Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


10:00 AM
Andrew Houshian
Andrew Houshian
Connect Directly
E-Mail vvv

10 Steps to Assess SOC Maturity in SMBs

Facing a system and organization controls audit doesn't have to be stressful for small and midsize businesses if they follow these guidelines.

Preparing for a system and organization controls (SOC) compliance audit for the first time can be challenging. Many organizations, especially small to midsize businesses (SMBs), underestimate the level of planning and effort that goes into completing a successful SOC audit, adding to their security-related stress.

Without proper preparation, SMBs risk missing milestones and deadlines, which can result in additional fees to complete a SOC audit. Addressing these 10 questions can help an organization prevent delays, determine their level of preparedness to complete an audit, and hopefully limit unnecessary work and effort from process owners and employees critical to the business.

1. Risk assessment: Has a risk assessment been completed?
Risk assessments should be performed annually in order to effectively identify, manage, and mitigate risks. As part of the risk assessment process, the organization should review the effectiveness of their current controls environment as well as consider the implementation of additional controls to further strengthen their internal controls environment.

2. Risk mitigation: Has management identified, selected, and developed risk mitigation activities for the risks identified during the risk assessment?
After identifying and assessing the severity of each risk, management should determine the risk mitigation strategy to be used for each identified risk based on the organization's risk appetite. Management can use several different strategies including to accept the risk, mitigate the risk through the implementation of controls, transfer the risk to another organization, or avoid the risk by choosing to discontinue the associated process or removing the associated assets.

3. Control activities: Have control activities been identified, documented, and implemented to mitigate risks to an acceptable level that enables the organization to achieve its business objectives?
As part of the risk assessment process, controls within the environment are modified and implemented to mitigate critical vulnerabilities, deviations, and control gaps identified as part of the various evaluations performed (e.g., risk assessments, internal audits, vulnerability scans, etc.). Management should document their internal controls environment including identifying all key controls, who operates those controls, how often they operate, and the type of control each one is (e.g., manual, automated, preventive, detective, or corrective). The implementation of controls should be prioritized based on the organization's business objectives and goals.

4. Vendor management: Are vendor management and oversight procedures formally defined and documented?
Organizations should formally define and document a third-party vendor management process annually that specifies the steps for evaluating the risks associated with vendors and business partners. Monitoring and oversight procedures include holding periodic discussions and performing site visits with vendors, independently testing vendor controls, reviewing attestation reports over services provided and monitoring external communications, such as customer complaints.

5. Monitoring: Does management have monitoring activities in place to evaluate the effectiveness of the internal control activities?
Management should implement monitoring procedures that require a formally documented management review on the effectiveness of the internal controls environment annually. Control activities to review include internal audits, metric reporting, vulnerability assessments, corrective actions for identified deficiencies or deviations, physical and logical access reviews, vendor management reviews, attestation report reviews and policy, compliance, and control and risk assessment reviews.

6. Control environment: Has management established key responsibilities, oversight structures, organization objectives, and a commitment to ethical values?
In order to effectively establish an organization's controls environment and motivate employees to follow the defined procedures regarding those controls, management should define and document the responsibilities of its employees, especially those performing critical functions or tasks relating to the control's environment in the employee handbook. If executive management exhibits a strong presence and positive tone to meet the organization's objectives, and displays good character and morale, its employees likely will too.

7. Defined processes: Have key processes and procedures been formally defined, communicated and distributed?
Regardless of size, an organization should prioritize formally documenting its key processes and procedures relevant to the business operations and objectives. Key process and data flow diagrams should be documented and updated as necessary, and should include processes and procedures relevant to IT, human resourcing, business operations and client services, transaction processing, privacy requirements, and storage and communication. Key policies and procedure documents, as well as process and data flow diagrams, should be easily accessible to employees and any changes should be communicated in a timely manner.

8. System and asset identification: Has management identified key systems and assets required to provide its services to clients?
An asset listing that includes relevant systems, tools, applications, hardware, infrastructure, data and people should be maintained by management with documented owners and criticality levels assigned to each asset. Controls should then be identified and documented to ensure assets are appropriately protected and secured. Key security areas include configuration standards, identify access management, intrusion-detection systems and intrusion-prevention systems, firewall and router rules, file integrity monitoring (FIM) software, incident response tracking, and data recovery.

9. Sufficiency of change control procedures: Has management defined and formally documented sufficient change control procedures, including addressing risks resulting from developer and promoter access not being segregated between people/teams?
A common struggle for many SMBs is the establishment of change control procedures that include segregating incompatible duties. Because of size, it can be challenging to enforce a segregation of developer and promoter access. Where possible, separate environments for production, test, and development should be maintained, as well as the ability to segregate those with access to develop and implement code changes. If job roles cannot be appropriately segregated, the organization should consider a detective control such as the implementation of a FIM software or reviewing change logs weekly for unauthorized changes.

10. Privacy: Has management established privacy policies and notices in accordance with applicable requirements, and are the privacy policies and notices communicated to data subjects?
Where personal information is collected, stored, transmitted, or processed by an organization, it is critical that the organization formally define and document both an internal privacy policy and procedures document, as well as a privacy notice meant for data subjects whose personal information is collected, stored, transmitted, or processed.

When SMBs prioritize preparing for a SOC audit, it increases their likelihood of finishing on time, staying within budget, increasing the efficiency during the testing phase, and decreasing the amount of additional auditor requests.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage.'"

Andrew Houshian is an Associate Director/Practice Lead of SOC and Attestation Services at A-LIGN. Andrew's responsibilities include supporting and managing the completion and review of SOC and attestation reports, building out practice content and materials, publishing ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
Octeth Oempro 4.7 allows SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
PUBLISHED: 2019-12-12
make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type.
PUBLISHED: 2019-12-12
The Work Time Calendar app before 4.7.1 for Jira allows XSS.
PUBLISHED: 2019-12-12
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
PUBLISHED: 2019-12-12
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from th...