Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


10:00 AM
Andrew Houshian
Andrew Houshian
Connect Directly
E-Mail vvv

10 Steps to Assess SOC Maturity in SMBs

Facing a system and organization controls audit doesn't have to be stressful for small and midsize businesses if they follow these guidelines.

Preparing for a system and organization controls (SOC) compliance audit for the first time can be challenging. Many organizations, especially small to midsize businesses (SMBs), underestimate the level of planning and effort that goes into completing a successful SOC audit, adding to their security-related stress.

Without proper preparation, SMBs risk missing milestones and deadlines, which can result in additional fees to complete a SOC audit. Addressing these 10 questions can help an organization prevent delays, determine their level of preparedness to complete an audit, and hopefully limit unnecessary work and effort from process owners and employees critical to the business.

1. Risk assessment: Has a risk assessment been completed?
Risk assessments should be performed annually in order to effectively identify, manage, and mitigate risks. As part of the risk assessment process, the organization should review the effectiveness of their current controls environment as well as consider the implementation of additional controls to further strengthen their internal controls environment.

2. Risk mitigation: Has management identified, selected, and developed risk mitigation activities for the risks identified during the risk assessment?
After identifying and assessing the severity of each risk, management should determine the risk mitigation strategy to be used for each identified risk based on the organization's risk appetite. Management can use several different strategies including to accept the risk, mitigate the risk through the implementation of controls, transfer the risk to another organization, or avoid the risk by choosing to discontinue the associated process or removing the associated assets.

3. Control activities: Have control activities been identified, documented, and implemented to mitigate risks to an acceptable level that enables the organization to achieve its business objectives?
As part of the risk assessment process, controls within the environment are modified and implemented to mitigate critical vulnerabilities, deviations, and control gaps identified as part of the various evaluations performed (e.g., risk assessments, internal audits, vulnerability scans, etc.). Management should document their internal controls environment including identifying all key controls, who operates those controls, how often they operate, and the type of control each one is (e.g., manual, automated, preventive, detective, or corrective). The implementation of controls should be prioritized based on the organization's business objectives and goals.

4. Vendor management: Are vendor management and oversight procedures formally defined and documented?
Organizations should formally define and document a third-party vendor management process annually that specifies the steps for evaluating the risks associated with vendors and business partners. Monitoring and oversight procedures include holding periodic discussions and performing site visits with vendors, independently testing vendor controls, reviewing attestation reports over services provided and monitoring external communications, such as customer complaints.

5. Monitoring: Does management have monitoring activities in place to evaluate the effectiveness of the internal control activities?
Management should implement monitoring procedures that require a formally documented management review on the effectiveness of the internal controls environment annually. Control activities to review include internal audits, metric reporting, vulnerability assessments, corrective actions for identified deficiencies or deviations, physical and logical access reviews, vendor management reviews, attestation report reviews and policy, compliance, and control and risk assessment reviews.

6. Control environment: Has management established key responsibilities, oversight structures, organization objectives, and a commitment to ethical values?
In order to effectively establish an organization's controls environment and motivate employees to follow the defined procedures regarding those controls, management should define and document the responsibilities of its employees, especially those performing critical functions or tasks relating to the control's environment in the employee handbook. If executive management exhibits a strong presence and positive tone to meet the organization's objectives, and displays good character and morale, its employees likely will too.

7. Defined processes: Have key processes and procedures been formally defined, communicated and distributed?
Regardless of size, an organization should prioritize formally documenting its key processes and procedures relevant to the business operations and objectives. Key process and data flow diagrams should be documented and updated as necessary, and should include processes and procedures relevant to IT, human resourcing, business operations and client services, transaction processing, privacy requirements, and storage and communication. Key policies and procedure documents, as well as process and data flow diagrams, should be easily accessible to employees and any changes should be communicated in a timely manner.

8. System and asset identification: Has management identified key systems and assets required to provide its services to clients?
An asset listing that includes relevant systems, tools, applications, hardware, infrastructure, data and people should be maintained by management with documented owners and criticality levels assigned to each asset. Controls should then be identified and documented to ensure assets are appropriately protected and secured. Key security areas include configuration standards, identify access management, intrusion-detection systems and intrusion-prevention systems, firewall and router rules, file integrity monitoring (FIM) software, incident response tracking, and data recovery.

9. Sufficiency of change control procedures: Has management defined and formally documented sufficient change control procedures, including addressing risks resulting from developer and promoter access not being segregated between people/teams?
A common struggle for many SMBs is the establishment of change control procedures that include segregating incompatible duties. Because of size, it can be challenging to enforce a segregation of developer and promoter access. Where possible, separate environments for production, test, and development should be maintained, as well as the ability to segregate those with access to develop and implement code changes. If job roles cannot be appropriately segregated, the organization should consider a detective control such as the implementation of a FIM software or reviewing change logs weekly for unauthorized changes.

10. Privacy: Has management established privacy policies and notices in accordance with applicable requirements, and are the privacy policies and notices communicated to data subjects?
Where personal information is collected, stored, transmitted, or processed by an organization, it is critical that the organization formally define and document both an internal privacy policy and procedures document, as well as a privacy notice meant for data subjects whose personal information is collected, stored, transmitted, or processed.

When SMBs prioritize preparing for a SOC audit, it increases their likelihood of finishing on time, staying within budget, increasing the efficiency during the testing phase, and decreasing the amount of additional auditor requests.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage.'"

Andrew Houshian is an Associate Director/Practice Lead of SOC and Attestation Services at A-LIGN. Andrew's responsibilities include supporting and managing the completion and review of SOC and attestation reports, building out practice content and materials, publishing ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/31/2020
Block/Allow: The Changing Face of Hacker Linguistics
Seth Rosenblatt, Contributing Writer,  7/27/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-31
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a ma...
PUBLISHED: 2020-07-31
There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.
PUBLISHED: 2020-07-31
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains mali...
PUBLISHED: 2020-07-31
VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are a...
PUBLISHED: 2020-07-31
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the ...