SOC 2 Reports - Ready, Set, Go!

Derek Morris
Feb 2, 2018 1:15:07 PM

“I need to complete a SOC 2 report on my controls. Where do I start?” Aside from the easy answer (contact Compass IT Compliance and we can help you get started), I would like to cover some tips on what to know and how to get started towards completing a SOC 2 report. Information security is of utmost importance to any business. As businesses grow and become sought after by other businesses, there may be some pressure, or an absolute requirement, that a SOC 2 report be completed to maintain business relationships.

There are many controls that need to be in place to ensure the successful completion of a SOC 2 report. One of the most critical components of the report is called the System Description or the Description of the System and Controls. This section contains a business or system overview, the controls that are in place around your system or application, and the “secret sauce” that your business may have to drive your success.

What Compass can do is assist you in building that System Description. There is a major additional value you will see from the investment in this engagement: a clear understanding of which security areas and controls need to be built, enhanced, or “beefed up”. These identified areas can be used to enhance your IT security posture as it relates to your business, as well as start you on the path toward an ingrained security culture within your business. Along with that enhanced security culture, a true IT security strategy can be developed along this path going forward over your fiscal year(s).

The items below lay out what security controls will need to be in place at your company and where Compass can help you develop from scratch or update:

  • Management Philosophy
  • Information Security Program
  • Policies and Procedures for Hiring, Terminations, Training, Acceptable Use and Many More
  • Risk Assessment Approach for the Business
  • Security Awareness and Training
  • Vulnerability Management
  • Information / Data Classification, Handling, and its Protections
  • Data Backup, Retention and Recovery (Disaster Recovery Components)
  • Change Management
  • Configuration Management
  • Physical / Environmental Security
  • Logical Access and Remote Access Controls
  • Authentication and Authorization Controls
  • Monitoring and Logging Controls
  • Incident Response
  • Capacity Planning and Monitoring
  • Asset Management
  • Patch Management
  • Problem Management / Help Desk
  • Vendor and Third-Party Management Controls
  • Business Continuity Planning

Do you have additional compliance requirements? Completing a SOC 2 Readiness Assessment can help drive you towards compliance in other areas. The security controls required to complete the SOC 2 Report can help you achieve compliance in other areas like PCI-DSS, HIPAA, and NIST. A SOC 2 Readiness Assessment can enhance your efficiency and drive cost savings for other compliance efforts that may be required of your company! For more information, download a copy of our SOC 2 Readiness Assessment brochure below. As always, if you have any questions or need clarification, feel free to contact us!

SOC 2 Readiness Assessment
