SOC II Certification Project Outline
Time-frame: 2012 – 2013
I work for a Telecommunication company specializing in providing VoIP services, internet services, webhosting, and reselling CISCO products. The company started as an Independent Telephone company in Western New York that has spanned across New York State, into Pennsylvania, and has CISCO customers spread all over the east coast. One large project that we have taken on in 2012 is Data Storage. The company purchased a portion of the Seneca Army Depot in Upstate New York several years back, with the intention of using the property as a secured storage facility. Since its purchase, we have expanded into storage options available for our customers as well. Our customer base encompasses any business or organization that uses telephone and internet services, so the range is quite large. We have worked with several customer requirements over the years, since different organizations require standard operating procedures in order to maintain their status, legal funding, and tax qualifications. An example of such requirements is OSHA laws and regulations for public schools. All of our engineers who worked on a project for a school district were required to become OSHA certified before beginning any work on said project.
As a whole, the entire company did not require OSHA certification due to the law’s requirements; however, now that we are delving into data storage for specific businesses that deal with HIPAA and tax information, we are required to become SOC II certified. SOC II certification is an auditing standard that says we operate our business with system controls and meet the certification’s privacy and confidentiality standard requirements. (ISACA; 2012) It’s another way of saying we have been checked and pass.
Due to the sensitive nature of this Certification, the project team had to become aware of our current Security SOP, policy, training, and the areas where we are lacking. I am currently going to R.I.T. for Information Security and Forensics, which pulled me into the project team. Since our company is mainly filled with Engineers, each with a specific skill set for their particular area, they were unfamiliar with stepping back and looking at the company as a whole. They do their jobs extremely well, but the concept of checking Security is not always at the forefront. My direct manager and COO know of my degree and that my focus is on policy writing specifically, and felt I was perfect for the team. They felt I would contribute to any policy corrections and implementations that were needed for us to pass the certification.
The project started in September of 2012, with an estimated completion date of February 2013. I co-led with the Sales Engineer (an Engineer who works closely with the Sales team, bridging the gap between the two Departments. This person is usually the one that offers technically oriented answers and solutions that the Sales team may not know off hand), who was responsible for the Data Storage & Cloud Computing customer packages.
My original assigned lead role was as Policy Administrator; my duties surrounded creating and managing the compliancy policy and working with the Compliancy Team, NOC Specialist, and Audit Team. The Compliancy Officer stayed in the overall lead position, training me to take over his role once the initial audit occurred. The role of the Compliancy Officer is to be the overall policy administrator, approve or deny implementation, and maintain quality assurance. My role was deciding the initial risk without updating or changing those areas of unacceptable risk, and testing the policies after they had been updated. I had to do this within the definitions of Confidentiality, Integrity, and Availability (the C.I.A. umbrella of management).
As Policy Administrator, I was in control of the policy structure and presentation. Below is a list of Policy items I demonstrated a leadership role in:
- Creating Initial Risk Management Audit by determining potential threats and vulnerabilities.
- Creating and updating the overall company policy.
- Separating policies based on departments and sensitive information (i.e. creating a companywide policy, Department specific policy amendments, and a policy specific to the Data Storage team only.)
- Created the Data Storage training steps and presentation.
- Researched and demoed available Training and Awareness programs that our company could implement. Also presented the estimated budget of these programs to the Compliancy Officer and appropriate teams.
- I ran through ‘trial runs’ of various aspects of the policy and training, to verify the overall flow and competency of the documentation.
- Ran Secondary Risk Management Audit.
My role relied upon promptness and multiple team meetings and discussions along the way. I organized updates to all those involved and scheduled 1-1 meetings when necessary. I attempted to limit entire-team meetings to when they were absolutely necessary.
- Summary of project can be found under ‘Women’s Leadership Certification Program’
© Kana Kennedy, Kennedy Info Sec, and Kennedyinfosec.com , 2011 – 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Kana Kennedy and Kennedy Info Sec with appropriate and specific direction to the original content.