
What Would My SOC 2 Dashboard Look Like?

As your organization pursues SOC 2 certification, staying organized is critical.

You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. At the same time, you need to keep your high-level compliance goals in focus in order to move your certification over the finish line. In this post, we will look at the components your SOC 2 “dashboard” should contain to help you succeed in that journey.

Compliance tasks

Coming out of the gap analysis (also known as a readiness assessment), you will receive a list of deficient areas to tackle. These areas are a perfect starting “punch list” for your team to grind away on first. Items in this list include missing policies, weak technical controls (such as lax password standards), and employment agreements that need tuning or are missing altogether. Your organization might also have overlooked incorporating key trust service principles in scope, so those will need to be added to your task list as well.

Vendor management

Although many of your tasks focus on the way you protect your customers and their information, SOC 2 cares equally about the security of the vendors you work with. You need to maintain a list of the vendors who have a presence in your network, and you need a strategy to manage the risks they pose to your organization. This strategy should include an IT Vendor Management Policy, complemented by (at minimum) a spreadsheet mapping out each vendor, the types of data they have access to, and the methods they use to connect to your network.

Policy management

Policies are a huge component of SOC 2 compliance. It will feel at times like you need a policy for “everything” (and there is some truth to that), but you also need a plan to keep those policies up to date. Keep in mind that as you create new policies and procedures, you will likely change the way employees do their work. For example, you might need to change your password policy to comply with stricter requirements. This will impact your users and potentially result in some pushback, so you also need to create a policy challenge/waiver form that employees can submit to your teams.

Training

As part of SOC 2, you should offer annual security awareness training for your users. This training can be given in-house or via a third party, and it should cover a broad variety of security topics, such as how to thwart phishing and social engineering attacks. In addition to this yearly initiative, users should receive additional training in their specific areas of focus. For example, your developers could be trained on secure coding practices, and your IT/security teams could train on whichever topics help them be more security-minded in their daily tasks. Regardless of the training paths you choose for your employees, the hours they spend on training need to be tracked. At a minimum, track each employee’s yearly security awareness training with a sign-off sheet and keep that for audit purposes.

Milestones

As your teams work through piles of individual tasks, you need an easy way to see the bigger picture. Organize your tasks so that the high-level milestone each task is associated with is clear. That will help your overall project management efforts, and it will help employees understand that their potentially monotonous tasks play an important part in making the organization more secure.

Overdue tasks

While tracking individual tasks is paramount, it’s arguably more important to know which ones are past due at any given time. The ability to quickly filter overdue items out of a large list will help your team prioritize tasks and adjust deadlines as needed. Communicate the status of overdue tasks regularly, and document them in a system that all relevant team members have continuous access to.

As you can see, there is an intimidating amount of work involved in keeping your SOC 2 compliance efforts moving forward in an efficient and organized manner. While you could orchestrate a custom combination of open source and commercial tools to manage the project, Comply is free and provides everything you need, including:

  • A markdown-powered documentation system for publishing policies
  • Support for integrating into your existing ticketing systems
  • Templates for satisfying SOC 2 audits

For more information, visit the SOC 2 Comply Web site and join our SOC 2 Slack community. To learn more about SOC 2, take our free and completely self-paced online SOC 2 Course.

When it is time to move from policy creation to enforcement, schedule a demo to learn how StrongDM makes enforcing your policies a breeze.

To learn more on how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.

About the Author

, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.
