5 Key Security Controls That Should Be in Your SOC 2

By Dov Goldman, Apr 07, 2020 (4 min read)

You want to grow your business, but your customers want to be sure that you have taken steps to prevent unauthorized access to their sensitive data and personal information. One effective way to demonstrate that your organization has the right security controls in place is through a Service Organization Control 2 (SOC 2). 

Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is an auditing procedure that checks the security controls that service providers and third parties have in place. The SOC 2 report provides an overview of how companies manage customer data based on five categories of trust: security, availability, processing integrity, confidentiality and privacy. Achieving a SOC 2 attestation means that you have demonstrated effective security controls design. 

What are some of the important security controls that should be included in your SOC 2? Here are five important considerations: 

1. Data Access

It’s important to assess both how much data employees can access and how critical that data is. For example, an HR manager who routinely interacts with outside, unverified parties may not have the training to recognize a phishing attempt, and so should not necessarily be granted access to critical data.

Therefore, it’s vital for companies to conduct periodic reviews of users and permissions, modify user access and even make sure to fully erase obsolete laptops before disposal. By limiting access to critical data, companies can reduce the threat of an attacker accessing the corporate network. 

2. Encryption

Encryption is another proven security technique that can greatly reduce the risk of unauthorized access. Simply put, it is a method by which information is converted into ciphertext that conceals its contents from anyone without the key. To be effective, encryption should be implemented both for data at rest (on disk or in storage) and for data in transit (over the network).

Despite its effectiveness, not all organizations implement encryption. In fact, in a 2019 Ponemon study of nearly 6,000 individuals in 14 countries/regions, less than half said their organizations have an overall encryption plan that is applied consistently across the entire enterprise. Moreover, Panorays’ research found that many companies fail to update their encryption. This is why it’s important to make sure that encryption is up and running in your organization.

3. Two-Factor Authentication

Two-factor authentication (2FA) requires users to provide a secondary authentication factor, such as a security token or a biometric, in addition to a password. Essentially, the requirement is to provide “something you know” along with “something you have.” This adds an additional layer of security and greatly reduces the risk of attackers accessing sensitive data. In fact, Microsoft has said that users who enable multi-factor authentication for their cloud accounts block 99.9% of account hacks.

While 2FA is a requirement in some cases, such as when accessing a US government website, not all companies have it. Since it has proven to be a powerful deterrent, using 2FA is a sure sign that your company is taking security seriously. 

4. Disaster Recovery

Part of demonstrating your company’s security involves providing evidence that you’ve planned for the worst. Whether you experience a natural disaster or a cyberattack, you need to show that there’s a realistic process in place to resume business quickly, and without major losses to revenue or operations. 

Creating a disaster recovery plan begins with a thorough risk assessment so that your organization can identify vulnerabilities in its IT infrastructure. The plan should include a statement of its main goals, contact information for key personnel, a description of the emergency response actions to take after a disaster, a list of the license keys and software that will be used to restore operations, a testing plan, and arrangements for alternate facilities and/or remote work.

5. Third-Party Security Management

Because third parties can increase your cyber risk, your SOC 2 should include third-party cybersecurity risk controls. For this reason, it’s important to demonstrate that you have a solid third-party security management process. But assessing and monitoring your third parties can take a great deal of time and effort.

Panorays works with your third parties to check that they are secure, both through its automated questionnaire and by performing an external attack surface assessment. Panorays also continuously monitors your third parties to check for any changes to cyber posture. Because the entire process is automated, your company can greatly reduce the time spent on third-party security management and simplify SOC 2 audits. 

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.
