Background
The 2020 audit cycle for organizations that receive SOC reports is going to include new challenges related to COVID-19. Remote workforces are now the norm throughout the world, and there are many new risks associated with this. One example is the use of insecure personal computers (or computers already infected with malware) to connect to corporate networks. In addition, hackers and fraudsters have stepped up their game and increased the frequency and sophistication of their attacks in 2020 to take advantage of the vulnerabilities that the remote workforce has introduced. Many organizations have suffered economically due to COVID-19 and have had to lay off large numbers of employees in order to cut costs. This could result in a failure to re-assign control responsibilities and a corresponding failure to perform certain controls.
A higher frequency of control deficiencies is expected to be noted in SOC reports in 2020, with a corresponding increase in the number of qualified opinions issued by service auditors. However, there are practical steps that service organizations can take to minimize the impact of COVID-19 on their SOC report and also reduce the risk of security incidents and cyber-attacks. The purpose of this blog post is to explore various strategies to accomplish this.
10 Recommendations to Improve Security, Minimize the Risk of Cyber Incidents and Reduce the Frequency of Exceptions in SOC Reports
Keep your software up to date. Keep your security software, web browser, and operating system updated to the latest version. Updates patch security holes that cybercriminals could exploit to access confidential data or infect your devices with malicious software.
Encrypt your devices. If there is sensitive confidential data on employee devices, including laptops, tablets, smartphones, flash drives and other removable storage devices, consider encrypting those files. This is more important with remote workforces where the storage of confidential data on employee devices is more common than in the traditional work environment. In addition, hackers understand the vulnerabilities of a remote workforce and are exploiting them more than ever.
Use multifactor authentication. In the remote workforce world, multifactor authentication plays a major role in preventing cybercriminals from accessing data and employee accounts. Take the extra security step to enable multifactor authentication on any account that requires login credentials.
Secure your router. Routers typically come with a default password, and cybercriminals might already know what it is, meaning your network would be at risk. Change the password on your router to something a cybercriminal would be unlikely to guess. (See password guidance below.)
Use strong encryption. There are different types of wireless encryption. Make sure your router uses WPA2 or WPA3. Both are strong forms of security. Encryption protects information sent over your network so it can't be read by outsiders.
Use strong passwords. Make your passwords strong and unique. A strong password contains at least 12 characters, including letters, numbers, and special symbols. Avoid using the same password on more than one account.
Review and communicate data security policies and practices. Review and update data security policies to ensure they are compatible with a remote work setup. Communicate data security policies to your employees, and send frequent reminders to employees regarding data security best practices while working from home.
Limit access to protected and confidential information. Consider restricting employee access to confidential and protected information on a role-specific basis to ensure employees have access to only the information needed to complete their specific duties.
Use Virtual Private Networks. Organizations should enforce virtual private network (VPN) connections to access company assets. This provides an additional layer of protection for confidential data.
Be mindful of COVID-19-centric scams and phishing emails. Remind employees to be diligent in their review of emails prior to opening links or attachments, and to report phishing attempts as soon as possible once discovered. Controls such as annual penetration testing are more important than ever to help gauge the security awareness (including susceptibility to phishing emails) of employees.
Examples of Controls That May Be Impacted By COVID-19
Background Checks
Most SOC reports include the following control: "Background checks are performed on all job candidates and employment with the organization is contingent upon a clean background check report." Traditionally, it was assumed that background checks were completed prior to the start of employment, and service auditors generally test for this. Prior to COVID-19, a comprehensive background check took between 3 and 10 days to complete. Currently, however, it may take a month or more to complete because records are harder for the remote workforce to access. Companies risk losing good candidates if they delay job offers until after background checks are completed. From a SOC reporting perspective, we have advised some of our clients who face this issue to temporarily change the wording of their control to: "Background checks are initiated prior to the start of employment. However, if there are delays with the completion of background checks, employees may be onboarded prior to the receipt of the reports. Permanent employment is contingent upon a clean background check."
Risk Assessment
One of the entity-level control activities in a SOC 1 and SOC 2 report is the risk assessment process, which includes the identification of, and response to, changing threats and risks. Working remotely due to COVID-19 changes everyday business processes, and these changes may "break" some of the built-in controls in those processes. Additionally, threats and risks to information technology general controls (SOC 1), and to the Security, Availability, Confidentiality, Processing Integrity and Privacy of your systems and related customer data (SOC 2), are also likely to change; all of these changes need to be reflected in your current risk assessment process.
Service organizations should review their risk assessment process, determine whether COVID-19 has changed the scope of the system or introduced new risks to the achievement of objectives or criteria, and ensure the organization has properly addressed those changes and new risks.
For SOC 1, the overall risk assessment should include COVID-19 considerations and determine whether any objectives, risks and/or controls have been impacted. For SOC 2, additional consideration should be given to the in-scope criteria and the impact of COVID-19 on security, availability, processing integrity, confidentiality and/or privacy. Service organizations will need to assess whether new risks arise from increases in remote workers. For example, should multi-factor authentication or additional security measures be put in place?
Whether organizations have been impacted or not, COVID-19 is a risk that should be addressed by all organizations. Some further considerations for the risk assessment include:
- What has changed in our operation (e.g. organization structure, remote work, new services, new tools) since COVID-19?
- Which of our controls (e.g. automated system controls, configurations, alert monitoring) will continue to operate as previously designed regardless of new COVID-19 operations?
- Which controls are no longer operating as designed?
Acknowledgement of Employee Handbooks and Confidentiality Agreements
Employee acknowledgements of certain HR documents are often done manually. The sign-offs and storage of these documents will need to move to an electronic format for companies that are onboarding employees remotely and utilizing a work from home (WFH) model.
Transaction Processing Controls for SOC 1 Reports
Controls associated with payment approval, account reconciliation, check run approval and other management review controls are often performed and documented manually. The performance and documentation of such controls may need to move to an electronic format for companies that have transitioned to a WFH model.
Performance Appraisals
Most companies have traditionally used face-to-face meetings as part of their performance appraisal process. Recently, however, many organizations have postponed or simply not performed annual performance appraisals, given the challenges and risks of meeting in person. We recommend that organizations maintain their normal performance appraisal cycle and conduct the management review via video conference. This is important from a control perspective (and to avoid exceptions in SOC reports). But even more importantly, performance appraisals are a valuable mechanism for communicating with employees and providing them peace of mind and encouragement during the era of COVID-19.
Physical and Environmental Security Controls
Physical and environmental security controls are generally expected to be performed consistently throughout 2020 despite COVID-19. One exception to this is the regular maintenance of equipment (fire and flood detection and prevention, etc.). Although the frequency of this maintenance may be reduced due to social distancing and other concerns, it is critical for data centers to take steps to ensure that equipment is properly maintained and operational.
While the performance of physical and environmental security controls may not change significantly during 2020, the service auditor's method of testing these controls will be very different from the past. Data center walk-throughs and in-person observation of physical and environmental controls will no longer be commonplace. Instead, service auditors will use video conferencing and other technologies to observe the implementation and operating effectiveness of controls.
Conclusion
Because of the many changes to risks and controls caused by COVID-19, 2020 will be a challenging year for organizations that receive SOC reports. However, evaluating and responding to the risks of COVID-19 proactively and early will help minimize the impact of the pandemic on the audit process.