10 Most Common SOC 2 Gaps

In recent news, State Farm notified policyholders of a cybersecurity attack in the form of credential stuffing, a tactic often used by hackers that relies on a lack of password maintenance. State Farm took proper measures to reset passwords and notify affected parties of the attack, but what if State Farm employees were properly implementing multi-factor authentication practices from the start? Would this attack have even happened? How could State Farm have known its employees weren’t following logical access procedures? They could have watched out for common security gaps and implemented proper procedures before a hacker had any chance at locating their vulnerabilities. Proactive security practices are key to an information security program.

A SOC 2 audit is a way of proactively assessing your organization’s information security program. You’ll see how your organization stands up against SOC 2 standards and learn from information security experts where your vulnerabilities lie. But how do you prepare for an undertaking as big as a SOC 2 audit? We believe that when organizations choose to undergo a SOC 2 audit for the first time, it’s important that they complete a SOC 2 gap analysis to determine areas of security improvement. The goal of a gap analysis is to identify areas of weakness in your systems that need to be remediated before completing a SOC 2 audit. This helps you improve your practices and gives you a better chance at gaining a SOC 2 attestation. If your organization is preparing for a SOC 2 audit and you want to understand the most common SOC 2 gaps to watch out for, you’ve come to the right place.

Watch Out For the Most Common SOC 2 Gaps

For most organizations completing a SOC 2 audit for the first time, the typical gap rate is 40-60%. This means that, on average, of the topics covered during a SOC 2 gap analysis, 40-60% contain gaps. The typical organization can expect to see a number of gaps in their information security procedures in places they may not have expected. How can you get ahead of the game? By learning about the most common SOC 2 gaps and assessing your organization’s policies and procedures against them. Based on our data, we believe the most common SOC 2 gaps address these requirements:

  • Risk Assessment: Organizations should have a formal risk assessment policy that is both implemented and documented. After a risk assessment is completed, the organizational risks must be maintained and addressed regularly.
  • Business Continuity Plan: A proper business continuity plan needs to be developed in case of an incident that needs an immediate response. After development, the business continuity plan needs to be tested and documented.
  • Network Scanning & Testing: It’s common for organizations to leave network vulnerability scanning and penetration testing out of their policies, but these tests should be performed yearly.
  • Information Security Policy: Developing an information security policy should be a practice that is reviewed regularly and implemented in daily employee activities. Organizations need to keep thorough documentation of any information security policy changes.
  • Change Management Policy: The procedures for notifying users or clients of system events should be addressed in change management policies and procedures.
  • Vulnerability Management Policy: Organizations can prepare for a SOC 2 audit by developing a vulnerability management policy that addresses patch management and immediate notification of breaches in vulnerable areas.
  • Vendor Management: Monitoring third-party vendors by reviewing their compliance with information security and confidentiality, access control, service definitions, and delivery agreements is often an overlooked security procedure. An organization should receive current audit reports from any critical third-party vendors.
  • Network Logging & Monitoring: Organizations should have proper documentation to define monitoring for alerts from intrusion-detection/intrusion-prevention, alerts from file-integrity monitoring systems, and detection of unauthorized wireless access points.
  • Logical Access: An organization’s Logical Access Policy should include roles and full password requirements.
  • Network Diagrams: Create network diagrams that illustrate all boundaries of the environment, network segmentation points, boundaries between untrusted networks, and all other applicable connection points.

Quick Wins to Jump Start the SOC 2 Audit

Those 10 most common SOC 2 gaps can seem daunting to identify and tackle in your own systems, so we’ve put together a few “quick wins” that you can start implementing right now. Quick wins are changes that have a positive impact in two ways: they resolve a gap, and they give your compliance effort momentum.

Multi-factor authentication is one quick win, and it should be implemented as part of a solid logical access security policy. Your organization should enforce MFA for every user in your system.

Another area of momentum for your SOC 2 audit is physical security. Video surveillance is an integral security practice, and the surveillance footage should be retained for at least 30 days. Implementing a visitor log that requires all visitors to sign in before entering the office is another crucial element of physical security.

Do you have required training programs that thoroughly explain security policies and procedures to all employees? Security awareness is an extremely accessible quick win. As part of training, all employees should receive the employee handbook, which needs to include sections on information confidentiality, background & reference checks, and progressive discipline. A copy of each employee’s Daily Operational Security Procedures should be kept up to date and available to every employee.
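As an added example (not code from this page or from KirkpatrickPrice), the following Python script shows what gathering evidence for the Logical Access gap and the MFA quick win can look like in practice. It parses a constructed identity-provider account export and reports which accounts lack MFA or an assigned role, which passwords are older than the maximum age, and whether the tenant-wide password policy meets a baseline; it then computes the share of checks with findings, the same idea as the gap rate quoted above. The baseline thresholds (12 characters, 90 days), the CSV layout, the assessment date and the account names are all assumptions.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Assumed baseline password requirements (hypothetical thresholds; the page
# asks for "full password requirements" but names no numbers).
BASELINE = {"min_length": 12, "max_age_days": 90}

# Fixed assessment date so that password ages are deterministic.
AS_OF = date(2019, 10, 1)

# Constructed sample account export, one row per account, in the shape an
# identity provider's user report might take (not real data).
SAMPLE_USERS_CSV = """username,role,mfa_enabled,password_last_set
alice,admin,true,2019-09-01
bob,support,false,2019-08-15
carol,,true,2019-03-20
dave,finance,false,2019-01-05
"""

# Constructed tenant-wide password policy settings (not real data).
SAMPLE_PASSWORD_POLICY = {"min_length": 8, "max_age_days": 90}


@dataclass
class User:
    username: str
    role: str
    mfa_enabled: bool
    password_last_set: date


def parse_users(text: str) -> list[User]:
    """Parse the CSV export; booleans and dates arrive as text and are converted."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append(User(
            username=row["username"].strip(),
            role=row["role"].strip(),
            mfa_enabled=row["mfa_enabled"].strip().lower() == "true",
            password_last_set=date.fromisoformat(row["password_last_set"].strip()),
        ))
    return users


def check_password_policy(policy: dict, baseline: dict = BASELINE) -> dict[str, list[str]]:
    """Compare each tenant password setting with the baseline.

    Returns one key per setting; an empty list means the setting meets the
    baseline. A missing setting is treated as a gap rather than silently passing.
    """
    findings: dict[str, list[str]] = {"min_length": [], "max_age_days": []}
    min_length = policy.get("min_length")
    if min_length is None or min_length < baseline["min_length"]:
        findings["min_length"].append(
            f"minimum length {min_length} is below baseline {baseline['min_length']}")
    max_age = policy.get("max_age_days")
    if max_age is None or max_age > baseline["max_age_days"]:
        findings["max_age_days"].append(
            f"maximum age {max_age} days exceeds baseline {baseline['max_age_days']}")
    return findings


def check_users(users: list[User], as_of: date = AS_OF,
                baseline: dict = BASELINE) -> dict[str, list[str]]:
    """Per-account checks: one key per control, listing the accounts that fail it."""
    gaps: dict[str, list[str]] = {
        "mfa_not_enforced": [], "no_role_assigned": [], "password_older_than_max_age": []}
    for u in users:
        if not u.mfa_enabled:
            gaps["mfa_not_enforced"].append(u.username)
        if not u.role:
            gaps["no_role_assigned"].append(u.username)
        if (as_of - u.password_last_set).days > baseline["max_age_days"]:
            gaps["password_older_than_max_age"].append(u.username)
    return gaps


def gap_rate(*check_results: dict[str, list]) -> float:
    """Share of checks with at least one finding (the gap-rate figure used above)."""
    checks = [bool(v) for result in check_results for v in result.values()]
    return sum(checks) / len(checks) if checks else 0.0


def run_assessment() -> tuple[dict, dict, float]:
    """Run both check sets over the constructed sample and return the results."""
    policy_findings = check_password_policy(SAMPLE_PASSWORD_POLICY)
    user_gaps = check_users(parse_users(SAMPLE_USERS_CSV))
    return policy_findings, user_gaps, gap_rate(policy_findings, user_gaps)


if __name__ == "__main__":
    policy_findings, user_gaps, rate = run_assessment()
    for setting, items in policy_findings.items():
        print(f"password policy / {setting}: {'OK' if not items else '; '.join(items)}")
    for control, accounts in user_gaps.items():
        print(f"{control}: {'OK' if not accounts else ', '.join(accounts)}")
    print(f"gap rate: {rate:.0%}")
```

Run as a script, it prints one line per check; on the constructed sample, four of the five checks have findings. In a real engagement the CSV would be the export from your identity provider and the baseline would be copied from your written Logical Access Policy, so the output doubles as evidence that the policy is both documented and enforced.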

These areas of implementation should give your organization the opportunity to have a few quick wins that help close your SOC 2 gaps. If you’re curious to know more about remediating the most common SOC 2 gaps or preparing for a SOC 2 audit, contact KirkpatrickPrice today to talk with our team of information security experts.


Sigstr’s Commitment to Security: The SOC 2 Journey

Sigstr helps the world’s best marketers do amazing things with their employees’ emails. The average person spends 6.3 hours in their inbox every day. Sigstr gives marketers the ability to serve targeted ads to their audience where they’re spending the majority of their time: the inbox. This connectivity between Sigstr and email clients presents information security risks that Sigstr must address. We sat down with Brent Mackay, Director of Product Management and Data Protection Officer at Sigstr, to discuss what their team learned through the SOC 2 audit process and how it gives Sigstr a competitive edge in the email and marketing application space.

The Need for SOC 2

What information security risks face email applications? Generally, we see spam, phishing, and malware. According to Symantec, in 2018, Microsoft Office files accounted for almost half of all malicious email attachments. 1 in 10 URLs sent in emails is malicious. Each hacked email account is worth between $5 and $10. Risks like these led Sigstr to go above and beyond to ensure that their service will not leave a vulnerability open to unauthorized access. Sigstr knows that employee email is incredibly sensitive, which is why they decided to pursue SOC 2 Type I and Type II attestations.

Mackay comments, “At the beginning of 2019, we announced Sigstr’s SOC 2 Type I attestation with a commitment to continue moving our security program forward. In August, we announced the SOC 2 Type II attestation. An important part of SOC 2 compliance is the ongoing adherence and improvements made to security systems and processes. The standards for SOC 2 shift as the tech ecosystem changes, and ongoing improvements to controls are needed in order to stay up to date. Sigstr plans on annual SOC 2 Type II audits as a mission for customers to have confidence that their data is safe with us.”

Information security and compliance have a two-fold importance to Sigstr. To keep their applications safe from unauthorized access and maintain uptime, they have to be the best of the best – and compliance helps raise the bar. It’s also important to the growth of Sigstr’s business, aiding them in closing deals with enterprise-level organizations who demand that their vendors be held to a high standard of security and compliance.

Lessons Learned from the SOC 2 Audit Process

After gaining Type I and II attestations, Sigstr felt as though the SOC 2 audits were definitely worth the time, effort, and cost. Mackay says, “Going through the SOC 2 audit process is exciting and challenging. Since this was the first set of SOC 2 audits that Sigstr had gone through, there was somewhat of a fear of the unknown. KirkpatrickPrice did a great job to help us prepare and we are very glad to have gone through the process.”

The Sigstr team learned a lot along the way about how to be in a position to better secure customers’ email data. Mackay explained that their team had three main takeaways after going through the SOC 2 audit process, which include:

  1. Before going into a SOC 2 audit, it’s important to research what it entails and then measure your company’s preparedness. There are dozens of controls and policies that need to be in place prior to starting the audit, and it would be daunting to try to write and implement them during an audit. An easy place to start is to document the processes and controls you currently have in place.
  2. It is easy to underestimate the time the audit will take end to end. Audit timelines will vary based on your company size and scope of the engagement, but at Sigstr, we learned that it is a full-time job for a few people for approximately three months. We prepared our security team to allocate their time appropriately since the majority of the work was on them.
  3. When going through the process of creating controls and policies to govern your information security program, it can be very tempting to embellish and add aspirational controls. This can come around to bite you, because controls that you put into policies will be audited. Whatever you put into a policy, you will be asked to furnish evidence of that during your Type I and Type II audits. If you fail to do so, it will show up as an exception on your report. We followed a simple mindset of “do what you say and say what you do.”

Competitive Advantage Gained from SOC 2

Sigstr is the only company in their space that has gone through a SOC 2 audit – and they didn’t just go through the Type I. They completed both Type I and Type II within a year. That alone is a competitive advantage, but furthermore, Sigstr’s SOC 2 audits were measured against all five Trust Services Criteria. We see most organizations choose between one and three, so this choice shows Sigstr’s incredible commitment to securing the email data that they are responsible for.

Having a SOC 2 Type II report readily available has also helped Sigstr accelerate the vendor approval process with many of their customers. Without a SOC report, the vendor approval process can take much longer, and you could lose the opportunity to do business with larger customers.

Sigstr’s compliance journey can teach others how valuable an information security audit can be – for your processes, your technology, your people, and your clients. Want to learn about how your organization could tackle the SOC 2 journey? Contact us today.

More About Sigstr

Sigstr makes employee email your new favorite ad channel. Run hundreds of simultaneous banners to intelligently target your audience by industry, geography, or opportunity stage. Gain deep account-based insights and buyer intent data based on the real relationships your team develops (all from email and calendar patterns). In addition to standardizing email signatures, Sigstr turns every email your employees send into a marketing campaign.


What Makes a SOC 2 Audit Successful?

What happens after you receive your SOC 2 report? You’ve just used many resources – maybe even some that you were strapped to allocate – to go through a gap analysis, remediate the findings, and then begin the SOC 2 Type I and/or Type II audit. It’s a massive project that you should be proud to finish…but what now? What makes a SOC 2 audit successful? How do you make the most out of your compliance? Let’s take a look at four ways to prove that your SOC 2 audit was successful, using one client’s SOC 2 audit journey as an example.

iPost’s SOC 2 Compliance Journey

iPost is a flexible and dynamic marketing automation solution for email and mobile needs, built for marketers by marketers. Like many others in the marketing industry, iPost was being asked by clients and prospects for evidence of their commitment to data security. When iPost decided to pursue SOC 2 compliance, it felt nerve-wracking to begin such a big project. After completing a SOC 2 Type I audit, though, iPost’s CEO, Cameron Kane, said, “The real value in the SOC 2 audit is that we’ve become a better company. The audit forced us to grow, and that’s not an easy thing – but we did it.”

So, how did iPost know that their SOC 2 audit was successful? How can you know that your SOC 2 audit was successful? We’ll give you four key ways.

How Do You Prove Your SOC 2 Audit was Successful?

1. C-Level Support

During a SOC 2 audit, it’s incredibly important that C-level executives and stakeholders understand and support the audit and the organization’s overall information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will care about the outcome of the audit?

iPost’s CEO supported and understood the SOC 2 audit and its purpose, and that made all the difference in making their SOC 2 audit successful. Kane and his team interacted with an Information Security Specialist and the President of KirkpatrickPrice, Joseph Kirkpatrick. When Kane met with Kirkpatrick, the tone for the SOC 2 audit was set: Kane knew that it would be a long process, but also understood that the auditor’s intention was not to find sensitive areas and pour salt in the wound. Instead, the auditor was there to help, point, and direct iPost toward stronger security practices. Right away, iPost’s CEO knew that their SOC 2 engagement wasn’t going to be a stereotypical audit and helped his team understand that there was no reason to be guarded. Kane knew that the KirkpatrickPrice team and the iPost team were all working towards the same goal: to make iPost the best organization it can be. That C-level support made iPost’s SOC 2 audit much more successful.

2. Seeing Real Change Within Your Company

SOC 2 audits are meant to strengthen and enhance your business, yet many organizations are fearful of the process rather than seeing the benefits. At KirkpatrickPrice, we believe a SOC 2 audit is successful when you see real change at your company. This means that the audit isn’t something to be checked off a list every year, or just another IT item to include in the budget. Instead, the audit is an opportunity to improve your business processes and your organization as a whole. At iPost, almost immediately following their SOC 2 Type I audit, they already felt a change among their employees. Phishing attempts were being reported like never before and procedures were being followed, all because they had buy-in from their staff.

3. Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, they are taking full advantage of the achievement. After all, you just used a lot of time and resources to complete a SOC 2 audit – why not use it in marketing materials and sales conversations?

One of the reasons why a SOC 2 attestation was so valuable to iPost is because it provided them with bigger, better sales opportunities. The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it. iPost knows their competitors and others in their industry are being pushed towards a SOC 2 audit, and their proactivity has paid off. When they received their SOC 2 report, they were immediately able to close deals that depended on a SOC 2 attestation, use that achievement in sales conversations, and incorporate it into their marketing strategy.

4. Continuing the SOC 2 Journey

Many of our clients have the same feeling after completing an audit for the first time: it was a difficult process, but one that helped their company. After completing a SOC 2 Type I audit, iPost headed towards the next step: a Type II audit. They know that the next audit will still be difficult, but by following remediation guidance, they plan to become as prepared as possible for the SOC 2 Type II audit. When asked what he would say to other organizations considering pursuing SOC 2 compliance, Kane said, “First, it’s not going to be as bad as you think it’s going to be, even if you feel strapped for time and resources. Second, you really can use it in a sales environment. Lastly, your auditor is not there to ‘get you’ – they’re there to help you!”

So, what makes a SOC 2 audit successful? If you’ve gained C-level support that cultivates a culture of compliance, if you see real change within your company that supports security and privacy standards, if you utilize your compliance in sales and marketing, and if you want to continue the SOC 2 compliance journey, then you know you’re making the most out of your compliance efforts.

Are you considering pursuing SOC 2 compliance, but don’t know if it applies to your business or where to start the process? Contact us today to talk through your compliance objectives.


SOC 2 vs. ISO 27001: Which One Do You Need?

SOC 2 and ISO 27001 audits are similar in intention; they both help organizations protect the data that they are responsible for. How are they different, though, and which one meets your organization’s needs?

What is a SOC 2 Audit?

A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s internal controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. The Trust Services Criteria are relevant to the services of organizations in these ways:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

The result of a SOC 2 audit is a report validating the organization’s commitment to delivering high quality, secure services to clients. This compliance can be a powerful market differentiator.

What is an ISO 27001 Audit?

ISO 27001 is the only internationally-accepted standard for governing an organization’s information security management system (ISMS). The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

The ISO 27001 standard regulates how organizations create and run an effective ISMS through policies and procedures and the associated legal, physical, and technical controls that support the organization’s information risk management processes. It’s vital that an ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.

Sections four through ten of the ISO 27001:2013 requirements provide the core guidelines for compliance with the standard.

  • Section 4: Context of the Organization
  • Section 5: Leadership
  • Section 6: Planning
  • Section 7: Support
  • Section 8: Operation
  • Section 9: Performance evaluation
  • Section 10: Improvement

Organizations may choose to perform an internal audit against the ISO 27001 standard and not pursue certification. As with many other frameworks, certification is possible but not mandatory. If your organization wants a professional, independent auditing firm to perform the ISO 27001 audit, be sure to perform due diligence to verify that the firm has the knowledge and expertise to do so. ISO 27001 certification does require an accredited certification body to issue the certification. Undergoing an ISO 27001 audit, even if certification isn’t pursued, can be an effective way to meet the requirements of your international business partners.

What Type of Compliance Do I Need?

No one wants to work with an at-risk vendor. Do you want to give consumers a reason to trust your services? Both ISO 27001 and SOC 2 compliance can help your organization maintain loyal clients and attract new ones, operate more efficiently, avoid fines for non-compliance or from breaches, and most importantly: assure clients that their sensitive data is protected. But which one meets your organization’s needs?

It all comes down to who your clients are, where your clients are, and what they require of you. If you are proactively pursuing compliance and the majority of your client base is in the United States, we recommend starting with a SOC 2 audit. If you are operating internationally or have a specific requirement from a client to undergo an ISO 27001 audit, then that internationally-accepted standard would be a better fit for your organization.

Both of these audits provide a competitive advantage that is priceless in today’s threat landscape. If you need help deciding which audit meets your organization’s needs, we are here to help. Contact us today.


Why Would a Healthcare Organization Need a SOC 2?

No one wants to work with an at-risk healthcare provider. If someone is looking to use your services, they want to know how secure your healthcare organization actually is. You may think that you have a secure healthcare organization, but does an auditor? With more and more healthcare security breaches being reported to the HHS, it’s more important than ever for covered entities and business associates to demonstrate their commitment to keeping protected health information (PHI) secure, providing quality healthcare services, and putting their patients’ well-being first. Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.

What is a SOC 2?

A SOC 2 is perfect for both covered entities and business associates that want to reassure their clients that their information is secure, available, and confidential. It’s become increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the healthcare organizations they work with have strong security postures.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

While the responsibilities of covered entities and business associates vary, typically a healthcare organization will choose to be evaluated against the security, availability, and confidentiality categories. If a client can’t be assured that you have reliable, secure processes for securing protected health information, why would they choose to work with you?

Why Should Healthcare Organizations Include the Privacy Category?

Aside from choosing the security, availability, and confidentiality categories, it might make sense for a healthcare organization to include the privacy category in their SOC 2 audit. Consider a doctor’s office – what’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and the list of medications that you’re on. What if the office shares that personal information with a marketing company so it can advertise new prescriptions to you? What if they share it with a research organization that’s conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with. By including the privacy category in your SOC 2 audit report, you’ll be able to ensure that your organization is handling client data in accordance with the commitments made in its privacy notice.

Benefits of SOC 2 Compliance for Healthcare Organizations

Undergoing a SOC 2 audit demonstrates that your healthcare organization is invested in providing secure services and remains committed not only to keeping PHI secure but also to ensuring that your patients receive quality healthcare services. Your reputation, business continuity, competitive advantage, branding, and most importantly, your patients’ health all depend on the quality and security of your systems and can benefit from SOC 2 compliance.

The healthcare industry is based on customer trust. If a client can’t trust your services, why would they choose to use them? If a patient is victimized as the result of your lack of due diligence, what would be the impact to their health and livelihood? If your organization suffers a data breach, the negative impact on your reputation would have a ripple effect. Once your healthcare organization has been successfully attacked and patients’ PHI has been exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, larger, educated prospects won’t want to work with you, lawsuits and fines will begin to surface, and patients could face life-threatening consequences. The continuity of your business and your patients’ well-being depend on securing your systems.

On the other hand, if you do pursue SOC 2 compliance and achieve attestation, your healthcare organization will have a new branding tool. You can market your organization as having reliable, secure services. There are many possible ways to incorporate your compliance into your branding, too. We always recommend that our clients leverage their compliance as marketing material, and we strive to help them find ways to do so.

When you partner with an auditing firm that educates you and performs a quality, thorough audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and are looking for a vendor with SOC 2 compliance.

Even with all of these benefits, you may be wondering what the penalties are of not pursuing SOC 2 compliance. These questions may help you understand the scope of implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your healthcare organization couldn’t secure their information?
  • What future sales would you lose if your healthcare organization suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

While the potential loss of business from a breach far outweighs the cost of SOC 2 compliance, a breach also poses potentially life-threatening consequences for patients. Isn’t that reason enough to pursue SOC 2 compliance? We think so. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.
