A lot of IT Security Officers responsible for driving the SOC 2 certification in their companies are probably wondering how the switch to mostly remote workspaces will affect their SOC 2 landscape.
I would say that there are two types of companies affected (or not affected) by the coronavirus:
- Companies that did not initially rely on the security of individual workstations, and heavily used the office network infrastructure to provide the necessary vichto and protection for sensitive company IT resources (hosted either on-prem or in the cloud).
- Companies that handled the IT security perimeter at the level of individual workstations (mostly laptops), and from the beginning controlled access using remote VPN connections, individual user accounts, local workstation firewalls, antivirus and anti-malware software, etc.
Wallarm is the second type of company – our office networks are not trusted, and our spaces are like large Starbucks cafés with nice chairs, assigned tables, and better coffee machines. Yes, this is more or less how we described our office network security policy to our SOC 2 auditors :).
In our case, the switch to completely remote work has not changed a thing – we keep using the same technology, security protocols, and access control as before.
Companies from the first category are forced to adapt quickly to the new realities: build or modify their existing infrastructure and security policies, install the required workstation protection and remote access software, and deliver any required training about the new security realities to the workforce on the fly. As part of the SOC 2 protocols, many of these activities will require the companies to perform additional network security scans, reviews of user accounts within the involved systems, and even application penetration testing. Each of these challenges is easily resolved on its own (companies do them anyway as part of the SOC 2 certification routine), but the combination of major security changes in a company plus a need to accelerate some SOC 2 action items will definitely create challenges for some companies.
There is probably not a lot I can recommend right now to the companies from the first category – life is forcing them to adapt, and adapt quickly. But there is a good lesson for the future – move the security perimeter closer to your employees and don’t rely on a centralized infrastructure.