
I often hear from people that audits are “brutal” and that passing a SOC 2 audit is a significant accomplishment. Most people I talk to feel that an audit is a burden and that passing it takes a lot of extra, unnecessary effort. At TCM Security, we recently completed our first SOC 2 Type 2 audit with zero exceptions, and I wanted to share some of our experiences with the audit while debunking some audit myths along the way. I’ll briefly explain the various types of SOC audits available, why you’d want to consider an external audit, the various areas of the audit, and some tools that may be helpful for those planning to undergo an audit in the near future.

Types of Third Party Audits

There are several different types of credentials that an organization may obtain through a third-party audit to show its expertise, maturity, or compliance. For example, ISO 27001 is an extensive information security management framework that an organization can adopt and get certified in. Unlike NIST, which relies on self-reporting of compliance, ISO and SOC are verified by an impartial third party. Hence, the audit results are verifiable and based on a third party’s observation and compliance verification. A SOC audit is often quicker and easier to obtain than an international standard such as ISO 27001. While there’s overlap between ISO 27001 and SOC 2, the ISO audit and certification process is much more detailed and rigorous.

SOC, which stands for System and Organization Controls, is a set of standards for audits managed by the American Institute of Certified Public Accountants (AICPA). SOC helps to demonstrate the effectiveness of an organization’s set of controls. There are several types of SOC audits, each with a Type 1 and a Type 2 variant. A Type 1 audit is done at a point in time, while a Type 2 evaluates an organization over a given reporting period, the minimum of which is three months for a first-time audit.

SOC 1 (Type 1 and Type 2) Audits

A SOC 1 audit focuses on internal controls over financials and financial reporting. It is designed for organizations that must be explicit about their finances, such as banks, payroll processors, and anyone who provides financial data to their customers.

SOC 2 (Type 1 and Type 2) Audits

A SOC 2 audit evaluates an organization based on five principles, known as the Trust Service Criteria (TSC). They are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every SOC 2 audit must include the Security TSC, but the remaining ones are optional. Here’s what each TSC covers:

Security

Security deals with protecting information and an organization’s systems against unauthorized access, breaches, and other security incidents that could compromise an organization’s data and expose customer information. The main controls assessed by the Security TSC are access controls, authentication mechanisms, firewalls, intrusion detection and prevention, and encryption. In my opinion, security is a baseline for any given organization. In other words, every company should have these controls implemented and supported within their environment. I also want to note that aspects of Availability, Processing Integrity, Confidentiality, and Privacy are also evaluated here in Security, but at a higher level. Security is the single required TSC, while the remaining four are optional.

Availability

Availability is an organization’s commitment to ensuring data is available and accessible during the agreed-upon service level agreements (SLAs). This TSC verifies that an organization’s systems are reliable and meet user needs. The main controls covered by availability revolve around disaster recovery, backup procedures, and system monitoring.

Processing Integrity

Processing Integrity verifies that an organization’s processes are accurate, complete, timely, and valid. It ensures the organization’s data is free from errors, delays, and unauthorized changes. Controls here include quality assurance, error handling, and data processing.

Confidentiality

Confidentiality protects sensitive data from unauthorized access and ensures that it can only be seen by authorized parties. Data classification, encryption, and access controls specific to sensitive data are used to assess the Confidentiality TSC.

Privacy

Privacy focuses on how personal information is collected, used, retained, disposed of, and disclosed under the organization’s privacy policy and relevant regulations (such as California’s Privacy Act). Data privacy policies, consent management, and controls around personal data collection and handling are used to evaluate this TSC. From speaking with several auditors, this is one of the hardest TSCs to comply with fully.

SOC 3

SOC 3 is a high-level version of a SOC 2 audit typically used for marketing purposes. While SOC 1 and 2 collect and include details about how an organization operates, SOC 3 keeps things at a high enough level that no company secrets are shared. As such, SOC 3 is intended for public use and can be freely distributed, whereas SOC 2 and SOC 1 audits are typically disclosed only to parties that have signed NDAs.

Why Do I Need an Audit?

Now that we’re familiar with audit types, let’s discuss why you may want to consider an audit for your organization.

Regulatory Compliance

First, there may be a regulatory or contractual requirement to have an external security audit done at least annually. Many organizations across various industries are locked into an annual external audit to ensure compliance with various laws. For example, anyone in the financial services industry, technology and cloud service providers, healthcare, e-commerce, or anyone working with the government is likely asked to maintain a SOC or ISO certification.

Competitive Advantage

If an organization is a vendor to other companies, SOC 2 may be required as part of the vendor due diligence performed on any third party with which a company does business. For example, TCM Security frequently reviews the compliance status of any vendor critical to our operation. Any vendor found not in compliance may be replaced with a vendor who is in compliance, so having a SOC 2 report helps an organization be picked as a vendor. At the same time, when we consult for other organizations, we are frequently asked to provide evidence that we take security seriously, and a SOC 2 audit report provides that evidence.

Customer Trust

Outside of the legal or contractual obligation for a SOC 2 Type 2 audit, an organization should consider one because it demonstrates to its customers that it is serious about protecting customer data, serious about its security posture, and diligent about making sure its systems and networks are secure and that its people are educated on security issues. While this seems like something every organization should strive for, many don’t. Some of the many reasons cited include costs, the complexity of the audit, and the time commitment required. Many also feel that the audit would distract from ongoing business operations.

However, it’s hard to agree with these reasons because protecting our customers and ensuring the security of our data is fundamental to any company. If an organization is going to collect information, especially if it is deemed sensitive, it must take precautions to secure it, and simply taking the organization’s word for it is not a good option. A third-party audit proves you are serious about security and do everything possible to maintain a strong security posture.

Making Audits Easier with Vanta

My initial experience with SOC 2 was with my previous employer, in an environment where everything was done manually. Each audit request had to be fulfilled through meetings, by providing screenshots, and through various other manual tasks in order to give the auditors an accurate picture of our environment. While we did many things correctly, it wasn’t easy to prove. It also wasn’t easy to manage, as the controls, procedures, and other elements examined by the audit were scattered throughout the environment. This is not a good situation to be in.

Here at TCM Security, we approached the audit in a much smarter way and engaged Vanta, an online platform for managing your organization’s compliance. Vanta integrates with your environment and even has a desktop agent that provides feedback on various aspects of an information security program. It can automate much of the evidence gathering required for a SOC 2 and other types of audits. Vanta helped streamline our audit process by continuously monitoring our systems and gathering necessary documentation, which reduced the need for manual data collection. This real-time data allowed us to stay audit-ready throughout the year rather than scrambling at the last minute. The benefit here is two-fold. Not only are you maintaining and doing everything you need to do to ensure a successful audit, but you are also constantly improving and addressing information security issues and needs, making your organization safer along the way.

The additional benefit of Vanta is a clear blueprint for building and maintaining a strong information security program. We were able to quickly adopt best practices for areas where we needed improvement and enhance the controls we were already implementing. This proactive approach strengthened our security posture and made our audit process much more manageable.

Moreover, Vanta made it easier for our auditors by allowing us to grant them direct access to our data on the Vanta platform. They could review our controls and evidence remotely, reducing the need for time-consuming meetings and back-and-forth requests. This efficiency made the audit more cost-effective and simplified the work for our auditors, contributing to our successful completion of the SOC 2 audit without any exceptions.

Conclusion

While SOC 2 audits can seem daunting, they don’t have to be a burden. By leveraging tools like Vanta and approaching the process with the right mindset, organizations can ensure their security measures are up to par while making the audit process smoother and more efficient. At TCM Security, we not only passed our SOC 2 audit but also used it as an opportunity to strengthen our overall security program, providing greater confidence to our customers and partners.

About the Author: Alex Tushinsky

Alex has over three decades of expertise in software development, application architecture, cybersecurity, and technical education. As a lifelong learner, he holds more than twenty active IT certifications and is a Microsoft and CompTIA Certified Trainer. Alex’s passion for sharing his knowledge has led him to teach at numerous institutions, including Rutgers University, Bergen Community College, County College of Morris, College of Southern Nevada, and the University of Nevada, Las Vegas (UNLV). Additionally, he is the author of numerous online courses on platforms such as Pluralsight and TCM Academy, including our C# 101 for Hackers course.

Alex holds a Bachelor of Science in Software Development and a Master’s in Cybersecurity and Information Assurance from Western Governors University. His passion for software development has led him to work at Fortune 500 organizations such as PepsiCo, Intel Corporation, Gen Re, and several smaller businesses, where he has worked on enterprise software development projects primarily in C# and Java. In the cybersecurity field, Alex has worked as a Chief Information Security Officer and is a consultant to several small and mid-sized organizations, where he educated and provided guidance on the importance and proper use of information security. Currently, he is the Chief Technology Officer at TCM Security.

When not working, Alex spends his time with his wife and many pets, including two cats and three Boston Terrier dogs. He is an active runner and cyclist and is an ethical and health-conscious vegan.

About TCM Security

TCM Security is a veteran-owned cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients, including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to demonstrate proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com