Situation
A company took on a new business line that included having access to some of the customer's medical data. The customer required SOC certification of the company handling their sensitive data. The company was not prepared, in terms of procedures or technology, to pass the audit and certification.
SOC 2 certification ensures a company is following industry standards for security protection and management. It covers all aspects, from policy and procedures, to software and hardware compliance, to employee training. Once a company has these controls in place for at least 6 months, an audit can be scheduled. The preparation can be time consuming and expensive. The audit alone can cost $40K and must be done every year. Depending upon the state of the infrastructure and business complexity, upgrade costs can be in the $50K – $250K range.
Code Vapor was contracted to oversee upgrading the hardware and software, managing the technology vendors, and writing policy and procedures. Once this was completed, the staff needed to be trained and an internal audit done before the SOC audit could be scheduled. Code Vapor represented the company during the audit.
Issues
- Customer had minimal security protocols in place.
- No policy and procedures were written to document the processes.
- There was limited redundancy in file and data servers.
- Some software systems were not meeting SOC compliance.
- Some PCs were running non-supported operating systems.
- There was no security training for the employees.
- Building security did not meet requirements.
Resolution
Over a period of one year Code Vapor helped the customer prepare for the audit. Below is a high level summary of the major changes that were made.
- Over fifty new security policies were written to meet the unique needs of the customer.
- A hardware audit was conducted and budget established. Code Vapor did some of the hardware upgrades and contracted and managed several IT vendors to complete the upgrades.
- Multiple aging file servers were replaced and consolidated into a centrally managed server with redundancy to the cloud.
- The firewall was upgraded.
- A large central UPS system was installed to replace the individual units.
- PC OS was upgraded to the latest version of Windows.
- Cameras, alarm systems and door access control were added to the building.
- A security handbook was created and an annual security training plan implemented.
- An employee phishing test program was implemented.
- A pre-audit was conducted and the results compared against the policy and procedures.
After a year of preparation and six months of compliance testing, a SOC audit firm was called in and the customer passed the audit.