Surviving and Passing SOC Audits – The Physical Walkthrough

Surviving and Passing SOC Audits – The Physical Walkthrough

The on-site walkthrough with the auditor varies based on whether your data center is located on-site or at a different facility. In this scenario, let

Surviving and Passing SOC Audits – Business Impact Analysis
Beefing Up Your Home Security Camera Systems
Surviving and Passing SOC Audits – Part Three

The on-site walkthrough with the auditor varies based on whether your data center is located on-site or at a different facility. In this scenario, let’s assume that your production network environment is situated elsewhere, while your corporate office houses a smaller server area with minimal infrastructure necessary for normal business operations. During the physical walkthrough, the auditor will focus on several key aspects:

  • Exterior: An auditor usually begins the inspection from the exterior of the building, ensuring that security cameras adequately monitor all entry points, exits, and the parking area. The auditor will verify roof access points to confirm they are secure and under surveillance. Additionally, they will perform a physical examination of doors to ensure they are firmly locked and resistant to forceful opening. Prepare for the auditor to apply a strong, forceful pull to test the doors’ security. They will check for adequate outside lighting around entrances and parking areas.
  • Card Entry and Keypads: The auditor will examine the card entry system and keypads. They’ll inquire about the hours during which these entry devices are active.
  • After-Hours Access: If after-hours entry is allowed, the auditor will verify the procedures and permissions associated with it.
  • Visitor Check-In/Check-Out System: The presence of a visitor check-in and check-out system will be evaluated. This may include visitor name tags. This may also be a receptionist or guard area that performs this function.
  • Access Log Sample: The auditor will request a sample of the entry and exit logs to review visitor activity.
  • Camera Security: The auditor will be looking to see that there is security coverage in every area, with as minimal blind spots as possible. Video retention will need to be at least 90 days, and they will ask for evidence proving it like video clips 90 days apart.
  • Alarm System: The auditor will look to see that you have an active security alarm system installed and may ask you for evidence as to who has the codes to enable/disable.
  • Fire Alarms: The auditor will be checking to see that you have manual pull type fire alarms located within the building, particularly near the exits.
  • Sprinkler Systems: The auditor will check to see that you have sprinklers in every area for fires.
  • Fire Extinguishers: These should be present and checked at least annually for operational readiness.
  • Network and Server Equipment Room: This should always be a locked door, preferably spring closing, it can be manual lock or biometric. They will ask who has access to that room. They will verify that you have adequate cooling, security cameras, and water leak detection devices. They might ask you to explain where your ISP interconnects, where is the firewall, what are the core switches, routers, etc. and will for certain ask for a detailed network diagram.
  • Wireless Access Points: The auditor will ask to see the location of these as well as to provide screenshots of the wireless security configs. It is best that you do not have a guest Wi-Fi, but if you do then be prepare to explain what controls you have in place to prevent anyone from using that to access your business networks. My advice do not create a guest Wi-Fi!
  • Backup Power: The auditor will ask to see a backup power source like a generator, and they will ask you to provide proof of its testing at least annually but quarterly is even better.

That should conclude a majority of the general areas the auditor will be inspecting, however there could be other areas or items that are specific to your location or business that you will need to address.

COMMENTS

WORDPRESS: 0