SOC 2 Confidentiality Policy Best Practices | SOC 2 School

Your SOC 2 confidentiality policy defines procedures to handle confidential information about clients, partners, and the company. Clients and partners expect you to keep their data secure, and a confidentiality policy demands this same expectation of your employees. Here are best practices to consider when writing your confidentiality policy:

Answer this question: “What is confidential in your business?” Confidential data is any information that would cause reputational and/or financial harm if it were exposed outside of your organization. Examples of confidential data are financial reports, customer databases, passwords, CRMs, lists of prospective customers, business strategies, and other intellectual property.

Confidentiality can sometimes be confused with privacy, but they mean very different things from a legal standpoint. In the context of a SOC 2 confidentiality policy, confidentiality focuses on personal information shared with a trusted advisor, such as a lawyer or therapist. This information generally cannot be


How To Stay SOC 2 Compliant | Advice For This Year’s Audit


It’s safe to say that not many service providers look forward to SOC 2 compliance. I'd guess not many of you have the AICPA on speed dial. Whether you're preparing for a Type 1 or Type 2, audits may be perceived as events that you prepare for and complete, but then eventually they go away, at least for a while. To stay SOC 2 compliant we suggest a paradigm shift: treat compliance as a continuous process rather than a point-in-time event. Unlike taxes, there is no “audit season.” Here are some tips for always being prepared for your next audit.

Embrace the idea that policies and procedures evolve. After spending considerable time getting your policies and procedures just right to address the trust services principles, it’s tempting to step back and say, “Good, we finally have all this great documentation, now let's not touch it again until we absolutely have


What Is SOC 2 Type 2 | A Guide To Complete Your First Type 2 Audit


There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type 1 report looks at an organization’s controls at a point in time concerning its clients’ financial reporting. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but focuses on security controls rather than financial controls. The SOC 2 Type 2 examines the effectiveness of those controls over a six-month period. There is also a SOC 3 report, which is essentially the same data found in a SOC 2 but written for public consumption. This blog will focus on outlining the path to SOC 2 Type 2.

What Is A SOC 2 Report

Although SOC


How To Speed Up A SOC 2 Report | A Guide To Narrow SOC 2 Scope




SOC2 Team | Learn To Define Roles & Responsibilities

One of the most critical steps is selecting members to lead the initiative. Many organizations start planning for SOC 2 thinking they can delegate responsibilities solely to members of the IT and information security staff. Although members of those teams will play a big part in the process, your core SOC 2 team will also include HR, legal, and other business units. This blog will help you understand your core SOC 2 team and how to build it.


What is SOC 2 Compliance | A Guide To Prepare For Your First Audit


With so much jargon in compliance, it's important to ask the fundamental question: what is SOC 2 compliance?

What is SOC 2 compliance? SOC 2 compliance is an audit framework designed to help service organizations demonstrate how they secure customer data stored in the cloud. Commonly adopted by software vendors, it establishes strict policies to secure and protect the privacy of customer data. SOC 2 is different from SOC 1, which reports on controls at a service organization relevant to financial reporting, and also different from SOC 3, which reports on the same information as SOC 2 but in a format intended for a more general audience. This blog post will focus on SOC 2 compliance (Service Organization Control 2).

How to become SOC 2 compliant. The process to become SOC 2 compliant typically takes six months. To begin


SOC 2 Type 1 Guide | Everything You Need To Know


If you are new to compliance, it’s easy to confuse SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 differs from Type 2 in that a Type 1 report assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for six months. If that weren’t confusing enough, SOC 2 is different from SOC 1, which focuses on an organization’s financial statements and financial reporting. It’s also different from SOC 3, which reports on the same information as SOC 2, but in a format intended for a more general audience. This blog post will focus specifically on SOC 2 Type 1. You will also need to determine which report types best fit the needs of your company and customers.


How Much Does SOC 2 Cost | A Guide Budgeting For SOC 2


Below is a breakdown of every SOC 2 cost, including unexpected expenses and the time required from your staff. While we can’t tell you whether or not it’s right for your organization, we can tell you what you need to know, from both a cost and time perspective, if you decide to pursue it. Here is your SOC 2 compliance checklist.

Expect the cost of an auditor for SOC 2 Type 1 to be in the $12k-$17k range. But the cost of the audit itself is just the beginning. You will need months of dedicated time from your existing staff or consultants. Once the audit is complete, you will have a laundry list of items to remediate, which may necessitate the purchase of additional tools and training as well. First, assign someone to own the SOC


Why We Built Comply | Free SOC 2 Policy Templates

strongDM Founders introduce Comply an open source project for SOC 2 compliance

SOC 2 can be a daunting process. Policies are subjective; auditors avoid providing much guidance; advice on the internet is incomplete or vague. We decided to create Comply, an open source collection of policy templates that includes best practices. We hope it reduces the stress of SOC 2 and points fellow startups in the right direction. SOC 2 involves every team in the company -- including many which don’t report to you. You need to inventory your existing tools/infrastructure, research best practices, define policies and procedures for your teams, build consensus, and ultimately persuade every team to adopt them. The process is inevitably accompanied by acute time pressure: a major Q4 deal, an impending IPO, or a life-changing partnership that depends on successfully completing your audit. Our team recently went through another SOC 2 audit, and decided this time around we'd like to share
