Remote Access Policy Best Practices | A Practical Guide to SOC 2 Compliance

Our world has changed. Gone are the days of an 8 to 5 work day at a physical office, and leaving all your responsibilities behind at the end of the day. We now live in a 24×7 global economy and are perpetually connected to our corporate networks with cell phones, laptops, and tablets. The convenience of “work from anywhere” introduces some exciting challenges for your information security and information technology teams, and that’s where the remote access policy comes in. The purpose of this policy is to make your employees productive from anywhere without sacrificing security. Here are steps your team can take to work remotely while still maintaining security:

Define who can work remotely

Before you start mandating security controls for remote access privileges to your internal network, you need to take a step back and determine which roles should even have permission to work remotely, and when. For

Workstation Security Policy Best Practices | A Practical Guide to SOC 2 Compliance

Some might say that workstations are a necessary evil. Users with varying degrees of technical and security aptitude are using them 24/7, communicating with the world and taking care of business. With workstations being an indispensable part of business comes a substantial security burden, especially for your information technology staff. In the workstation security policy, you will define rules intended to reduce the risk of data loss/exposure through workstations. Often, information security best practices are used synonymously with “Oh, that’s just common sense.” But remember that in security - and perhaps life in general - there’s no such thing as common sense. Spell out these best practices clearly with as much detail as possible.

Define “workstation”

At a high level, a workstation is a device - be it personal or company-owned - that contains company data. This includes desktops and laptops, as well as mobile devices.

Require centralized management

As a general rule, to secure your

Encryption Policy Best Practices | A Practical Guide to SOC 2 Compliance

You wouldn’t leave the house without making sure your doors and windows were locked, and that any valuables were hidden or secured in a safe. That way, if you were robbed, the burglar would have a difficult time accessing your most precious assets. In the same way, you need to make sure your organization’s critical data is well protected. While layers of defense such as firewalls and IDS/IPS are essential, they are not 100% fail-proof - a determined attacker will find a way into your network and access your most sensitive information. At that point, you will want to have encryption in place to protect the data so that it appears random and meaningless to anyone who finds it. Before you can deploy encryption, you need to first develop a policy to provide guidance around the proper use of encryption in your organization. Here are some things to include

Access Onboarding and Termination Policy | A Practical Guide to SOC 2 Compliance

It’s easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous – and are often overlooked. A mature onboarding and termination policy is essential to preventing a data breach. Employees and other internal users were the cause of 60% of data breaches – both intentional and accidental – in 2016. In the world of SOC 2, these types of threats are addressed in the Access Onboarding and Termination policy. The policy’s purpose is to minimize the risk of data exposure by enforcing the principle of least privilege. The scope of the policy is only technical infrastructure. Areas like payroll and benefits are not included in this policy. Are customers concerned about your support staff accessing their data? strongDM provides you with an audit trail of who did what when and where. Schedule a demo to

Business Continuity Policy Best Practices | A Practical Guide to SOC 2 Compliance

A business continuity policy is a critical part of your SOC 2 preparation. An estimated 25% of businesses never fully recover from a major disaster. For small businesses, in particular, it can be difficult to return to normalcy after a significant disruption. Most companies have insurance and emergency funds, but those won’t protect you from failure to provide business functions at an acceptable level to your customers. A business continuity policy is critical to your information security program and defines the critical steps your employees need to take to keep business processes running after a disruptive event. The plan addresses the critical infrastructure, backup plans, emergency contacts and detailed recovery procedures you need to address potential threats. Here are some best practices you should consider when writing your business continuity plan:

1. Don’t just rely on SaaS

Yes, it is possible to migrate all your infrastructure and other critical assets to

How SOC 2 Saves Time On Security RFI | A Practical Guide To Answer Any RFI

You’ve gone through the rigorous process of completing your SOC 2 certification. Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!” It’s time to kick back in your chair, throw your feet up on the desk and relax, right?

But what if a customer sent over an RFI (Request For Information) this afternoon? Would you and your team panic, or be able to respond calmly, wholly and confidently?

First of all, try not to panic. While it’s perfectly natural to feel your first RFI is an attempt to air your dirty laundry, it doesn’t do you any good to get your mind spinning full speed on unproductive thoughts and assumptions. One of the reasons you achieved SOC 2 in the first place was so your organization could

Data Center Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premise or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both? The data center security policy outlines procedures and information security measures to prevent unauthorized physical access to your company’s data center(s) and the equipment within. Here are four things to consider when writing this policy:

Where are you going to host your data center?

There are three types of data centers:
On-premise
Cloud-hosted
Co-located

A self-hosted model increases your costs and security requirements, while a cloud-hosted model shifts some of those responsibilities – but makes you dependent on someone else’s infrastructure. It is up to you to understand the consequences of each decision before deciding what is best for your

What’s Included in a SOC 2 Report: A Breakdown

A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operational effectiveness of those controls. A SOC 2 report should not be confused with a SOC 1 report, which focuses on a company’s financial reporting, nor should it be confused with a SOC 3 report, which has similar output to a SOC 2 report but in more natural language. This blog post will focus on the SOC 2 report and an overview of its seven main components. The SOC 2 report itself is based on five Trust Service Principles as defined by the AICPA (American Institute of CPAs):

Security - provides customer assurance that their data is secured against unauthorized access
Availability - assures that the systems needed to store and process data will be available for use
Processing integrity - requires the processing of data
