Here are four practices to consider when creating your IT vendor management policy: 1. Evaluate vendors IT services vendors are generally very good at assuring you their product or service is like oxygen - you can’t live without it! They will throw around a lot of acronyms and buzzwords like “next-gen” in hopes of dazzling you into signing on the dotted line. Resist that temptation for now, and instead create a template with questions to help you do the proper amount of due diligence and select the right vendors.
HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you about. The big question your organization needs to answer is, “Which compliance is right for me?” This blog post will focus on helping you understand some of the popular compliance frameworks, and specifically how they relate to SOC 2. HIPAA vs SOC 2 HIPAA (Health Insurance Portability and Accountability Act) is a United States law developed by the Department of Health and Human Services. The main objective of HIPAA is to protect patients’ medical and health information - such as health plan details and doctor visits. However, the protections HIPAA aims to provide will not attest to your organization’s maturity in terms of privacy and security. This is where SOC (Service Organization Control) comes in. SOC was created by the AICPA (American Institute of Certified
There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type 1 report looks at an organization’s controls at a point in time concerning its clients’ financial reporting. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but focuses on security controls rather than financial controls. The SOC 2 type 2 examines the effectiveness of those controls over a six-month period. There is also a SOC 3 report, which is essentially the same data found in a SOC 2 but written for public consumption. This blog will focus on outlining the path to SOC 2 Type 2. What Is A SOC 2 Report Although SOC 1 and SOC 2 differ in many ways, they were both created by
Before our first SOC 2 Type 1 audit, I assumed you pay an auditor, they come in make a few suggestion on how to improve and sign-off. It might take a few months, but the total cost would be some distraction plus the auditor's fee. That could not be farther from the truth. If you want to skip ahead to the hard numbers, our estimate is $147,000 all-in (download the breakdown here). To learn more about the breakdown, it takes into account: Lost Productivity Build vs Buy Decisions for New Tools Security Training It's a huge undertaking that involves senior representatives from almost every team, including HR, Legal, Engineering, Sales, Customer Support and more. If you try to carry the entire burden yourself without involving other teams, you're wasting your time and will fail the audit. No one person can complete SOC 2 certification. They won't have the domain expertise