On June 23rd, we had the pleasure of sharing the stage with Peter vR Sternkopf of Vigilant Systems as we compared a cybersecurity audit to climbing Mount Everest.
Yes, that Mount Everest.
Before you start rolling your eyes, it’s not as far-fetched as it may seem. From the Tibet side of the mountain there’s the parking lot, six camps on the route, and the summit, which together constitute eight defined milestones.
If you take a risk-based approach to cybersecurity compliance you can also count on 8 milestones or phases, namely:
- Acquire organizational support and alignment
- Define context, requirements, boundary & scope
- Complete an information assets inventory / gap analysis
- Define, design, build, implement, manage your controls
- Gather evidence to prove the efficacy of your controls
- Perform an internal audit (or a couple practice audits)
- Pass the compliance audit for the given framework
- Continuous compliance & continual improvement
It may sound overwhelming but if you take a risk-based approach to achieve cybersecurity compliance, you’ll find it’s much less intimidating and the results will most likely satisfy whatever audit framework you choose to pursue.
If you were unable to attend, we are releasing the webinar as short 5-minute clips in a playlist over the next week. Subscribe to our channel to be notified as each new clip is posted:
Questions and Answers
Time for Cybersecurity Q & A!
We also received a good number of questions from the audience. We asked our compliance experts to answer them in detail. Here’s a sample of the questions and answers, for informational purposes only:
Q: When performing a dry run audit for SOC 2 trust service principles, what is your recommended structure?
A: There are two readiness audits you can conduct to gauge a business entity’s readiness for SOC 2:
- Pre-Readiness Gap Assessment
- Post-Readiness Assessment.
THE PRE-READINESS ASSESSMENT
A pre-readiness gap assessment is an early assessment performed when an entity is unsure where it stands for a SOC 2 audit. Its aim is to finalize the scope, build a shared understanding, and produce a work package of gaps and action items to address before the third-party auditor’s SOC 2 audit.
THE POST-READINESS ASSESSMENT
A post-readiness assessment aims to gauge readiness before a third-party auditor begins a formal audit. During this assessment, a business entity must ensure:
- Any gaps identified in the pre-assessment are addressed
- All risks are identified, and a risk assessment is completed
- Each risk is mitigated by controls that are fully implemented and operational.
- Evidence is collected (via automated scans or manually) to demonstrate each control is implemented and operational.
- Policies and procedures linked to controls are up to date and have been approved recently.
- Policies, controls, procedures, and documentation are aligned with one another.
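The post-readiness conditions above (every risk covered by a control, every control implemented and operational, every control backed by evidence, linked policies recently approved) can be checked mechanically against a risk register. The following is an added example, not code from the original post or its authors; the register, the control and policy identifiers, and the one-year "recently approved" threshold are all constructed assumptions for illustration.

```python
"""Toy SOC 2 readiness-gap finder (added example, not from the original post).

Walks a small risk register and reports the gaps a post-readiness
assessment is meant to surface. Every record below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: a policy counts as "recently approved" if approved within a year.
POLICY_MAX_AGE = timedelta(days=365)


@dataclass
class Control:
    control_id: str
    mitigates: list[str]           # risk ids this control addresses
    implemented: bool
    operational: bool
    policy_id: str | None = None   # policy/procedure the control is tied to


@dataclass
class Register:
    risks: dict[str, str]                 # risk id -> description
    controls: list[Control]
    evidence: dict[str, list[str]]        # control id -> evidence references
    policy_approved: dict[str, date]      # policy id -> last approval date


def readiness_gaps(reg: Register, as_of: date) -> list[str]:
    """Return one human-readable finding per gap, in register order."""
    gaps: list[str] = []

    # 1. Every identified risk must be mitigated by at least one control.
    covered = {rid for c in reg.controls for rid in c.mitigates}
    for rid in reg.risks:
        if rid not in covered:
            gaps.append(f"{rid}: no control mitigates this risk")

    for c in reg.controls:
        # 2. Controls must be fully implemented and operating.
        if not (c.implemented and c.operational):
            gaps.append(f"{c.control_id}: not fully implemented and operational")
        # 3. Each control needs collected evidence (scan output, screenshots, exports).
        if not reg.evidence.get(c.control_id):
            gaps.append(f"{c.control_id}: no evidence collected")
        # 4. Linked policies must exist and have a recent approval.
        if c.policy_id is not None:
            approved = reg.policy_approved.get(c.policy_id)
            if approved is None:
                gaps.append(f"{c.policy_id}: policy has no approval record")
            elif as_of - approved > POLICY_MAX_AGE:
                gaps.append(f"{c.policy_id}: policy approval is stale ({approved})")
    return gaps


# Constructed sample register: three risks, two controls, one risk left uncovered.
SAMPLE_REGISTER = Register(
    risks={
        "R1": "Unauthorized access to production systems",
        "R2": "Data loss due to backup failure",
        "R3": "Breach at a vendor holding customer data",
    },
    controls=[
        Control("C1", ["R1"], implemented=True, operational=True, policy_id="P-ACCESS"),
        Control("C2", ["R2"], implemented=True, operational=False, policy_id="P-BACKUP"),
    ],
    evidence={"C1": ["mfa-enrollment-export-2023-06.csv"], "C2": []},
    policy_approved={"P-ACCESS": date(2023, 3, 1), "P-BACKUP": date(2021, 11, 15)},
)

if __name__ == "__main__":
    for finding in readiness_gaps(SAMPLE_REGISTER, as_of=date(2023, 6, 23)):
        print(finding)
```

Run as-is it lists four findings: the uncovered vendor risk, the backup control that is not yet operational and has no evidence, and the stale backup policy. In practice the register would be exported from whatever GRC tooling or spreadsheet the organization already keeps, and the same four checks are what a pre-readiness work package typically turns into action items.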
Q: Vendor monitoring: What are your recommended best practices?
A: First and foremost, create an inventory of vendors and assign a single point of contact or relationship owner (or a department owner) for each vendor. Next, complete a risk assessment or assign a security score to each vendor. The level of risk and the security score are determined by:
- Type of data processed by the vendor
- Data classification
- Practices and processes of the vendor
Then, based on the level of risk:
- Apply appropriate controls for data sharing and processing
- Request SOC 2, ISO 27001, or other compliance/audit reports from high-risk vendors
- Request PCI, GDPR, or other compliance reports if the vendor processes credit card or PII data
- If the vendor handles only simple data, a summary of its policies and procedures will suffice
- For large vendors such as Google, Microsoft, or Salesforce, where there is no single contact, subscribe to their security vulnerability notifications
- Establish controls for patching and upgrading vendor software/services on a regular basis
- Establish a cadence for a security review/audit/QA of each vendor (at least annually)
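The vendor-monitoring steps above boil down to a small amount of bookkeeping that is easy to get wrong when it lives only in a spreadsheet: tier each vendor from the data it handles, derive the evidence to request, and flag vendors with no owner or an overdue annual review. The block below is an added example, not code from the original post or the presenters; the vendor names, the tiering rule, and the one-year review interval are constructed assumptions.

```python
"""Toy vendor register checks (added example, not from the original post).

Tiers vendors by data type, classification and practices, derives the
evidence to request, and flags missing owners and overdue reviews.
All vendor records are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)              # "at least annually"
HIGH_CLASSIFICATIONS = {"confidential", "restricted"}


@dataclass
class Vendor:
    name: str
    owner: str | None            # relationship owner; None means unassigned
    data_types: set[str]         # subset of {"pii", "card"}; empty = no customer data
    classification: str          # public / internal / confidential / restricted
    poor_practices: bool = False # assessor's judgement of the vendor's own processes
    last_review: date | None = None


def vendor_tier(v: Vendor) -> str:
    """Assumed tiering rule: card data, high classification or poor practices -> high."""
    if (v.classification in HIGH_CLASSIFICATIONS
            or "card" in v.data_types
            or v.poor_practices):
        return "high"
    if v.data_types:
        return "medium"
    return "low"


def required_evidence(v: Vendor) -> set[str]:
    """Which reports to request, following the rules in the answer above."""
    tier = vendor_tier(v)
    evidence: set[str] = set()
    if tier == "high":
        evidence.add("SOC 2 or ISO 27001 report")
    if "card" in v.data_types:
        evidence.add("PCI DSS compliance report")
    if "pii" in v.data_types:
        evidence.add("GDPR / privacy compliance report")
    if tier == "low":
        evidence.add("policies and procedures summary")
    return evidence


def review_findings(vendors: list[Vendor], as_of: date) -> list[str]:
    """Flag vendors with no owner or with a review older than REVIEW_INTERVAL."""
    findings: list[str] = []
    for v in vendors:
        if v.owner is None:
            findings.append(f"{v.name}: no relationship owner assigned")
        if v.last_review is None or as_of - v.last_review > REVIEW_INTERVAL:
            findings.append(f"{v.name}: annual review overdue")
    return findings


# Constructed sample register.
SAMPLE_VENDORS = [
    Vendor("PaymentsCo", "finance-lead", {"card", "pii"}, "restricted",
           last_review=date(2022, 5, 1)),
    Vendor("NewsletterTool", None, {"pii"}, "internal",
           last_review=date(2023, 1, 15)),
    Vendor("OfficeSupplies", "ops-lead", set(), "public",
           last_review=date(2023, 3, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: tier={vendor_tier(v)} request={sorted(required_evidence(v))}")
    for finding in review_findings(SAMPLE_VENDORS, as_of=date(2023, 6, 23)):
        print(finding)
```

The tiering rule is deliberately simple; the point is that the rule is written down and applied the same way to every vendor, so the evidence you request and the review cadence you enforce follow from the data the vendor actually handles rather than from whoever happened to onboard it.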
Q: In a SOC 2 audit what are the typical areas that get overlooked by the service organization (in your experience)?
A: Risk assessment and risk monitoring are one key area where organizations typically take a shortcut. SOC 2 auditors audit controls that are aligned to the risks the business entity actually faces, rather than a static laundry list of things to do.
Q: In an ISO 27001 audit, what are the typical areas that get overlooked by the organization (in your experience)?
A: Continuous improvement is a mandatory requirement that must be demonstrated during internal audits. Most business entities focus on implementing and documenting the requirements and controls once, and do not go on to measure and improve each control.
Got a question of your own?
We are here to help. Contact us at firstname.lastname@example.org to get your questions answered!