CEO knew that their SOC 2 engagement wasn’t going to be a stereotypical audit and helped his team understand that there was no reason to be guarded. Kane knew that the KirkpatrickPrice team and the iPost team were all working towards the same goal: to make iPost the best organization it can be. That C-level support made iPost’s SOC 2 audit much more successful.

2. Seeing Real Change Within Your Company

SOC 2 audits are meant to strengthen and enhance your business, yet many organizations are fearful of the process, rather than seeing the benefits. At KirkpatrickPrice, we believe a SOC 2 audit is successful when you see real change at your company. This means that the audit isn’t something to be checked off of a list every year, or just another IT thing to include in the budget. Instead, the audit is an opportunity to improve your business processes and organization as a whole. At iPost, almost immediately following their SOC 2 Type I audit, they already felt a change within their employees. Phishing attempts were being reported like never before and their procedures were being followed; all because they had buy-in from their staff.

3. Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, they are taking full advantage of the achievement. After all, you just used a lot of time and resources to complete a SOC 2 audit – why not use it in marketing materials and sales conversations?

One of the reasons why a SOC 2 attestation was so valuable to iPost is because it provided them with bigger, better sales opportunities. The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it. iPost knows their competitors and others in their industry are being pushed towards a SOC 2 audit, and their proactivity has paid off. When they received their SOC 2 report, they were immediately able to close deals that depended on a SOC 2 attestation, use that achievement in sales conversations, and incorporate it into their marketing strategy.

4. Continuing the SOC 2 Journey

Many of our clients have the same feeling after completing an audit for the first time: it was a difficult process, but one that helped their company. After completing a SOC 2 Type I audit, iPost headed towards the next step: a Type II audit. They know that the next audit will still be difficult, but by following remediation guidance, they plan to become as prepared as possible for the SOC 2 Type II audit. When asked what he would say to other organizations considering pursuing SOC 2 compliance, Kane said, “First, it’s not going to be as bad as you think it’s going to be, even if you feel strapped for time and resources. Second, you really can use it in a sales environment. Lastly, your auditor is not there to ‘get you’ – they’re there to help you!”

So, what makes a SOC 2 audit successful? If you’ve gained C-level support that cultivates a culture of compliance, if you see real change within your company that supports security and privacy standards, if you utilize your compliance in sales and marketing, and if you want to continue the SOC 2 compliance journey, then you know you’re making the most out of your compliance efforts.

Are you considering pursuing SOC 2 compliance, but don’t know if it applies to your business or where to start the process? Contact us today to talk through your compliance objectives.


The Dangers of End-of-Support Operating Systems

Computer hardware and software are not built to last forever. End-of-support operating systems are one of the most common vulnerabilities discovered on enterprise networks. Why? Typically, it’s for one of two reasons. First, the organization may simply have neglected to refresh its technology. But end-of-support vulnerabilities can also occur because organizations depend on legacy software that will only function on an older operating system.

Do You Have End-of-Support Operating Systems?

What’s classified as an “end-of-support” or “end-of-life” operating system? End-of-support means that the developer of the operating system will no longer provide technical support, and more importantly, will no longer provide updates to the operating system. No more automatic updates, no patches, no help line to call – serious security issues begin to occur because of this.

Take end of support for Windows 7, for example. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. They’ve given their users plenty of time and warning of this change, but still, some will stay on the end-of-support operating system. Microsoft does their due diligence by explicitly telling their users, “You can continue to use Windows 7, but once support ends, your PC will become more vulnerable to security risks. Windows will operate but you will stop receiving security and feature updates,” and encouraging them to transition to Windows 10.

During the infamous WannaCry attack, which spread to 150 countries in May 2017, the National Health Service was victimized because of outdated operating systems. BBC reported that before the attack, there was no formal mechanism for assessing whether NHS organizations complied with security guidance from NHS Digital. Critical alerts from NHS Digital and other warnings about the vulnerability of end-of-support operating systems were ignored. Amyas Morse, Comptroller and Auditor-General of the National Audit Office, said, “WannaCry was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practices. There are more sophisticated cyber-threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

End-of-Support Vulnerabilities in Action

So what happens when organizations use end-of-support or end-of-life operating systems? Hackers know how to exploit these vulnerabilities, and also know how hard it is to keep an end-of-support operating system secure. End-of-support software brings issues like these to your organization:

  • More Security Vulnerabilities – By using end-of-support software and hardware, you’re putting your organization at a higher risk for exploitation by malicious hackers.
  • Technology Incompatibility – Holding onto end-of-support technology forces you to hold onto legacy software. The newest, more secure applications and software aren’t optimized for end-of-support or end-of-life.
  • Higher Cost – If you’re holding out on switching to a new operating system or away from legacy software because of operating costs, you’ve got the wrong mindset.
  • Poor Performance and Availability – Is critical application downtime worth the cost of a software or hardware upgrade?
  • Non-Compliance Issues – Using end-of-support or end-of-life products could endanger the data you are responsible for. How will an auditor or regulator view that lack of effort?

When using an end-of-support operating system, the end user doesn’t have many options to mitigate the threat to their network other than upgrading the operating system. We recommend keeping operating systems up to date by performing regular inventory and planning ahead for technology refreshes, so that legacy software migration or other unforeseen issues don’t pose a problem. It’s also helpful to check with vendors and keep up with any news about upcoming changes to the support status of their operating systems.
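As an added example (not from the article or from KirkpatrickPrice), here is the kind of inventory check the paragraph above recommends: it reads a constructed host inventory, compares each operating system against a small end-of-support table (the Windows 7 date is the one quoted in the article; the Windows XP, Windows Server 2008 R2 and Windows 10 dates are Microsoft’s published dates), and flags hosts that are already unsupported, approaching end of support, or running an OS the table does not cover.

```python
"""Inventory check for end-of-support operating systems.

Added example, not part of the original article. The inventory below is
constructed; the end-of-support table is deliberately small and any OS it
does not list is reported as "unknown" rather than assumed supported.
"""
from datetime import date
from typing import List, NamedTuple, Optional, Tuple

# Vendor end-of-support dates. Windows 7 is the date quoted in the article;
# the others are Microsoft's published dates for those products.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}

# Constructed sample inventory: hostname,os,owner (one host per line).
SAMPLE_INVENTORY = """\
hostname,os,owner
ws-finance-01,Windows 7,finance
ws-finance-02,Windows 10,finance
db-legacy-01,Windows Server 2008 R2,platform
pos-kiosk-03,Windows XP,retail
app-linux-01,Ubuntu 18.04,platform
"""


class Finding(NamedTuple):
    hostname: str
    os_name: str
    status: str               # "unsupported", "expiring", "supported" or "unknown"
    days_left: Optional[int]  # days until end of support (negative = already past)


def normalize(os_name: str) -> str:
    """Collapse case and whitespace so 'Windows  7 ' still matches the table."""
    return " ".join(os_name.lower().split())


def classify(os_name: str, today: str, warn_days: int = 365) -> Tuple[str, Optional[int]]:
    """Return (status, days_until_end_of_support) for one OS string.

    `today` is an ISO date string (YYYY-MM-DD) so the check can be run
    against a fixed assessment date as well as the current day.
    """
    eos = END_OF_SUPPORT.get(normalize(os_name))
    if eos is None:
        return "unknown", None
    days_left = (eos - date.fromisoformat(today)).days
    if days_left < 0:
        return "unsupported", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "supported", days_left


def check_inventory(csv_text: str, today: str, warn_days: int = 365) -> List[Finding]:
    """Parse the inventory (header on the first line) and classify every host."""
    findings = []
    for line in csv_text.splitlines()[1:]:
        if not line.strip():
            continue
        hostname, os_name, _owner = (field.strip() for field in line.split(","))
        status, days_left = classify(os_name, today, warn_days)
        findings.append(Finding(hostname, os_name, status, days_left))
    return findings


def needs_action(findings: List[Finding]) -> List[Finding]:
    """Hosts to put on the refresh plan: unsupported, expiring, or unidentifiable."""
    return [f for f in findings if f.status != "supported"]


if __name__ == "__main__":
    for f in needs_action(check_inventory(SAMPLE_INVENTORY, date.today().isoformat())):
        print(f"{f.hostname:16} {f.os_name:24} {f.status:12} {f.days_left}")
```

Run on an assessment date of 2019-06-01, the Windows 7 and Server 2008 R2 hosts show up as expiring with 227 days left, the XP kiosk as unsupported, and the Ubuntu host as unknown because the table does not cover it.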

Want more information on how to secure your network? Contact us today.


5 Strategies to Keep You From Wasting Time on Security Questionnaires

If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business who’s been in business for years that’s bidding on an enterprise-level prospect – a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager.

The questions may seem irrelevant, repetitive, and unreasonable. Or – maybe you know that you don’t have good answers. For start-ups, a security questionnaire may prompt the first time they’ve truly evaluated their security practices. For a midsize business, it may be a frustrating process to constantly fill out similar, but slightly custom questionnaires for every prospect. The intention behind security questionnaires, though, is a good one. Because so much responsibility lies in the hands of vendors and business partners, an organization has to complete its due diligence to protect its reputation, operability, and financial health.

Compliance from the Start

A client recently told us, “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.” We completely agree with this sentiment. A business that is driven by security and integrity will create a quality service or product.

One of our auditors, Shannon Lane, says it best. “A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet as auditors, we know that a system built with compliance in mind isn’t usually more expensive than a faster, easier solution. A business process or IT solution is hard to change, especially once it becomes core to the enterprise and its operations. Every shortcut taken in the design process, technology solution, or internal system haunts the company forever. It’s always lurking there, waiting to interrupt just when you think you’re prepared. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.”

Security questionnaires are tedious, but they’re trying to determine whether you’re an organization that values security, availability, confidentiality, integrity, and privacy. Are you going to bring more risks into a prospect’s environment? Are you going to provide them with a secure service? Will you hinder their business objectives or facilitate more opportunities?

Saving Time on Security Questionnaires

It’s difficult to know whether the company sending you a security questionnaire will take stock in the answers and how much they will impact the outcome of the deal. Or – what if you refuse to answer the security questionnaire, and they still choose to work with your organization?

Many organizations adopt the approach of refusing to release any information about their security practices, even during an audit. They tend to think, “By not sharing information, we’ll be more secure. Just trust us.” It’s the ultimate security paradox. The truth is, the more you isolate yourself, the less secure you are. You never have the internal blinders removed to get a new perspective. You never get to hear new strategies based on your practices. Even AWS provides information on their compliance programs, penetration testing practices, cloud security, and data privacy practices. AWS isn’t saying, “Just trust us.” They’re giving evidence of how they serve their customers best.

Alternative approaches to satisfy a security questionnaire request may include:

  • SOC 1 and SOC 2 reports contain an independent service auditor’s report, which states the auditor’s opinion regarding the description of a service organization’s systems, whether the systems were presented fairly, and whether the controls were suitably designed. As a result of the additional risks that vendors bring to their business partners, more and more organizations are asking for SOC 1 or SOC 2 attestations.
  • An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization, could go a long way in demonstrating your “compliance from the start” attitude.
  • Allowing a potential business partner to review your breach notification policy, incident response plan, disaster recovery plan, or internal information security policy may be enough evidence to satisfy their request.
  • Formal risk assessments allow organizations to identify, assess, and prioritize organizational risk. By proactively undergoing a risk assessment, you may prove that you’ve evaluated the likelihood and impact of threats and have an effective defense mechanism against a malicious attack.
  • If your organization knows it’ll be filling out a lot of security questionnaires in the future, try filling out one of the many security questionnaire templates available online to formulate your answers and potentially see where your gaps are.

If you’d like more information on how to tackle security questionnaires, contact us today. We can provide many ways for your organization to demonstrate your commitment to secure practices.


Auditor Insights: Compliance from the Start

Why Don’t Organizations Start with Compliance?

At its core, business is a function of time, vision, service, and money. What do we provide? How do we intend to provide it? What takes precedence – the opportunity now or the infrastructure to support things tomorrow? How do we do what we do in a way that makes sense with the resources we have? I’ve found that compliance tends to be one of those things that’s sacrificed due to the time it takes – time that could be spent elsewhere. After all, there’s always more business to pursue, more contracts to sign, more growth to focus on, and more client issues to address. A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet…

As auditors, the secret we know is that a system built with compliance in mind isn’t usually more expensive than the fast, easy solution. A business process or IT solution has inertia; it’s hard to change, especially once it becomes core to the enterprise and its operation. Every shortcut taken during the design processes, technology solutions, or internal systems haunts us forever. It’s always lurking there, waiting to come back and bite us just when we think we’re okay. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.

Tone from the Top

When building a foundation for a culture of compliance, you must start from the top. Your leadership team, management, senior executives, stakeholders, board of directors – whatever your organization calls it, start there. Senior management’s support will fuel a compliance program.

In many gap analyses, it’s often revealed that what senior management thinks is going on, and the actual process that’s been implemented, are completely separate and unrelated things. I’ve had CISOs tell me about how their employees would never send credit card information over email, only to have their accountants say that this was just normal business practice and they didn’t see the problem with it.

A compliance program isn’t an optional step. It has to be included from the start, as early in the process as possible. In today’s age, where information is the most valuable commodity that we possess, understanding how we use, secure, and manage that information should be ingrained in us.

Security can be simple, but not when it’s ignored and slapped on at the last minute, when the auditors are on their way. Compliance is a way of existence, something that should be embedded into corporate cultures. Designing secure systems around business needs ensures that compliance and security are not an inconvenience.

Is your organization struggling to get management’s approval on compliance programs? Are you confused about the cost vs. the benefits of an audit? Do you have a compliance program, but can’t seem to effectively train your employees? Contact us today, we’re here to help!

About Shannon Lane

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. Lane now serves as an Information Security Auditor at KirkpatrickPrice, represents KirkpatrickPrice on the 2018 HITRUST CSF Assessor Council, and holds CISSP, CISA, QSA, MSDBA, and CCSFP certifications.


The Importance of a Culture of Compliance: CompuMail’s Insights

The Need for Security

CompuMail began pursuing comprehensive audits in 2009 to ensure efficient, compliant business operations and to maintain a strong multi-industry reputation. Since then, they’ve achieved many compliance goals and excelled to greater levels of assurance. In 2010, they achieved PCI and HIPAA compliance, and soon after, became compliant with FISMA, GLBA, and ISO 27002. Most recently, CompuMail completed further auditing and achieved SOC 1 and SOC 2 attestations. The time, financial investments, and company-wide dedication that CompuMail gives to security shows their perspective on how important security and compliance is.

CompuMail has gained invaluable insight while undergoing the audit process. CompuMail’s Chief Security Officer tells us, “We believe that undergoing annual internal and third-party audits is crucial to our business. Simply stating that you have the controls in place is unacceptable for the industries we focus on and the clients we serve.”

How to Create a Culture of Compliance

Creating a positive culture of compliance and driving cultural change within your organization requires strong leadership skills and a clear strategy. Does your organization have a person or team directly responsible for security and for a compliance management system (CMS)? Having this in place can make a significant difference for your organization. CompuMail’s strategy involves an internal team dedicated to creating a culture of compliance.

Christine Fribley, CompuMail’s Chief Security Officer, is responsible for managing all data and physical security efforts across the organization. Her duties include, but are not limited to: management of CompuMail’s security certifications, conducting internal risk assessments and auditing, facilitation of vendor management function, and ensuring that security training requirements are met. The information security component of CompuMail’s CMS program is extremely vital to protecting the integrity and reputation of the organization and its clients. Leona Augerlavoie, CompuMail’s Compliance Officer, is responsible for establishing and maintaining CompuMail’s CMS. Her duties include, but are not limited to: oversight of the development, implementation and success of all required CMS elements, promotion of compliance activities in accordance with both internal and client core values, maximizing organizational integrity and quality of service, coordination of onsite audits, and maintaining current knowledge of regulatory/legal updates specific to the financial, healthcare and collection industries. This team allows CompuMail to continuously evaluate and add to their list of externally-validated certifications and standards to ensure ongoing compliance with the highest industry standards.

In addition to the above roles and responsibilities, CompuMail’s culture of compliance is reinforced through documentation. The Chief Security Officer and Compliance Officer continuously assess compliance needs and plan for risk mitigation, but they also create, modify, and uphold policies and procedures. This comprehensive documentation standard across the organization reinforces CompuMail’s culture of compliance and has allowed the establishment of strong continuous quality improvement practices.

When establishing your organization’s culture of compliance, communication and training are crucial for employee engagement. CompuMail’s Compliance Officer tells us, “CompuMail employees understand that their commitment to and cooperation with security and compliance, as well as established controls, is a critical component to their job and to our business. All CompuMail employees receive data security and compliance training immediately upon hiring and then on an annual mandatory basis. Security and compliance tips and updates are shared in monthly internal newsletters and in emails to keep compliance at the forefront.”

How Can Security and Compliance Benefit Your Clients?

Every organization wants their clients to be satisfied with the services they receive and confident that their sensitive data is secure. By achieving compliance with so many standards and frameworks, CompuMail demonstrates that they are accountable for upholding high standards of confidentiality and integrity while hosting, processing and printing clients’ data.

CompuMail’s Chief Security Officer states, “Without a doubt, the greatest security risks that we face are data breaches and identity theft. In this day and age, data security is not optional, as data breaches have become front page news stories, and identity theft and phishing scams are constant threats. CompuMail recognizes that there are numerous factors that can impact an organization’s risks, including but not limited to: culture, technology, innovation, new services, laws, rules, and regulations, as well as the existence and sufficiency of policies covering all areas of risks. Our security and compliance team is dedicated to protecting our assets and the assets of our clients, and our compliance achievements attest to the high standards that we have committed to upholding.”

More About CompuMail

Since 1994, CompuMail has been delivering innovative communication solutions and print and mail services to clients that span across multiple industries. They offer a robust list of solutions with unique platforms for service delivery that can meet all of your business essentials: physical and digital communications, data protection and secure portals, coupled with superior customer service and support. CompuMail cultivates lasting partnerships with their valued customers to ensure that they see the best possible results under the highest level of data security, at the most competitive price. Technology changes and business changes, but CompuMail’s commitment to service does not.

Find CompuMail on LinkedIn, Twitter, and Facebook.
