5 Things to Polish Up for SOC Audit Preparation
No one wants to wait until the 11th hour to start preparing for their annual SOC audit. To prevent all of the SOC readiness ‘to do’ items from presenting you with the perfect storm of daunting preparation tasks, here are 5 things you can do throughout the year to ensure you are ready for this year’s SOC audit.
- Policy review and update – Of course you need to have a solid set of IT Security Policies, but what exactly does that mean? To start, every company should, at minimum, have a basic IT policy set that can be easily followed and consistently governed. You want to ensure you’ve accurately documented everything you state you’re doing, and that it is being communicated to all employees and governed accordingly. You will want to revisit the policy set at 6-month intervals to ensure that any updates and gaps are addressed and reflected correctly in the policies as your policy set evolves.
- Security risk assessment – First off, how can you secure and protect your organization if you don’t know what risks currently exist within it? Performing a security risk assessment will enable you to identify and remediate those risks in preparation for your SOC audit. A security risk assessment should be performed annually at an absolute minimum. It can serve as a barometer of your current security posture.
- Penetration test – Penetration testing exposes and identifies the current risks, vulnerabilities and weaknesses that exist within your organization and its security model. The results of the penetration test will surface all issues and vulnerabilities that need to be remediated in order to align with SOC compliance. The annual penetration testing needs to be defined in your policy set as well.
- Vendor management process/policy review – This preparation step is a must when it comes to ensuring that your vendors are complying with your policies and information security best practices. Vendors can present risk to every organization, so in order to properly prepare for your SOC audit, you must regularly and thoroughly vet your vendors, and document the procedures for managing your vendors.
- DR plan review and restoration exercises – Your SOC audit will require that you have a documented Disaster Recovery Plan and that it is regularly tested with successful restoration exercises. You will also want to perform tabletop testing, walkthroughs or simulated testing as part of your regular DR plan reviews. Most importantly, you will need to test the recovery plan procedures to ensure that systems recovery meets its stated objectives.
If your company needs any assistance with SOC readiness, please contact Adsero Security for a free consultation.