What Kind of Internal Controls Should We Focus On Securing Our Physical Office SSAE16/18


SSAE 16 (now superseded by SSAE 18) is an auditing standard for service organizations that focuses on internal controls, including security measures. To secure an office space in line with SSAE requirements and to protect against social engineering, focus on the following areas:

1. Physical Security
   a. Access control: Implement access cards, biometrics, or PIN-based entry systems to restrict unauthorized access.
   b. Surveillance: Install security cameras to monitor sensitive areas and keep a record of activity.
   c. Secure entry points: Reinforce doors, windows, and other entry points to prevent unauthorized entry.
   d. Visitor management: Implement a visitor management system to track and monitor visitors in the office.

2. Network Security
   a. Firewalls: Deploy firewalls to protect your internal network from external threats.
   b. Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS to monitor for and block unauthorized access to your network.
   c. Secure Wi-Fi: Use strong encryption and authentication, such as WPA2 or WPA3, for your Wi-Fi network, and consider separate networks for guests and employees.
   d. Regular updates and patching: Keep software, firmware, and operating systems up to date to prevent exploitation of known vulnerabilities.
   e. Network segmentation: Separate critical systems and data from the rest of the network to reduce the risk of unauthorized access.

3. Employee Training and Awareness
   a. Regular training: Conduct regular security awareness training to educate employees about potential risks, social engineering tactics, and best practices for maintaining security.
   b. Clear policies and procedures: Establish clear policies and procedures for handling sensitive information, reporting security incidents, and managing access to systems and data.
   c. Phishing awareness: Train employees to identify and report phishing emails and other social engineering attempts.

4. Access Management
   a. Role-based access control (RBAC): Implement RBAC so that employees have the level of access to systems and data that their job responsibilities require.
   b. Regular access reviews: Conduct periodic reviews of user access rights to confirm they remain appropriate, and revoke access that is no longer needed.

5. Data Security
   a. Data encryption: Encrypt sensitive data both in transit and at rest to protect it from unauthorized access or interception.
   b. Backup and disaster recovery: Implement a robust backup and disaster recovery plan to protect critical data and ensure business continuity in the event of a security incident or other disruption.

6. Vendor Management
   a. Assess vendors: Evaluate the security practices of your vendors and require them to adhere to your security standards.
   b. Contractual agreements: Include specific security requirements and responsibilities in contracts with vendors.

7. Incident Response Plan
   a. Develop a plan: Establish a clear incident response plan that outlines roles, responsibilities, and procedures for identifying, containing, and recovering from security incidents.
   b. Regular testing and updates: Test and update the incident response plan regularly to ensure it remains effective.

8. Compliance and Audits
   a. Regular security audits: Conduct periodic security audits to confirm your security measures are effective and up to date.
   b. Compliance monitoring: Monitor your organization's compliance with relevant regulations and standards, such as SSAE 18, GDPR, or HIPAA.
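The RBAC and regular-access-review controls under Access Management are the ones an SSAE 18 auditor will most often ask you to evidence, so it helps to make them mechanical. The following Python script is an added example, not code from the original post: it checks a permission request against a role policy, then runs a periodic review that flags accounts with no active HR record, permissions beyond what the role allows, and dormant logins. The role policy, HR roster, account export, 90-day dormancy threshold and review date are all constructed sample data.

```python
"""RBAC check and periodic access review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed RBAC policy: each role maps to the permissions it is allowed to hold.
RBAC_POLICY = {
    "engineer": {"vpn", "source_repo", "staging_db"},
    "finance": {"vpn", "erp", "payroll"},
    "reception": {"visitor_log", "badge_system"},
}

# Constructed HR roster: the authoritative list of who works here and in what role.
HR_ROSTER = {
    "alice": {"role": "engineer", "status": "active"},
    "bob": {"role": "finance", "status": "active"},
    "carol": {"role": "reception", "status": "active"},
    "dave": {"role": "engineer", "status": "terminated"},
}


@dataclass
class Account:
    """One entry from a (constructed) identity-system export."""
    user: str
    permissions: set
    last_login: date


# Constructed export; "eve" has an account but no HR record at all.
ACCOUNTS = [
    Account("alice", {"vpn", "source_repo", "staging_db"}, date(2024, 1, 12)),
    Account("bob", {"vpn", "erp", "payroll", "source_repo"}, date(2024, 1, 5)),
    Account("carol", {"visitor_log", "badge_system"}, date(2023, 9, 1)),
    Account("dave", {"vpn", "source_repo"}, date(2023, 6, 30)),
    Account("eve", {"vpn"}, date(2024, 1, 14)),
]

# Constructed date on which the review is run.
TODAY = date(2024, 1, 15)


def authorized(user, permission, roster=HR_ROSTER, policy=RBAC_POLICY):
    """RBAC decision: allow only if the user is active and the role permits it."""
    record = roster.get(user)
    if record is None or record["status"] != "active":
        return False
    return permission in policy.get(record["role"], set())


def review_access(accounts, roster, policy, today, dormant_days=90):
    """Periodic access review. Returns (user, action, detail) findings."""
    findings = []
    for acct in accounts:
        record = roster.get(acct.user)
        # Leavers and unknown accounts: everything goes, no further checks needed.
        if record is None or record["status"] != "active":
            findings.append((acct.user, "revoke_all", "no active HR record"))
            continue
        # Permissions the account holds that the role does not justify.
        excess = acct.permissions - policy.get(record["role"], set())
        if excess:
            findings.append((acct.user, "remove", sorted(excess)))
        # Accounts nobody has used in a while are disabled pending re-approval.
        if today - acct.last_login > timedelta(days=dormant_days):
            findings.append((acct.user, "disable", f"no login in {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for user, action, detail in review_access(ACCOUNTS, HR_ROSTER, RBAC_POLICY, TODAY):
        print(f"{user:8} {action:11} {detail}")
```

The review takes the HR roster, not the identity system, as the source of truth, because the common audit finding is an account that outlived its owner's employment. Keeping the findings as structured tuples rather than printed text lets you ticket each one and retain the output as evidence of the review.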

By addressing these areas, you can secure your office space and protect against social engineering threats while meeting SSAE requirements.
