How SOC 2 Saves Time On Security RFI | A Practical Guide To Answer Any RFI

You’ve gone through the rigorous process of completing your SOC 2 certification.  Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!”  It’s time to kick back in your chair, throw your feet up on the desk and relax, right? But what if a customer sent over an RFI (Request For Information) this afternoon? Would you and your team panic, or be able to respond calmly, wholly and confidently? Need to complete SOC2 to close a deal? strongDM speeds up the work to enforce access controls & gather evidence to deliver SOC 2 on a tight timeline. See strongDM in action in a demo. First of all, try not to panic.  While it’s perfectly natural to feel your first RFI is an attempt to air your dirty laundry, it doesn’t

Read more

Data Center Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premise or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both? The data center security policy outlines procedures and information security measures to prevent unauthorized physical access to your company’s data center(s) and the equipment within. Here are four things to consider when writing this policy: Where are you going to host your data center? There are three types of data centers: On-premise Cloud-hosted Co-located A self-hosted model increases your costs and security requirements, while a cloud-hosted model shifts some of those responsibilities – but makes you dependent on someone else’s infrastructure. It is up to you to understand the consequences of each decision before deciding what is best for your

Read more

What’s Included in a SOC 2 Report: A Breakdown

A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operational effectiveness of those controls. A SOC 2 report should not be confused with a SOC 1 report, which focuses on a company’s financial reporting, nor should it be confused with a SOC 3 report, which has similar output to a SOC 2 report but in more natural language. This blog post will focus on the SOC 2 report and an overview of its seven main components. The SOC 2 report itself is based in five Trust Service Principles as defined by the AICPA (American Institute of CPAs): Security - provides customer assurance that their data is secured against unauthorized access Availability - assures that the systems needed to store and process data will be available for use Processing integrity - requires the processing of data

Read more

How Long Does It Take To Complete a SOC Audit | A Timeline To Plan for SOC 2

Book describing how long does it take to get soc 2

You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help plan and manage time expectations and establish a timeline of deliverables - working backward from your SOC audit start date.  The Purpose of SOC 2 Audits SOC is a system of service organization controls. SOC stands for “system and organization controls,” and controls are a series of standards designed to help measure how well a given service organization regulates its information, user entities, and sensitive data - particularly customer data. The purpose of SOC standards is to create a level of confidence and trust for organizations when they engage third-party vendors. A SOC-certified organization (hey, that will be you soon!) has been audited by an independent certified public accountant who worked with your organization on a readiness assessment

Read more

Which Compliance is Right for Me?

HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you about. The big question your organization needs to answer is, “Which compliance is right for me?” This blog post will focus on helping you understand some of the popular compliance frameworks, and specifically how they relate to SOC 2. HIPAA vs SOC 2 HIPAA (Health Insurance Portability and Accountability Act) is a United States law developed by the Department of Health and Human Services. The main objective of HIPAA is to protect patients’ medical and health information - such as health plan details and doctor visits. However, the protections HIPAA aims to provide will not attest to your organization’s maturity in terms of privacy and security. This is where SOC (Service Organization Control) comes in. SOC was created by the AICPA (American Institute of Certified

Read more

Information Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

As you pursue SOC 2 certification, it’s easy to suffer from documentation fatigue. It may feel like every little thing you do with your systems and data has to have a policy written about it (and there’s probably some truth to that). These policies all tie back to the information security policy, which in many ways is the cornerstone of your security program. It answers many of the big questions people may ask, such as why your company is becoming so structured and process-focused on everything related to security. However, as crucial as this policy is, it’s important to keep it high level. Here are some key points your information security policy should include: Why this policy exists This is your opportunity to make a brief, impactful statement about how critical your team’s work is, and that ultimately your mission is to protect the confidentiality, integrity, and availability of the

Read more

Cyber Risk Management Best Practices | A Practical Guide to SOC 2 Compliance

The cyber risk management policy answers this question: “What is our risk management philosophy and methodology based on our landscape?” In this policy, you will identify security incidents that could occur based on security incidents that have already happened.  Then you will identify how to prevent and remediate those incidents and what the timeline to do so would look like. Here are four best practices to consider when writing your cyber risk management policy:     Identify and classify vulnerabilities Do a scan of your platform (including production systems, public Web servers, and applications) to identify vulnerabilities.  If you use a vulnerability scanner, the tool will likely score risks based on the CVSS system. CVSS scores range from 0-10 (with 10 being the most severe) and are calculated using metric groups that take several security-related measurements into account.  The CVSS system will also assign each discovered risk a severity rating. Once you

Read more

Data Classification Policy Best Practices | A Practical Guide to SOC 2 Compliance

When thinking about how to properly secure your company’s systems and information, it’s easy to approach it from strictly a technical point of view.  You might be worried about things like making sure systems are protected with antivirus, that you have an effective firewall protecting your network perimeter, and that your data is backed up.  In the context of SOC 2 data classification, you must ask what kind of protections are you wrapping around the day-to-day handling of the data itself? How would you know if a piece of information was appropriate only for internal use or acceptable to share on the company’s public Web site? A SOC 2 data classification policy provides a way to ensure sensitive information is handled according to the risk it poses to the organization. Through this policy, you will define how company data should be classified based on sensitivity and then create security policies

Read more

SOC 2 Confidentiality Policy Best Practices | SOC 2 School

Your SOC 2 confidentiality policy defines procedures to handle confidential information about clients, partners, and the company. Clients and partners expect you to keep their data secure and a confidentiality policy will demand this same expectation of your employees. Here are best practices to consider when writing your confidentiality policy: Answer this question: “What is confidential in your business?” Confidential data is any information that would cause reputational and/or financial harm if it was exposed outside of your organization.  Examples of confidential data are financial reports, customer databases, passwords, CRMs, lists of prospective customers, business strategies and other intellectual property. Confidentiality can sometimes be confused with privacy, but they mean very different things from a legal standpoint. In the context of a SOC 2 confidentiality policy, confidentiality focuses on personal information shared with a trusted advisor, such as a lawyer or therapist. This information generally cannot be shared with third parties

Read more

How To Stay SOC 2 Compliant | Advice For This Year’s Audit

Title page of guide to stay SOC 2 compliant

It’s safe to say that not many service providers look forward to soc 2 compliance. I'd guess not many of you have the AICPA on speed dial. Whether you're preparing for a Type 1 or Type 2, audits may be perceived as events that you prepare for and complete, but then eventually they go away - at least for a while. To stay SOC 2 compliant we suggest a paradigm shift. Treat compliance as a continuous process rather than a point-in-time event.  Unlike taxes, there is no 'audit-season.' Here are some tips for always being prepared for your next audit.  Embrace the idea that policies and procedures evolve After spending considerable time getting your policies and procedures just right to address the trust services principles, it’s tempting to step back and say, “Good, we finally have all this great documentation, now let's not touch it again until we absolutely have

Read more