How to Write Your Software Development Lifecycle Policy

By Blog, SOC 2

With headline-grabbing software vulnerabilities becoming more and more prevalent, now is the time to tighten up your development practices into a well-written SDLC policy. This particular information security policy will help your development teams standardize on coding tools and practices, as well as get everybody on the same page from a security standpoint. And come the time when you do have an incident, you will be able to demonstrate to your customers that you do…

System Changes Policy 101

By Blog, SOC 2

In the world of SOC 2, the general rule is to write a policy, procedure or log entry for just about everything that happens in your environment. This is especially important when it comes to system changes, as auditors want to see that you have detailed logs of what’s happening in your environment, that the changes are properly documented and communicated across your organization, and that you can effectively debug problems after a change is…

How to Write a Disaster Recovery Policy

By Blog, SOC 2

As you prepare your company to endure and recover from a disaster, two primary information technology policies should be in place: business continuity and disaster recovery. These two policies help you plan for – and recover from – adverse events, but the difference lies in the goals of each policy: business continuity focuses on returning your business to normalcy, while disaster recovery details the minimum necessary functions for your business to survive.

Log Management and Review Best Practices

By Blog, SOC 2

When an information security incident occurs, you need to be able to gather as much information about it as quickly as possible. There’s also a very real possibility that you will have to involve outside parties - such as an incident response team - to help you as well. That means you can’t approach log management and retention as a simple checkbox. Instead, you need to have rich data that captures audit logs from all…

Defining Your IT Vendor Management Policy

By Blog, SOC 2, Uncategorized

Here are four practices to consider when creating your IT vendor management policy:
1. Evaluate vendors
IT services vendors are generally very good at assuring you their product or service is like oxygen - you can’t live without it! They will throw around a lot of acronyms and buzzwords like “next-gen” in hopes of dazzling you into signing on the dotted line. Resist that temptation for now, and instead create a template with questions to…

Password Policy Best Practices

By Blog, SOC 2, Uncategorized

Passwords are one of the most common targets for hackers, so it’s imperative that your company enforce a strong password policy. This policy will not only define the requirements of the password itself but the procedure your organization will use to select and securely manage passwords.

SOC 1 vs SOC 2 | When Is The Right Time To Pursue SOC 2?

By Blog, SOC 2

Confusing SOC 1 and SOC 2 is easy. While both compliance frameworks attest to the controls used within your organization, the frameworks differ in focus. SOC 1 looks at your organization’s financial reporting, while SOC 2 focuses on how you secure and protect customer data. This blog post will focus on exploring the differences between SOC 1 and SOC 2.

Remote Access Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

Our world has changed. Gone are the days of an 8 to 5 workday at a physical office, and leaving all your responsibilities behind at the end of the day. We now live in a 24x7 global economy and are perpetually connected to our corporate networks with cell phones, laptops, and tablets. The convenience of “work from anywhere” introduces some exciting challenges for your information security and information technology teams, and that’s where the…

Workstation Security Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

Some might say that workstations are a necessary evil. Users with varying degrees of technical and security aptitude are using them 24/7, communicating with the world and taking care of business. With workstations being an indispensable part of business comes a substantial security burden, especially for your information technology staff. In the workstation security policy, you will define rules intended to reduce the risk of data loss/exposure through workstations. Often, information security best practices are used synonymously…

Encryption Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

You wouldn’t leave the house without making sure your doors and windows were locked, and that any valuables were hidden or secured in a safe. That way, if you were robbed, the burglar would have a difficult time accessing your most precious assets. In the same way, you need to make sure your organization’s critical data is well protected. While layers of defense such as firewalls and IDS/IPS are essential, they are not 100% fail…

Access Onboarding and Termination Policy | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

It's easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous - and are often overlooked. A mature onboarding and termination policy is essential to preventing a data breach. Employees and other internal users were the cause of 60% of data breaches - both intentional and accidental - in 2016. In the world of SOC 2, these types of…

Business Continuity Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

A business continuity policy is a critical part of your SOC 2 preparation. An estimated 25% of businesses never fully recover from a major disaster. For small businesses, in particular, it can be difficult to return to normalcy after a significant disruption. Most companies have insurance and emergency funds, but those won’t protect you from failure to provide business functions at an acceptable level to your customers. A business continuity policy is critical to your…

How SOC 2 Saves Time On Security RFI | A Practical Guide To Answer Any RFI

By Blog, SOC 2

You’ve gone through the rigorous process of completing your SOC 2 certification. Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!” It’s time to kick back in your chair, throw your feet up on the desk and relax, right? But what if a customer sent over an RFI (Request For Information) this afternoon?…

Data Center Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

By Blog, SOC 2

There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premise or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both? The data center security policy outlines procedures and information security measures to prevent unauthorized physical access to your company’s data center(s) and the equipment within.…

What’s Included in a SOC 2 Report: A Breakdown

By Blog, SOC 2

A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operational effectiveness of those controls. A SOC 2 report should not be confused with a SOC 1 report, which focuses on a company’s financial reporting, nor should it be confused with a SOC 3 report, which has similar output to a SOC 2 report but in more natural language. This blog…

How Long Does It Take To Complete a SOC Audit | A Timeline To Plan for SOC 2

By Blog, SOC 2

You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help plan and manage time expectations and establish a timeline of deliverables - working backward from your SOC audit start date.
The Purpose of SOC 2 Audits
SOC is a system of service organization controls. SOC stands for “system and organization controls,” and controls…

Which Compliance is Right for Me?

By Blog, Uncategorized

HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you about. The big question your organization needs to answer is, “Which compliance is right for me?” This blog post will focus on helping you understand some of the popular compliance frameworks, and specifically how they relate to SOC 2.
HIPAA vs SOC 2
HIPAA (Health Insurance Portability and Accountability Act)…

Information Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

By Blog

As you pursue SOC 2 certification, it’s easy to suffer from documentation fatigue. It may feel like every little thing you do with your systems and data has to have a policy written about it (and there’s probably some truth to that). These policies all tie back to the information security policy, which in many ways is the cornerstone of your security program. It answers many of the big questions people may ask, such as…

Cyber Risk Management Best Practices | A Practical Guide to SOC 2 Compliance

By Blog

The cyber risk management policy answers this question: “What is our risk management philosophy and methodology based on our landscape?” In this policy, you will identify security incidents that could occur based on security incidents that have already happened. Then you will identify how to prevent and remediate those incidents and what the timeline to do so would look like. Here are four best practices to consider when writing your cyber risk management policy: Identify…

Data Classification Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog

When thinking about how to properly secure your company’s systems and information, it’s easy to approach it from a strictly technical point of view. You might be worried about things like making sure systems are protected with antivirus, that you have an effective firewall protecting your network perimeter, and that your data is backed up. In the context of SOC 2 data classification, you must ask what kind of protections you are wrapping around the…

SOC 2 Confidentiality Policy Best Practices | SOC 2 School

By Blog, SOC 2

Your SOC 2 confidentiality policy defines procedures to handle confidential information about clients, partners, and the company. Clients and partners expect you to keep their data secure, and a confidentiality policy will demand this same expectation of your employees. Here are best practices to consider when writing your confidentiality policy:
Answer this question: “What is confidential in your business?”
Confidential data is any information that would cause reputational and/or financial harm…

How To Stay SOC 2 Compliant | Advice For This Year’s Audit

By Blog, SOC 2

It’s safe to say that not many service providers look forward to SOC 2 compliance. I'd guess not many of you have the AICPA on speed dial. Whether you're preparing for a Type 1 or Type 2, audits may be perceived as events that you prepare for and complete, but then eventually they go away - at least for a while. To stay SOC 2 compliant we suggest a paradigm shift. Treat compliance as a…

What Is SOC 2 Type 2 | A Guide To Complete Your First Type 2 Audit

By Blog, SOC 2

There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type 1 report looks at an organization’s controls at a point in time concerning its clients’ financial reporting. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but focuses on security controls rather…

How To Speed Up A SOC 2 Report | A Guide To Narrow SOC 2 Scope

By Blog, SOC 2

SOC2 Team | Learn To Define Roles & Responsibilities

By Blog, SOC 2

One of the most critical steps is selecting members to lead the initiative. Many organizations start planning for SOC 2 thinking they can delegate responsibilities solely to members of the IT and information security staff. And although members of those teams will play a big part in the process, your core SOC 2 team will also include HR, legal and other business units as well. This blog will help you understand your core SOC 2…

What is SOC 2 Compliance | A Guide To Prepare For Your First Audit

By Blog

With so much jargon in compliance, it's important to ask the fundamental questions: what is SOC 2 compliance? Just starting your SOC 2 plan? Learn how strongDM can help.
What is SOC 2 compliance?
SOC 2 compliance is an audit framework designed to help service organizations demonstrate how they secure customer data stored in the cloud. Commonly adopted by software vendors, it establishes strict policies to secure and protect the privacy of customer data. SOC…

SOC 2 Type 1 Guide | Everything You Need To Know

By Blog, Uncategorized

What is SOC 2 Type 1
If you are new to compliance, it’s easy to confuse SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 is different from Type 2 in that a Type 1 report assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for…

How Much Does SOC 2 Cost | A Guide To Budgeting For SOC 2

By Blog, SOC 2

Below is a breakdown of every SOC 2 cost, including unexpected expenses and the time required from your staff. While we can’t tell you whether or not it’s right for your organization, we can tell you what you need to know - from both a cost and time perspective - if you decide to pursue it. Here is your SOC 2 compliance checklist.…

Why We Built Comply | Free SOC 2 Policy Templates

By Blog

SOC 2 can be a daunting process. Policies are subjective; auditors avoid providing much guidance; advice on the internet is incomplete or vague. We decided to create Comply, an open source collection of policy templates that includes best practices. We hope it reduces the stress of SOC 2 and points fellow startups in the right direction. SOC 2 involves every team in the company -- including many which don’t report to you.…