Work from Home SOC 2: Overcoming Cyberattack Challenges
It seems like everything these days has been delayed, put on hold, or has been completely derailed. Events have been canceled, projects have been pushed back, and plans have been shifted to the back burner as the world focuses on limiting the spread of COVID-19. Lockdown measures and stop-work orders have drastically changed the way many companies do business. So, WFH is the best way to keep activities going for the time being.
The pandemic has demanded that most offices pivot in place – relying on virtual workspaces and a largely (if not entirely) remote workforce. But that doesn’t mean that SOC 2 reporting and auditing need to get off schedule too.
What Are the Challenges to Managing SOC 2 Activities with a WFH Setup?
Having a remote workforce increases the vulnerability of your network, at a time when breach attempts and cybersecurity attacks are more aggressive than normal. Laptops and home computers logging onto networks remotely are often easy prey for hackers. Now, with so many people working from home, hackers are taking advantage of their opportunity and the number of malicious attacks has increased in the past three months.
Large and small organizations alike can modify their processes to ensure SOC 2 compliance, even while employees are working from home. But there are some extra hurdles that your team should expect. Understanding the effects of remote working on SOC 2 activities is key to making sure that all controls work properly with your organization’s infrastructure.
Ensuring Security for a Remote Workforce
The criteria for security, confidentiality, and privacy set by the AICPA Trust Services Criteria must be met, especially when employees are working outside of the office. Ensuring that current controls are expanded to include the entire remote workforce is crucial for security reasons and in preparation for SOC 2 auditing. Logical access security software and infrastructure security measures should be implemented to protect the organization’s network.
Understanding that risk and vulnerability are heightened during this period, your organization should run a thorough risk assessment. The goal is to identify any possible gaps introduced by the abundance of remote workers. Assessment will identify where security controls need to be added or modified to mitigate this new risk. Then, management is able to develop or update the Remote Work Policy appropriately.
Encrypted Hard Drives
Before switching to telecommuting, your IT security personnel will need to make sure that all laptops, smartphones, PCs, and other devices used to access company data have encrypted drives, protecting the data on them if a device is physically lost or stolen.
Virtual Private Networks (VPNs)
Using an internal or reliable third-party VPN with encryption features will protect sensitive data and provide your remote workforce with safe access to company servers and internal systems.
Two-Factor Authentication (2FA)
When using virtual desktops, web-based work tools, SaaS platforms, cloud software and programs, two-factor authentication (2FA) helps verify that only authorized users have access to sensitive data. This is especially important when it comes to e-mail accounts and file sharing.
Developing a Remote Work Policy
With this shift to a virtual office, employees are using their own devices and Wi-Fi connections with questionable security levels. For this reason, organizational IT security policies need to outline guidelines for employees related to cybersecurity requirements. It’s important to enforce the updating of security patches, software, and applications for both on-site workstations and devices that will be used outside of the office.
When data is being accessed remotely and used outside of the secure environment, best practices are to:
- Make sure security patches are up to date.
- Make sure software and applications are up to date.
- Confirm that firewalls are enabled.
- Have staff refresh security awareness training to help avoid phishing and ransomware attempts.
- Review policies which limit work equipment from being used for personal activities online, including e-mail, messaging, social media, video streaming, and purchases.
- Request that employees report any security issues or concerns to the appointed IT security officer and review the reporting procedure with staff.
Adapting SOC Procedures While Working Remotely
Once you’re set up and ready to continue SOC reporting and auditing activities, there are a couple of changes that your team should be ready to make.
File-sharing platforms, cloud collaboration tools, and video calls make it easy to collaborate and carry out most activities remotely. Though this may be a new way to handle things for your team, it’s still important to document agendas, meetings, and results as you have in the past. For a SOC 2 assessment, this documentation serves to demonstrate the operating effectiveness of controls. And, as always, it provides valuable information for remediation efforts.
Your organization should ensure that the Remote Work Policy includes the proper documentation and retention measures for distance workers.
Just as business is moving forward during the pandemic, SOC activities should also continue. We must also remember, however, that there have been numerous interruptions and delays that were unpredicted, and which are difficult to manage. Performing assessments, collecting evidence, gathering documentation, and reporting can require a significant amount of time. Now is a good time to review the timing of these activities and plan carefully to schedule resources and engagement.
Supporting Work from Home SOC Audits – I.S. Partners
WFH SOC audits are now possible with the help of forward-thinking external auditors. I.S. Partners, LLC. boasts a team of experienced auditing professionals who perform SOC 2 audits regularly and work hard to stay up to date on all the relevant regulations.
No matter where in the world your office is located, or where your workforce is operating from, we can help you start preparing for your SOC 2 audit today. I.S. Partners offers a full range of innovative virtual auditing services. Call us at 215-675-1400 or request a quote to discuss your auditing needs.