5 Key Security Controls That Should Be in Your SOC 2
You want to grow your business, but your customers want to be sure that you have taken steps to prevent unauthorized access to their sensitive data and personal information. One effective way to demonstrate that your organization has the right security controls in place is through a Service Organization Control 2 (SOC 2).
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is an auditing procedure that checks the security controls that service providers and third parties have in place. The SOC 2 report provides an overview of how companies manage customer data based on five categories of trust: security, availability, processing integrity, confidentiality and privacy. Achieving a SOC 2 attestation means that you have demonstrated that your security controls are effectively designed.
What are some of the important security controls that should be included in your SOC 2? Here are five important considerations:
1. Data Access
It’s important to assess the amount and the critical nature of the data that employees can access. For example, an HR manager who interacts with outside entities may not have the right training to identify a phishing attempt, and so should not necessarily be granted access to critical data.
Therefore, it’s vital for companies to conduct periodic reviews of users and permissions, modify user access and even make sure to fully erase obsolete laptops before disposal. By limiting access to critical data, companies can reduce the threat of an attacker accessing the corporate network.
2. Encryption
Encryption is another proven security technique that can greatly reduce the risk of unauthorized access. Simply put, it’s a method by which information is converted into code that hides the true meaning of the information. To be effective, encryption should be implemented both for data at rest (on disk/storage) and for data in transit.
Despite its effectiveness, not all organizations implement encryption. In fact, in a 2019 Ponemon study of nearly 6,000 individuals in 14 countries/regions, less than half said their organizations have an overall encryption plan that is applied consistently across the entire enterprise. Moreover, Panorays’ research found that many companies fail to update their encryption. This is why it’s important to make sure that encryption is up and running in your organization.
3. Two-Factor Authentication
Two-factor authentication (2FA) requires users to provide a secondary authentication like a security token or biometric factor, as well as a password. Essentially, the requirement is to provide “something you know” along with “something you have.” This adds an additional layer of security and greatly reduces the risk of hackers accessing sensitive data. In fact, Microsoft has said that users who enable multi-factor authentication for their cloud accounts block 99.9% of account hacks.
While 2FA is a requirement in some cases, such as when accessing a US government website, not all companies have it. Since it has proven to be a powerful deterrent, using 2FA is a sure sign that your company is taking security seriously.
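As an added example (not code from the original post), the following Python check applies the "periodic review of users and permissions" point from the Data Access section together with the 2FA point above to a constructed user inventory, flagging accounts an access review should look at; the inventory fields, the 90-day dormancy threshold and the review rules are assumptions.

```python
"""Periodic user access review: flags accounts that need attention before a SOC 2 audit."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    role: str
    critical_data_access: bool   # can read customer PII / sensitive records
    two_factor_enabled: bool
    last_login: date


# Constructed sample inventory (not real data), shaped like an identity-provider export.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Account("alice", "engineer", True, True, date(2024, 5, 30)),
    Account("bob", "hr-manager", True, False, date(2024, 5, 28)),   # critical access, no 2FA
    Account("carol", "contractor", True, True, date(2024, 1, 15)),  # dormant, still has access
    Account("dave", "marketing", False, False, date(2024, 5, 31)),  # no critical access, no 2FA
]


def review_access(accounts, today=TODAY, dormant_days=90):
    """Return {user: [findings]} for every account that violates a review rule.

    Rules (assumed for this example):
      - every account must have 2FA enabled;
      - an account with critical data access that has not logged in for more than
        `dormant_days` days should have that access removed.
    """
    findings = {}
    for a in accounts:
        issues = []
        if not a.two_factor_enabled:
            scope = "critical data access" if a.critical_data_access else "account"
            issues.append(f"2FA not enabled ({scope})")
        if a.critical_data_access and (today - a.last_login) > timedelta(days=dormant_days):
            issues.append(f"dormant for more than {dormant_days} days but still has critical access")
        if issues:
            findings[a.user] = issues
    return findings


if __name__ == "__main__":
    # Prints one line per flagged account for the reviewer to act on.
    for user, issues in review_access(INVENTORY).items():
        print(f"{user}: {'; '.join(issues)}")
```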
4. Disaster Recovery
Part of demonstrating your company’s security involves providing evidence that you’ve planned for the worst. Whether you experience a natural disaster or a cyberattack, you need to show that there’s a realistic process in place to resume business quickly, and without major losses to revenue or operations.
Creating a disaster recovery plan begins with a thorough risk assessment so that your organization can identify vulnerabilities to your IT infrastructure. It should include a statement of the main goals of the plan, contact information for key personnel, a description of emergency response actions after a disaster, a list of license keys and software that will be used to restore operations, a testing plan, alternate facilities and/or remote work planning.
5. Third-Party Security Management
Because third parties can increase your cyber risk, your SOC 2 should include third-party cybersecurity risk controls, and you need to demonstrate that you have a solid third-party security management process. But assessing and monitoring your third parties can take a great deal of time and effort.
Panorays works with your third parties to check that they are secure, both through its automated questionnaire and by performing an external attack surface assessment. Panorays also continuously monitors your third parties to check for any changes to cyber posture. Because the entire process is automated, your company can greatly reduce the time spent on third-party security management and simplify SOC 2 audits.