April 21, 2023
As Mindsight’s Director of Internal Systems and Security, Matt Cox knows a thing or three about SOC 2 compliance — whether it’s of the Type I or Type II variety. He’s also very familiar with the intensive and potentially expensive annual auditing procedure that all SOC 2-certified organizations must endure to prove they’re adhering to five “trust service principles” — Security, Availability, Processing Integrity, Confidentiality, and Privacy — when it comes to handling their customers’ data.
Why is SOC 2 compliance so important?
It provides an annual and independent attestation that your organization is following good business practices. And it’s not strictly about security; it looks at organizational practices, your hiring and firing practices, how you train your folks, how you organize your business. Because Mindsight is in SOC 2 compliance, for example, we’re able to provide that assurance to our customers. A lot of them aren’t aware of it or don’t ask about it, but as we’re doing business with larger organizations that are aware of it, or that have requirements, we provide SOC 2 reports to them just as our vendors have to provide those reports to us.
Have SOC 2 audits become more stringent in recent years?
In talking to the auditor, I know there are some additional controls. In the last couple of years, they’ve wanted to look into our third-party risk management framework — how do we deal with risk passed on to us by our software vendors. They’re also further scrutinizing our software vendors to see who our partners are beyond the ones we provide services to. Who do we use to back up our data? Who provides our firewalls? I think that’s because it’s becoming evident, if you pay attention to security news, that some vendors are more responsible with security than others. But a company can easily pass the audit and still be a catastrophic failure. There’s no guarantee of success.
What actually happens during a SOC 2 audit?
It happens once a year and it’s kind of a three-step process. The auditor, a certified public accountant, reaches out and lets us know it’s time to begin the audit process. For Mindsight, that’s in early March. And they provide a document that includes our assertion of how we’re doing business: a list of the organizations that we work with and the services that we offer our customers. And we can make changes to that over time as our business evolves. Then, about a month later and before the on-site audit, we have to provide them with documentation of all the controls [trust service principles] they’ll be reviewing with us that year. Additionally, we have to give them a list of who we hired, who we fired, who we brought on as contractors, and a copy of our employee handbook. Eventually, they’ll also want to see onboarding documents for any recent hires.
Can MSPs facilitate these audits for their customers?
At Mindsight, we don’t have CPAs on staff, so we can’t do the audits ourselves. But I’ve talked many of our clients through the process. If it’s their first time undergoing a SOC 2 audit, I make sure they’re prepared to take it on, because the first time around is really rough. Small organizations, especially, don’t have a lot of the necessary processes and procedures in place. Or if they do, it’s not all documented. And there’s a ton of documentation that goes into an audit. Once you have all of that done, it’s not too bad. It’s time consuming and tedious, but you’re not running around frantically, going, “Where is our hiring documentation? Where are our job descriptions?”
Are MSPs like Mindsight required to get SOC 2 audits?
There are no regulatory requirements that I’m aware of. This is more something that you would use to underpin your reputation — a value-added thing. Our industry is not regulated, but some of our customers are. And so by being able to present them with a completed SOC 2 audit, we can say, “You can trust us with your data and your business processes, because we’re undergoing the same kind of scrutiny you are.”
What are the most common challenges organizations face when trying to achieve SOC 2 compliance?
Process documentation. Most organizations have well-developed processes in place but lack formal documentation of those processes. That is what the auditors are primarily looking at. The organization must define its processes, document them, and then demonstrate to the auditor that the organization follows those processes.
What are the consequences for an organization if they fail a SOC 2 audit?
In most cases it is lost time and could lead to reputational damage. If you are going through the time and expense of getting SOC 2 compliant, you really don’t want that time wasted. It’s also important to clarify that the audit isn’t technically a pass/fail kind of thing. If the organization cannot adequately demonstrate compliance with the defined processes, the auditor will note an ‘exception’ and the organization is given time to remediate the exception and/or provide an explanation for the exception in the report. This happens from time to time; nobody is perfect.
In your experience, how have the SOC 2 compliance requirements evolved to keep up with the changing cybersecurity landscape?
Over time it’s been clear that the compliance framework has become more security savvy and is looking at those kinds of process controls more carefully. It’s adapting to the changing threat landscape, and that helps to keep the framework relevant. One example is taking a closer look at risk management and, more specifically, third-party risk management.
How do you handle situations where a vendor or partner is found to be non-compliant during the audit process?
As I mentioned before, this does happen from time to time. This year one of our vendors showed an exception in their SOC 2 report where, during the audit, it was discovered that a few of their systems were not receiving security updates even though the tools they were using indicated that they were up to date. They quickly resolved the issue and put in controls to prevent that from happening again. This was noted in the SOC 2 report provided to us by the vendor. It is a good idea to regularly review SOC 2 reports from your vendors as part of a healthy third-party risk management process, even if your organization does not intend to pursue SOC 2 compliance.
Are there any specific industries or sectors where SOC 2 compliance is particularly crucial, and why?
I think it’s particularly important for organizations that provide technology solutions to their customers, unless they are regulated by another compliance framework such as HIPAA or PCI-DSS. SOC 2 compliance is just one of the ways an organization can build trust with its customers and distinguish itself from the competition.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert-level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About The Expert
Matt Cox is the Director of Internal Systems and Security at Mindsight, and has over 20 years of experience in Telecommunications, Information Technology and Network Management. In his role at Mindsight, Matt has the uncanny ability to communicate complex technical ideas to a broad audience. He is passionate about information security and using technology to improve business outcomes and is currently pursuing CISSP certification. When he’s not focused on the hyper-technical, Matt enjoys boating, fishing, and lock picking.