The Impact of COVID-19 on SOC 2 Attestation
COVID-19 has changed how we work, and as the first third of 2021 comes and goes many IT and cloud companies have adapted. However, companies that still need to undergo SOC 2 attestation, or who still have not done so for one reason or another, might find the current challenges of auditing and compliance under pandemic restrictions intimidating.
Here, we’ll discuss an overview of some of the challenges that might come up during SOC 2 attestation during COVID-19. Rather than seeing these challenges as hopeless, we believe that, with the right security partner, they are easily dealt with as part of getting back to business.
The Impact of COVID-19 on Security Measures
Implementing and maintaining security controls is an involved job that requires an investment in time and money. As companies feel the pinch of COVID-19 and adjust at the beginning of 2021, changes in infrastructure and workforce will impact how readily these companies can fulfill requirements under SOC 2.
If your business has transitioned to a remote workforce or undergone (or continues to undergo) personnel changes, then there are several ways in which you might find SOC 2 attestation difficult.
Consider the following questions:
- Has IT or security leadership been consolidated, changed, or cut due to changes in your workforce or technology demands? If so, there could be critical areas where new leadership will need to wear multiple hats to recognize places where SOC 2 attestation could be impacted.
- Does your organization have the right security measures in place to support workers in multiple areas? Remote work is the norm for many companies right now, and many have adjusted their security measures enough to meet the challenges of security. However, if you have existing or upcoming SOC 2 attestation maintaining critical security measures could slip through the cracks of a hybrid workforce.
- What kind of cloud environment are you using, and who has access to it? Businesses have increasingly moved production and other operations to public cloud environments, which can pose additional challenges for security (not to mention adding another layer of security audits and certification to the entire system). Does your documentation include increased reliance on public or hybrid cloud infrastructures, if you use them?
- Can you recover from furloughed or lost staff that managed documentation? Gaps in employment can severely limit how security controls work (or don’t) in testing and operational situations. Furthermore, if an individual is responsible for managing documentation (if you don’t have an automation solution, for example) hasn’t maintained that documentation well, or in a way that can be easily transitioned, your compliance could be impacted.
Even small changes in location, technology, or personnel can call for a reexamination of your security controls and configuration.
COVID-19 and Risk Assessment
It’s not just security controls that have been impacted by COVID-19. SOC-2 risk assessment has also taken a hit and called for businesses to re-evaluate and reorganize their assessment procedures:
- Any organization conducting risk assessment now needs to take into account all the above-listed changes to security controls and the attack surface available for hackers due to remote workers, cloud infrastructure, etc.
- Risk assessment should also consider additional efforts for training and education for employees. The reality of employees failing to practice good cyber hygiene in terms of simple practices like avoiding phishing scams, not utilizing secure connections, or failing to use secure devices will factor into the risk an organization takes on.
- Any new technologies added to your system will necessarily call for new attention to the scope and scale of risk in terms of resilience and continuity. Secure tools like secure managed file transfer, secure email, and file sharing for third parties introduce entirely new levels of security problems that must be considered in the risk assessment process.
- As your company moves into a more distributed business model to account for remote work and social distancing, you may also be working with a larger pool of third-party vendors. Does your risk model incorporate working with these vendors, particularly if they are handling and sensitive data or introducing potential risks to your system?
The growing universe of threats and security due to restructuring in the time of COVID-19 will inevitably shape risk assessment for SOC 2 attestation.
Physical Security and On-Site Audits During COVID-19
“Security” is the core of SOC 2 and the 5 Trust Service Criteria. Security covers several layers of security of a system, including both technical and physical security. An integral part of SOC 2 attestation is the physical security controls that you have in place to protect data centers and workstations from unauthorized access.
The introduction of COVID-19 has changed how individuals interact physically, which also means that there are several ways in which physical security measures may have changed (and could impact physical safeguards and SOC 2 attestation):
- SOC 2 audits are usually conducted in person. This can include a physical examination of security measures on-premises, like a walkthrough of your office or data center. There will certainly be changes to how these audits are conducted.
- Along that same line of thinking, SOC 2 audits will often include interviews with employees in charge of security controls to attest to proper safeguards… which will, again, most likely work differently with a distributed workforce.
- Physical attestation for security with remote workers using company tools will also need a space in your audits, even if that is an inventory and catalog of all remote devices and their security features. This can also include a blanket restriction on certain kinds of systemic access for remote workers to mitigate risk.
As we enter 2021, most auditors have combined some form of remote walkthroughs, virtual interviews, and automated report and documentation generation to streamline physical SOC 2 audits.
SOC 2 Audit Partners in 2021
Companies looking to establish or reestablish SOC 2 attestation should already have a reputable security partner. As we’ve all been through the wringer in terms of learning how to function in the pandemic, the top-tier security vendors working with SOC 2 audits have also adapted to the challenges we’ve discussed above.
Selecting a solid SOC 2 is more important than ever, and there are some criteria to selecting that partner that is colored by COVID-19:
- Automation is key. Your partner should be able to automate your entire SOC 2 audit process, even remotely. A partner with a SaaS cloud platform to streamline audits will be critical for fast and easy audits.
- Physical requirements are dealt with. Virtual walkthroughs and interviews should be no problem, and there should be little or no break in the speed or reliability with which your partner conducts audits using these tools.
- Sample testing. In some cases, sample testing of remote sites, if you have numerous offices or data centers, can work towards attestation. Your partner should be able to determine the viability of this approach and, if possible, undertake it.
- A clear and unbroken chain of evidence. All observations, claims, walkthroughs, tests, and documents should be part of a clear chain of evidence, ideally as part of a cloud platform, to ensure that your audit is transparent.
If your organization is facing SOC 2 attestation or considering it as part of your operation, contact Lazarus Alliance at 1-888-896-7580 or through the form below to learn how we can help you navigate the process.