SOC 2 Certification. Your Security Passport.
By Cheri Hotman. Published May 9, 2021
The SolarWinds Breach
We’ve all heard about the recent SolarWinds breach, and for good reason. The massive software development company was hacked in 2019, leaving their clients vulnerable to attack. The company unknowingly sent out a software update this March with hidden malware embedded in it. Of their 33,000 clients, an estimated 18,000 downloaded and contracted the spyware making extremely valuable, highly sensitive information available to the hackers (Canales and Jibilian).
What Now?
The initial chaos has subsided, and the resounding question now is “how?” Surely a high-level company such as the one offering services to Fortune 500 companies and the U.S. Government would detect a breach in their system- right? Unfortunately, the answer isn’t quite so simple. Cybersecurity is a complex, multidimensional practice meant to protect against digital attacks. There are countless parts to it, but as a result of this breach, the importance of one particular part has been brought to light- SOC 2.
What Exactly is SOC 2?
SOC 2 is an intense cybersecurity, risk, and technical controls audit that must be performed by a CPA. It’s used to produce a report that provides either a green light or a bold, flashing red light in regard to the controls a company has set in place to protect the product/ service (and data) they offer. Companies use them to ensure their systems are secure and functioning properly, and potential clients use them to vet their vendors. Companies that have a CPA produce these reports make their company stand out by simplifying the process of deciding on a vendor, and make it cost-effective and confidence-building for potential clients.
There are two types of SOC 2 audits: Type 1, which determines whether a company’s cybersecurity and technical controls are designed appropriately as of a specific point of time (think: April 3, 2021- it could have been compromised the day before and could become compromised the day after, but this type of audit only attests to the date of the report). Next is Type 2, which measures a business’ control design and operation over a period of time (typically over the course of 12 months). Most companies and clients seek out Type 2 reports due to the detail and assurance made available. Here, more is more– companies and clients alike want little-to-no room for error in knowing the controls in place are reducing risk as they’re supposed to.
How to be Successful with SOC 2:
The SolarWinds breach has accounted for numerous companies seeking out their first SOC 2 report, which can be an overwhelming process. Fortunately, it doesn’t have to be daunting! SOC 2 is attainable for every company. First to know is that your commitment to managing your systems and risk will make or break the success of your SOC 2 audits, meaning it’s essential to have an ongoing program built into your company to effectively design and continuously monitor controls. The goal here is to be ready for an audit before the audit. Doing so leaves less room for failure, and results in less stress and scrambling to get things in place last-minute. There are several GRC tool options built to help you do this successfully! Use one to simply and continuously monitor your controls, communicate metrics, and produce evidence for it via documentation. As a part of these programs, you need to have corrective action processes for when you catch failures, because they will happen, and that’s okay- so long as you have a plan! Lastly, it is best to hire someone to help you design and run your control environment. Because it is an ongoing and complex process, this will save you time, hassle and error. Focus on what you excel at while allowing a SOC 2 expert to focus on what they do best- minimizing waste, guessing, and failures.
Words of Wisdom:
Although this is a completely attainable solution, there are a few things you’ll want to avoid when implementing your new SOC 2 program:
Published link: https://www.cb1security.com/soc-2-certification-your-security-passport/