Which Compliance is Right for Me?

HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you about. The big question your organization needs to answer is, “Which compliance is right for me?” This blog post will focus on helping you understand some of the popular compliance frameworks, and specifically how they relate to SOC 2.

HIPAA vs SOC 2

HIPAA (Health Insurance Portability and Accountability Act) is a United States law developed by the Department of Health and Human Services. The main objective of HIPAA is to protect patients’ medical and health information - such as health plan details and doctor visits. However, the protections HIPAA aims to provide will not attest to your organization’s maturity in terms of privacy and security. This is where SOC (Service Organization Control) comes in. SOC was created by the AICPA (American Institute of Certified Public

Read more

Information Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

As you pursue SOC 2 certification, it’s easy to suffer from documentation fatigue. It may feel like every little thing you do with your systems and data has to have a policy written about it (and there’s probably some truth to that). These policies all tie back to the information security policy, which in many ways is the cornerstone of your security program. It answers many of the big questions people may ask, such as why your company is becoming so structured and process-focused on everything related to security. However, as crucial as this policy is, it’s important to keep it high level. Here are some key points your information security policy should include:

Why this policy exists

This is your opportunity to make a brief, impactful statement about how critical your team’s work is, and that ultimately your mission is to protect the confidentiality, integrity, and availability of the

Read more

Cyber Risk Management Best Practices | A Practical Guide to SOC 2 Compliance

The cyber risk management policy answers this question: “What is our risk management philosophy and methodology based on our landscape?” In this policy, you will identify security incidents that could occur based on security incidents that have already happened. Then you will identify how to prevent and remediate those incidents and what the timeline to do so would look like. Here are four best practices to consider when writing your cyber risk management policy:

Identify and classify vulnerabilities

Do a scan of your platform (including production systems, public Web servers, and applications) to identify vulnerabilities. If you use a vulnerability scanner, the tool will likely score risks based on the CVSS system. CVSS scores range from 0-10 (with 10 being the most severe) and are calculated using metric groups that take several security-related measurements into account. The CVSS system will also assign each discovered risk a severity rating. Once you

Read more

Data Classification Policy Best Practices | A Practical Guide to SOC 2 Compliance

When thinking about how to properly secure your company’s systems and information, it’s easy to approach it from a strictly technical point of view. You might be worried about things like making sure systems are protected with antivirus, that you have an effective firewall protecting your network perimeter, and that your data is backed up. In the context of SOC 2 data classification, you must ask what kind of protections you are wrapping around the day-to-day handling of the data itself. How would you know if a piece of information was appropriate only for internal use or acceptable to share on the company’s public Web site? A SOC 2 data classification policy provides a way to ensure sensitive information is handled according to the risk it poses to the organization. Through this policy, you will define how company data should be classified based on sensitivity and then create security policies

Read more

SOC 2 Confidentiality Policy Best Practices | SOC 2 School

Your SOC 2 confidentiality policy defines procedures to handle confidential information about clients, partners, and the company. Clients and partners expect you to keep their data secure, and a confidentiality policy will demand this same expectation of your employees. Here are best practices to consider when writing your confidentiality policy:

Answer this question: “What is confidential in your business?”

Confidential data is any information that would cause reputational and/or financial harm if it was exposed outside of your organization. Examples of confidential data are financial reports, customer databases, passwords, CRMs, lists of prospective customers, business strategies and other intellectual property. Confidentiality can sometimes be confused with privacy, but they mean very different things from a legal standpoint. In the context of a SOC 2 confidentiality policy, confidentiality focuses on personal information shared with a trusted advisor, such as a lawyer or therapist. This information generally cannot be

Read more

How To Stay SOC 2 Compliant | Advice For This Year’s Audit

It’s safe to say that not many service providers look forward to SOC 2 compliance. I'd guess not many of you have the AICPA on speed dial. Whether you're preparing for a Type 1 or Type 2, audits may be perceived as events that you prepare for and complete, but then eventually they go away - at least for a while. To stay SOC 2 compliant we suggest a paradigm shift. Treat compliance as a continuous process rather than a point-in-time event. Unlike taxes, there is no 'audit season.' Here are some tips for always being prepared for your next audit.

Embrace the idea that policies and procedures evolve

After spending considerable time getting your policies and procedures just right to address the trust services principles, it’s tempting to step back and say, “Good, we finally have all this great documentation, now let's not touch it again until we absolutely have

Read more

What Is SOC 2 Type 2 | A Guide To Complete Your First Type 2 Audit

There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type 1 report looks at an organization’s controls at a point in time concerning its clients’ financial reporting. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but focuses on security controls rather than financial controls. The SOC 2 Type 2 examines the effectiveness of those controls over a six-month period. There is also a SOC 3 report, which is essentially the same data found in a SOC 2 but written for public consumption. This blog will focus on outlining the path to SOC 2 Type 2.

What Is A SOC 2 Report

Although SOC 1 and SOC 2 differ in many ways, they were both created by

Read more

How To Speed Up A SOC 2 Report | A Guide To Narrow SOC 2 Scope

Read more

SOC2 Team | Learn To Define Roles & Responsibilities

One of the most critical steps is selecting members to lead the initiative. Many organizations start planning for SOC 2 thinking they can delegate responsibilities solely to members of the IT and information security staff. And although members of those teams will play a big part in the process, your core SOC 2 team will also include HR, legal and other business units as well. This blog will help you understand your core SOC 2 team and how to build it.

Read more

What is SOC 2 Compliance | A Guide To Prepare For Your First Audit

With so much jargon in compliance, it's important to ask the fundamental questions: what is SOC 2 compliance?

What is SOC 2 compliance?

SOC 2 compliance is an audit framework designed to help service organizations demonstrate how they secure customer data stored in the cloud. Commonly adopted by software vendors, it establishes strict policies to secure and protect the privacy of customer data. SOC 2 is different from SOC 1, which reports on controls at a service organization relevant to financial reporting, and also different from SOC 3, which reports on the same information as SOC 2 but in a format intended for a more general audience. This blog post will focus on SOC 2 compliance (Service Organization Control 2).

How to become SOC 2 compliant

The process to become SOC 2 compliant typically takes six months. To begin the process, first form a team to own the project. That team will be responsible

Read more