By: Nirav Shah, Principal, IT Risk Assurance & Advisory Services
In 2020, as organizations adapted their workplaces in response to Covid-19, the foremost consideration was the health and safety of their workforce. Leadership then turned to how to conduct business day to day with a remote or flexible workforce while maintaining SOC 2 compliance. Protecting customer data and information in this setting calls for additional information security considerations: the underlying risks already existed, but their impact is amplified with a remote or flexible workforce.
Employees are one of an organization's greatest assets; however, many organizations struggle with employee awareness of information security policies and requirements. Examples of such policies include:
- Limiting the use of corporate resources and equipment for personal use to reduce the risk of compromising corporate resources.
- Verifying email sender domains so that spoofed messages carrying phishing lures or malware are not acted upon.
- Requiring passwords that are both complex and at least eight characters long, and that differ from those used for personal accounts.
- Not connecting mass storage devices, such as USB drives, to corporate equipment.
- Performing a full shutdown of devices at the end of the day, so that hard disk encryption actually protects the data: a device that is only locked or asleep keeps the decryption key in memory.
- Ensuring mobile device management (MDM) is configured on devices that access corporate data.
To ensure employees are aware of these requirements and apply them instinctively in their day-to-day practice, organizations must run internal awareness campaigns and share the results with their workforce.
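As an added example (not code from the original article), the following Python script shows what "verifying the sender domain" amounts to mechanically: it checks whether the visible From: domain is backed by a domain that passed SPF or DKIM according to the Authentication-Results header that a receiving mail server adds (the alignment check DMARC performs), and it flags a display name that advertises a trusted domain while the actual address sits on another domain. The three messages, their Authentication-Results values, and the domains example.com and example-c0m.net are constructed for illustration; the organizational-domain helper is a simplification that assumes no public-suffix list.

```python
"""Sender-domain verification: does the visible From: domain align with a
domain that actually passed SPF or DKIM, and is the display name trying to
impersonate a trusted domain? Added illustrative example, not from the
original article."""
from __future__ import annotations

import email
import re
from email import policy


def org_domain(domain: str) -> str:
    """Approximate the organizational domain by keeping the last two labels.
    Assumption: no public-suffix list is used, so 'example.co.uk' would be
    reduced to 'co.uk'; a production check should consult the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def authenticated_domains(auth_results: str) -> set[str]:
    """Return the domains that passed DKIM (header.d=) or SPF (smtp.mailfrom=)
    according to an Authentication-Results header value."""
    found: set[str] = set()
    for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", auth_results, re.I):
        found.add(m.group(1).lower())
    for m in re.finditer(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)",
                         auth_results, re.I):
        found.add(m.group(1).lower())
    return found


def check_sender(raw_message: str, trusted_domains: set[str]) -> dict:
    """Classify a message as 'pass' or 'suspect'. trusted_domains holds the
    organizational domains (lowercase) the recipient considers its own."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg.get("From")
    addresses = from_header.addresses if from_header is not None else ()
    if not addresses:
        return {"verdict": "suspect", "reason": "no From address"}
    addr = addresses[0]
    from_domain = addr.domain.lower()
    display = addr.display_name.lower()

    passed = authenticated_domains(str(msg.get("Authentication-Results", "")))
    # DMARC-style relaxed alignment: the From: domain must share its
    # organizational domain with a domain that passed SPF or DKIM.
    aligned = any(org_domain(d) == org_domain(from_domain) for d in passed)
    # Display-name impersonation: the name advertises a trusted domain but the
    # real address domain is something else (for example a lookalike domain).
    impersonation = (
        any(t in display for t in trusted_domains)
        and org_domain(from_domain) not in trusted_domains
    )
    verdict = "pass" if aligned and not impersonation else "suspect"
    return {
        "from_domain": from_domain,
        "authenticated": sorted(passed),
        "aligned": aligned,
        "display_name_impersonation": impersonation,
        "verdict": verdict,
    }


# Constructed sample messages (illustrative only; domains are placeholders).
LEGIT = """\
From: Payroll <payroll@example.com>
To: staff@example.com
Subject: March pay slips
Authentication-Results: mx.example.com;
 dkim=pass header.d=example.com header.i=@example.com;
 spf=pass smtp.mailfrom=payroll@example.com

Your pay slip is attached.
"""

LOOKALIKE = """\
From: "CEO - example.com" <ceo@example-c0m.net>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com;
 dkim=pass header.d=example-c0m.net;
 spf=pass smtp.mailfrom=bounce@example-c0m.net

Please send the wire today.
"""

UNAUTHENTICATED = """\
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Password reset required
Authentication-Results: mx.example.com;
 dkim=none;
 spf=fail smtp.mailfrom=helpdesk@example.com

Click the link to reset your password.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                      ("unauthenticated", UNAUTHENTICATED)]:
        print(name, check_sender(raw, {"example.com"}))
```

The lookalike message is the case that a "check the sender" instruction to employees is meant to catch: its SPF and DKIM results are genuine, but for the attacker's own domain, so only the comparison against the organization's trusted domain and the display name exposes it. The unauthenticated message shows the opposite failure, a trusted From: domain with no authentication behind it.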
From a technology perspective there is no one-size-fits-all solution; the right controls depend on the industry and the infrastructure operated. A risk assessment should be the first step, to identify the most likely and most impactful risks to the organization. Maintaining appropriate and consistent configurations is key to protecting customer data and information. Examples of controls that can limit exposure to security risks include:
- Implementing firewalls that permit only approved types of traffic and deny everything else by default.
- Requiring two-factor authentication for users connecting to systems that hold customer data and information.
- Applying updates and patches consistently to remediate known vulnerabilities.
- Commissioning application and network penetration tests and vulnerability assessments from an experienced vendor.
- Maintaining an automated asset inventory.
- Implementing intrusion detection or prevention tooling that monitors and alerts the organization.
As organizations identify the right audit partner for their SOC 2 needs, they should consider years of experience, knowledge of similar technologies, availability and responsiveness for questions and clarifications, and a clear understanding of how the audit partner can add value to the organization year round.
The Hancock Askew risk and advisory services team specializes in SOC 2 reporting and IT audits for organizations ranging from start-ups to large multinationals with a mature security posture. Its practice leaders each have over 15 years of industry experience and have successfully guided many organizations through the SOC 2 process.
Based in Georgia and Florida, Hancock Askew & Co. is a full-service tax, audit, accounting and advisory firm with more than 200 professionals. Hancock Askew also provides advisory services such as internal audit, IT risk assurance, SOC examinations, transaction advisory, business valuations and other critical business consulting services.