Compliance 101

How SOC 2 Compliance Works: Risk Assessment

Risk Assessment SOC 2

Welcome back to our series on Laika’s SOC 2 process! It’s time to talk about the risk assessment.

ICYMI, we’re giving our audience a sneak peek into the nitty-gritty details of obtaining a SOC 2 report. We earned ours in 2020, we guide our clients through SOC 2 each day, and we’re working to demystify the compliance process.

Catch up on the first two posts here: How SOC 2 Works: Gap Analysis and Implementation

For Laika and our clients, the process is broken down into major steps: gap analysis, control implementation, risk assessment, and audit readiness, and the audit itself. This post will cover the risk assessment process.

Recap: Control Implementation

Prior to conducting a risk assessment, you’ll need to tackle the first few steps of the SOC 2 compliance process. These include conducting a gap analysis, settling up technical and operational controls, and collecting evidence for auditors.

Our post on implementation outlines some of the common ways to implement SOC 2 controls. And we have a whitepaper highlighting the tools we recommend from a compliance and UX standpoint.

Learn more about implementing SOC 2 controls here. 

What is a SOC 2 risk assessment?

A risk assessment identifies, documents, and rates information security and privacy risk. For each of the findings, a remediation plan must be documented with timelines established consistent with the risk ratings.

Our SOC 2 risk assessment evaluates risks based on the likelihood of occurrence and the potential impact to the organization. SOC 2 requires a comprehensive risk assessment for auditors, and a future-focused strategy is vital to a scalable compliance program.

The procedure documents a consistent approach and methodology to conducting the risk assessment. Laika’s compliance architects execute a risk assessment when about 70% of the control implementation is complete.

How to execute a risk assessment for SOC 2

While the exact process is flexible, our team recommends setting the purpose, goals, and outputs prior to assessment. You’ll need to set a ranking system to identify and manage risks.

Define impacts

First, look at the sectors of the business which could be impacted by risks. Each of these sectors affects different entities and results in various levels of impact. While that’s vague, it is up to your compliance expert to intentionally customize impacts for each service organization.

Think about potential risk in the categories below:

  • Legal: how much will legal fees cost your organization in the effect of data loss?
  • Regulatory: what are the regulatory implications of the organization if the business becomes inoperable, e.g. your application is inaccessible?
  • Business: how will the loss of key personnel or office space affect your competitive advantage in the market? Do you have a business continuity plan?
  • Reputation & Brand: how does selling an unsecured product affect your reputation in the market?
  • Financial: how will exposing the company to risk cause a loss of funding or revenue? Will you be able to keep up with growth plans?

Define risk levels

Risk levels can be defined based on company maturity. This is the simplest part of the risk assessment rating system. Early-stage and smaller businesses, we recommend keeping it simple with High, Medium, and Low risk levels.

Understand the likelihood and impact of risks

Finally, your team should create a matrix to analyze each risk vector and standardize how your business should prioritize remediation.  The matrix should examine the likelihood of the risk occurring and the impact it would have on the organization’s information security.

What does the risk assessment cover?

During a risk assessment, our compliance architects examine the 12-24 month plan ahead. Based on the current deficiencies in SOC 2 implementation, the team creates a document that tracks potential incurred risk over the next audit period.

This document examines risk related to 5 epics:

  • Governance: oversight of security or compliance program, covering maintenance of policies and procedures, control and risk ownership, employee conduct, security training, asset and risk management, and due diligence
  • Operations: day-to-day business functions, including business continuity, performance management, and incident response
  • Security: physical and cybersecurity, including firewalls, logging and monitoring, penetration testing, badge systems, and employee access codes.
  • Data Governance: examines all data-related protections, from policies and procedures to access control, and more.
  • Change Management: oversight into the system, app, and technology changes, along with documented change management processes

When it comes to specific risks included in the assessment, we take a wide-angle view. For instance, if a startup is currently 10 employees but wants to scale up to 50 employees in 2 locations, the team documents a remediation plan with established timelines.

As with the rest of our SOC 2 process, our Head of Risk and Security spearheaded the risk assessment. Dana is a founding member of Laika and he is intimately aware of our growth goals and opportunities in the space and helped set expectations.

When it comes to our clients, we want them to own the risk assessment and err on the side of caution. Like most of the SOC 2 process, the risk rating is subjective and should be customized for each business.

Risk Assessment Themes

When it’s time to discuss a risk assessment with your compliance team, come prepared with any concerns after implementing your SOC 2 controls.

  • Do any gaps come to mind?
  • Are you certain you are secure for now, but worried about staying compliant as your business grows?
  • What are your hopes and dreams for the business?
  • What keeps you up at night?

Risks take a wider view than controls. Businesses could have risks mitigated by multiple controls. For example, SOC 2 asks businesses to prevent unauthorized access to sensitive data. This risk can be mitigated through a defined onboarding procedure, termination process, multi-factor authentication, strong passwords, identifying roles and responsibilities, and more.

Discuss future plans

As the first strategic step in a risk assessment, your compliance architect will request information on your growth plan and strategic pivots you have in mind over the next 2-5 years. Based on that information, they can create a threat model.

Our threat model examined any regulatory concerns and how to prepare for a new landscape. This included new endpoints, geographic challenges in expanding to a new location, data loss prevention, and the management of expanded resources.

Re-discuss the scope of the program

Based on growth plans, a compliance architect brings the conversation back to the scope of the SOC 2 program. As you consider areas of your business that may be currently under-secured, you may decide to strengthen your information security fence if it will be integral to future plans.

Dana stresses the importance of “zooming out” when it comes to planning. Don’t just think about the ways to improve an existing product, but consider acquisitions and markets you want to become competitive in.

Address security concerns and other risk vectors

At this point, we had a pretty good handle on our current security posture and how future developments would affect our SOC 2 compliance. Now it’s time to really go outside the box.

This means examining security concerns outside of program controls. For example, if you pursued Security and Privacy as your Trust Services Criteria, are there weaknesses outside of those controls?

Based on our findings, our compliance architects opened the door to additional control implementation or an additional program, like CCPA or HIPAA.

Any additional items should be flagged and recorded for follow-up. For example, while a vendor review process may not hold security risk, there may be inadequate protections around financial risk, such as approvals for funding not being included as part of the process.

Risk management and measurement approaches

While it’s easier to speak in absolute terms and create a quantitative approach to risk management, most aspects of SOC 2 compliance are qualitative. A risk assessment is no different.

Our compliance team took a stage-appropriate view when considering the impact of potential risks and compared that to the likelihood of risky events taking place. They also consider factors like the number of employees, the type of data within an environment, geographic challenges, or complications, among other factors.

Based on real-time operating conditions of our business, Dana was able to present auditors with a transparent view of our compliance program. The assessment pointed to our best practices that need to adjust to different environments as we grow.

How does Laika create a risk mitigation plan?

A risk assessment needs to be periodically reviewed and re-assessed, and Laika recommends doing this at least annually. However, it depends on your mitigation plan. You may need to re-assess more regularly.

Our team organized risk into timeframes: immediate, midterm, and long-term. We assigned dates to each category and considered the addition of new tools, product offerings, vendors, software updates, and more.

Risk assessments should grow with your business. While you may implement SOC 2 controls in the seed stage, your compliance team should give you room to grow through a remediation plan. This includes maturing controls, executing regular monitoring activities, and holding quarterly meetings to discuss current risk.

What’s next?

After the risk assessment and mitigation plan is complete, our team of compliance architects conducts an audit readiness assessment. This determines if all the controls have been implemented correctly and are functioning seamlessly, as well as identifies questions that auditors may ask and gather information to streamline the audit process.

Finally, the SOC 2 audit prep process is complete! Next up, the SOC 2 audit. We’ll explain the management of the audit in our next post, so stay tuned.