Many companies, especially start-ups, need to maintain a SOC2 certification but would rather not hire a full-time CISO. So who is going to make sure that you will pass your next SOC2 audit? Outsourcing your Information Security program is a great way to support sales with the SOC2 certification without breaking the budget by staffing a large team.
What is SOC2?
SOC2 is a certification program from the AICPA. Yes, the AICPA. So to have this audit performed, you need to hire a (suitably qualified) CPA to do it. SOC stands for “Systems and Organization Controls” (formerly “Service Organization Controls”).
Why get a SOC2?
If you do not have a SOC2 report, customers (often larger, enterprise customers) will inevitably need to audit you when considering whether they should trust you with their data or rely on your availability. They may choose not to go through that hassle and just move on to a vendor that does have such a report. Even if they do stick around, do you really want to go through a detailed audit by every customer?
A SOC2 report lets you get audited once; after that, you just provide the SOC2 report to the customers or prospects to allay any concerns and satisfy their internal auditors.
How do you get a SOC2 report?
Firstly, you need to select which principles you are going to get audited on. You can choose one or more from this list.
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Based on that choice, there will be a set of trust services criteria that you need to achieve. These are not the controls that you need to comply with; these are the criteria that your controls need to meet.
So now you write your controls. At this stage, you should always consult with the CPA who is going to perform your audit to agree that your chosen control set is going to satisfy the necessary control criteria when they audit. If you have not chosen a CPA yet to perform your audit, we can refer you to some that our customers have used and recommend for SOC2 assessments.
Type 1 report
Once you have designed your control set, you could ask the CPA to perform an audit and issue a type 1 report. The auditor is not actually checking that the controls are in place or effective — only that their design is sufficient to meet the SOC2 requirements as applied to your service.
To be honest, this is going to be of little comfort for any customer or prospect as it only really describes your plan to be trustworthy and not your achievement of that goal.
Type 2 report
This goes beyond a type 1 report and the auditor additionally renders an opinion as to the operating effectiveness of the controls over a period — often a year.
So what does that mean? Well, if you have a control that states that you are going to do background checks on every new employee before hiring, then the auditor will pick a number of new hires, check their hire dates, and ask to see proof of the background check being done first. If you have a control that requires annual penetration testing, then the auditor will want to see the penetration test report and confirm the date of the report.
Implementation
Once you have your control set defined and agreed with your auditor, you need to get the controls implemented and maintained. Here are the critical factors to remember.
1. Implement the controls so that compliance is the path of least resistance
Always try to make it so that non-compliance requires extra work for people. For example, create an onboarding form that creates new users in the HR system and then in your G Suite and Okta accounts (for example). Make that form require that the date of the background check approval is entered. Now the background check is required to use the form, and not using the form is more work.
2. Automate wherever possible
Why have a human review the list of AWS API users every month to make sure they are all still active employees in your HR system? Write a script to pull the list of users from both systems and send out an alert if there are discrepancies.
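Added example (not code from the original article): the monthly reconciliation described above, written as a small Python check. The IAM user list and HR roster below are constructed sample data; in a real deployment the IAM side would come from boto3's `iam.list_users()` and `list_access_keys()`, the HR side from your HR system's export, and the assumed `email` tag on each IAM user is how the two are joined.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class IamUser:
    name: str
    email: str        # assumed: taken from an "email" tag on the IAM user
    active_keys: int  # access keys whose status is "Active"

@dataclass(frozen=True)
class Employee:
    email: str
    status: str       # "active" or "terminated"
    end_date: Optional[date] = None

# Constructed sample data standing in for iam.list_users() and the HR export.
IAM_USERS = [
    IamUser("alice", "alice@example.com", 1),
    IamUser("bob", "bob@example.com", 2),
    IamUser("ci-deploy", "", 1),
    IamUser("mallory", "mallory@example.com", 0),
]
HR_ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "terminated", date(2023, 6, 30)),
]
# Documented non-human accounts; each needs a named owner for the auditor.
SERVICE_ACCOUNTS = {"ci-deploy": "platform-team"}

def reconcile(iam_users, roster, service_accounts):
    """Return (IAM user, reason) pairs that need action or an exception record."""
    by_email = {e.email.lower(): e for e in roster}
    findings = []
    for u in iam_users:
        if u.name in service_accounts:
            continue  # known exception, owner recorded in service_accounts
        emp = by_email.get(u.email.lower()) if u.email else None
        if emp is None:
            findings.append((u.name, "no matching HR record"))
        elif emp.status != "active":
            keys = f", {u.active_keys} active access key(s)" if u.active_keys else ""
            findings.append((u.name, f"terminated {emp.end_date}{keys}"))
    return findings

if __name__ == "__main__":
    # Each line printed here is the alert; log it with a timestamp to keep the audit trail.
    for name, reason in reconcile(IAM_USERS, HR_ROSTER, SERVICE_ACCOUNTS):
        print(f"ALERT {name}: {reason}")
```

Schedule it (cron, Lambda) and keep the dated output: the run log is the evidence that the review happened every month.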
3. Compliant behavior should leave its own audit trail
Not only do you need to be compliant, but you also need to prove to your auditor that you were compliant all year. If creating the records of good behavior requires an extra step, people will forget or plan to do it later (and then forget). Create procedures that leave an audit trail just by being followed.
4. Monitor every control
When you get to audit time, it is too late to make excuses for why something that you had expected didn’t happen. For every control, have a plan for how you will check that you are in compliance routinely throughout the year so that you can address any problems before the auditor arrives.
Maintenance
It is a lot of effort to get your first SOC2 report. But if you define your controls carefully and implement them with insightful procedures, then maintaining compliance and getting your next report can become routine.
Yaron Chelouche — Information Security: Yaron Chelouche, CISO, chalir.com