|
SOC 2 Readiness Assessment
| # | Policy Questions | Yes | No | Partially In-Place | Flag for Discussion |
| 1 | We have up-to-date security policies and procedures that align to industry standard best practices. | ☐ | ☐ | ☐ | ☐ |
| 2 | We have up-to-date business continuity and disaster recovery plan. | ☐ | ☐ | ☐ | ☐ |
| 3 | We have up-to-date change management and SDLC policy and procedures. | ☐ | ☐ | ☐ | ☐ |
| 4 | We have up-to-date data classification policy and procedures. | ☐ | ☐ | ☐ | ☐ |
| 5 | We have up-to-date access control policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 6 | We have up-to-date incident management and response policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 7 | We have up-to-date vendor management policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 8 | We have up-to-date privacy and appropriate use policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 9 | Our policies and procedures have been communicated to employees. | ☐ | ☐ | ☐ | ☐ |
| 10 | Our policies and procedures have been implemented. | ☐ | ☐ | ☐ | ☐ |
| 11 | We have recently undergone and audit (either internal or external). | ☐ | ☐ | ☐ | ☐ |
| 12 | Does your organization have a CISO, security governing body, or equivalent? | ☐ | ☐ | ☐ | ☐ |
|
|
|||||
| # | Program Review Questions | Yes | No | Partially In-Place | Flag for Discussion |
| 13 | We do quarterly (or more) network vulnerability scans? | ☐ | ☐ | ☐ | ☐ |
| 14 | We have do quarterly (or more) application vulnerability scans? | ☐ | ☐ | ☐ | ☐ |
| 15 | We have annual (or more) penetration tests? | ☐ | ☐ | ☐ | ☐ |
| 16 | We perform an annual and documented risk assessment? | ☐ | ☐ | ☐ | ☐ |
| 17 | Issues identified during vulnerability scans, audits, and risk assessments are prioritized and resolved in a timely manner? | ☐ | ☐ | ☐ | ☐ |
| # | Technical Questions | Yes | No | Partially In-Place | Flag for Discussion |
| 18 | We maintain a complete and accurate list of IT Assets (infrastructure and hardware). | ☐ | ☐ | ☐ | ☐ |
| 19 | We maintain a complete and accurate list of IT Assets (software). | ☐ | ☐ | ☐ | ☐ |
| 20 | We update all IT infrastructure with manufacturer recommended updates on regularly scheduled interviews (patch management). | ☐ | ☐ | ☐ | ☐ |
| 21 | All changes made to IT infrastructure follow a formalized and documented change management process. | ☐ | ☐ | ☐ | ☐ |
| 22 | All changes made to software follow a formalized and documented change management process. | ☐ | ☐ | ☐ | ☐ |
| 23 | We enforce password complexity on all systems. | ☐ | ☐ | ☐ | ☐ |
| 24 | Administrative access to all system is limited to only appropriate individuals. | ☐ | ☐ | ☐ | ☐ |
| 25 | We regularly review system access (including administrative access) to validate only appropriate individuals have access to systems. | ☐ | ☐ | ☐ | ☐ |
| 26 | We utilize 2FA/MFA for all administrative level accounts. | ☐ | ☐ | ☐ | ☐ |
| 27 | We monitor, log, and review all network traffic. | ☐ | ☐ | ☐ | ☐ |
| 28 | We utilize Firewalls, IPS, and IDS devices. | ☐ | ☐ | ☐ | ☐ |
| 29 | We utilize email and spam filtering tools. | ☐ | ☐ | ☐ | ☐ |
| 30 | We utilize web spam and filtering tools. | ☐ | ☐ | ☐ | ☐ |
| 31 | We utilize antivirus/malware tools. | ☐ | ☐ | ☐ | ☐ |
| 32 | We utilize mobile device management tools. | ☐ | ☐ | ☐ | ☐ |
| 33 | We back-up all critical systems on a regular basis. | ☐ | ☐ | ☐ | ☐ |
| 34 | We regularly test backups to verify they have completed fully and can be restored. | ☐ | ☐ | ☐ | ☐ |
| 35 | We have a documented disaster recovery and/or business continuity plan. | ☐ | ☐ | ☐ | ☐ |
| 36 | Remote logon requires VPN to access out network. | ☐ | ☐ | ☐ | ☐ |
| 37 | We encrypt all end-point devices. | ☐ | ☐ | ☐ | ☐ |
| 38 | We disable local administrative rights on laptop and desktop computers. | ☐ | ☐ | ☐ | ☐ |
| 39 | We change the default settings on all wireless access points, routers and switches. | ☐ | ☐ | ☐ | ☐ |
| 40 | Sensitive/Business critical systems and data are systematically segregated on the network. | ☐ | ☐ | ☐ | ☐ |
| 41 | We utilize a central point of access for all systems (i.e., LDAP, Active Directory) | ☐ | ☐ | ☐ | ☐ |
| 42 | We perform formalized and documented security training at least annually for all employees. | ☐ | ☐ | ☐ | ☐ |
| 43 | We perform a formalized and documented risk assessment at least annually. | ☐ | ☐ | ☐ | ☐ |
| 44 | A process is in place to remediation issues identified during the risk assessment. | ☐ | ☐ | ☐ | ☐ |
| 45 | We assess our vendors for security considerations prior to doing business and on a defined frequency thereafter. | ☐ | ☐ | ☐ | ☐ |
| # | HR Related Questions | Yes | No | Partially In-Place | Flag for Discussion |
| 46 | We do pre-employment background screening? | ☐ | ☐ | ☐ | ☐ |
| 47 | We have a documented employee onboarding process? | ☐ | ☐ | ☐ | ☐ |
| 48 | We do annual performance reviews? | ☐ | ☐ | ☐ | ☐ |
| 49 | We have a documented employee offboarding process? | ☐ | ☐ | ☐ | ☐ |
| 50 | We have an up to date employee handbook that all employees review. | ☐ | ☐ | ☐ | ☐ |
| # | Other SOC 2 Considerations | Yes | No | Partially In-Place | Flag for Discussion |
| 51 | Have you written a SOC 2 system description? | ☐ | ☐ | ☐ | ☐ |
| 52 | SOC 2 allows you to customize your controls. Have you developed a custom set of controls? | ☐ | ☐ | ☐ | ☐ |
| 53 | Have you engaged a SOC 2 audit firm? (Hey! Risk3sixty can do your SOC 2 report!) | ☐ | ☐ | ☐ | ☐ |
