Are you a cloud computing, SaaS, PaaS or IaaS provider that needs to perform annual SOC 2 compliance audits & assessments for your clients, to show that security best practices are being met and adhered to? If so, then take note of the following SOC 2 compliance checklist for cloud computing & SaaS providers and vendors, courtesy of NDB Accountants & Consultants, LLP (NDB), North America’s leading provider of SSAE 16 SOC 1, SOC 2, HIPAA, and PCI DSS assessments:
1. Understand What SOC 2 is and what it isn’t. SOC 2 is NOT an ISO 27000 series audit, nor is it an ITIL assessment, or some other misconceived notion. Rather, a SOC 2 assessment uses the Trust Services Principles (TSP) framework to evaluate a service organization’s internal controls against the prescribed set of “Common Criteria” found within the TSPs themselves. SOC 2 assessments therefore cover a wide range of controls, such as operational, technical, and information security controls. Because of this, the SOC 2 framework also allows for a high degree of customization, even to the point of including other frameworks in the assessment (more on this in points 3 and 4).
2. Know the differences between SSAE 16 SOC 1 and SOC 2. Cloud computing & SaaS providers and vendors should generally not be performing SSAE 16 SOC 1 assessments as such reporting is restricted to service organizations performing services that could impact their clients’ financials. The SOC 2 standard is highly geared towards technology companies, and also allows for the incorporation of other frameworks into the SOC 2 report itself. While we still see many technology companies performing annual SSAE 16 SOC 1 compliance – the likes of data centers, managed services vendors, and others – this is changing, with more and more businesses opting for SOC 2 compliance, and rightfully so.
3. Determine what reporting framework is to be used. While a SOC 2 audit is based on the Trust Services Principles (TSP), there are a great many frameworks that can be used for assessing one’s internal controls – COBIT, COSO, CSA, and more. What you need to determine is that whatever framework is being used by the CPA firm performing your audit is in fact the best and most appropriate fit for your organization. Many service organizations are adopting the Cloud Security Alliance (CSA) framework (see below), as it contains an excellent set of prescriptive criteria for assessing cloud providers for SOC 2 compliance.
4. Get to know The Cloud Security Alliance (CSA). The CSA is without question one of the leading standards bodies when it comes to best practices for cloud computing. What’s more, many CPA firms that issue SOC 2 reports often include the CSA framework for purposes of assessment and reporting. Specifically, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that details security concepts and principles aligned to the Cloud Security Alliance guidance within its 13 domains. Source: https://cloudsecurityalliance.org/
5. Begin with a SOC 2 Scoping & Readiness Assessment. You need to gain a strong understanding of the entire SOC 2 process: what the actual audit entails, its constraints and challenges, the gaps and deficiencies that need to be corrected, and more. The only way this can be successfully achieved is by performing a SOC 2 scoping & readiness assessment, which is what we offer for cloud computing organizations. Without a SOC 2 scoping & readiness assessment, you’re missing out on key criteria that need to be assessed before the actual audit commences. Call and speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706 to learn more about SOC 2 compliance and obtaining a fixed-fee proposal.
6. Be Prepared to Perform Remediation. Remediation is often a two-front process. First, you’ll need to develop all necessary policies and procedures; that’s the documentation aspect of remediation. Every business should have comprehensive information security policies and procedures in place – and most don’t – so consider this an important element when assessing your overall SOC 2 readiness. Next, technical and other I.T. remediation efforts will have to be performed, such as re-configuring servers, changing access control rights, and more. Remediation can be a time-consuming process; it all depends on the maturity of your control environment, which is ultimately assessed during a SOC 2 scoping & readiness assessment.
7. Why Policies and Procedures are Critically Important. Today’s regulatory compliance mandates are incredibly demanding and taxing, with documentation often proving to be one of the more tedious tasks to complete. We’re talking about the need to have comprehensive information security and operational policies and procedures in place for compliance – and especially for SOC 2 assessments – and it’s why NDB offers a SOC 2 Policy Packet to all our clients, helping to save hundreds of hours and thousands of dollars in compliance fees. We also offer technical remediation forms and checklists to help businesses correctly secure and harden critical information systems.
8. Understand the actual Assessment Process. Audits can be incredibly time-consuming, but just remember that it is a collaborative process – you and the auditors working together to ensure the overall success of your SOC 2 audit. Remember that auditors will demand a lengthy list of deliverables, such as the following: policies and procedures, system configuration files, screenshots, signed memos, and more. You’ll therefore need an internal “champion” who can communicate and coordinate all aspects of the audit process with your auditors. There’s much work to be done, but with an understanding of what’s expected from your business, the SOC 2 audit process becomes very manageable.
9. Engage in Continuous Monitoring. Do you have a process in place for regularly assessing your internal control environment and modifying or enhancing it as needed to ensure it’s operating as designed? Do you have a process in place for making documented changes to your policies and procedures, along with technical changes to your control environment? If not, then welcome to the concept of “continuous monitoring”, a practice that applies the measures described above to help ensure not only the continued success of your annual SOC 2 audits for cloud computing, but also the safety and security of your entire organizational infrastructure.
10. Know that Regulatory Compliance Is Here to Stay. Don’t think a “one and done” scenario will get you out of the regulatory compliance reporting mandates. Today’s world of business is full of threats and complexities, requiring organizations to put comprehensive measures in place to ensure the safety and security of organizational assets. The globally accepted due-diligence audit process for assessing organization-wide internal controls has been – and will continue to be – SOC 2. Therefore, consider finding a firm and engaging in a long-term relationship, so that you have a stable provider performing your assessments each year. NDB offers fixed-fee pricing and discounts for multi-year engagements.
11. Helpful Tips. Before you really even begin to think about an annual SOC 2 audit – even before a readiness assessment – here are some helpful tips to get things moving in the right direction, ultimately helping to ensure a successful SOC 2 audit process from day one: (1). Develop an asset inventory list, one that’s current, accurate, and captures all relevant information systems within your I.T. landscape. We’re talking about network devices – such as firewalls, routers, switches, and more – along with a detailed listing of your servers (i.e., both physical servers and virtual servers), along with other devices, such as laptops, PDAs, and other items.