10:00 AM
Andrew Houshian
10 Steps to Assess SOC Maturity in SMBs

Facing a system and organization controls audit doesn't have to be stressful for small and midsize businesses if they follow these guidelines.

Preparing for a system and organization controls (SOC) compliance audit for the first time can be challenging. Many organizations, especially small to midsize businesses (SMBs), underestimate the level of planning and effort that goes into completing a successful SOC audit, adding to their security-related stress.

Without proper preparation, SMBs risk missing milestones and deadlines, which can result in additional fees to complete a SOC audit. Addressing these 10 questions can help an organization prevent delays, determine its level of preparedness to complete an audit, and hopefully limit unnecessary work and effort from process owners and employees critical to the business.

1. Risk assessment: Has a risk assessment been completed?
Risk assessments should be performed annually in order to effectively identify, manage, and mitigate risks. As part of the risk assessment process, the organization should review the effectiveness of its current controls environment as well as consider the implementation of additional controls to further strengthen its internal controls environment.

2. Risk mitigation: Has management identified, selected, and developed risk mitigation activities for the risks identified during the risk assessment?
After identifying and assessing the severity of each risk, management should determine the risk mitigation strategy to be used for each identified risk based on the organization's risk appetite. Management can use several different strategies including to accept the risk, mitigate the risk through the implementation of controls, transfer the risk to another organization, or avoid the risk by choosing to discontinue the associated process or removing the associated assets.

3. Control activities: Have control activities been identified, documented, and implemented to mitigate risks to an acceptable level that enables the organization to achieve its business objectives?
As part of the risk assessment process, controls within the environment are modified and implemented to mitigate critical vulnerabilities, deviations, and control gaps identified as part of the various evaluations performed (e.g., risk assessments, internal audits, vulnerability scans, etc.). Management should document their internal controls environment including identifying all key controls, who operates those controls, how often they operate, and the type of control each one is (e.g., manual, automated, preventive, detective, or corrective). The implementation of controls should be prioritized based on the organization's business objectives and goals.

4. Vendor management: Are vendor management and oversight procedures formally defined and documented?
Organizations should formally define and document a third-party vendor management process, reviewed annually, that specifies the steps for evaluating the risks associated with vendors and business partners. Monitoring and oversight procedures include holding periodic discussions and performing site visits with vendors, independently testing vendor controls, reviewing attestation reports over the services provided, and monitoring external communications, such as customer complaints.

5. Monitoring: Does management have monitoring activities in place to evaluate the effectiveness of the internal control activities?
Management should implement monitoring procedures that require a formally documented management review of the effectiveness of the internal controls environment annually. Control activities to review include internal audits, metric reporting, vulnerability assessments, corrective actions for identified deficiencies or deviations, physical and logical access reviews, vendor management reviews, attestation report reviews, and policy, compliance, control, and risk assessment reviews.

6. Control environment: Has management established key responsibilities, oversight structures, organization objectives, and a commitment to ethical values?
In order to effectively establish an organization's controls environment and motivate employees to follow the defined procedures regarding those controls, management should define and document in the employee handbook the responsibilities of its employees, especially those performing critical functions or tasks relating to the controls environment. If executive management exhibits a strong presence and positive tone to meet the organization's objectives, and displays good character and morale, its employees likely will too.

7. Defined processes: Have key processes and procedures been formally defined, communicated and distributed?
Regardless of size, an organization should prioritize formally documenting its key processes and procedures relevant to the business operations and objectives. Key process and data flow diagrams should be documented and updated as necessary, and should include processes and procedures relevant to IT, human resources, business operations and client services, transaction processing, privacy requirements, and storage and communication. Key policy and procedure documents, as well as process and data flow diagrams, should be easily accessible to employees, and any changes should be communicated in a timely manner.

8. System and asset identification: Has management identified key systems and assets required to provide its services to clients?
An asset listing that includes relevant systems, tools, applications, hardware, infrastructure, data, and people should be maintained by management, with documented owners and criticality levels assigned to each asset. Controls should then be identified and documented to ensure assets are appropriately protected and secured. Key security areas include configuration standards, identity and access management, intrusion-detection systems and intrusion-prevention systems, firewall and router rules, file integrity monitoring (FIM) software, incident response tracking, and data recovery.

9. Sufficiency of change control procedures: Has management defined and formally documented sufficient change control procedures, including addressing risks resulting from developer and promoter access not being segregated between people/teams?
A common struggle for many SMBs is the establishment of change control procedures that include segregating incompatible duties. Because of their size, it can be challenging to enforce a segregation of developer and promoter access. Where possible, separate environments for production, test, and development should be maintained, along with the ability to segregate those with access to develop code changes from those who implement them. If job roles cannot be appropriately segregated, the organization should consider a detective control such as implementing FIM software or reviewing change logs weekly for unauthorized changes.
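The detective control described in step 9 can be shown concretely: take a hash baseline of production files after each approved release, compare the live files against it, and reconcile every difference with the approved change tickets so the weekly review only has to look at changes nobody authorized. The script below is an added example written for this page; it is not code from the author or from A-LIGN. The file paths, file contents, and the ticket number CHG-0042 are constructed sample data, and the in-memory dictionaries stand in for a real filesystem walk and a real change-ticket export.

```python
import hashlib
from typing import Dict, List, Tuple

ChangeMap = Dict[str, str]  # path -> "added" | "modified" | "removed"


def sha256_hex(data: bytes) -> str:
    """Hash file content; the baseline stores digests only, never the files themselves."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot taken right after an approved release: path -> content digest."""
    return {path: sha256_hex(content) for path, content in files.items()}


def detect_changes(baseline: Dict[str, str], current_files: Dict[str, bytes]) -> ChangeMap:
    """Compare the live file set against the baseline and classify every difference."""
    current = build_baseline(current_files)
    changes: ChangeMap = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes


def reconcile(changes: ChangeMap, approved_changes: List[dict]) -> Tuple[ChangeMap, ChangeMap]:
    """Split detected changes into those covered by an approved change ticket and
    those nobody authorized. The unauthorized set is what the weekly review investigates."""
    covered = {path for ticket in approved_changes for path in ticket["files"]}
    approved: ChangeMap = {}
    unauthorized: ChangeMap = {}
    for path, kind in changes.items():
        target = approved if path in covered else unauthorized
        target[path] = kind
    return approved, unauthorized


def weekly_review(baseline: Dict[str, str], current_files: Dict[str, bytes],
                  approved_changes: List[dict]) -> Tuple[ChangeMap, ChangeMap]:
    """One review cycle: detect, then reconcile against the change log."""
    return reconcile(detect_changes(baseline, current_files), approved_changes)


# --- constructed sample data (hypothetical paths, contents and ticket id) ---
LAST_RELEASE = {
    "app/handlers.py": b"def handle(req):\n    return 'ok'\n",
    "app/config.yml": b"db_host: db.internal\nlog_level: info\n",
    "app/auth.py": b"def check(token):\n    return token == expected()\n",
}
CURRENT_PROD = {
    "app/handlers.py": b"def handle(req):\n    return 'ok v2'\n",      # changed under CHG-0042
    "app/config.yml": b"db_host: db.internal\nlog_level: debug\n",   # changed, no ticket
    "app/auth.py": b"def check(token):\n    return token == expected()\n",  # untouched
    "app/extra.py": b"print('temporary')\n",                          # new file, no ticket
}
APPROVED_CHANGES = [{"ticket": "CHG-0042", "files": ["app/handlers.py"]}]

if __name__ == "__main__":
    approved, unauthorized = weekly_review(build_baseline(LAST_RELEASE), CURRENT_PROD, APPROVED_CHANGES)
    for path, kind in approved.items():
        print(f"approved     {kind:<9} {path}")
    for path, kind in unauthorized.items():
        print(f"UNAUTHORIZED {kind:<9} {path}  <- investigate")
```

The baseline must be captured by someone other than the people who can promote code (or at least stored where they cannot edit it), and the approved-change export should come from the ticketing system rather than from the deployer; otherwise the control only re-checks the work of the same person it is meant to watch.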

10. Privacy: Has management established privacy policies and notices in accordance with applicable requirements, and are the privacy policies and notices communicated to data subjects?
Where personal information is collected, stored, transmitted, or processed by an organization, it is critical that the organization formally define and document both an internal privacy policy and procedures document, as well as a privacy notice meant for data subjects whose personal information is collected, stored, transmitted, or processed.

When SMBs prioritize preparing for a SOC audit, they increase their likelihood of finishing on time, staying within budget, improving efficiency during the testing phase, and reducing the number of additional auditor requests.


Andrew Houshian is an Associate Director/Practice Lead of SOC and Attestation Services at A-LIGN. Andrew's responsibilities include supporting and managing the completion and review of SOC and attestation reports, building out practice content and materials, publishing ...
