No organization is immune to cyber threats. Some businesses are targeted because of what they do and the information they possess. And yet others are attacked simply because they appear most vulnerable.
Cyber threats continue to grow worldwide, and COVID-19 has only fueled the fires as hackers look to exploit vulnerabilities in a work world gone remote. It’s likely your organization will be attacked at some point. How well you respond — in defending, detecting and mitigating the damage — will have lasting consequences for your business.
Senior leaders acknowledge cybersecurity is a top concern. But they need more information about how to manage the risk. Meanwhile board members and business partners are ramping up their scrutiny and pressuring organizations to demonstrate they have effective controls in place.
In response, the AICPA developed SOC for Cybersecurity. This risk management framework is a tool organizations can use to evaluate their cybersecurity risk management program and verify the effectiveness of their controls.
What is the SOC for Cybersecurity framework?
SOC for Cybersecurity is a framework that provides common criteria for assessing your organization’s cybersecurity risk management program. It is both a decision-making tool for internal leaders as well as an audit tool to communicate to customers that you have security measures in place to protect their data.
Using the SOC cybersecurity framework, a qualified CPA firm like Wipfli can perform an audit of your cybersecurity controls and risk management efforts. This provides third-party assurance that your organization has best-practice controls in place to protect, detect, mitigate and recover from cybersecurity events.
What goes into a SOC for Cybersecurity report?
SOC for Cybersecurity begins with this basic premise: A cybersecurity risk management program is a set of policies, procedures and controls designed to: 1) protect information and systems from security events that could compromise the organization and 2) detect, respond to, mitigate and recover from (on a timely basis) security events that are not prevented.
Using the SOC for Cybersecurity framework, the SOC report addresses your cybersecurity risk management program and the effectiveness of the controls you have in place to meet your cybersecurity objectives. Elements of a SOC Cybersecurity report include the following:
1. Nature of business and operations
This is a general disclosure on the overall nature of your business. This includes information about the products and services you provide, how you distribute products, the geographic markets where you operate and a breakdown of your service lines.
2. Nature of information risk
This covers the nature of the information you hold, such as customer information, healthcare data, personal financial data, etc. Consider whether you’re subject to other frameworks that would guide you in how you protect that information. For example, are you bound to legal requirements, regulatory or contractual commitments about how you need to protect information?
Beyond customer data, consider the internal information you need to maintain to keep the business successful. This could include internal financial information, operational data, trade secrets, customer lists, strategic planning documents, and so on.
3. Cybersecurity objectives
In this section of the report, management defines the organization’s cybersecurity goals. These objectives should be established, and regularly reviewed, by a board or an entity responsible for governance and strategic planning functions.
Data availability, for example, is a standard goal. You’ll need to determine and disclose your objectives for making data available to both internal and external users such as business partners, vendors, customers, etc.
In terms of data integrity, your objectives might be to prevent improper access to data or modification of data. Likewise, you might also focus on ensuring your systems are producing complete, accurate and reliable information.
4. Cybersecurity risk factors
This section discloses the inherent risk factors that affect your cybersecurity. By this we mean anything that introduces cyber risk — things like outsourcing for significant business processes, mobile technology, internally developed applications, network architecture, dependencies on certain kinds of technology and dependencies within your own internal IT organization.
5. Risk governance structure
This is about setting tone at the top. That means setting standards for employees to follow and identifying and addressing issues when people aren’t doing the right things. Your risk governance structure should include:
- Communicating integrity and ethics
- Establishing reporting lines and accountability
- Ongoing development for employees with cyber responsibilities
6. Risk assessment process
This part of the SOC for Cybersecurity report addresses your methodology for assessing risk. Here you’re reporting on who’s responsible for the risk assessment process, how often they perform it, how it gets updated, etc.
No matter the methodology, the process needs to consider the threats and vulnerability and likelihood of occurrence. Changes to the business should trigger an assessment, or reviews should be frequent enough to address business changes.
7. Cybersecurity communications
This part of the report addresses both internal and external communications. In terms of internal communications, we’re talking about communicating to employees and contractors the things they need to do to carry out their cybersecurity duties. This includes things like training, job descriptions, having an appropriate code of conduct and robust policies and procedures.
For external parties, this part of the framework is about outlining how you communicate with customers in the event there is a cybersecurity incident. This also involves how external customers or business partners contact you in case they think there’s been a cybersecurity event.
Recognize that you have reporting requirements under the SOC for Cybersecurity framework. For events that have occurred in the last 12 months that have caused significant impairment, you need to disclose the nature, timing and extent of cyber incidents as part of this report.
This part of the framework addresses monitoring, such as continuous scanning procedures or point-in-time audits. Monitoring results need to go to your board or governance group as well as your internal remediation group. Remediation plans and communication should be formalized and described in the report.
9. Cybersecurity control activities
This is the bulk of the report and discloses the control activities you have in place to reduce risk. This includes the bulk of your IT controls as well as key security policies and processes that address the risks you’ve identified and outlined above.
Benefits of the SOC for Cybersecurity assessment
Defining and documenting your risk environment allows you to provide business leaders and stakeholders with a reasonable understanding of your risk management program. A SOC report can help your organization better understand your risk environment and more adequately defend against risk.
Using the SOC framework you can:
- Standardize and optimize your risk management processes.
- Make better informed decisions regarding the processes, policies, technology and controls you use to create a more secure business environment.
- Build confidence and trust among board members, business partners, customers and other valued stakeholders.
- Reduce security risks by detecting vulnerabilities before they lead to data loss.
- Increase response time to detect and stop attacks and then mitigate damage with a well-orchestrated response.
Improve your processes and give your customers high confidence in the quality of your internal controls. Contact us for risk management support and a qualified SOC report of your cybersecurity risk management program.
Or continue reading on:
SOC for Cybersecurity vs. SOC 2: 5 key differences
Can a SOC exam help me grow my business?
How to choose the timing of your SOC exam
SOC 1 vs SOC 2: What’s the difference?