SOC 2 Readiness Checklist

SOC 2 Readiness Assessment

 

# Policy Questions
Response columns: Yes | No | Partially In-Place | Flag for Discussion

1 We have up-to-date security policies and procedures that align to industry-standard best practices.
2 We have an up-to-date business continuity and disaster recovery plan.
3 We have up-to-date change management and SDLC policies and procedures.
4 We have up-to-date data classification policies and procedures.
5 We have up-to-date access control policies and procedures.
6 We have up-to-date incident management and response policies and procedures.
7 We have up-to-date vendor management policies and procedures.
8 We have up-to-date privacy and acceptable use policies and procedures.
9 Our policies and procedures have been communicated to employees.
10 Our policies and procedures have been implemented.
11 We have recently undergone an audit (either internal or external).
12 We have a CISO, security governing body, or equivalent.

# Program Review Questions
Response columns: Yes | No | Partially In-Place | Flag for Discussion

13 We perform quarterly (or more frequent) network vulnerability scans.
14 We perform quarterly (or more frequent) application vulnerability scans.
15 We perform annual (or more frequent) penetration tests.
16 We perform an annual, documented risk assessment.
17 Issues identified during vulnerability scans, audits, and risk assessments are prioritized and resolved in a timely manner.

# Technical Questions
Response columns: Yes | No | Partially In-Place | Flag for Discussion

18 We maintain a complete and accurate inventory of IT assets (infrastructure and hardware).
19 We maintain a complete and accurate inventory of IT assets (software).
20 We apply manufacturer-recommended updates to all IT infrastructure on a regular schedule (patch management).
21 All changes made to IT infrastructure follow a formalized and documented change management process.
22 All changes made to software follow a formalized and documented change management process.
23 We enforce password complexity on all systems.
24 Administrative access to all systems is limited to appropriate individuals only.
25 We regularly review system access (including administrative access) to validate that only appropriate individuals have access to systems.
26 We require 2FA/MFA for all administrative-level accounts.
27 We monitor, log, and review all network traffic.
28 We use firewall, IPS, and IDS devices.
29 We use email and spam filtering tools.
30 We use web content filtering tools.
31 We use antivirus/anti-malware tools.
32 We use mobile device management tools.
33 We back up all critical systems on a regular basis.
34 We regularly test backups to verify that they completed fully and can be restored.
35 We have a documented disaster recovery and/or business continuity plan.
36 Remote access to our network requires a VPN.
37 We encrypt all endpoint devices.
38 We disable local administrative rights on laptop and desktop computers.
39 We change the default settings on all wireless access points, routers, and switches.
40 Sensitive and business-critical systems and data are systematically segregated on the network.
41 We use a central directory for access to all systems (e.g., LDAP, Active Directory).
42 We perform formalized and documented security training at least annually for all employees.
43 We perform a formalized and documented risk assessment at least annually.
44 A process is in place to remediate issues identified during the risk assessment.
45 We assess our vendors for security considerations prior to doing business and on a defined frequency thereafter.

# HR Related Questions
Response columns: Yes | No | Partially In-Place | Flag for Discussion

46 We perform pre-employment background screening.
47 We have a documented employee onboarding process.
48 We conduct annual performance reviews.
49 We have a documented employee offboarding process.
50 We have an up-to-date employee handbook that all employees review.

# Other SOC 2 Considerations
Response columns: Yes | No | Partially In-Place | Flag for Discussion

51 Have you written a SOC 2 system description?
52 SOC 2 allows you to customize your controls. Have you developed a custom set of controls?
53 Have you engaged a SOC 2 audit firm? (Risk3sixty can perform your SOC 2 report.)