Work(force) from Home: Understanding and Managing Your SOC Compliance Risk

How we all work, and live, has drastically changed in a short amount of time. With the social changes and government restrictions amidst the COVID-19 outbreak, much of what we do on a daily basis to provide goods and services is being done very differently now.

With that in mind, it can be easy to lose sight of the processes within organizations, designed over years of trial and error, to ensure the security of information. With the dust settling after the rush to implement a work-from-home (WFH) workforce, it is important to stop for a moment to consider whether your entity’s data security controls have been negatively affected.

While this is important for all organizations, it has added significance for organizations subject to SOC examinations, since any degradation of controls could become a finding in your next report.

Be Proactive on Your New WFH Compliance Risks

Changes to your operations stemming from COVID-19, such as working from home, remote working, or teleworking, will be an important discussion topic during your next SOC planning meeting. To make sure you are ready, we recommend taking the following actions:

  • Review the controls within your most recent SOC report and consider whether any of these controls have been affected by operational changes. Areas where control impact is likely include:
    • Provisioning of new IT resources to support WFH.
    • Provisioning of access to new systems/resources or elevated access within existing systems/resources.
    • Data handling policies and procedures that may not address WFH.
    • Implementation of new collaboration tools to share (potentially sensitive) customer information.
  • For any impacted or newly added controls, record the date of change/implementation and any other pertinent details in a memo.
  • Consider whether changes to controls have resulted in audit evidence that would be different from what was provided in the past. Discuss these differences with your auditor to determine whether the new evidence will cause any problems.
  • For affected or newly implemented controls, consider whether the necessary documentation and approvals have been retained to support audit requests. (Were all of those newly provisioned VPN credentials formally approved in the rush to get your teams working remotely?)


We Are Here to Help

The health and well-being of you and your families is the first priority. When the time comes to evaluate the integrity of your security controls in this new landscape, we can guide you through the process and create the reports you need for assurance over your controls.

Lurie’s Technology Assurance team is dedicated to providing technology advisory and compliance services to companies that range from start-ups to Fortune 100 companies.

Contact us today with your questions; we are here to help.
