We are often asked for guidance on the controls that auditors will look for in this new remote reality. A web search for "work-from-home best practices" will turn up plenty of good advice, but when it comes to your SOC 2 controls specifically, what is required? The short answer is that nothing specific is required, but the auditor will ask whether you have considered any new security (and even operational) risks in response to the pandemic. Newly identified risks call for newly identified controls.
Rather than apply a mish-mash of controls found on the internet, a risk-based approach will put you on the most efficient path to compliance. If you apply solutions haphazardly, you may end up with a fancy and expensive tool that you did not need, a solution that was painful to deploy, or one that hinders employee productivity.
Start By Assessing New Risks. First consider your industry, or the industry you serve. Are you handling healthcare records, corporate secrets, or regulated data? If there were a breach or security incident, how bad would it be for your organization? A lower-risk data environment may justify fewer controls, solutions, and practices; pick the ones that fit your environment rather than everything on the market.
Next, brainstorm threat scenarios that may apply to your remote workforce. For each scenario, consider first how likely it is, and then what the impact would be if it happened. Get creative! Consider how a bad actor could infiltrate your network and what the consequences could be. Consider the various ways that data flows in and out of your network and how each path could be compromised. Think about the ways an employee may be susceptible to an attack (a phishing email on a home laptop, a reused password, an unpatched home router) and how that might lead to a network compromise. For risks that are both likely to occur and would have a major impact (financial, reputational, or legal), identify and apply reasonable controls. Here are some ideas:
Security Training, Training and More Training. Employees remain the most common initial entry point for a cyber attack, so arm them with the knowledge to identify, prevent, and respond to attacks or accidents. Whether your business is remote or on site, it is always a good idea to refresh your security awareness training. The training should cover the threats to look out for, such as phishing, smishing, whaling, and other social engineering attacks. It should also cover corporate guidance on acceptable use of company assets, tips on good security hygiene, and how to report incidents. Above all, the training should empower employees to be diligent and cautious, and to ask when something looks wrong.
Test Your Incident Response Plan. Dust off your incident response plan and update it for the new risks that have emerged in the remote landscape. Run a tabletop exercise on a brand-new scenario from your risk-brainstorm session. Roll out any revisions, and communicate to employees that they will not be penalized for reporting that they fell for a phishing attempt. A report made within minutes is worth far more than one hidden for days, so make clear that you support them and that reporting carries no repercussions.
Mobile Device Management (MDM). MDM tools allow you to centrally manage a variety of security measures on company-owned devices. Examples of these measures are screen lock timeouts, blocking installation of non-approved software, full-disk encryption, remote wiping, and disabling USB storage. You do not necessarily need to turn on every bell and whistle, but it is not a bad idea. If you are not yet ready to invest in an MDM solution, then address data loss risks with an Acceptable Use Policy and with training.
BYOD AND BYO-SW Policies. If you do not issue corporate laptops and employees can access your network with their own devices, then you will need a Bring Your Own Device Policy, and employees must formally acknowledge that they will adhere to it. The contents of this policy should align with your risk landscape. For example, if you are in a high-risk industry or you serve one, you may require that a specific antivirus/anti-malware solution be installed on employees' devices, that the operating system is kept patched, and that the disk is encrypted. You could also include clauses that no other individuals in the household may use the device, that it is locked in a cabinet or room when not in use, and that it is backed up on a set schedule.
You may also want to incorporate a Bring Your Own Software Policy. This is especially useful in the startup world, or for organizations that utilize third-party contractors. You may want to discourage (or disallow) the use of applications or tools that are not centrally managed or approved, depending on the risks that you have identified.
IT 'Hygiene' at Home. Offering your remote staff the tools, guidance, and solutions to secure their home network will pay off. A plethora of tips abound on the internet, but here at Strike Graph, for example, we are all encouraged to disable automatic network connections on our home Wi-Fi, and to use WPA3 if our devices are compatible, or "WPA2/WPA3 Transitional" if we have both older and newer devices at home. Consider what would be reasonable for your employees and communicate it via training, an all-hands meeting, a companywide guidance email, or all three.
Revisit Logical Access Policy and Procedures. Another policy to dust off is your Logical Access or User Access Policy. Review it through the lens of a remote workforce to see whether it needs revision. Ensure that it covers least privilege (users have only the access they require and no more), that credentials are never shared, and that privileged access is restricted to named, approved individuals. Then perform a user access review on all critical (and even not-so-critical) assets. Confirm that there are no shared or generic accounts, that each user's level of access matches their role, and that leavers and role changes have actually been processed.
If you have not already, raise the minimum password length to at least 12 characters (10 where a system cannot do 12) everywhere you can. The current advice from the Federal Trade Commission, Microsoft, and NIST SP 800-63B is that passwords should be long rather than frequently changed, and should be checked against lists of known-breached passwords. Forcing people to change their password too often leads to the sticky note under the keyboard. If you can enable MFA, do so, and start with privileged and remote-access accounts. Encourage passphrases rather than passwords. Include any new advice in your security training.
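One way to make the access review above concrete, as an added example that is not Strike Graph's own tooling: a script that reads a constructed export of systems and their accounts and flags shared or generic accounts, entitlements beyond what the assigned role justifies, privileged access not on an approved list, missing MFA, and per-system password policies that are too short or force periodic rotation. The role names, entitlement strings, system names and account records are all invented for illustration.

```python
"""User access review over a constructed account export.

Added example, not Strike Graph's own tooling. Every system, account,
role mapping and policy value below is invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role model: the most a user in each role should hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance": {"erp:read", "erp:write", "payroll:read"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "vp_engineering": {"repo:read", "repo:write", "ci:run", "prod:deploy"},
}
# Entitlements treated as privileged: must be approved, named, and behind MFA.
PRIVILEGED = {"prod:deploy", "erp:write", "iam:admin"}
# Username prefixes that usually mean a shared or generic account.
GENERIC_PREFIXES = ("admin", "shared", "service", "team")
MIN_PASSWORD_LENGTH = 12  # the policy floor this review enforces


@dataclass
class Account:
    username: str
    owners: Tuple[str, ...]   # named people who know the credential
    role: str
    entitlements: Set[str]
    mfa_enabled: bool


@dataclass
class System:
    name: str
    min_password_length: int
    max_password_age_days: Optional[int]  # None means no forced rotation
    accounts: List[Account]


Finding = Tuple[str, str]  # (code, detail)


def review_account(acct: Account, approved_privileged: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    # 1. Shared or generic accounts: more than one owner, or a generic name.
    if len(acct.owners) != 1 or acct.username.lower().startswith(GENERIC_PREFIXES):
        findings.append(("shared_account", f"{acct.username} owners={list(acct.owners)}"))
    # 2. Least privilege: entitlements the assigned role does not justify.
    excess = sorted(acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set()))
    if excess:
        findings.append(("excess_privilege", f"{acct.username}: {excess}"))
    # 3. Privileged access only where approved, and no account without MFA.
    if acct.entitlements & PRIVILEGED and acct.username not in approved_privileged:
        findings.append(("unapproved_privileged", acct.username))
    if not acct.mfa_enabled:
        findings.append(("no_mfa", acct.username))
    return findings


def review_system(system: System, approved_privileged: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    # Long passwords rather than frequent rotation (FTC, Microsoft, NIST SP 800-63B).
    if system.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(("short_password_policy", f"{system.name}: min {system.min_password_length}"))
    if system.max_password_age_days is not None:
        findings.append(("forced_rotation", f"{system.name}: every {system.max_password_age_days} days"))
    for acct in system.accounts:
        findings.extend(review_account(acct, approved_privileged))
    return findings


def run_review(systems: List[System], approved_privileged: Set[str]) -> Dict[str, List[Finding]]:
    """Map each system name to its list of findings; an empty list means clean."""
    return {s.name: review_system(s, approved_privileged) for s in systems}


# Constructed sample export (not real data).
SAMPLE_SYSTEMS = [
    System("erp", 8, 90, [
        Account("alice", ("Alice Ng",), "finance", {"erp:read", "erp:write"}, True),
        Account("shared-finance", ("Alice Ng", "Bob Ruiz"), "finance", {"erp:read"}, False),
    ]),
    System("github", 14, None, [
        Account("carol", ("Carol Diaz",), "vp_engineering",
                {"repo:read", "repo:write", "ci:run", "prod:deploy"}, True),
        Account("dave", ("Dave Kim",), "engineer", {"repo:read", "repo:write", "prod:deploy"}, True),
    ]),
]
APPROVED_PRIVILEGED = {"alice", "carol"}

if __name__ == "__main__":
    for system, findings in run_review(SAMPLE_SYSTEMS, APPROVED_PRIVILEGED).items():
        print(system, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

In a real review the export would come from each system's admin console or API and the role map from HR; the point of the script is that every finding is tied to a rule the policy already states, which is exactly the evidence an auditor wants to see alongside the sign-off.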
Antivirus/Anti-malware Tool. Whether or not you can centrally manage it, you should run an antivirus/anti-malware solution on every device that can access your network, and confirm that it actually updates and reports. Because an infection on an end-user device can lead to an infiltration of your network, consider requiring its installation on employee-owned devices in your BYOD Policy.
Segment Your Network. Grant access only to the parts of your network that are necessary, based on risk profile and need-to-know. Your finance team does not need to reach the same systems as your VP of Engineering. Know where the sensitive data and processes live and protect those segments more stringently than the rest. When a remote user connects (over VPN or otherwise), they should be able to see and reach only what they need to do their job, and nothing else should even be routable to them. The goal is to limit the damage a bad actor could do if they got in with one stolen credential or one compromised laptop.
Secure Your Communications. Depending on your risk profile, consider implementing a VPN, or even an end-to-end encrypted messaging app. Note that some commonly used platforms, such as Microsoft 365 (O365), already encrypt data in transit and at rest and may be sufficient for your risk profile; a VPN protects traffic to your network but does nothing for data that never touches it. Before spending more money, determine whether the tools you already use address the risks you identified.