This article was written by Jessica Ramirez, Senior Consultant at FoxPointe Solutions.
Many organizations understand that SOC compliance has become an invaluable resource in providing assurance to your clients that you are doing everything possible to keep their data and systems safe in a world were threats of cyberattacks loom at every front.
Before you begin your process in engaging in a SOC Audit, it is important for an organization to understand the nuances of the SOC audit process when it comes to anticipating the areas of common deficiencies that auditors typically identified in first year clients.
User Deprovisioning Was Not Completed within a Timely Manner
Many client’s deficiencies in this area are due failure to remove or disable access to terminated users in a timely manner according to their company’s policies and procedures. To prevent this, make sure to have strong procedures in place to document the termination process. Following best practices, users’ access should be disabled immediately after departure and the organization should have a policy in place on timeliness of when the account should be removed.
Policy Acknowledgement and Security Training Were Not Completed
Many organizations overlook their processes on assuring that employees are completing their policy acknowledgment and security awareness training. Although it may seem small in stature, policies acknowledgment and security awareness trainings play a big role in assuring that employees in the organization understand the security procedures in place to protect the organization and customer data. There are many ways that that an organization can assure that its employees are completing their security training and policy acknowledge such as implementing a third-party module to automatically send notifications to employees as reminders to complete training and acknowledgements as well as tracking and documenting the process as well.
Lax Vulnerability Scanning
Organizations understand the importance having a vulnerability scanning tool in place, but the issue arises when there are lax procedures in place on how often they should perform the scans. Vulnerability scans are a proactive approach to helping organization identify weakness in their infrastructure. If possible, organizations should strive to have continuous vulnerability scanning to monitor every aspect of their network in order to remediate any critical issues identified.
The exceptions above are just a subset of many deficiencies that auditors find during a SOC audit. Depending on the size and nature of the organization, there is a possibility that other types of exceptions could be identified, but these represent the most common types of exceptions SOC auditors have come across during these engagements.