As your organization pursues your SOC 2 certification, organization is critical. You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line. In this post, we will look at all the components your SOC 2 “dashboard” should contain
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits. What is SOC 2? SOC 2 is
If this is your first time pursuing SOC 2 certification, you will quickly find that documentation is the cornerstone of a successful audit. Writing clear, concise policies is especially critical, and if you don’t currently have a policy structure in place, it can be difficult to figure out which policies you need. In this post, we will help you get started with a hierarchy to follow, as well as a
With headline-grabbing software vulnerabilities becoming more and more prevalent, now is the time to tighten up your development practices into a well-written SDLC policy. This particular information security policy will help your development teams standardize on coding tools and practices, as well as get everybody on the same page from a security standpoint. And come the time when you do have a incident, you will be able to demonstrate to your customers that you do indeed take their security seriously - it’s not just lip service.
Physical security is not just a concern for large companies. A small business also needs an established physical security policy to protect their physical assets and provide their employees with a sense of protection and safety. In this policy, you will define the controls, monitoring, and removal of physical access to your company’s facilities. Here are five practices for writing your office physical security policy: Create an access control system
Writing Your BYOD PolicyThis article will point you to the core concepts of BYOD, removable device, and cloud storage policies so that you understand best practices before writing your own. Removable media, cloud storage, and BYOD devices can be a quick and convenient way for employees to handle data. But with this convenience comes some serious security concerns. Unprotected removable storage is an easy entry point for end users to
SOC 2 compliance, like so many things related to IT and security, is chock full of terms and acronyms to learn. If you are just getting started with SOC 2, it’s helpful to get familiar with this alphabet soup ahead of time so you can move your compliance efforts forward with confidence. Below is a SOC 2 terminology glossary to get you started: AICPA The American Institute of CPAs, formed
Writing Your Security Incident Response PolicyThis article will point you to the core concepts within the SIRP so that you understand the purpose of this policy before writing your own. The Security Incident Response Policy (SIRP) establishes that your organization has the necessary controls to detect security vulnerabilities and incidents, as well as the processes and procedures to resolve them. The tricky thing about this policy is that it needs
Despite thousands of articles, there's shockingly little actionable advice to help startups complete SOC 2. When you don't have dedicated compliance teams or six figure budgets, we set out to answer: When to pull the trigger on SOC 2. Who needs to be involved in prep work & what tasks can/can not be delegated. How to narrow the scope and save as much time as possible. What are achievable best
In this post, we’ll answer the following questions:How do I know what rules and regulations I need to follow when protecting my data and data center? Where should I host my secure data center infrastructure (on-prem vs. colocation facilities vs. cloud vs. hybrid solution)? How do I plan for - and recover from - a physical data center failure?