A clean SOC 2 audit report assures customers that their data is secure with your organization. But failing to pass a SOC 2 audit, or receiving a qualified report, can scare customers away.
The difference between maintaining customers or losing them depends on whether you comply with the Service Organization Controls (SOC) set by the American Institute of Certified Public Accountants (AICPA).
SOC 2 audits review the controls in place at a service organization relevant to the following five trust service principles, or criteria, as outlined by the AICPA:
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage that could compromise the availability, integrity, confidentiality, and privacy of that information or those systems.
- Availability: Information and systems are available for operation and use.
- Processing integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of properly.
Though access to a SOC 2 report is limited to the service organization and its customers, it can be used for such important purposes as:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Passing a SOC 2 audit is particularly important if you are a large banking, retail, healthcare, or software as a service (SaaS) company that is responsible for your clients’ data. Customers want verification that you’re protecting their data, especially as losses from data breaches mount.
A clean SOC report is not a given, however. Your organization must prove that you have the required protections in place. Don’t let these common pitfalls derail your SOC 2 audit.
1) Lack of Support
You may have the best policies and procedures written, but if you don’t have all relevant parties following them, they do you no good. Your auditors will want proof that your team adheres to your standards.
Confirm that your team understands your security plan and each of its components. Stress the importance of following the plan, as well. Explain how a data breach could devastate your company, noting the financial and reputational damages that could result.
Prepare to demonstrate that procedures are being followed. For example, share logs that track access to secured areas.
2) Unsecured External Communication
Protecting data-in-flight is vital in ensuring that your sensitive data is secure while in transit. If 3rd party vendors are not using SFTP, TLS 1.1 (or greater), or other secure methods, your data could be stolen at any time.
Unfortunately, 11 percent of internet hosts still support TLS’s predecessor, SSL 3.0. This protocol is now prohibited by the Internet Engineering Task Force (IETF), according to The 2017 TLS Telemetry report, which was based on a sampling of more than 20 million SSL/TLS hosts worldwide. Eighteen percent of HTTP page loads are clear text, researchers noted.
Avoid potential problems with your SOC 2 audit by ensuring that your data is secure while in transit.
3) No Clear Separation of Duties
Data could be at risk if access to it is not clearly delineated. You should document your policy for data access, apportioning privileges so that no single person has too much control, thus creating separate duties.
In Recommendation for Key Management – Part 2, the National Institute of Standards and Technology (NIST) defines “separation of duties” as “A security principle that divides critical functions among different staff members in an attempt to ensure that no one individual has enough information or access privilege to perpetrate damaging fraud.”
Auditors will want to confirm that you have separated duties per your policy.
4) Poor Documentation
Documentation is the key to explaining how your security program works, according to a SearchSecurity article on surviving an audit. Auditors will review and measure your security program based on the documents you provide.
Don’t make auditors hunt for commonly requested audit documents such as operational procedures, network and system diagrams, process charts, or logs. SearchSecurity suggests compiling documentation in an easy-to-use binder to smooth your SOC 2 audit.
5) Competing Priorities
Business doesn’t stop for an audit, but compliance is important and requires dedicated attention.
If competing priorities pull you away from the SOC 2 audit, the resulting delays could derail the project. Ensure that you respond to auditors’ requests in a timely manner by assigning team members to the audit. Adjust their other responsibilities accordingly for the duration of the project.
A clean SOC 2 report can help you attract and retain clients by assuring them that their data is secure. Don’t let these mistakes cost you business by derailing your audit.