The world is in flux right now due to COVID-19, and the global pandemic has changed the lay of the land for almost every organization. It’s likely that more people are working from home this week than at any time since technology has made it possible to do so. This has put a strain on IT departments that weren’t prepared for the new setup, while forcing companies of all sizes to adapt to a new normal.
However, SOC 2 requirements don’t go away just because the IT department is stressed, or just because employees are working from home. No matter how large or small your organization is, you can adapt your processes to ensure you stay compliant with SOC 2, even if your entire workforce is now remote.
Identifying the Key Controls to Help Maintain SOC 2 Compliance
Unlike other standards such as PCI or ISO 27001, the guidelines in SOC 2 aren’t hard-and-fast rules. This means SOC 2 can be relatively easy to adapt to non-traditional security ecosystems. In fact, many start-ups and mostly remote organizations have chosen to implement SOC 2 standards for years for this very reason. As always, you will need to identify the risks that may threaten your business processes and put policies in place to address them.
The security challenges posed by a fully remote workforce are often different from those of an in-house team working from an office building. These include both cybersecurity and physical security issues, and some are less obvious than others. Human error or carelessness is often the biggest risk any company faces when it comes to computer and technology assets, and that can get more complicated when you don’t have your employees under one roof. Luckily, working on SOC 2 compliance can help mitigate these risks, even if you’ve never had a mostly remote workforce before.
Ensuring Physical Security for SOC 2 Compliance
One major security issue presented by a remote working situation is that you can’t offer guaranteed physical security to company hardware or systems, such as laptops or other workstations, that are now operating from the living rooms and home offices of your team members. But you can institute policies for your employees to minimize the risk of theft or physical damage to assets.
Make sure employees know best practices for minimizing this risk, such as:
- Never leave company assets in a vehicle, especially overnight
- If an asset must be stored in a vehicle, it must be locked in the trunk
- Store laptops and other assets in a locked cabinet when not in use
- Do not leave assets unattended or unlocked
- Be cautious when entering company passwords
- Never lend a company computer to anyone, including spouses, roommates, children, or other family members
Another aspect of physical security is keeping important data out of the reach of individuals who are not privy to it, including spouses and children of employees. Employees should never lend their laptops to family or household members for any reason, and the same rule applies to printed material: sensitive documents should never be printed or stored at home. You may need to create a printing policy so that documents that must be printed for whatever reason are held until employees are allowed to return to the office. You can allow employees to send print jobs to internal printers if they must print something, but they may not be able to collect the documents until the office re-opens.
These may seem like common-sense policies, but it’s important that you write them out explicitly and train employees on them so that everyone understands them. A written policy will also help you prove you were following SOC 2 compliance guidelines when you undergo an audit.
Cybersecurity Considerations for SOC 2 Compliance
Beyond the physical safety of assets that employees are using at home, you need to maintain security of your network. With employees working from their own Wi-Fi connections, there are several policies you will need to implement to ensure SOC 2 compliance.
The first is to establish a company virtual private network (VPN) that your employees can use to connect to servers and internal systems. Using a free VPN is not a good idea, because you cannot guarantee that the connection will be encrypted or that the server will protect private information. Some third-party VPNs are safe to use, as long as they provide an encrypted connection and don’t log users’ activity. Your IT security team should also ensure all workstation and laptop hard drives are encrypted before they go out into the world, in case the physical security policies outlined above fail.
Reducing the risk of human error in cybersecurity is your next task. Your team should either enable automatic updates or draft guidelines for employees to follow, to ensure that patching is up to date on all workstations and laptops. The workstation firewall should always be enabled to prevent attacks on the network. Implementing two-factor authentication (2FA) may be a pain for some workers, but it helps to ensure that the person logging into an asset is who they say they are. 2FA is especially important for internal systems and SaaS tools, such as internal email accounts, project management tools, and file sharing.
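The controls in the two paragraphs above (disk encryption, a company VPN client, current patches, an enabled host firewall, and 2FA) are the kind of thing an auditor will ask you to evidence per device. The following script is an added example, not code from the original article or from any SOC 2 tooling; it evaluates a small inventory of constructed endpoint posture records against those controls and produces a per-device findings report plus a count of which controls fail most often. The record fields, the 30-day patch window and the control identifiers are assumptions for illustration, not SOC 2 requirements; in practice the records would come from your MDM or endpoint management export.

```python
"""Remote-endpoint posture check against the controls listed in the article.

Added example with constructed data; field names, the patch-age limit and the
control identifiers are assumptions, not part of the SOC 2 criteria.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Assumption: a device whose last successful patch run is older than this is flagged.
MAX_PATCH_AGE_DAYS = 30

# Control identifiers used in the report (assumed names, chosen for this example).
DISK_ENCRYPTION = "disk_encryption"
HOST_FIREWALL = "host_firewall"
PATCH_CURRENCY = "patch_currency"
VPN_CLIENT = "vpn_client"
MFA = "mfa"


@dataclass(frozen=True)
class Endpoint:
    """One device record as it might be exported from endpoint management (assumed schema)."""
    hostname: str
    disk_encrypted: bool        # full-disk encryption active
    firewall_enabled: bool      # host firewall turned on
    last_patched: date          # date of the last successful patch run
    vpn_client_installed: bool  # company VPN client present
    mfa_enforced: bool          # 2FA enforced on the user's internal / SaaS accounts


def evaluate(ep: Endpoint, today: date) -> Dict[str, str]:
    """Return a mapping of failed control -> human-readable detail for one endpoint.

    An empty dict means the endpoint passes every control checked here.
    """
    findings: Dict[str, str] = {}
    if not ep.disk_encrypted:
        findings[DISK_ENCRYPTION] = "hard drive is not encrypted"
    if not ep.firewall_enabled:
        findings[HOST_FIREWALL] = "workstation firewall is disabled"
    patch_age = (today - ep.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings[PATCH_CURRENCY] = f"last patched {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})"
    if not ep.vpn_client_installed:
        findings[VPN_CLIENT] = "company VPN client is missing"
    if not ep.mfa_enforced:
        findings[MFA] = "2FA is not enforced for the assigned user"
    return findings


def compliance_report(endpoints: Iterable[Endpoint], today: date) -> Dict[str, Dict[str, str]]:
    """Evaluate every endpoint; the result is the per-device evidence an auditor can read."""
    return {ep.hostname: evaluate(ep, today) for ep in endpoints}


def failing_controls(report: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """Count how many endpoints fail each control, most common first (ties by name)."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for control in findings:
            counts[control] = counts.get(control, 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def compliant_count(report: Dict[str, Dict[str, str]]) -> Tuple[int, int]:
    """Return (number of fully compliant endpoints, total endpoints)."""
    passing = sum(1 for findings in report.values() if not findings)
    return passing, len(report)


# Constructed sample inventory (not real devices) and a fixed "today" for reproducibility.
TODAY = date(2020, 4, 1)
ENDPOINTS = [
    Endpoint("lt-alice", True, True, date(2020, 3, 20), True, True),    # fully compliant
    Endpoint("lt-bob", False, True, date(2020, 1, 15), True, False),    # unencrypted, stale, no 2FA
    Endpoint("lt-carol", True, False, date(2020, 2, 20), True, True),   # firewall off, 41 days unpatched
]

if __name__ == "__main__":
    report = compliance_report(ENDPOINTS, TODAY)
    for host, findings in report.items():
        status = "PASS" if not findings else "FAIL"
        print(f"{host}: {status}")
        for control, detail in findings.items():
            print(f"  - {control}: {detail}")
    print("Most common failures:", failing_controls(report))
    print("Compliant endpoints: %d of %d" % compliant_count(report))
```

Run against a real export, the same report doubles as audit evidence: the per-device findings show which policy each device violated on the date checked, and the control counts tell you where to focus remediation first (for instance, a large patch-currency count points to the automatic-update setting rather than to individual users).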
Reports have shown that laptops and home computers used for remote work are increasingly attractive to hackers, thanks to the high level of security that organizations have applied to their corporate networks. With so many people working from home, cyber criminals are increasing their attacks on employees who may be working in a less secure environment. These hackers also know that your IT team is overwhelmed and less likely to be able to respond as quickly as you’d like. You should ensure your policies on preventing phishing are up to date and that all employees know how to spot spam and keep scams from infiltrating the organization.
Remind your staff not to use the laptop or workstation for personal items, such as online shopping or video streaming. The work laptop or workstation should be reserved for work only, to help minimize threats from hackers.
Finally, make sure each individual in your organization understands that security issues must be reported to IT staff immediately, and that they know how to do so. You may need to create a phone hotline or dedicated email account for reporting security issues, if you haven’t already, so that employees can flag attacks before they reach your corporate network.
Overall, the challenges presented by a remote workforce can help you nail down your cybersecurity policies and give you an opportunity to find any holes in your current SOC 2 compliance policies. While uncertainty around COVID-19 remains, SOC 2 compliance can be one less question mark for your organization.
If you would like further information about SOC 2 compliance, check out our overview of SOC 2.