SOC 2 Showstoppers: Critical Considerations!

by Alan DeVaughan

In a previous blog we discussed how to unravel cybersecurity acronyms and determine what option(s) might be the best for your organization. We highlighted three major questions to ask about your organization to help point you in the right direction. Those were related to conducting risk assessments, information security program maturity, and contractual obligations. For now, let’s assume there is a contractual obligation or business desire to obtain a SOC 2 examination report.

Like other audits or certifications, there are several processes which need to be in place at your organization before you attempt to undergo a SOC 2 examination.  If these processes are not in place, your organization runs the risk of being unable to complete the examination process or receiving a qualified opinion which calls out control failures affecting one or more trust services criteria.

We have come across these potential “showstopper” situations over the years and want to share them with you – wherever you are on your SOC 2 journey.  Let’s review each of these processes.

Risk Assessment

A security risk assessment helps you identify potential risks and threats to your organization, assess their impact and likelihood, and evaluate possible mitigating controls/processes. It's essential regardless of the industry you operate in - healthcare, finance, non-profit, manufacturing, or service.

Once the risk assessment is complete, you should determine whether the residual risks (i.e., the risks that remain after accounting for mitigating controls) are acceptable to organizational leadership and consistent with the organization’s objectives. There should be a remediation plan to reduce the risks to an acceptable level. The remediation plan is the key area, because your organization should be able to show continual evaluation of risks as the threat landscape changes.

Information Security Policies and Procedures

Information security policies and procedures are crucial for protecting an organization's sensitive data and ensuring the confidentiality, integrity, and availability of information. These documents provide a structured framework for managing risks related to cyber threats, data breaches, and unauthorized access.  This framework helps to safeguard critical assets from potential harm. By establishing clear requirements and best practices for handling data, organizations can reduce vulnerabilities, ensure compliance with industry regulations, and promote an internal culture of security awareness.

Key areas which should be part of your information security policy and procedure set include change management, incident response, and control performance monitoring.  Best practice includes reviewing and updating these documents annually.

Vendor Management

A vendor management program is essential for organizations to mitigate risks, ensure compliance, and maintain operational resilience when working with third-party vendors. The program provides a structured approach to evaluating, monitoring, and managing vendor relationships to protect sensitive data, uphold contractual obligations, and ensure service continuity. By implementing a strong vendor management program, organizations can identify potential security vulnerabilities, enforce regulatory requirements, and establish clear accountability for vendor performance.

Penetration Testing

Penetration testing is a key security practice which helps organizations proactively identify and address vulnerabilities before they can be exploited by malicious actors. By simulating real-world cyberattacks, penetration testing uncovers weaknesses in networks, applications, cloud environments, and connected devices, allowing organizations to remediate security gaps and strengthen their overall defense posture. Regular testing is essential for meeting compliance requirements and ensuring that security controls are functioning as intended. Additionally, penetration testing provides valuable insights into an organization's ability to detect, respond to, and mitigate cyber threats.

Final Thoughts

Don’t let the lack of these processes dissuade you from pursuing a SOC 2 examination. At Meditology, we have years of experience helping organizations like yours establish strong information security practices and improve their cybersecurity. Our tailored SOC 2 approach provides readiness assessments and remediation guidance to prepare you for the formal SOC 2 examination. We can customize your SOC 2 control set to match your organization’s goals without exceeding your capabilities.

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them.

For more information on third-party attestations which demonstrate that your organization has implemented effective controls to safeguard the security and privacy of sensitive data, see our sister company, CORL.  


About the Author

Alan DeVaughan | Senior Manager, IT Risk Management

Alan DeVaughan is an experienced compliance and information security senior manager who has specialized in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading Meditology’s SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying size and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security and technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries.
