My client Brad Schweizer, COO asked me to create a SOC Framework Diagram (36"x48" poster now hanging in the War Room) to include Terminology, Tasks, Milestones & Personnel to help monitor the implementation progress and more importantly communicate the status to the C-level stakeholders.

1. Business Objectives Project Execution & Milestone Tracking
Analysis, Strategy,
Architecture, Apps
& Processes
Mapping,
Approach &
Budgeting
Mark S Mahre
Service Organization Controls SOC Integration Framework
PLANINITIATE
Suitability,
Remediate &
Pre-Testing
AUDIT
C-Level , Security Officer, Analysts, Subject Matter Experts, Project Managers & Consultants
Readiness,
Resources &
Templates
Sponsors
Strategy,
Requirements
& Roadmap
Business Case
Project Scope
Success Criteria
HIPPA Req.
Road Map
Approvals
Project Design
Project Tasks
Risk Assessment
As-Is Assessment
Financials
Scheduling
Project Timeline
Resource Requirements
Gap Analysis
Readiness Assessment
Create Templates
Identify Partnerships
SOC Governance
HIPPA Mandates
Status Reporting
Change Controls
Authentication
Encryption Controls
Project Kick-Off
Auditor Assessment
Employee Awareness
Critical Controls
System Description
Information Security
Operational Effectiveness
Controls Testing
Readiness Reviews
Quarterly Meetings
Monitor Results
Lessons Learned
Upload Evidence
Audit Procedures
Sampling Process
SOC Compliance Report
Auditor s Letter
SOC Gap Letter
DESIGN CONTROLS OPERATIONAL
Execution,
Sustainability &
Reporting
Risk Mitigations
Suitability of Design
Data RPO/RTO
DR/BCP Strategy
Incident Response
Cloud Services
Mahre & Schweizer
Auditor
Analysis
Testing,
Sampling &
Fairness
Month 1 Month 2 & 3 Month 4 & 5 Month 6 & 7 Month 8 - 11 Month 12
SOC Strategy & Roadmap:
Task % Task % Task % Task %
Business Case Success Criteria Approval Signoff Project Budget
Project Scope of Work Road Map (Milestones) Identify Resources Contact Legal
Data Security Mandates HIPPA Mandates Blackout Dates Identify Stakeholders
Mapping & Approach:
Task % Task % Task % Task %
Project Design & Requirements As-Is Assessment (Gaps) Resource Schedule Timeline & Milestones Plan
Project Plan & Budgets Project Financials Spreadsheet Contact PMO C-Level Buy-In
Risk Assessment Approach Schedule Quarterly Mtg. SOC Status Meeting Schedule Communications Broadcast
Readiness & Resources:
Task % Task % Task % Task %
Confirm Timeline & Milestones To-Be Requirements (Targets) System Description Asset Inventory - CMDB
Create Templates People / Resources in Place Information Security Doc. Change Management Strategy
Identify Partnerships Readiness Assessment Employee Handbook Building Access Security Plan
Analysis, Architecture & Processes:
Task % Task % Task % Task %
Project Execution Kickoff Change Control Process Meeting HIPPA Mandates AWS Stack Review
Aprio Assessment Meeting Critical Controls Accuracy Bi-Weekly Status Reporting End-2-End Data Encryption
Employee Training Meeting Security Governance Process Local Area Networks Security Controls
Suitability, Remediate & Pre-Testing:
Task % Task % Task % Task %
Governance Implemented Network Penetration Testing AWS Testing Results Incident Response Testing
Critical Controls Testing Client Data Security Testing AWS Monitoring Results DR/BCP Testing
Change Controls in Place / Tested LAN/WAN Monitoring Results Data Encryption Results Readiness Reviews
Execution, Sustainability & Reporting:
Task % Task % Task % Task %
Governance Execution Help Desk System in Place Data Encryption Reporting DR/BCP 2018 Plan in Place
Critical Controls in Place System Uptime Reporting Client Satisfaction Surveys SOC T2 2018 Planning
Change Controls Best Practice Risk Mitigation Strategy 2018 Auditor’s Final Meetings SOC T2 2018 Schedule
Testing, Sampling, and Fairness:
Task % Task % Task % Task %
Uploading to Aprio Shared Drive Critical Controls Priorities Fairness Reporting Complete Lessons Learned
Audit Testing Critical Controls Short List SOC Auditor’s Letter Plan for Next Audit Period
Audit Sampling Critical Controls Accuracy ‘x’ SOC Compliance Report Build Maturity Model
Task Owner:
CXO & Leadership CISO CIO COO Legal CFO PMO
SOC Team Security Team IT Team Operations Team Contracts Team Finance Team Consultants
SOC Framework document created and owned by Mark S Mahre (ClearCost US) and Bradford Schweizer (Aces Health) September 2017.