How to Stay SOC 2 Compliant While Your Team is Working Remotely

The world is in flux right now due to COVID-19, and the global pandemic has changed the lay of the land for almost every organization. It’s likely that more people are working from home this week than at any time since technology made it possible to do so. This has strained IT departments that weren’t prepared for the new setup, while forcing companies of all sizes to adapt to a new normal. 

However, SOC 2 requirements don’t go away just because the IT department is stressed, or just because employees are working from home. No matter how large or small your organization is, you can adapt your processes to ensure you stay compliant with SOC 2, even if your entire workforce is now remote. 

Identifying the Key Controls to Help Maintain SOC 2 Compliance

Unlike prescriptive standards such as PCI DSS or ISO 27001, SOC 2 does not dictate specific controls: it sets out the Trust Services Criteria and leaves you to design and document the controls that meet them. This means SOC 2 can be relatively easy to adapt to non-traditional security ecosystems, and many start-ups and mostly remote organizations have chosen SOC 2 for years for exactly this reason. As always, you will need to identify the risks that threaten your business processes and put policies and controls in place to address them. 

The security challenges posed by a fully remote workforce are often different from those of an in-house team working from an office building. They include both cybersecurity and physical security issues, and some are less obvious than others. Human error or carelessness is often the biggest risk any company faces when it comes to computer and technology assets, and that gets harder to manage when your employees are not under one roof. Luckily, working on SOC 2 compliance can help mitigate these risks, even if you’ve never had a mostly remote workforce before. 

Ensuring Physical Security for SOC 2 Compliance

One major security issue presented by a remote working situation is that you can’t offer guaranteed physical security to company hardware or systems, such as laptops or other workstations, that are now operating from the living rooms and home offices of your team members. But you can institute policies for your employees to minimize the risk of theft or physical damage to assets. 

Make sure employees know best practices for minimizing this risk, such as:

  • Never leave company assets in a vehicle, especially overnight 
  • If an asset must be stored in a vehicle, it must be locked in the trunk
  • Store laptops and other assets in a locked cabinet when not in use
  • Do not leave assets unattended or unlocked
  • Be cautious when entering company passwords
  • Never lend a company computer to anyone, including spouses, roommates, children, or other family members

Another aspect of physical security is keeping sensitive data out of reach of people who are not authorized to see it, including the spouses and children of employees. Employees should never lend their laptops to family or household members for any reason, and the same principle applies to printed material: sensitive documents should not be printed or stored at home. You may need a printing policy that defers printing of such documents until employees can return to the office. You can still let employees submit print jobs to office printers over the VPN, but the printed output will remain in the office until it re-opens. 

These may seem like common-sense policies, but it’s important to write them out explicitly and train employees on them. A written policy, along with records of the training, will also help you prove to your auditor that you were following your SOC 2 controls. 

Cybersecurity Considerations for SOC 2 Compliance

Beyond the physical safety of assets that employees are using at home, you need to maintain security of your network. With employees working from their own Wi-Fi connections, there are several policies you will need to implement to ensure SOC 2 compliance.

The first is to establish a company-managed virtual private network (VPN) that employees use to connect to servers and internal systems. Free consumer VPN services are not a substitute: they route your traffic through a third party whose encryption, logging and data handling you cannot verify, and they don’t connect you to your internal network anyway. A third-party VPN service can be acceptable only if it uses strong, authenticated encryption and does not log users’ activity, and your own risk assessment should document why you trust it. Your IT security team should also ensure full-disk encryption is enabled on every workstation and laptop before it leaves the office, with recovery keys escrowed by IT, so that the physical security policies above have a backstop if a device is lost or stolen.

Reducing the risk of human error in cybersecurity is your next task. Your team should enforce automatic updates where possible, or draft guidelines for employees to follow, so that patching stays current on all workstations and laptops. The host firewall on each workstation should stay enabled, since the device now sits on a home network alongside untrusted consumer devices. Implementing two-factor authentication (2FA) may be a pain for some workers, but it helps ensure that the person logging in is who they say they are. 2FA is especially important for the VPN and for internal systems and SaaS tools, such as email, project management tools, and file sharing. 
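As an added illustration (not part of the original article), here is a small Python script that turns the workstation controls above into a repeatable check. It reads a per-device export from an endpoint management tool and lists every laptop that fails full-disk encryption, host firewall, patch age or 2FA enrollment. The export format, field names, sample rows and the 14-day patch threshold are all assumptions made for this example; substitute your own tool’s export and your own policy values. The resulting exceptions list is the kind of evidence an auditor asks to see.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Policy threshold: assumed for this example, set it from your own patch policy.
MAX_PATCH_AGE_DAYS = 14

# Constructed sample in the shape of a per-device export from an MDM or endpoint
# management tool. Field names are assumptions, not any vendor's real schema.
SAMPLE_EXPORT = """\
hostname,user,disk_encrypted,firewall_enabled,last_patched,mfa_enrolled
lt-0412,alice,yes,yes,2020-04-10,yes
lt-0417,bob,no,yes,2020-04-12,yes
lt-0421,carol,yes,no,2020-03-01,no
lt-0433,dave,yes,yes,2020-04-14,yes
"""


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    user: str
    disk_encrypted: bool
    firewall_enabled: bool
    last_patched: date
    mfa_enrolled: bool


def _flag(value: str) -> bool:
    """Interpret the yes/no style values found in tool exports."""
    return value.strip().lower() in {"yes", "true", "1"}


def parse_export(text: str) -> list[Endpoint]:
    """Parse the CSV export into Endpoint records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Endpoint(
            hostname=r["hostname"],
            user=r["user"],
            disk_encrypted=_flag(r["disk_encrypted"]),
            firewall_enabled=_flag(r["firewall_enabled"]),
            last_patched=date.fromisoformat(r["last_patched"]),
            mfa_enrolled=_flag(r["mfa_enrolled"]),
        )
        for r in rows
    ]


def evaluate(ep: Endpoint, today: date,
             max_patch_age_days: int = MAX_PATCH_AGE_DAYS) -> list[str]:
    """Return the control failures for one endpoint; an empty list means compliant."""
    findings = []
    if not ep.disk_encrypted:
        findings.append("full-disk encryption disabled")
    if not ep.firewall_enabled:
        findings.append("host firewall disabled")
    patch_age = (today - ep.last_patched).days
    if patch_age > max_patch_age_days:
        findings.append(f"patches {patch_age} days old (limit {max_patch_age_days})")
    if not ep.mfa_enrolled:
        findings.append("MFA not enrolled")
    return findings


def exceptions_report(endpoints: list[Endpoint], today: date) -> dict[str, list[str]]:
    """Map hostname -> findings for every endpoint that fails at least one control."""
    report = {}
    for ep in endpoints:
        findings = evaluate(ep, today)
        if findings:
            report[ep.hostname] = findings
    return report


def run(export_text: str, today_iso: str) -> dict[str, list[str]]:
    """Parse an export and evaluate it as of the given ISO date (YYYY-MM-DD)."""
    return exceptions_report(parse_export(export_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, findings in run(SAMPLE_EXPORT, "2020-04-15").items():
        print(host, "->", "; ".join(findings))
```

Run it on a scheduled basis against a fresh export and keep each dated report: a series of reports showing exceptions being found and closed is far stronger audit evidence than a single point-in-time screenshot.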

Reports have shown that laptops and home computers used for remote work are increasingly attractive to attackers, because they are often softer targets than the hardened corporate network behind them. With so many people working from home, criminals are stepping up attacks on employees working in a less secure environment, and they know that an overwhelmed IT team is less likely to respond as quickly as you’d like. Make sure your phishing policies are up to date and that all employees know how to recognize phishing and other social-engineering attempts and what to do when they see one. 

Remind your staff not to use the laptop or workstation for personal items, such as online shopping or video streaming. The work laptop or workstation should be reserved for work only, to help minimize threats from hackers. 

Finally, make sure each individual in your organization understands to report security issues to IT staff immediately, and that they know how to do so. You may need to create a phone hotline or dedicated email account for reporting security issues, if you haven’t already, so that employees can be upfront about attacks before they make it to your corporate network. 

Overall, the challenges presented by a remote workforce can help you nail down your cybersecurity policies better, and provide you an opportunity to find any holes in your current SOC 2 compliance policies. While uncertainty around COVID-19 remains, SOC 2 compliance can be one less question mark for your organization.

If you would like further information about SOC 2 compliance, check out our overview of SOC 2.

The SOC 2 Mindset

What is SOC 2 preparation and compliance really like? Is it a set of configurations and security tools? Is it a bunch of documentation we haven’t created yet? Is it something we do? What if the most important thing about SOC 2 isn’t those at all?

Topics in this webinar include:

  • How to keep the main thing the main thing
  • Set yourself up for success
  • How to communicate with ALL stakeholders
  • Get inside your auditor’s head!


Breaking SOC 2 Roadblocks

How do you deal with the inevitable “impossible” requirement for your organization? What are some common pain points and ways to get around them? How can a risk perspective rescue the conversation? What will be your auditor’s perspective?

Topics in this webinar include:

  • The good and the poor way to approach a compliance disagreement
  • Using risk assessment to make your argument
  • Top compensating control strategies
  • Get inside your auditor’s head!


Making SOC 2 Hindsight in 2020

What is best practice prioritization for SOC 2 preparation? What are the top lessons learned from 2019? What are the “gotchas” to avoid? Which criteria require implementation and additional budget? What kind of total budget will I need?

Topics in this webinar include:

  • Prioritized approach for SOC 2 readiness
  • The top 4 audit deficiencies
  • List of common technology expenses
  • Get inside your auditor’s head!


SOC 2 System Description

What are the Description Criteria for SOC 2? Why do I have to write the system description? What are the minimum requirements? What else can I include? What will an auditor expect to see?

Topics in this webinar include:

  • Understand the 2018 SOC 2 Description Criteria
  • Know the minimum requirements
  • Take advantage of the marketing opportunity
  • Don’t be caught off guard, this will take time!


SOC 2 Subservice Organizations

What is a Subservice Organization? A vendor that provides services and controls directly relevant to the service undergoing an audit. It is usually:

  • A key component of the service you provide
  • A vendor that processes customer data
  • A vendor that stores customer data
  • One of your most relied-upon vendors

Topics in this webinar include:

  • How to identify subservice organizations
  • How to monitor and evaluate
  • What to expect during a SOC 2 audit


SOC 2 Technical Monitoring

What do the technical monitoring controls for SOC 2 look like? What tools will be necessary? How do you use and configure SIEM and FIM tools? How do we monitor configurations adequately? What will an auditor expect to see?

Topics in this webinar include:

  • Understand SOC 2 requirements CC5.1, CC6.6, CC7.1, CC7.2
  • Best practices for technical monitoring
  • What to expect during the test and how to make it more effective
  • How monitoring can be automated


SOC 2 Penetration Testing Requirements

What SOC 2 requirement applies? How do I know we’re ready? What’s the required scope? How do I get the most out of my test?

Topics in this webinar include:

  • When it’s time to schedule a pen test
  • Mistakes found in first-time pen tests
  • What to expect during the test and how to make it more effective
  • How to use pen testing in security awareness training
