Top 8 Challenges to Becoming SOC 2 Certified
Originally published on CloudOps’ blog.
Cyberattacks are growing in size, frequency, and scope. In the past year alone, the proportion of businesses targeted increased from 38% to 43%, with over a quarter experiencing five attacks or more (Hiscox Cyber Readiness Report 2021). The internet is still the Wild West when it comes to security.
Cybersecurity has traditionally been taken most seriously by organizations in the healthcare and financial sectors. With stringent compliance requirements in place, it is not uncommon for hefty fines to be levied against organizations that fail to safeguard sensitive patient and customer information. However, security is a concern in all kinds of industries.
As more and more businesses move to SaaS-based delivery models, customers want assurances the supply chains they depend on are protected. Hackers have recently been directing more attention towards the operations side of businesses, choosing blackmailing and disruptive attacks over stealing credit cards. JBS SA, the largest meat producer globally, was forced to shut down almost all its meat plants in Canada, the US, and Australia after a cyberattack in March 2021. As the Internet of Things grows, hackers will have access to a wider attack surface and more opportunities to disrupt businesses.
Cybersecurity needs to climb higher on the agenda of business leaders. A high-quality audit report can be the best way to ensure and prove secure tools and processes are in place. There are several audits organizations can pursue to demonstrate good practices. ISO 27001 is common globally, but SOC 2 is more common in the North American market for commercial enterprises. SOC 2 in some ways exceeds the controls of ISO 27001, particularly in mandating tests to demonstrate operating effectiveness over time. As such, SOC 2 has become the de facto North American standard for demonstrating mitigated and managed information-related risk.
SOC 2 (System and Organization Controls) is a system developed by the American Institute of Certified Public Accountants as an auditing procedure that defines criteria for securely managing customer services and data. It provides regular independent attestation of the controls an organization has implemented to continually mitigate information-related risk.
In short, an organization with a SOC 2 report from a CPA firm has demonstrated that its systems have been effectively designed and verified to keep data secure. A Type 1 report indicates an audit performed at a specific point in time. A Type 2 report covers a period of time and therefore ensures controls are followed routinely. Once attained, a report is valid for one year.
A SOC 2 audit provides organizations with an assurance they can securely operate customer services and manage customer data across technical and business areas. It ensures the traceability of operational transactions (routine event logging and monitoring and ticketing result in fully auditable systems), which reduces security and operational risk and provides the data to facilitate forensic analysis in the event it is required. It satisfies the needs of customers that require their mission-critical service suppliers to be SOC 2 compliant in order to maintain their own compliance.
SOC 2 audits report on a long list of controls that are based on five trust service criteria.
1. Security protects against unauthorized access, unauthorized disclosure, or damage to systems.
2. Availability keeps systems operational and available at a level that meets stated business objectives.
3. Processing integrity ensures systems perform in a predictable manner, free of accidental or unexplained errors.
4. Confidentiality protects confidential information throughout its life cycle, from collection and processing to disposal.
5. Privacy protects personal information, especially when captured from customers.
When pursuing a SOC 2 report, the Security criterion is always required; organizations may choose to be audited on one, several, or all of the other trust service criteria.
While important, SOC 2 compliance is not necessarily easy or straightforward to pursue. Here are eight challenges we’ve seen many organizations encounter on their SOC 2 journeys.
1. Defining which services are included in the system described in the SOC 2 report
The audit scope should ideally be limited to the systems and data that are essential to delivering the service(s) you wish to audit. While it may appear simple enough to include all your systems in the audit scope, there are potential ramifications for doing so. Are you including any (soon-to-be) deprecated legacy systems with technologies no longer supported by the vendor? Are you unnecessarily increasing the workload to manage and maintain these systems to the higher standards required by SOC 2? Are any of the ‘systems’ actually services delivered by external third parties? Don’t be afraid to rely on their SOC 2 report for applicable systems and controls (assuming it’s verified to be in good standing prior to your audit). Make sure the boundaries of the audit scope are clear.
2. Understanding control requirements
The individuals writing the controls (Compliance Managers, Auditors, etc.) are likely not those assessing and remediating compliance gaps. It is important that all parties are clear on each control requirement to prevent ‘misunderstandings’ from surfacing during audit interviews and becoming qualifications in your audit report. Lean on the expertise of your auditor to understand the criteria and control objectives and to design effective controls. If possible, enlist the services of a SOC 2 advisor like Securis to perform a gap analysis early on.
3. Competing priorities for human resources
Your business and operations don’t stop for audit preparation, and operational issues or working projects with tight deadlines and customer commitments will often take priority over performing gap analysis and remediation. Nonetheless, it is important to dedicate individuals (or at a minimum strictly enforce ‘other work’ reductions) when preparing for SOC 2. Otherwise, you risk a report noting control exceptions or a delay in the audit itself.
4. Consistent adherence to policy and process
Your adherence to policies and processes will be rigorously tested by the audit team. A failure (evidence of a policy or process not being followed) can have any number of causes, but it is often due to poor communication with stakeholders, policies and processes that are overly simple and leave gaps, policies and processes that are overly complicated and cause confusion, or insufficient time to iron out the kinks.
5. Complete and up-to-date documentation
Auditors will want to see up-to-date documentation of the design, infrastructure, software, data, and information used by the system being audited. Part of reducing security and operational risk is ensuring your systems are well documented (for example, solution architectures and network designs). Unfortunately, maintaining documentation is often an afterthought. As part of your change management process, consider making such documentation updates a prerequisite for approving a change.
6. Balanced focus on process and technology
Being prepared for a SOC 2 audit is about ensuring that you have policies and processes in place to meet the control requirements as well as technical solutions to support those policies and processes. All too often, technical teams focus on deploying a technology before thinking about its process. The result is a process that meets the needs of the technology, not the team.
7. Insufficient preparation
It is crucial to invest time to perform a gap analysis prior to beginning both your Type 1 and Type 2 audit periods. If you are performing a Type 1 audit, it is likely the first time your systems and processes are undergoing this level of scrutiny. It is better to understand and remediate the gaps you have in meeting the control requirements prior to your audit period. If you are performing a Type 2 audit, were your processes held together with bandaids when you crossed your Type 1 finish line? If so, you may find these same processes won’t stand the test of time and may fail you under the scrutiny of a long Type 2 audit period. In either case, identify the gaps early on — you will thank yourself later.
8. Understanding SOC 2 is a journey, not a destination
Attaining a SOC 2 audit report is a great achievement, but you should not view it as the ultimate end. Maintaining a valid SOC 2 Type 2 attestation means finding yourself in a continuous audit period. There should be no gaps in audit period coverage. Remaining SOC 2 compliant means consistently reevaluating and improving on your policies, processes, and tools. It is not a destination but a journey.
Managing an operations team has its challenges, especially when integrating security into DevOps practices. CloudOps Managed Services have undergone a SOC 2 audit and will help you along your SOC 2 journey. We partner with Securis for expertise in governance, information risk management, compliance, incident response, and other areas of cybersecurity technologies and services. Whatever your cloud or network setup, our experienced team will help you tackle your day-to-day operations in a secure and compliant manner. Contact us to learn how we can support your organization.