Dark Reading | Risk // Compliance
10/7/2019 10:00 AM
Andrew Houshian | Commentary

10 Steps to Assess SOC Maturity in SMBs

Facing a system and organization controls audit doesn't have to be stressful for small and midsize businesses if they follow these guidelines.

Preparing for a system and organization controls (SOC) compliance audit for the first time can be challenging. Many organizations, especially small to midsize businesses (SMBs), underestimate the level of planning and effort that goes into completing a successful SOC audit, adding to their security-related stress.

Without proper preparation, SMBs risk missing milestones and deadlines, which can result in additional fees to complete a SOC audit. Addressing these 10 questions can help an organization prevent delays, determine their level of preparedness to complete an audit, and hopefully limit unnecessary work and effort from process owners and employees critical to the business.

1. Risk assessment: Has a risk assessment been completed?
Risk assessments should be performed annually in order to effectively identify, manage, and mitigate risks. As part of the risk assessment process, the organization should review the effectiveness of its current controls environment and consider implementing additional controls to strengthen that environment further.

2. Risk mitigation: Has management identified, selected, and developed risk mitigation activities for the risks identified during the risk assessment?
After identifying and assessing the severity of each risk, management should determine the risk mitigation strategy to be used for each identified risk based on the organization's risk appetite. Management can choose among several strategies: accept the risk, mitigate it through the implementation of controls, transfer it to another organization, or avoid it by discontinuing the associated process or removing the associated assets.

3. Control activities: Have control activities been identified, documented, and implemented to mitigate risks to an acceptable level that enables the organization to achieve its business objectives?
As part of the risk assessment process, controls within the environment are modified and implemented to mitigate critical vulnerabilities, deviations, and control gaps identified by the various evaluations performed (e.g., risk assessments, internal audits, and vulnerability scans). Management should document its internal controls environment, including all key controls, who operates each control, how often it operates, and the type of control it is (e.g., manual, automated, preventive, detective, or corrective). The implementation of controls should be prioritized based on the organization's business objectives and goals.

4. Vendor management: Are vendor management and oversight procedures formally defined and documented?
Organizations should formally define and document a third-party vendor management process, reviewed annually, that specifies the steps for evaluating the risks associated with vendors and business partners. Monitoring and oversight procedures include holding periodic discussions and performing site visits with vendors, independently testing vendor controls, reviewing attestation reports over the services provided, and monitoring external communications, such as customer complaints.

5. Monitoring: Does management have monitoring activities in place to evaluate the effectiveness of the internal control activities?
Management should implement monitoring procedures that require a formally documented management review of the effectiveness of the internal controls environment annually. Control activities to review include internal audits, metric reporting, vulnerability assessments, corrective actions for identified deficiencies or deviations, physical and logical access reviews, vendor management reviews, attestation report reviews, and reviews of policies, compliance, controls, and risk assessments.

6. Control environment: Has management established key responsibilities, oversight structures, organization objectives, and a commitment to ethical values?
In order to effectively establish an organization's controls environment and motivate employees to follow the defined procedures regarding those controls, management should define and document in the employee handbook the responsibilities of its employees, especially those performing critical functions or tasks relating to the controls environment. If executive management exhibits a strong presence and positive tone to meet the organization's objectives, and displays good character and morale, its employees likely will too.

7. Defined processes: Have key processes and procedures been formally defined, communicated and distributed?
Regardless of size, an organization should prioritize formally documenting its key processes and procedures relevant to the business operations and objectives. Key process and data flow diagrams should be documented and updated as necessary, and should cover processes and procedures relevant to IT, human resources, business operations and client services, transaction processing, privacy requirements, and storage and communication. Key policy and procedure documents, as well as process and data flow diagrams, should be easily accessible to employees, and any changes should be communicated in a timely manner.

8. System and asset identification: Has management identified key systems and assets required to provide its services to clients?
Management should maintain an asset listing that includes relevant systems, tools, applications, hardware, infrastructure, data, and people, with a documented owner and criticality level assigned to each asset. Controls should then be identified and documented to ensure assets are appropriately protected and secured. Key security areas include configuration standards, identity and access management, intrusion-detection and intrusion-prevention systems, firewall and router rules, file integrity monitoring (FIM) software, incident response tracking, and data recovery.

9. Sufficiency of change control procedures: Has management defined and formally documented sufficient change control procedures, including addressing risks resulting from developer and promoter access not being segregated between people/teams?
A common struggle for many SMBs is the establishment of change control procedures that include segregating incompatible duties. Because of their size, it can be challenging to enforce a segregation of developer and promoter access. Where possible, separate environments for production, test, and development should be maintained, along with the ability to segregate those who develop code changes from those who implement them. If job roles cannot be appropriately segregated, the organization should consider a detective control such as implementing FIM software or reviewing change logs weekly for unauthorized changes.
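The detective control described above can be made concrete as a short weekly review: hash a file-integrity baseline, diff it against the current state, and reconcile every detected change against the approved change records for the review period. The script below is an added example, not code from the article or from A-LIGN; the file contents, ticket identifiers (CHG-1001 and so on), names, and dates are all constructed sample data, and the ticket fields (path, approved_on, implementer, approver) are an assumed shape for a change record. It also flags tickets where the same person implemented and approved a change, since that is the segregation-of-duties gap the control is meant to compensate for.

```python
"""Weekly change-log review as a compensating detective control.

Added example with constructed data. Compares a file-integrity baseline
against the current state and reconciles each change with the approved
change records for the review window.
"""
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map path -> SHA-256 of content. In practice the baseline is stored
    read-only and outside the path that developers or deployers can write to."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_baseline(baseline: dict, current: dict) -> list:
    """Return sorted (path, kind) pairs for modified, deleted and added files."""
    changes = []
    for path, digest in baseline.items():
        if path not in current:
            changes.append((path, "deleted"))
        elif current[path] != digest:
            changes.append((path, "modified"))
    for path in current:
        if path not in baseline:
            changes.append((path, "added"))
    return sorted(changes)


def reconcile(changes: list, approved: list, period_start: date, period_end: date) -> list:
    """Match each change to an approved record covering its path within the window.
    status is one of: authorized, unauthorized (no matching record),
    self-approved (only records where implementer == approver)."""
    findings = []
    for path, kind in changes:
        tickets = [t for t in approved
                   if t["path"] == path and period_start <= t["approved_on"] <= period_end]
        segregated = [t for t in tickets if t["implementer"] != t["approver"]]
        if not tickets:
            status, ticket = "unauthorized", None
        elif not segregated:
            status, ticket = "self-approved", tickets[0]["id"]
        else:
            status, ticket = "authorized", segregated[0]["id"]
        findings.append({"path": path, "change": kind, "status": status, "ticket": ticket})
    return findings


# Constructed sample data (hypothetical files, people and ticket ids).
BASELINE_FILES = {
    "app/main.py": b"print('v1')\n",
    "app/config.yaml": b"debug: false\n",
    "app/legacy.py": b"# old code\n",
}
CURRENT_FILES = {
    "app/main.py": b"print('v2')\n",          # changed under CHG-1001
    "app/config.yaml": b"debug: true\n",      # only ticket is outside the window
    "app/new_module.py": b"def f(): pass\n",  # no ticket at all
}
APPROVED_CHANGES = [
    {"id": "CHG-1001", "path": "app/main.py", "approved_on": date(2019, 10, 2),
     "implementer": "alice", "approver": "bob"},
    {"id": "CHG-1002", "path": "app/legacy.py", "approved_on": date(2019, 10, 3),
     "implementer": "carol", "approver": "carol"},   # same person on both sides
    {"id": "CHG-0990", "path": "app/config.yaml", "approved_on": date(2019, 9, 10),
     "implementer": "alice", "approver": "bob"},     # predates the review week
]


def weekly_review(period_start=date(2019, 9, 30), period_end=date(2019, 10, 6)) -> list:
    baseline = build_baseline(BASELINE_FILES)
    current = build_baseline(CURRENT_FILES)
    return reconcile(diff_baseline(baseline, current), APPROVED_CHANGES, period_start, period_end)


def needs_follow_up(findings: list) -> list:
    """Everything that is not cleanly authorized goes to the reviewer."""
    return [f for f in findings if f["status"] != "authorized"]


if __name__ == "__main__":
    for f in weekly_review():
        print(f"{f['status']:<13} {f['change']:<9} {f['path']}  ticket={f['ticket']}")
```

Running the sample reports the config change and the new module as unauthorized, the deletion under CHG-1002 as self-approved, and only the main.py change as authorized; the reviewer's weekly sign-off on that output is the evidence an auditor would expect for this control.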

10. Privacy: Has management established privacy policies and notices in accordance with applicable requirements, and are the privacy policies and notices communicated to data subjects?
Where personal information is collected, stored, transmitted, or processed by an organization, it is critical that the organization formally define and document both an internal privacy policy and procedures document and a privacy notice for the data subjects whose personal information it handles.

When SMBs prioritize preparing for a SOC audit, they increase their likelihood of finishing on time, staying within budget, improving efficiency during the testing phase, and reducing the number of additional auditor requests.


Andrew Houshian is an Associate Director/Practice Lead of SOC and Attestation Services at A-LIGN. Andrew's responsibilities include supporting and managing the completion and review of SOC and attestation reports, building out practice content and materials, publishing ...