Despite thousands of articles, there's shockingly little actionable advice to help startups complete SOC 2. When you don't have dedicated compliance teams or six figure budgets, we set out to answer: When to pull the trigger on SOC 2. Who needs to be involved in prep work & what tasks can/can not be delegated. How to narrow the scope and save as much time as possible. What are achievable best practices for each policy. How to gather evidence for auditors. One area that usually requires some remediation is access controls. Most teams don't have answers when auditors ask "who has access to a specific database or server and what queries did they execute?" That's why we started strongDM- to manage and monitor access to every database, server, & environment. Click here to see for yourself.
ShareAbout Token SecurityWelcome! This is the inaugural episode of Token Security, our goal is to teach the core curriculum for modern devsecops. Each week we will go deep with an expert on a specific topic so you walk away with practical advice to apply to your team today. No fluff, no buzzwords.About This EpisodeThis episode we sit down with Peter Tormey, Head of Infrastructure at SoFi. The crew talks PII, security and what it takes to maintain privacy at-scale for the new model of finance. Peter leads the team that manages and develops a HA Postgres infrastructure using CoreOS utilizing K8s to orchestrate over 100 microservice databases. About The HostsMax SaltonstallMax Saltonstall loves to talk about security, collaboration and process improvement. He's on the Developer Advocacy team in Google Cloud, yelling at the internet full time. Since joining Google in 2011 Max has worked on video monetization products, internal change management,
If you sell software to businesses, clients will probably start asking if you're SOC 2 compliant? Why? Because it's a convenient way to confirm you have *some* maturity around security best practices. What SOC 2 is not! You should not confuse SOC 2 compliance for actual security best practices. Although it covers the core departments and processes that interact with sensitive data, it does not stipulate standards. It merely confirms that the processes you self declare, are actually being followed in practice. Some might argue that's a little like the fox guarding the hen house. Importantly, this is not a government regulated certification. There are no penalties for failing to fulfill declared policies. Auditors won't charge you a fine. They'll point out your shortcomings and help you resolve them. With that context, it's easy to understand why the primary motivation to become SOC2 compliant is to facilitate sales. It will
The first time I went through SOC2 I wasted way way too many hours on Google trying to figure out best practices. It drove my nuts how much was written without actually telling me anything actionable. Why wasn't there a simple summary to understand: How long will a SOC 2 Type 1 audit take? How much will SOC 2 Type 1 cost? What are best practices for each policy? Two years later, we decided to write our own. This is the first in a series of blog posts that answer each of those questions in detail. Feel free to skip around if you're farther along in the process. Click here to see the complete list of 40+ blog posts along with free policy templates.