SOC stands for System and Organization Controls. It is a standard for how organizations handle customer data. SOC is a means of verifying a set of standardized controls defined by the American Institute of Certified Public Accountants (AICPA). SOC is used to demonstrate to a company's clients the controls that the company applies internally. You will see how automating and exposing this information can benefit a company.
For SOC 2, the main components to becoming and staying compliant are threefold. One, a good centralized documentation center (a place to store all of your reviews and controls). Two, a way to automatically update and verify controls. Three, a good auditor who can work with you and make sure that you are successful. SOC 2 is something that you have to do continuously and publicize so that your clients can see that you are compliant.
At Software.com we started our journey like many others, by researching different vendors and looking at who could support the aforementioned threefold components. We ended up choosing a company called Drata. At the time Drata had a good centralized system and a pretty good way of allowing auditors read-only access to the information they need. Once we found Drata we went out to find an auditor with experience with Drata so that there was an existing cohesion between the two. Once we found our auditor we then focused on getting our SOC 1.
Drata’s tooling made it fairly straightforward to understand what needed to be done. We were able to integrate our main cloud platform and add our subprocessors. Selecting SOC as the target also made it easier because all of the required controls were laid out in Drata. We did have some controls, however, that did not apply to us, as we are a remote-only company. We still have the same challenges as a non-remote company in ensuring that our devices and personnel are in compliance with SOC. Within Drata there is a method to assign devices to specific users and ensure that the device(s) they are using are always compliant, thanks to the Drata agent. We were able to get all of our employees compliant within a short period. This included them taking security trainings, reviewing and accepting company policies, and updating their passwords and login methods to comply with the control standards outlined in SOC.
During this period, we benefited greatly from aligning ourselves with a skilled auditor. As mentioned, we are a remote-only company, so policies that refer to building access did not apply to us. At Software we do utilize a cloud environment for our application, so making sure that it was compliant and listed as an important subprocessor was something that was automated in Drata. As you can see, Drata makes this a bit easier. I told you this would be simpler, if you have the right tools. We still needed to fill in the policy templates that Drata provided, and then devise some policies of our own that were not available in Drata, as it is a generalized tool. It did work in our favor to see the Drata dashboard showing us all of the controls that still needed to be completed and which were already done. SOC 1 was the most laborious of the tasks in our SOC 2 journey. We needed to generate documentation, vet our subprocessors, and ensure everyone was compliant in the following areas: Acknowledge Policies, Identity MFA, Background Checks, Security Training, and Device Compliance.
- Acknowledge Policies
- This is pretty straightforward: you generate company policies, such as a backup policy that defines and outlines your company’s rules for backing up information, and your personnel read and acknowledge them.
- Identity MFA
- MFA can be company specific. You check whether your users utilize MFA or 2FA on the company-provided IdP. This is important, as are all of the constant checks and controls. Any method that can be utilized to prevent data exposure is what SOC is all about.
- Background Checks
- Any kind of personnel check is there to make sure that you have reliable employees who can be trusted with sensitive data. Nowadays, as an organization you are consistently dealing with PII or SPII, and that information should be safeguarded at all times.
- Security Trainings
- Security trainings help personnel get on the same wavelength with regards to security. They can also help enlighten personnel as to what SOC is and how securing themselves also secures the clients.
- Device Compliance
- Device compliance covers any workstation that personnel utilize for company purposes. That could be a laptop, phone, or any other device they use for anything company related. At minimum, the devices they use should have a company-approved password manager, be encrypted, have antivirus software installed, and have a method of reporting back to a centralized server for updates.
During the process of acquiring our SOC 2 certification we established a security team that meets monthly for risk assessments, quarterly for access reviews, and annually for DR testing. Having good tools at our disposal did make this process straightforward. For example, for our access reviews we utilize a tool called StrongDM for server access, Kubernetes access, and others. It gives us a centralized place in which to look up specific access and who has it. Tools do help make getting SOC 2 certification simpler, especially if you have a single pane of glass for your auditors to look at.
When we set out to get our SOC 2 certification, it was because we knew it would be a great way to announce to our clients that we consistently follow a set of standardized controls, and to say that we practice safe means of handling data of all types, internally and externally. SOC 2 can help reduce some of the apprehension that most security teams have about companies that access any type of data. From our perspective, any tool that we want to utilize has to at least be SOC 2 compliant.
If you want to check out our live security report, you can click on this link: https://app.drata.com/security-report/42b97aed-d394-4c1d-b749-4fe65ab025b9/19559124-3354-46f7-bbd2-1313d773fb36?region=NA