The impacts of COVID-19 may have caused your company to change up processes and work outside of what is normal operations. Below are some best practices to consider in getting back to “normal” for the current and future SOC reporting periods.
- Policies should be reviewed on a set frequency
- Management meetings/oversight should be documented and performed on a set frequency
- Logical access should be granted and terminated based on what was authorized and should be performed timely
- Administrative access to systems should be limited and restricted to appropriate personnel
- Password configurations should be reviewed and configured in accordance with policy
- User access reviews should be conducted at least quarterly and changes needed implemented timely
- Anti-virus should be installed and configured on servers and laptops/workstations
- Patching of systems should be performed routinely and timely throughout the examination period
- Proper change management procedures should be enforced, including segregation of duties related to deployment to the production environment
- Infrastructure changes should be tracked and documented, with appropriate approvals as necessary
- Backups should be based on a set frequency – usually daily, and logs must be maintained for the period
- Risk assessment should be performed at least annually, and the impacts of COVID-19 may have significant impacts to the current year assessment
- Review your prior SOC report and make sure that controls for your business/transaction processing continue to operate throughout the period or you have implemented mitigating controls for the COVID period that will still achieve the SOC criteria and objectives.
We are always here to help
If you have questions about your changes and how they impact your current or upcoming SOC engagements, please don’t hesitate to reach out to your SOC auditors for guidance and feedback.
If you are not currently an Auditwerx client, please contact us as we’d love the opportunity to work with you on your next SOC engagement.