
Risks to be addressed, from the risk report.

Initial level related to SOC requirements.


Based on the given context, some technical risks that can cause difficulties for the
development team on a daily basis include:

1. Frequent Errors: Repeated occurrences of errors in the software can lead to client
dissatisfaction and potential turnover.

2. Security Vulnerabilities: If the application system controls are not adequately tested and
maintained, it can jeopardize the ability to control unauthorized access.

3. Compatibility Issues: Incompatibility with different platforms, devices, or software
versions can create challenges for the development team.

4. System Downtime: Unplanned outages or system failures can disrupt development
activities and impact productivity.

5. Lack of Skills and Resources: Insufficient skills or resources within the development
team can result in gaps in critical project tasks and inefficient use of resources.

6. Communication Challenges: Ineffective communication channels and inconsistent
messaging can lead to misunderstandings and inefficiencies within the development
team.

SOC reports are primarily concerned with overseeing organizational controls related to security,
availability, processing integrity, confidentiality, and privacy of a system (as per SOC 2). Not all
the risks listed might directly apply to SOC compliance, but they can have indirect implications.
Here’s how each risk relates to SOC compliance:

Performance Issues: While not a direct concern of SOC standards, poor performance can
indicate underlying issues in processing integrity and system availability, which are part of SOC
criteria. If performance issues affect system operation or data accuracy, they become relevant.

Frequent Errors: Similar to performance issues, frequent errors in software could point to
deficiencies in the system’s processing integrity. This is relevant for SOC compliance,
particularly if these errors could affect the system’s output or the security of customer data.

Security Vulnerabilities: This is directly related to SOC compliance, especially in SOC 2,
where security is a key criterion. The ability of a system to protect against unauthorized access
(both physical and logical) is crucial.

Examples:
- Password rotation policies
- Lack of secure coding standards
- Insufficient logging and monitoring
- Failure to restrict URL access
- Sensitive data exposure

Compatibility Issues: While generally more of a functionality concern and not directly a SOC
focus, severe compatibility issues could impact system availability and security controls,
especially if they necessitate frequent system changes or patches.

System Downtime: This is related to the availability criterion of SOC 2. Unplanned outages are
particularly concerning as they can indicate that the system is not as available as outlined by the
service commitment or agreement.

Lack of Skills and Resources: Indirectly related, because insufficiently skilled staff or lack of
resources can lead to failures in implementing, maintaining, or monitoring effective controls,
potentially impacting various SOC principles.

Communication Challenges: While not a direct risk in the context of SOC compliance,
ineffective communication could lead to failures in understanding and implementing the
necessary controls, or in responding effectively to identified issues. This could indirectly impact
any of the SOC areas, especially if it results in mismanagement or inadequate resolution of
security concerns.

In preparing for SOC compliance, an organization should address all operational risks that could
impact its control objectives and potentially affect its security, availability, processing
integrity, confidentiality, or privacy commitments to its clients.

SOURCES:

Risk Assessment 8-31-2022

● Page 6: If frequent errors are identified by clients, this will become an issue which could
lead to client turnover.
● Page 11: Has testing been performed on the application system controls?
● Page 6: DBP has a standardized dev ops setup process that is used for only .net new
builds.
● Page 4: Changes in laws and regulations could have an impact on organizations that
might be affected by these.
● Page 4: Ineffective communication channels result in messages that are inconsistent
with authorized responsibilities and do not effectively convey information as intended.

It’s important to note that these risks are inferred from the given context and may not cover all
possible technical risks that can affect the development team.
