what it takes to pass a SOC-2 audit
Getting through a SOC-2 audit covers things like:
- Executive: setting and communicating objectives; evaluating operations and financial performance; service level management; business continuity planning; budget approval; vendor management; insurance coverage
- Human Resources: background checks; hiring and termination policies; privacy; acceptable use; code of conduct; confidentiality; intellectual property; whistle-blowing; site security; staff evaluations; segregation of duties.
- Production management: the software development life cycle; production release control; configuration management; the service desk function; identity management; asset entitlements management
- Data management: information classification; data aging &disposal; data integrity &processing
- IT: disaster recovery; technology standards; patch management; security incident management; log monitoring; wireless/mobile systems, removable media, &bring-your-own-device; encryption; firewall management; remote access; systems hardening; intrusion detection &countermeasures; systems availability, capacity, and performance management; version &package management; passwords; malware &viruses; management of advanced privileges; data center facilities &access management; secure file transfer; backup &recovery; security training.
- Internal control: internal audit; operational risk management; policy management.
If your firm is publicly traded, it can also include: "Entity level" matters such as governance, the role of the board, and how the firm deals with its public filings.
The source material for the latter is COSO, but at heart, a SOC-2 audit typically has a scope made up of one or more of the following "trust services principles". Quoting the AICPA's website on the subject:
The following principles and related criteria have been developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of trust services engagements:
- Security. The system is protected against unauthorized access (both physical and logical).
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
It all sounds so easy. But within those five "principles" are hundreds of criteria, organized in a giant 55 page table. These criteria repeat within the five principles, but I don't think they can be adopted by a service organization without hundreds of internal controls being adopted. I have managed to cover all but the "privacy" criteria in about 250 controls (the "privacy" criteria deals in personal information, and because a service organization doesn't directly deal with the end user as would an e-commerce operation, it's hard to put the privacy criteria to work).
To get through an annual service audit, someone has to monitor the controls in place—at all times.