Your customers are looking for assurance that you have security properly baked into your systems. They want to be able to trust that you are taking the right steps to protect their data and that you won’t be the cause of a data breach or another cyber incident that impacts their security. SOC 2 compliance is one way you can provide a level of trust.While compliance does not equal security, it can help you demonstrate the security and risk management work your company has in place. As more organizations choose to work with companies that maintain a mature security system, having a SOC 2 report can elevate your status in a competitive business atmosphere.
We are proud to have recently announced that we became SOC 2 Type 1 certified. Having completed this step along our journey, we are applying what we learned about the process to help you get started so you can add that level of trust for your customers.
What Is a SOC 2 Report?
Within SOC 2, there are different types of reports. Type 1 is a review of the design of your system at a specific point in time. Type 2 reviews the design of your system, but also looks over those operations over a period of time and provides a historical, more in-depth overview to ensure controls are consistently maintained.
While we chose SOC 2 there are other SOC reports that you may want to look into based on your needs.
Why SOC 2?
As mentioned earlier, your target audiences for a SOC 2 report are your current and potential customers. The report offers certain benefits to both your customers and to your company. For your customers, it adds a level of assurance that you are providing the security you promise. It also helps you with new business enablement. At Cobalt, we’re focusing on SOC 2 because we’re a service provider storing customer data in the cloud. We want to be able to show our customers that we care about them and respect their data.
The process of going through the SOC 2 framework can improve your own infosec risk management programs. SOC 2 is not a security activity in and of itself; instead, the report allows you to communicate all of the security and trust protocols your business is implementing to manage your cybersecurity.
Every company has different reasons for pursuing SOC 2 compliance, but a few of the most common drivers include:
Contracts: Especially around cloud services, customers are increasingly requesting businesses be SOC 2 compliant.
Third-party Vendor Questionnaires or Customer Requests: Prospects and customers need to assess security risk for all new service providers. If a provider does not have a SOC 2 or equivalent attestation, the service provider is required to answer questionnaires related to the security controls that are in place. Standard security questionnaires like the CAIQ can have just under 300 questions.
Marketing and Business Strategy: For young or growing companies, a SOC 2 can be used as a competitive differentiator showing the market that a baseline level of security maturity has been reached.
Preparing for SOC 2 Audit
When preparing for your SOC 2 audit, you want to start small and build over time. In fact, you may want to consider a smaller scope for your first audit, like choosing only those trust principles that are required for your organization or only the part of your environment where customer data is stored. (More on that below) Focusing on a smaller scope gives you more control of the process and improves the chance of a successful outcome. For smaller teams, this is critical to ensure that you’re able to build and maintain real controls that are supportable for the long haul.
Within the SOC 2 framework, there is the Trust Services Criteria (TSC), also known as Trust Principles. These are the requirements your business needs to meet in order to undergo a SOC 2 audit and should be tailored to your business and the particular products or services you offer. You will also carve out any services provided by a third party. For example, if you use Amazon Web Services (AWS), Amazon is responsible for the datacenter security in their cloud. Your auditors will be able to leverage their SOC 2 report to satisfy controls in your audit.
The principles that make up TSC and the corresponding abbreviation for each include:
Security (CC): The ability of your organization to protect information you store and process
Availability (A): Accessibility of systems and information for your customers
Processing Integrity (PI): Completeness and accuracy of your information
Confidentiality ©: The ability to protect confidential information
Privacy (P): The ability of your systems to uphold common tenants of privacy regulations
What’s Required in an SOC 2 Audit
The audit breaks down to the policies and controls you have in place in your organization. The audit looks for evidence that supports your security policies as they tie to the framework. These controls can be organized into the following groups:
Process Controls: What steps are you taking to control risk, how are they documented, and can you follow them? For example, one way to control risk is to implement and maintain a vulnerability management program. One area of your vulnerability management program is your pentest program. Though only one pentest is required for SOC 2, that may not be sufficient for your business if you push new code weekly or make infrastructure changes often. Your schedule and process should be documented and followed repeatedly. Also required in a vulnerability management program are automated scans and remediation of vulnerabilities. Another thing you will need to show is your risk management capabilities, which should include things such as cybersecurity insurance.
Technical Controls: This includes all of your technical or system controls, such as end-point protection, firewalls, password management, MFA, encryption, and VPNs and how they are supported.
People Controls: This focuses on risk related to people processes. How are your employees or contractors onboarded into the company and what access do they receive? Is that access appropriate for their role? Just as important is how people are offboarded when they leave the organization. If processes are not followed, past employees may be able to access sensitive business information and trust breaks in the organization.
Set a Time Frame
Once you figure out the controls to put in place, you’ll need to set up a time frame to get organized for your SOC 2 audit. During this phase, I would recommend following these steps:
Identify internal stakeholders: Identify which teams will be supporters in this initiative and who resources on those teams are necessary to help with audit readiness.
Get buy-in and resource commitments: It’s important to get buy-in from all requisite teams. SOC 2 compliance is a cross-company effort and can’t be achieved by security alone. One buy-in is established and resources are allocated, an audit date can be set by working backwards from the audit dates.
Do a gap assessment: An auditor or infosec professional may be able to help identify deficiencies and gaps that need to be implemented prior to the audit. This helps build the plan for your newly bought-in resources.
Audit readiness: This will determine what of your controls are in place and what still needs to be implemented. This is great as it shows where you are at in preparation for the audit and enables you to report out progress to stakeholders.
Engage your auditor: A qualified Certified Public Accountant (CPA) will conduct the audit, review your program, and determine if you meet the requirements.
SOC 2 compliance is a process– one that will take months and involves many parts of the organization– but once completed, being SOC 2 certified demonstrates to your customers that security and compliance is an important aspect to your business and the services you offer.
SOC 2 compliance should be treated as a program instead of validation of total security. It shows your customers that you’ve built a foundational level of security across your service offerings that has been verified by a neutral third party. This program then moves from one of net-new capabilities to an ongoing program as you prepare for your SOC 2 Type 2.
Interested in learning more about how Cobalt could help you meet your SOC 2 vulnerability management program needs? Read more about Soc 2 Compliance for SaaS companies or schedule a call with our team today to discuss your precise needs.