SOC 2 Gap Assessment

Before starting on your gap assessment, there are a few improvements you can put in place to make your remediation period go more quickly and allow your team to focus on more nuanced gaps. While there are many ways to meet the criteria of SOC 2, these are the most common methods for closing the most common gaps. Before starting, be aware that some of these could be a vendor’s responsibility if your business uses Software, Platform, or Infrastructure as a Service. Ensure that this is researched (such as through a Shared Responsibility Matrix) and documented for your SOC 2 gap assessment.

1. Penetration Testing (External Assessment)

You’ll likely need an external assessment, performed from outside the environment, to speak to the effectiveness of your security controls. You can meet this requirement by obtaining an annual penetration test that covers the scope of your SOC 2. From this penetration test, you’ll need to document the severity of each finding and remediate those findings. This process should be thoroughly documented and auditable. You’ll need to define the minimum severity that requires remediation; you’re typically safe remediating findings rated medium or more severe based on their CVSS score.

2. Vulnerability Scanning (Internal Assessment)

You’ll likely need an internal assessment, performed from within the environment, to speak to the state of your internal environment. You can meet this requirement by scheduling quarterly vulnerability scans that cover the scope of your SOC 2. As with the penetration test, you’ll need to document the severity of each finding and remediate those findings. This process should be thoroughly documented and auditable. You’ll need to define the minimum severity that requires remediation; you’re typically safe remediating findings rated medium or more severe based on their CVSS score.
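Both the penetration test and the vulnerability scan sections leave you with the same task: rate each finding, apply the remediation threshold, and keep an auditable record of what was decided and why. The following is an added example of that triage step (not code from the original page); the CVSS v3.x qualitative bands are real, but the remediation windows in SLA_DAYS and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# CVSS v3.x qualitative severity bands: None, Low, Medium, High, Critical.
def cvss_rating(score: float) -> str:
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

# Threshold from the text: Medium and more severe findings must be remediated.
REMEDIATION_REQUIRED = {"Medium", "High", "Critical"}
# Assumed remediation windows in days (not from the page); set these in your policy.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}

@dataclass
class Finding:
    source: str       # "pentest" (external) or "vuln_scan" (internal)
    finding_id: str
    title: str
    cvss: float
    found_on: date

def triage(findings):
    """Auditable remediation log: every finding is recorded with its rating and
    decision, so an auditor can see why Low findings were documented but not fixed."""
    log = []
    for f in findings:
        rating = cvss_rating(f.cvss)
        remediate = rating in REMEDIATION_REQUIRED
        log.append({
            "source": f.source, "id": f.finding_id, "title": f.title,
            "cvss": f.cvss, "rating": rating,
            "decision": "remediate" if remediate else "document_only",
            "due": f.found_on + timedelta(days=SLA_DAYS[rating]) if remediate else None,
        })
    return log

# Constructed sample findings (not from a real report).
SAMPLE = [
    Finding("pentest", "PT-01", "IDOR on invoice download", 7.5, date(2024, 5, 6)),
    Finding("vuln_scan", "VS-17", "Outdated OpenSSH banner", 5.3, date(2024, 5, 6)),
    Finding("vuln_scan", "VS-18", "TLS 1.1 still enabled", 3.7, date(2024, 5, 6)),
]
```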

3. Background Checks

You are tasked with demonstrating that you are dedicated to ensuring the integrity of the data your business interacts with. Background checks are an excellent way to show that you are committed to preventing those with ulterior motives from accessing that data through your company. A background check provides additional information to help determine whether a potential hire is honest, equipped to handle the work they would be assigned, and free of criminal motivations.

4. Cyber Insurance

Part of the risk mitigation strategy is ensuring that an adequate insurance policy is in place to help alleviate the issues that can arise from business disruption due to a technology breach or failure, including data breaches involving sensitive information. You can use the types of sensitive data you interact with or collect (possibly found in a sensitive data inventory), the most common threats to your business model, and your risk assessment to determine what type of cyber insurance would be most effective for your business.

5. Risk Assessment

A risk assessment is necessary to understand the risk presented to your business. You can use many different sources to document your risk areas: your external and internal security assessment findings, the sensitive information you interact with and collect (as recorded in your sensitive data inventory), and the threats to your business model, including the type of business, network, and supporting infrastructure.

By documenting these in a single location, you can develop a clear understanding of how these risks might impact your business and affect each other, as well as which mitigation strategies might be most effective, including what insurance to obtain, which security features are worth implementing, and which are not in line with the level of identified risk.

6. IDS/IPS & Firewall

Intrusion Detection/Prevention Systems and firewalls are a great way to keep unauthorized individuals out of the environment and to stop unauthorized actions from happening within it, and they can work in tandem. They can be set up in several ways to report, block, or allow different activities. An IDS/IPS should be chosen based on how it will benefit your business and what it will cover, including both the network itself and the data. The setup should protect your business without disrupting operations. When a change is made, monitor for new issues and client complaints; this is when a report-only mode may be most beneficial. A best practice is to allow only what is explicitly accepted and block everything else (default deny), which applies the principle of least privilege to network access. These tools can also enforce network segregation, which further protects high-risk assets and keeps an intrusion in one segment from granting access across the whole network.
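The default-deny and segmentation points above are easiest to see by evaluating the same connection attempts under an explicit allow list with two different policy defaults. The block below is an added illustration, not code from the original page or from any firewall product; the segment addressing, the allow list, and the connection attempts are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port; 0 matches any port
    action: str   # "allow" or "block"

def evaluate(rules, default_action, src, dst, port):
    """First matching rule wins; with no match the policy default applies.
    Returns (action, reason) so every decision can be logged and audited."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.port in (0, port)):
            return r.action, f"rule {r.src}->{r.dst}:{r.port or 'any'}"
    return default_action, "policy default"

# Constructed network segments (assumed addressing, not from the page).
WORKSTATIONS, WEB, DB = "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"

# Explicit allow list: only the flows the business actually needs.
ALLOW_LIST = [
    Rule(WORKSTATIONS, WEB, 443, "allow"),  # staff use the web application
    Rule(WEB, DB, 5432, "allow"),           # web tier talks to the database
]

# Constructed connection attempts, including two from a compromised workstation.
ATTEMPTS = {
    "staff_to_web_https": ("10.1.0.25", "10.2.0.10", 443),
    "web_to_db_postgres": ("10.2.0.10", "10.3.0.5", 5432),
    "workstation_to_db_postgres": ("10.1.0.25", "10.3.0.5", 5432),
    "workstation_to_web_ssh": ("10.1.0.25", "10.2.0.10", 22),
}

def decide_all(default_action):
    """Evaluate every attempt under the given policy default ('block' or 'allow')."""
    return {name: evaluate(ALLOW_LIST, default_action, *flow)[0]
            for name, flow in ATTEMPTS.items()}
```

With the default set to "block", the workstation cannot reach the database segment at all; with a default of "allow", the same allow list leaves that path open, which is why the default matters more than the individual rules.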

7. Mobile Device Management

Mobile devices should be centrally managed and prevented from leaking company data. This can be done using a system that allows you to log each device, assign the primary user of the device, wipe the device if it is compromised, and enforce device hardening standards. You can choose more options based on what may benefit your mobile management strategy, such as integrating with anti-virus/anti-malware software. There should be a way to ensure that every device is included in the mobile management listing, such as an additional listing or another system that can be compared against it for accuracy.

8. Anti-Virus/Anti-Malware and Signature Updating with Alerts

Anti-Virus/Anti-Malware should also be in place to prevent your devices and servers from being compromised by the ever-changing threat of viruses and malware. This should come with frequent signature updates to keep up with constantly evolving threats. If a signature update does not reach a device, alerting should notify the responsible individuals of the failure so that remediation efforts can be pursued and documented. Keeping each device and server up to date ensures you put your best foot forward in protecting your devices from this threat.
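The mobile device management section asks for a second listing to compare the MDM inventory against, and this section asks for alerts when a signature update fails to reach a device; one reconciliation job can cover both. The block below is an added example, not code from the original page or from any MDM or anti-malware product; the device inventories, the two-day freshness threshold, and the alert routing are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy: a signature set older than this on an endpoint raises an alert.
MAX_SIGNATURE_AGE = timedelta(days=2)

# Constructed MDM inventory: device id -> primary user (not real data).
MDM_DEVICES = {"LT-1001": "alice", "LT-1002": "bob", "LT-1003": "carol"}

# Constructed anti-malware console export: device id -> last signature update.
AV_STATUS = {
    "LT-1001": "2024-05-10T08:00:00",
    "LT-1002": "2024-05-01T08:00:00",   # updates have been failing for days
    "LT-1004": "2024-05-10T08:00:00",   # protected but never enrolled in MDM
}

def reconcile(mdm, av, now, max_age=MAX_SIGNATURE_AGE):
    """Compare the two listings and check signature freshness on each device."""
    missing_av = sorted(set(mdm) - set(av))    # managed but not protected
    unmanaged = sorted(set(av) - set(mdm))     # protected but not managed
    stale = sorted(dev for dev, ts in av.items()
                   if now - datetime.fromisoformat(ts) > max_age)
    return {"missing_av": missing_av, "unmanaged": unmanaged, "stale": stale}

def build_alerts(report, mdm):
    """Route each discrepancy to a responsible party as (device, owner, reason)."""
    alerts = []
    for dev in report["missing_av"]:
        alerts.append((dev, mdm[dev], "no anti-malware agent reporting"))
    for dev in report["unmanaged"]:
        alerts.append((dev, "security-team", "device not enrolled in MDM"))
    for dev in report["stale"]:
        alerts.append((dev, mdm.get(dev, "security-team"), "signature update failed"))
    return alerts

def run(now=datetime(2024, 5, 10, 9, 0)):
    """Run the reconciliation at a fixed time so the result is reproducible."""
    report = reconcile(MDM_DEVICES, AV_STATUS, now)
    return report, build_alerts(report, MDM_DEVICES)
```

Keeping the report and the resulting alerts together gives you the documented, auditable trail of each failure and who was told to remediate it.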