How do you prepare for a SOC 2® audit? Many businesses look to Pratum for help with SOC 2®, so we put together this overview to help provide insight into our process. We also discuss what YOU need to do to prepare for a successful SOC 2® report.
SOC 2® is an externally validated report. Companies are often asked by their clients to provide some form of cybersecurity compliance report to prove they have adequate security controls in place to protect data/information shared between the two organizations.
SOC 2® reports must be completed by an AICPA firm. The CPA will conduct the audit over several months and deliver the report at the end. There are two Types of SOC 2® reports, Type I and Type II. Type I examines the design of controls at a specific point in time. Type II assesses the operating effectiveness of controls over a period of time.
Once you decide to pursue SOC 2®, there are a few things to keep in mind before getting started. You need to first determine if you want assistance preparing for the audit. Pratum offers readiness assessments to examine whether your business is adequately prepared for a SOC 2® engagement. And where businesses fall short of preparedness, we assist them in getting there.
One big misconception about SOC 2® is the amount of time it will take. While this varies depending on your business’s size and the scope of the audit, the typical Type II audit usually takes a minimum of 8 months for the entirety of the engagement. This includes the opinion period, audit fieldwork, and time for the auditors to develop and deliver the report. The readiness process with Pratum before the audit can also take an additional 2 to 3 months, depending on the preparedness of the company. If your company is looking for a quicker turnaround, starting with a Type I audit may be the best path.
At Pratum, we have a process established to make the experience smoother for you. Here’s a brief overview of what you can expect from the first call to the final report.
During the initial conversations, our Client Engagement team will get to know your business and walk you through the basics of a SOC 2® report. A consultant may also join the call to ask more detailed questions and help with scoping the engagement. Some initial questions include:
After we compile the information from discovery, we build the customized SOC 2® completion plan for your business. This includes the details for the readiness process, the cost, and a timeline for the work.
Once the Statement of Work is signed, we can begin the process of preparing your company for a SOC 2®. This includes gathering more information that will be included in the SOC 2® and a list of who within your organization needs to be prepared for the process. Your lead consultant will hold a kick-off call with your team to discuss the process, set expectations and answer any initial questions. Pratum will request any supporting documentation you have at this time. And a consultant will be assigned to your project based on your SOC 2® needs and their expertise.
The fieldwork during your SOC 2® preparation is how we get a first-hand look at the work ahead. During the fieldwork phase, interviews are conducted with your staff, and current security controls are reviewed to determine maturity level. Where any gaps are identified, the consultant will provide guidance on what should be in place, and how to get there. This is more than just a yes or no Q&A; it is a conversation. Your consultant will ask detailed questions to fully understand the operations and needs of the organization. At the end of the engagement, Pratum will deliver a control listing with the status of each control, supporting documentation and audit evidence needed, as well as recommendations where appropriate.
After preparation for the audit is complete and your company and Pratum feel confident in your readiness, the ‘as of’ date for a Type I audit can be set or the opinion period can begin for a Type II. Most audit firms prefer a minimum of a 6-month opinion period for a Type II audit. If you haven’t selected a CPA firm to perform the audit yet, Pratum can provide recommendations of firms with whom we have close relationships. If you already have a firm in mind, we’re happy to work with the auditor of your choice as well. The earlier you can get the auditors involved, the better.
During fieldwork of the audit, your Pratum consultant will engage with the auditors to answer any questions and help mediate any concerns that may arise. Your consultant is there as a representative for YOUR organization and will ensure the auditors stay within scope and reason. The fieldwork for the audit can take several months to complete. The more prepared and dedicated your team, the faster the process will go and the sooner you will receive the report.
Once you complete your SOC 2® report, the work isn’t finished. You will need to keep up with yearly audits to re-validate your controls. The best way to ensure continual compliance is to maintain your security standards and evaluate and adapt to any changes within your business. SOC 2® isn’t a one and done. Continual monitoring and activity are needed to ensure success.
Preparing for a SOC 2® may seem daunting, but it doesn’t have to be! Pratum is ready to help make the process less stressful for you. To learn more, contact Pratum today.
An employee’s first day presents them with a flood of new information—and delivers with it a message of what the company values most. In a few quick hours, an employee receives directions about when to start work each day, which technology communication platform to use, what to wear and more. But where does cybersecurity land on your organization’s priority list? Is it talked about on the first day?
Information security policies and procedures should be an onboarding priority for every Human Resource (HR) department. And a strong relationship with the IT department will help HR develop and implement a productive, consistent onboarding process that prioritizes your business’s cybersecurity practices. Here’s how you can begin fostering a cybersecure work environment from the moment the offer letter is signed.
Create an “onboarding checklist” that includes the tasks of everyone involved in the process. This reduces the risk of making common security mistakes and may be vital in maintaining your company’s compliance.
After the employee clears the background check and arrives for their first day, it is time to explain and complete a few critical documents. Many compliance audits require these, so follow accurate filing and tracking procedures.
Confidentiality (or Non-Disclosure) Agreements
Employees gain access to various levels of sensitive and confidential company information such as company trade secrets, client information, financials, and employee lists. It is your responsibility to define which information is classified as confidential and communicate how employees are to handle the information.
Information Security Policies
The onboarding process provides a great opportunity to introduce key information security topics to employees. It is very important for employees to read and understand any information security policies your organization has that will be pertinent to their specific role. Employees should sign and acknowledge these policies on their first day of employment.
Bring Your Own Device Contract
If your employees access company data through their personal devices, a Bring Your Own Device (BYOD) contract, though not required, is best practice. A BYOD contract can help protect sensitive company information if a device is lost or stolen. It enables your company to enforce security controls such as password protection and remote wiping of sensitive information. These security functions are necessary for companies to ensure data confidentiality, security, and integrity.
The moment an employee receives access to the company network, cybersecurity becomes part of their responsibility. By providing information security awareness and training you can deliver insight into real world cyberthreats and explain why policies are in place, what consequences come with not following them, and whom to contact with compliance or security questions. Don’t rush through this process. Taking the time to stress the importance of cybersecurity produces vigilant employees who actively participate in protecting your organization.
Best practices suggest using a concept called “least privileged access,” which means users receive access to only the information needed to do their specific job and no more. A process known as provisioning user access ensures proper configuration of each user’s least privileged access. The following controls help with this process:
Provisioning user access should be accurate and consistent across all new hires – especially if your company is subject to compliance requirements such as SOC 2, HITRUST, ISO 27001, etc.
Consider the relationship between HR and IT during onboarding (and beyond). An effective onboarding checklist is consistent and clearly communicates expectations for each person involved in the process. This alleviates many of the risks that can be introduced by missing important onboarding processes. And it ensures proper provisioning and information security practices are being followed.
If you’re ready to evaluate your current HR processes and implement an improved set of industry standard cyber security practices, reach out to a Pratum representative today!
Quality cybersecurity team members are hard to find in today’s market, which has led many organizations to consider engaging a virtual chief information security officer (vCISO) to lead their strategy. Engaging a fractional vCISO solves many of the issues that accompany hiring a full-time employee, by letting you sidestep soaring salaries, high turnover and competition for the best talent.
But just as with any professional service, the market is full of people who market themselves as a vCISO without having the qualifications you want in an executive-level leader guiding your cybersecurity program. In this blog, we summarize key traits to look for to ensure that you choose a vCISO qualified to set a strategy that’s cost-effective, efficient and in line with relevant compliance frameworks.
Cybersecurity strategy must align with your overall business goals. So you’ll want a vCISO who truly understands how your organization makes money, what makes it different from competitors and where leadership wants to go. Benchmarking your status against other organizations within your industry can be beneficial. But if you get the sense that a vCISO candidate delivers the same templated advice to every client, keep shopping.
Certifications are meaningful and a good differentiator among candidates. But hands-on experience trumps training between two similar-sounding vCISOs. If a vCISO has worked on an in-house security team before, they have firsthand knowledge of selling ideas to executives, working within budgets and getting team members to catch the security vision.
Nearly every job listing throws this requirement in at the end. But with a vCISO, it’s mission-critical. A vCISO typically serves as the liaison between the IT leaders and the C-suite and sometimes the board of directors. They need to be able to make the business case for security investments in plain English. The vCISO will also represent you with auditors and regulators, so your success often rides on their ability to build relationships and persuasively explain your position.
No single company or industry has a monopoly on best practices for cybersecurity. So the best vCISOs have worked in multiple areas, giving them broad exposure to ideas they can apply to your situation.
Much of your cybersecurity strategy will focus on preparing an incident response plan and effectively dealing with breaches when they happen. Find out how much your potential vCISO has worked in this area. Ask for specific examples of when they’ve handled a breach.
A vCISO will help you choose one core information security framework to guide your strategy. NIST 800-171 is one of the most popular, for example. But your specific business and industry may point you to another framework. Your vCISO should have broad expertise in following several widely accepted frameworks.
Some industries, such as healthcare and banking/finance, have significant requirements under regulations such as HIPAA or Sarbanes-Oxley. And nearly every organization has to understand its obligations for laws governing handling of personally identifiable information (PII) or credit card information (covered by PCI-DSS). Your vCISO should be able to accurately determine your requirements and help you meet them.
Hackers change tactics constantly, and lawmakers pass new information security regulations every year. Your vCISO should be on top of an ever-changing industry. If they only talk about threats and tactics from 10 years ago, that’s a red flag.
The fee for quality vCISO service should include staples such as an annual risk assessment; an annual tabletop exercise; regular meetings with your team; and more. The vCISO isn’t just on call when you need them. They set the agenda and manage annual milestones in your program.
Part of a Team
A one-person vCISO operation can bring a wealth of insight—but they’re still just one person. If you choose a vCISO who works within a larger organization, they can tap the knowledge of other vCISOs around them. And in a dedicated information security firm like Pratum, vCISOs have access to experts from the digital forensics team and SOC team when they need it.
Pratum's team of vCISOs is ready to talk about their work in all of the areas covered in this blog.
If you need help with your cybersecurity strategy, contact us today.