A SOC 2 gap assessment, often also referred to as a readiness assessment, gives an organization an understanding of where compliance gaps may exist in its existing internal control processes when those processes are evaluated against the Trust Services Criteria (TSC): security, availability, confidentiality, privacy, and processing integrity.

While a gap assessment is not a required step toward a successful SOC 2 examination, it is very useful in becoming SOC 2 audit ready and often saves both time and cost in the long run. Although specific gaps and best-practice security measures vary from business to business, several common compliance gaps are regularly identified as a result of gap assessments.

These gaps include: 

  1. Personnel Offboarding and Terminations  
  2. Change Management Segregation of Duties 
  3. User Access Reviews 
  4. Third-party and Vendor Management 
  5. Policies and Procedures 

Once a SOC 2 gap assessment has identified findings, organizations should create a remediation plan and then follow it to implement remediation strategies. This helps ensure their information security program has the right security measures in place, so they are ready for a successful SOC 2 examination. We discuss these five common findings below, along with what common remediation plans and strategies might look like.

Personnel Offboarding and Terminations

An effective termination process is crucial for protecting company data. Organizations often struggle to operate an effective termination and offboarding process consistently for various reasons, but one of the most common compliance gaps associated with this is the lack of timely termination notification to the personnel responsible for revoking access. This is seen especially often with contractor or temporary employee terminations. There are several key components that must be considered when designing an effective termination process.

Companies should design, implement, and communicate policies and procedures for their personnel offboarding. These should include consideration of applicable users (employees, contractors, vendor employees, etc.), in-scope systems, the termination notification process, and what constitutes a timely termination.

Personnel offboarding should be tracked and documented from the moment the individual is deemed to be no longer working for the company up until the moment all associated user access is confirmed to have been disabled and removed. Ticketing systems are often used and can be a very helpful tool. However, adequate tracking practices still need to be implemented. Relevant details such as when access is disabled and for what systems should be tracked to the exact date and time.

Breakdowns in communication are one of the most common reasons for a company to not meet its defined termination timeliness requirements. Often there is a separation of duties between the individuals being notified of personnel termination and those responsible for revoking access. Training on the importance of this responsibility is essential. Using the right communication tools can help reduce delays in access revocations.

By clearly defining and sharing security and compliance requirements for personnel terminations in policies, organizations can reduce the risk of improper procedures. Additionally, the defined requirements should be meticulously tracked and documented with a formalized offboarding tracking process. Personnel should be trained in the termination policies and procedures, and communication mechanisms should be standardized as part of defining the requirements. This helps ensure all termination requirements are followed and includes timely and appropriate communications.
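The tracking requirement above (termination notice time and per-system disable time recorded to the exact date and time) is what makes timeliness checkable. The following is an added example, not code from the original article: it evaluates constructed offboarding tickets against a hypothetical revocation SLA by user type and reports, per in-scope system, revocations that were late or never recorded.

```python
from datetime import datetime

# Hypothetical policy: maximum hours between termination notice and access
# removal, by user type (the article leaves "timely" for each organization to define).
REVOCATION_SLA_HOURS = {"employee": 24, "contractor": 8, "temporary": 8}
IN_SCOPE_SYSTEMS = ("idp", "vpn", "prod_cloud", "source_control")

# Constructed offboarding tickets, shaped like a ticketing-system export:
# termination notice time plus the recorded disable time per in-scope system.
OFFBOARDING_TICKETS = [
    {"ticket": "OFF-101", "user": "a.employee", "type": "employee",
     "terminated_at": "2024-03-01T17:00:00",
     "disabled": {"idp": "2024-03-01T17:30:00", "vpn": "2024-03-01T17:35:00",
                  "prod_cloud": "2024-03-02T09:10:00",
                  "source_control": "2024-03-01T18:00:00"}},
    {"ticket": "OFF-102", "user": "b.contractor", "type": "contractor",
     "terminated_at": "2024-03-04T12:00:00",
     "disabled": {"idp": "2024-03-04T12:05:00", "vpn": "2024-03-07T08:00:00",
                  "source_control": None}},   # prod_cloud never tracked at all
]


def evaluate_ticket(ticket, systems=IN_SCOPE_SYSTEMS, sla=REVOCATION_SLA_HOURS):
    """Return one finding per in-scope system that misses the standard.

    Each finding is (system, status, hours_over): status is "missing" when no
    disable time is recorded, or "late" when revocation exceeded the SLA.
    """
    findings = []
    terminated = datetime.fromisoformat(ticket["terminated_at"])
    limit_hours = sla[ticket["type"]]
    for system in systems:
        disabled_at = ticket["disabled"].get(system)
        if disabled_at is None:          # never disabled, or never tracked
            findings.append((system, "missing", None))
            continue
        hours = (datetime.fromisoformat(disabled_at) - terminated).total_seconds() / 3600
        if hours > limit_hours:
            findings.append((system, "late", round(hours - limit_hours, 2)))
    return findings


def offboarding_report(tickets):
    """Map ticket id -> findings; an empty list means the ticket met the policy."""
    return {t["ticket"]: evaluate_ticket(t) for t in tickets}


if __name__ == "__main__":
    for ticket_id, findings in offboarding_report(OFFBOARDING_TICKETS).items():
        print(ticket_id, findings or "OK")
```

A "missing" finding is the more important one for an auditor: it is exactly the case where the offboarding ticket cannot evidence that access was ever removed.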

Change Management Segregation of Duties

Organizations should have an internal control structure designed to specifically address the segregation of duties (SoD) between change developers and deployers. When it comes to managing IT systems and processes, implementing controls to address SoD is crucial to prevent conflicts, reduce errors, and enhance security.

In change management, it’s vital to keep the roles of developers and deployers separate. This separation ensures clear accountability and helps maintain integrity throughout the process. It helps reduce mistakes, meets regulatory standards, and improves reliability.

Organizations can mitigate risks by logically separating the roles of developers and deployers. This allows organizations to reduce the risk of errors and conflicts that arise when the same individuals have both development and deployment responsibilities. This separation also minimizes the chances of unauthorized or inadequately tested changes impacting IT systems.

While separation of duties adds an extra layer of control, it also contributes to operational efficiency. Roles and responsibilities should be clearly defined for all individuals involved in the change management process to ensure there are no segregation of duties conflicts. Developers can specialize in designing effective changes, while deployers can specialize in executing changes efficiently and in accordance with required processes and approvals without conflicting responsibilities.

Many regulatory standards and information security best practices emphasize the importance of SoD in change management. If internal controls are not defined to address potential SoD conflicts that could arise, SOC 2 compliance could become more difficult to attain.

To ensure proper controls, clear documentation of each step in the change management process should be kept. This includes the requesters, testers, approvers, reviewers, and deployers. Keeping this documentation helps show that SoD is followed at all times. This is often accomplished through a change tracking system. By documenting each part of the change process, additional monitoring controls can be implemented to further mitigate the risk of inappropriate changes occurring.

Segregation of duties in the change management process can be difficult to implement in smaller organizations but should be kept in mind when evaluating your internal control environment. As part of best practice security measures, developers and deployers should have logically separate roles. They should also have clear roles and responsibilities defined by the organization. Additionally, each step of the change management and systems development lifecycle should be documented and retained.
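Because each step of a change is documented with its actor, SoD can be checked mechanically rather than by reading tickets. The following is an added example, not code from the original article: it runs over constructed change records and a constructed production deployment log, flags changes where the developer also deployed or approved (a hypothetical policy, stated in the code), flags missing steps, and implements the monitoring control the previous paragraph mentions by comparing the ticket's named deployer with who actually deployed.

```python
# Constructed change records, shaped like a change-tracking system export.
# Every step's actor is recorded so segregation of duties can be evidenced.
CHANGES = [
    {"id": "CHG-2001", "requester": "pm.lee", "developer": "dana", "tester": "eli",
     "approver": "mia", "deployer": "ops.kai"},
    {"id": "CHG-2002", "requester": "pm.lee", "developer": "dana", "tester": "eli",
     "approver": "mia", "deployer": "dana"},          # developer deployed own change
    {"id": "CHG-2003", "requester": "pm.lee", "developer": "sam", "tester": "eli",
     "approver": None, "deployer": "ops.kai"},       # no approver recorded
]

# Constructed production deployment log (for example, a CI/CD audit trail):
# who actually pushed each change to production.
DEPLOY_LOG = [
    {"change": "CHG-2001", "actor": "ops.kai"},
    {"change": "CHG-2003", "actor": "sam"},           # ticket says ops.kai; log says developer
]

REQUIRED_STEPS = ("requester", "developer", "tester", "approver", "deployer")
# Hypothetical policy: the developer may not deploy or approve their own change.
CONFLICTS = (("developer", "deployer"), ("developer", "approver"))


def sod_findings(change, deploy_log=DEPLOY_LOG):
    """Return human-readable findings for one change record (empty = clean)."""
    findings = []
    for step in REQUIRED_STEPS:
        if not change.get(step):
            findings.append(f"no {step} recorded")
    for role_a, role_b in CONFLICTS:
        if change.get(role_a) and change[role_a] == change.get(role_b):
            findings.append(f"{role_a} and {role_b} are the same person: {change[role_a]}")
    # Monitoring control: the ticket's deployer must match the deployment audit trail.
    actual = {e["actor"] for e in deploy_log if e["change"] == change["id"]}
    if actual and change.get("deployer") not in actual:
        findings.append(f"deployed by {sorted(actual)} but ticket names {change.get('deployer')}")
    if change.get("developer") in actual:
        findings.append(f"developer {change['developer']} performed the production deployment")
    return findings


def change_management_report(changes=CHANGES):
    """Map change id -> findings for the whole export."""
    return {c["id"]: sod_findings(c) for c in changes}


if __name__ == "__main__":
    for change_id, findings in change_management_report().items():
        print(change_id, findings or "OK")
```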

User Access Reviews

If an organization has well-defined and documented access control procedures over its personnel access provisioning and terminations, it may be thought that a formalized user access review process is not as important. Unfortunately, there is always a risk of human error, whether it’s an employee originally being granted a higher level of access than was requested or an employee’s termination that was never appropriately communicated to IT so that their access could be disabled. As such, organizations should also consider implementing a user access review process.
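Both of those errors can be surfaced before a reviewer ever looks at the listing. The following is an added example, not code from the original article: it reconciles a constructed system user listing against a constructed HR roster and the access that was originally approved, pre-populates a reviewer worksheet with the entries that need an explicit decision, and orders it so privileged roles are reviewed first. The privilege ordering is an assumption for the example.

```python
# Constructed inputs (not real data) for one in-scope system:
#  - the system's current user listing, exported for the review
#  - the HR roster of people currently working for the company
#  - the access that was originally requested and approved for each user
SYSTEM_USERS = [
    {"user": "dana", "role": "admin"},
    {"user": "eli", "role": "read_write"},
    {"user": "old.contractor", "role": "read_only"},   # left the company; IT was never told
    {"user": "sam", "role": "admin"},                  # requested read_write, got admin
]
ACTIVE_ROSTER = {"dana", "eli", "sam"}
APPROVED_ROLE = {"dana": "admin", "eli": "read_write",
                 "old.contractor": "read_only", "sam": "read_write"}

# Hypothetical privilege ordering used to decide whether granted access
# exceeds what was approved.
ROLE_RANK = {"read_only": 0, "read_write": 1, "admin": 2}


def review_worksheet(system_users, roster, approved_role, role_rank=ROLE_RANK):
    """Pre-populate the reviewer's worksheet with the items that need a decision.

    Returns a list of dicts; "flag" is None for access that matches the record,
    otherwise the reason the reviewer must accept or reject it explicitly.
    """
    worksheet = []
    for entry in system_users:
        user, role = entry["user"], entry["role"]
        flag = None
        if user not in roster:
            flag = "user is not on the active roster (possible missed termination)"
        elif user not in approved_role:
            flag = "no approved access request on file"
        elif role_rank[role] > role_rank[approved_role[user]]:
            flag = f"granted {role} exceeds approved {approved_role[user]}"
        worksheet.append({"user": user, "role": role, "flag": flag})
    return worksheet


def flagged_users(worksheet):
    """Users whose access cannot be accepted without an explicit reviewer decision."""
    return [row["user"] for row in worksheet if row["flag"]]


def privileged_first(worksheet, role_rank=ROLE_RANK):
    """Order the worksheet so the highest-risk roles are reviewed first."""
    return sorted(worksheet, key=lambda row: -role_rank[row["role"]])


if __name__ == "__main__":
    for row in privileged_first(review_worksheet(SYSTEM_USERS, ACTIVE_ROSTER, APPROVED_ROLE)):
        print(row["user"], row["role"], row["flag"] or "matches record")
```

The worksheet rows, the reviewer's accept/reject decision on each, and the completion of any follow-up are the evidence items the section below lists as the minimum documentation for a review.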

Companies should design and implement well-defined policies and procedures for the performance of the user access reviews, which includes consideration of review frequencies (annually, quarterly, monthly, etc.), applicable users, and in-scope systems. When considering the applicable users for the user access reviews, companies should take into consideration the different roles, groups, and permissions applicable to their environments. It may make sense for higher-risk groups, such as Administrators or Super Users, to be reviewed more frequently than other users.

When performing user access reviews, each step and component of the process should be clearly tracked and documented. This should include at a minimum:

  1. The user, role, group, and permission listings used in the performance of the review.
  2. The individuals performing the review.
  3. The reviewers’ responses for each user’s access being reviewed, such as whether the access is accepted or rejected, including the date of review and any follow-up actions to be taken as a result of the review.
  4. Confirmation that any required follow-up actions were completed.

It can be difficult to apply one approach to designing a user access review process across all critical systems, as each system can be very different.

As it relates to performing the review, these differences may include different reviewers for each system, different information being stored and/or processed by the system, and different role and permissions customizations and definitions. As such, performing a separate analysis for each of these factors on each system will help organizations to better identify how to design their user access review process.

Due to their initial process design and periodic manual performance requirements, user access reviews can be a cumbersome task for organizations. Ultimately, it is better to prioritize quality over quantity. When starting from scratch, it may make more sense to start by reviewing a smaller group of users (e.g., privileged and/or administrator users only) and expand the process from there. An organization can receive an unqualified SOC report without a defined user access review control, but a well-designed and implemented user access review control could prevent an organization from receiving a qualified report.

Third-Party and Vendor Risk Management

As organizations keep outsourcing important tasks to third-party vendors, they face more risk. It is crucial to have a good process for assessing these risks, which includes evaluating vendors and managing the risks properly. Though how an organization decides to manage its vendors will vary based on a multitude of factors, there are key components of the process that should be considered when designing a vendor management program.

The organization should have a vendor risk framework implemented, which typically includes an inventory, tiering, periodic assessment, and assessment when vendors are onboarded. Each step of the vendor management lifecycle should be documented. This will allow the organization to apply a risk-based approach as to how it will handle the vendors.

A vendor used for shredding or media destruction, for example, may not be considered as high-risk as a cloud service provider for the supporting infrastructure and therefore would likely require a different vendor management approach.

Additional consideration should also be given to vendors known as subservice organizations, which are vendors that are responsible for providing key functions to support the fulfillment of the SOC 2 Trust Services Criteria, and additional procedures such as periodic review of their most recent SOC reports should be implemented. Responsibility and accountability for the management of vendors, including periodic assessments and communication with the vendors, should also be clearly defined.

As part of vendor onboarding, specific requirements for the vendor including scope, roles and responsibilities, compliance requirements, and expected levels of services should be clearly defined. Typically, these would be defined within contractual agreements, and assigned vendor managers would be responsible for ensuring that the defined requirements are being met and appropriate communication channels to address identified issues are established.

Formal procedures should be in place for the termination of vendor relationships. These procedures should include considerations for the removal of related access, safe return of data, and ensuring that data is appropriately removed from the related system in accordance with applicable agreements, laws, and regulations.

A vendor risk framework should be utilized by all organizations, especially if any key functions are being outsourced to third-party providers. Though the implementation will vary based on the organization and the framework utilized, best practices for vendor risk management typically include maintaining a vendor inventory, a tiering model, and periodic risk assessments.

Contractual agreements should be in place to define service requirements. Organizational vendor management procedures must ensure that service requirements are met and appropriate termination procedures are followed. Regular communication should be defined and appropriately assigned to personnel as part of their roles and responsibilities.

Policies and Procedures

Organizations often overlook the maintenance of policies and procedures, even for ones pertaining to critical processes. These documents play a crucial role in communicating the company’s morals and values, streamlining internal operations, setting expectations, and offering guidance for decision-making. It is crucial for organizations to have clearly defined policies and procedures. Lack of policies and procedures can lead to several issues and challenges such as:

  1. Inconsistent Practices: Employees may handle similar situations differently without clear guidelines, leading to inconsistencies in work and decisions.
  2. Unclear Expectations: Employees may lack clarity on expected behavior, performance standards, or compliance requirements, causing confusion and potential inefficiencies.
  3. Risk of Errors and Misconduct: Absence of policies increases the likelihood of errors, oversights, or misconduct, which can lead to financial losses or legal issues.
  4. Lack of Compliance: Without defined procedures, organizations may struggle to meet industry regulations or internal standards.
  5. Difficult Decision-Making: Managers and employees may find it challenging to make decisions confidently without clear guidelines, slowing down processes.
  6. Reduced Efficiency: Clear procedures streamline workflows and help employees perform tasks efficiently; their absence can lead to inefficiencies.
  7. Impeded Growth and Development: Inconsistent practices and inefficiencies hinder organizational growth and innovation.
  8. Employee Disengagement: Unclear procedures can demotivate employees and impact morale and job satisfaction.
  9. Difficulty in Training and Onboarding: New hires may struggle without documented procedures, prolonging training and hindering integration.
  10. Customer Dissatisfaction: Inconsistent service delivery due to lack of standardized procedures can lead to dissatisfaction among customers, impacting retention and growth.

Establishing clear and accessible policies and procedures is essential for ensuring smooth and consistent operations within companies. These documents provide guidelines for tasks ranging from customer interactions to financial transactions and workplace safety. By making these guidelines readily available, employees can work more efficiently, maintain compliance with regulations, and reduce the risk of errors. This clarity fosters transparency and accountability, ensuring everyone understands their roles and responsibilities in achieving organizational goals effectively.

It’s crucial for relevant personnel to review and update policies and procedures as needed. Typically, reviews and updates are performed at least annually or as major changes occur. This ensures that:

  • Documents reflect current standards and practices.
  • Updates meet legal and regulatory requirements.
  • Vulnerabilities are addressed and controls are strengthened.
  • Employees are empowered with updated guidelines for their roles.
  • Effectiveness is evaluated and enhanced based on feedback.

Regular reviews are essential for maintaining organizational effectiveness, compliance, and adaptability in a dynamic environment.

When implementing new processes, management should define corresponding policies and procedures to support employees in their roles and responsibilities and provide any relevant training on the policies and procedures. For instance, if an organization transitions logging and monitoring responsibilities from a third party to in-house, new policies and procedures must be established. These documents provide clear guidelines and expectations for employees, ensuring they understand how to execute their roles effectively within the new framework.

Organizational policies and procedures should be established for all critical processes. Lack of policies and procedures can lead to a multitude of challenges including inconsistencies, compliance gaps, errors, and overall inefficiencies. Policies and procedures should be made readily available to all personnel. Additionally, policies and procedures should be reviewed and updated at least annually, and new policies and procedures should be defined as new processes are implemented.

Achieving SOC 2 Compliance: Closing the Gap with Effective Remediation

How organizations implement these suggested remediation plans will vary based on their existing control environment. For each of these common findings, implement appropriate security measures to mitigate the risk of process failure. To check whether your organization’s information security program has the right measures in place, get a SOC 2 Gap Assessment. This assessment helps identify risks and ensures you meet the Trust Services Criteria.

Ultimately, implementation of appropriate security measures to mitigate the risks associated with each of these common compliance gaps should be performed in accordance with the organizational requirements.

LBMC’s experts can help your organization prepare for SOC 2 compliance. Please contact us if you are interested in learning more about SOC compliance.