SOC 2 Academy: Using a Risk Assessment

Common Criteria 3.1

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. When an auditor is assessing an organization’s compliance with common criteria 3.1, which states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives,” they will want to see that the entity not only conducts but uses their risk assessment. Let’s take a look at how organizations can go about using their risk assessment and why it’s so important.

The Importance of a Risk Assessment

Conducting a risk assessment is a proactive way that organizations can identify and assess organizational risk. However, another key element of a risk assessment is using the findings to prioritize the risks to the organization’s business continuity, reputation, financial health, and more. How can an organization’s management utilize their risk assessment? They can do so in a few ways, including:

  1. Managing day-to-day activities: Having a prioritized list of risks allows an entity’s management to better understand which risks need more attention and how to execute a plan of action to mitigate those risks during their day-to-day activities.
  2. Budgeting: When leadership understands where the organization’s risks lie, they will have more insight into how they need to budget and allocate funds to alleviate risks.
  3. Mitigating: Once management understands which risks are more important and they have allocated the necessary funds, they can begin mitigating the risks identified during the risk assessment.
  4. Monitoring: By conducting risk assessments on a regular basis, entities will be able to use their findings, compare them to past assessments, and monitor their progress.

Without conducting risk assessments on a regular basis, organizations will be unable to risk-rank threats to their organization, mitigate those risks efficiently, and ensure that their business objectives are met. For SOC 2 compliance, it’s absolutely necessary for organizations to perform risk assessments and demonstrate that they use their findings in a way that helps them meet their objectives.

Video Transcription

While having a risk assessment is an important requirement for your SOC 2 compliance efforts, I also want to point out how important it is to utilize it on a day-to-day basis within your organization. The assessment of risk is something that you can use to manage your activities on an ongoing basis. For example, if you don’t know what your level of risk is on any particular day, you may not know what priority to place on certain activities. For example, in your budget, using your risk assessment is a way to allocate dollars to the areas that bring the best bang for the buck to make sure that you’re spending dollars in areas where you have the highest risks. Just make sure that you leverage your risk assessment and use it in the way that it is intended.

SOC 2 Academy: What Types of Risks Does Your Organization Face?

Common Criteria 3.1

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.

Conducting a Risk Assessment

During a SOC 2 audit, your auditor will want you to conduct a risk assessment, especially if you haven’t done one in the last year. Conducting a risk assessment is especially critical to SOC 2 compliance because it allows an organization to determine the controls that will be evaluated during the SOC 2 audit. It also allows organizations to identify the different types of risks that they might face.

Types of Risks

Understanding the types of risks that your organization faces is critical to maintaining a strong security posture, avoiding fines and penalties, and safeguarding your organization’s reputation. It’s imperative that an organization’s leadership recognizes that there are risks that go beyond threats to its information security systems. An organization must consider financial risks, market risks, operational risks, and risks associated with non-compliance with laws and regulations. During the SOC 2 audit process, the auditor will want to see that the organization has been thorough enough when performing its risk assessment. Has it considered various types of risks? Are the controls that are in place able to mitigate those different types of risks? If an organization fails to recognize the different types of risk it faces, it will be unable to achieve its business objectives.

Video Transcription

The risk assessment requirement in common criteria 3.1 (CC3.1) is a very important element of the SOC 2 Trust Services Criteria. Whenever we bring up doing a risk assessment to people who maybe haven’t done one recently and they ask, “Do we really have to do this?”, we say they do. We want you to do a risk assessment if you haven’t done one in the last year at least. A risk assessment is so critical to being SOC 2 compliant, because that’s really the basis on which you select the controls that are going to be audited in the engagement. We’re going to ask you: what are you trying to deal with by putting these controls in place? Have you been broad enough in the risks you’ve considered? Risk is not only IT; risk is not just information security. There are financial risks, market risks, operational risks, and risks that come from the non-compliance with laws and regulations. You really have to be very broad in your thinking and look for the risks that would cause your organization to not achieve the objectives that you have set out to achieve.

Been Breached? How to Report Consumer Risk with a Risk Assessment

Using a Risk Assessment to Report Consumer Risk

Because there are so many different laws that regulate how and when an organization must give notice if it has had a data security breach, understanding the correct plan of action for your organization, or determining how to report consumer risk from breaches, might be daunting. Nevertheless, the laws do have one major commonality: does the consumer suffer a significant risk of harm? Consider a Social Security number; if someone’s SSN was compromised, they’re at risk for true-name and account-takeover identity theft. This would be a significant risk of harm to that consumer. Or, for instance, let’s examine a patient whose medical records were compromised. What is the probability that the patient would suffer some kind of embarrassment or identity theft? The level of risk of harm may change based on the type of medical records, like a compromise of an HIV status versus dental records.

If an organization believes that a data security breach has occurred, it should try to remediate the problem at hand as soon as possible and report consumer risk. A risk assessment is a useful methodology for identifying, assessing, and prioritizing organizational risk, and thus allows organizations to implement a plan of action quickly and efficiently. Risk assessments can be used for a variety of reasons, such as locating gaps in security, understanding risks, evaluating how breaches occur, and remediating gaps and/or breaches.

Risk assessments also allow organizations to determine what the level of risk is relative to the final consumer – is it a significant or a low risk? It’s also important to keep in mind the subjective nature of risk. We often use the example of a worn tire to illustrate this. When we consider the tire alone, we can conclude that it is worn out and in bad shape, and that there is significant risk. However, when you picture the tire attached to a tire swing rather than mounted on your car, the context changes and the tire is no longer a significant risk. This combination of factors is important to consider when you look at an asset and then analyze how it is used. What if the rope holding the tire swing was frayed? Would that alter your opinion of the nature of the risk? What if we implement a control here and position a group of people holding a rescue trampoline under the person on the tire swing with the frayed rope? Have we appropriately reduced the risk? Let’s complicate it more. Now, the rescue team with the trampoline is standing at the edge of a canyon. Does this change our opinion of significant risk once again?

When conducting a risk assessment, an organization needs to evaluate a wide range of factors with varying degrees of influence on the level of risk. You need all types of information about the data you’re trying to protect. Who has access to the data? What type of information was breached? How does it impact the consumer?

To learn more about how to use a risk assessment to report consumer risk, follow @BenjaminWright on Twitter. For more information about planning, conducting, and using a risk assessment, contact us today!

Video Transcript

The many different laws that require an organization to give notice if it’s had a data security breach are complex – they don’t all say the same thing. A common topic in these laws is whether the ultimate consumer suffers some significant risk of harm. So, the consumer would be the holder of a credit card or the person whose Social Security number had been compromised. If an organization sees that it may have an incident that might be a security breach, oftentimes the organization is wise to conduct a risk assessment.

A risk assessment evaluates exactly what happened and what the risk of harm is – whether it’s a significant risk or a low risk – relative to the final consumer. Significant risk of harm is a subjective idea and, therefore, if the organization is conducting a risk assessment, it has to evaluate a wide range of factors that might be rather subjective. For example, what’s the possibility that the patient would actually suffer some kind of embarrassment or suffer some kind of identity theft if her medical record was compromised?

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

6 Tips on How to Pass an Audit in Q4

The end of the year is rapidly approaching, and so is the deadline for those completing a Q4 audit! It’s not hard to imagine what Santa and his Elves feel like as they rush around to get everything in order and ready for their big day.

Just as the Elves help Santa to ensure everything gets done in time, our auditors are committed to helping you make sure you have everything in place working effectively to successfully complete your audit on schedule. Here are 6 tips on how to pass an audit in time for year-end.

How to Pass an Audit in Q4

To better prepare for your upcoming audit, here are six tips that companies across all industries can find helpful:

1. Perform a Risk Assessment

Risk Assessment. Risk Assessment. Risk Assessment.

It always starts with a Risk Assessment. What better way to identify your assets and prioritize your unique risks than by performing a regular risk assessment? Not sure if you have all of the necessary controls in place to properly protect your assets and mitigate risks? Don’t worry – your annual risk assessment will help you with that. Not only is a risk assessment mandated by most audit frameworks, but it’s also a critical component of any information security program.

2. Documentation Inventory

Are you maintaining audit logs? Do you have proof of employee acknowledgement of policies and procedures? Are you keeping all necessary records for your auditor to review?

Waiting until the last minute to pull all of your documentation together can make preparing to pass an audit seem much more tedious and stressful than is actually necessary. Veterans of the audit process will highly encourage companies to continuously collect and maintain necessary documentation in order to be prepared year-round for an audit.

3. Policy and Procedure Review

If it's not written down, it isn't happening.

Reviewing your policies and procedures on an annual basis is a good way to ensure that there are not any gaps in your controls and processes. It is also the perfect opportunity to be certain that everything you say you’re doing as an organization is formally documented and communicated to all relevant personnel.

When it comes to compliance, we’ve all heard the adage, “If it’s not written down, it isn’t happening.” This is good advice when it comes to preparing for an audit, because your auditor won’t be interested in hearing about your processes, but rather will need to see them documented on paper and see evidence that they are a living, breathing document that continuously changes and matures with your organization’s environment.

4. Employee Training

A strong defense is the best defense. Regularly training your employees on security awareness and the importance of security and compliance can help put your mind at ease when it comes to knowing they are taking the right steps and precautions to protect organizational assets. A culture of security awareness and compliance must start from the upper-management level and trickle down to the employee level in order to make the best impact. Security training programs should educate employees on policies and procedures as well as basic security awareness.

5. Vendor Compliance Management

Are you properly managing your vendors to verify that they are complying with information security and compliance requirements and best practices? Vendors pose a risk to every organization, so it’s imperative that you do your due diligence to mitigate those risks. Do you have all of your documentation of proper vetting prepared and ready for your auditor to review? What is your onboarding process? Off-boarding? Do you have vendors sign a non-disclosure agreement? Learn more vendor management best practices with our vendor compliance assessment.

These are the pieces you’ll want to have together in order to successfully pass your audit in Q4.

6. Work with your Auditor

When it comes to completing an information security or compliance audit, your auditor is your greatest resource and is not to be feared. Work with your auditor to show them you’re committed to the audit and remediation process and to improving your environment. If they show you that a control you have in place is insufficient, work with them to make the appropriate changes for follow-up, and, most importantly, be honest. A good auditor won’t work with you simply to check a box; they will work with you to ensure that your organization is secure and compliant.

So as you wrap up your Q4 audit this year, remember to not overcomplicate it. Gain audit participation from your entire organization by expressing the importance that security plays in your business operations. Working together with your organization and your auditor can help you achieve greater levels of security and compliance at your organization.

A Checklist to Prepare for Your SSAE 16 (SOC 1) Audit

If your customers rely on you to protect consumer information, chances are you may be asked to produce an SSAE 16 audit report. An SSAE 16 audit is a report on the controls at an organization that are relevant to, or may affect, a client’s financial statements. This standard is designed to demonstrate that an organization has proper internal controls and processes in place to address information security and compliance risks. It’s not uncommon to have a million questions the first time you decide to engage in an SSAE 16 (SOC 1) audit. Where do we start? What does this entail? Will we fail? Here are 10 things you can do to begin preparing for your SSAE 16 audit.

1. Risk Assessment

If you look at any compliance or information security framework, audit, or standard, they all require a risk assessment. Accordingly, performing a formal risk assessment is the best starting point in preparing for your upcoming SSAE 16 audit. A risk assessment helps you understand what you’re doing as an organization and can help identify any risks in your environment. Based on your assessment, the implementation of controls should be reasonable and feasible. A written, formal risk assessment should be performed by a cross-section of departments and employees.

2. Evaluate Client Requirements

Which market are you serving? Are you providing services to retail organizations? Healthcare organizations? The federal government? Financial services organizations? Your answers will determine the laws and regulations that apply to you and how you deliver your services. What do your clients expect from you? What does your contract say you’re providing? As a service provider, your audit’s scope is shaped by your service delivery methods, and client requirements should be evaluated in order to understand what is expected and reasonable. Don’t forget to evaluate contracts and service packages to ensure that expectations have been properly documented.

3. Regulatory Implications

In order to prepare for your SSAE 16 audit, you must determine what your regulatory responsibilities are based on your locale and the customers you serve. For example, if you’re serving the healthcare market, you’ll be responsible for complying with the relevant sections of HIPAA and the HITECH Act. If you’re serving the financial market, then GLBA is relevant. If you’re serving publicly traded companies, SOX is relevant. If you’re serving the federal government, you must comply with FISMA. Taking into consideration each regulatory framework that applies to you will help determine what’s important to consider when preparing for your SSAE 16 audit.

4. Service Delivery Controls

Possibly one of the biggest risks that businesses overlook (since it isn’t a security breach) is operational risk. As auditors, we look for things that deal with operational efficiency, catching errors, and quality assurance. These are all important factors that help make up a set of service delivery controls. What controls do you have set up along the service delivery process? A helpful way to manage service delivery controls is to create a data flow diagram of the life cycle of your service delivery model. Take us step by step through the entire process.

5. Written Policies & Procedures

This isn’t the first time you’ve heard us say this, and it won’t be the last. The most important thing to remember when developing policies and procedures to prepare for any audit is “if it’s not written down, it didn’t happen.” Having a formally written and fully documented set of policies and procedures is paramount for an SSAE 16 audit because these are what we audit against. If your policy says you do X, Y, Z, we will perform a test against that policy to verify that you do, in fact, do X, Y, Z. Having a formal set of written policies and procedures also helps guide employees on company expectations and consequences and provides guidance on the proper execution of service delivery. Policies and procedures should be fully endorsed by senior management and updated by the authorized individual at least annually.

6. Training

When trying to prepare for your SSAE 16 audit, policies and procedures and training often go hand in hand. It’s essential that employees receive job-specific training to ensure full compliance with all company policies and procedures. Did all employees attend? Did all employees comprehend? Is there some kind of acknowledgement form that was signed saying they have been presented with, and understand, what’s expected of them as an employee? Since, for example, HR, IT, and Production are all responsible for different aspects of the business, training should be as job-specific as possible. Another type of training that is critical in the current threat landscape is security awareness training. Employees should be trained annually to keep them vigilant in understanding the types of threats that are out there.

7. Vendor Management

Vendors represent a risk to every organization. Your requirements for each vendor may vary based on the risk that vendor poses to your organization. For example, a VPN-connected vendor introduces different risks than a cleaning service. As far as managing your vendors, on-boarding and off-boarding procedures are just as critical for vendors as they are for employees. What are you going to require for the on-boarding process? A signed non-disclosure agreement? Verification that they perform background checks on their employees? Verification that they are in compliance with any relevant information security and regulatory compliance requirements? Effective policies, training, and monitoring can greatly reduce your vendor risk. Be sure to include a right-to-audit clause in your contract.

8. Physical Controls

Your physical controls address restricting access to your physical environment. These controls cover things like controlling how someone comes in and out of your facility, tracking visitors, and keeping a log. Access control systems can generate logs to verify access granted and denied. Video footage can be helpful after an incident to determine the impact. Visitor procedures are important for documenting historical events. Are there additional checkpoints or limited access once inside? Sensitive areas should be controlled to restrict access on a strictly business-justified basis. Assessing your physical controls is important when you prepare for an SSAE 16 audit.

9. Security Controls

When we talk about controls that affect “security”, we are talking about CIA: Confidentiality, Integrity, and Availability. If an important document containing sensitive information is stolen, then the confidentiality of that document has been compromised. If you’re storing an important hardcopy document that has gotten wet and is now unreadable, then the integrity of that document has been compromised. If something has gone missing, like an important filing cabinet full of sensitive documents, but hasn’t been taken by an unauthorized person, then the availability of those documents inside the filing cabinet has been compromised. Placing Administrative, Technical, and Physical controls in place can help you address each of those areas of security.

10. Availability Controls

Availability controls include things such as Business Continuity and Disaster Recovery Plans. These are critical for maintaining availability to your customers. Other availability controls to consider when preparing for an SSAE 16 audit are data backups, network monitoring, and cross-training employees.

Companies are looking to do business with vendors who understand these issues. Being proactive about undergoing your SSAE 16 audit can mean the difference in winning your next big deal and in earning the trust and respect of the clients you serve.

KirkpatrickPrice strives to be your partner. Engaging in an SSAE 16 Audit doesn’t have to be a scary thing and we are here to offer help every step of the way with recommendations and resources to help strengthen your environment. If you’re ready to get some help, contact us today.