As your organization pursues your SOC 2 certification, organization is critical. You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line. In this post, we will look at all the components your SOC 2 “dashboard” should contain in order to help you be successful in your journey:
Coming out of the gap analysis (also known as a readiness assessment) you will receive a list of deficient areas to tackle. These areas are a perfect starting “punch list” for your team to grind away on first. Items in this list include missing policies, lack of technical controls such as weak password standards, as well as employment agreements that need tuning - or are missing altogether. Your organization might also have overlooked incorporating key trust service principles in scope, so those will need to be added to your task list as well.
Although many of your tasks focus on the way you protect your customers and their information, SOC 2 cares equally about the security of the vendors you work with. You need to maintain a list of the vendors who have a presence in your network, and also have a strategy to manage the risks they pose to your organization. This strategy should include an IT Vendor Management Policy, complemented by (at minimum) a spreadsheet mapping out each vendor, the types of data they have access to, and the connection methods they use to connect to your network.
Policies are a huge component of SOC 2 compliance. It will feel at times like you need a policy for “everything” (and there is some truth to that), but you also need a plan to keep the policies up to date as well. Keep in mind that as you create new policies and procedures, you will likely change the way employees do their work. For example, you might need to change your password policy to comply with stricter requirements. This will impact your users and potentially result in some pushback, so you also need to create a policy challenge/waiver form that employees can submit to your teams.
As part of SOC 2, you should offer annual security awareness training for your users. This training can be given in-house or via a third party, and should cover a broad variety of security topics, such as how to thwart phishing and social engineering attacks. In addition to this yearly initiative, users should receive additional training in their specific areas of focus. For example, your developers could be trained on secure coding practices, and your IT/security teams could train on whichever topics help them be more security minded in their daily tasks. Regardless of the training paths you choose for your employees, the hours they spend on training need to be tracked. At a minimum, track each employee’s yearly security awareness training with a sign-off sheet and keep that for audit purposes.
As your teams work through piles of individual tasks, you need an easy way to see the bigger picture. Organize your tasks in such a way that the high level milestones each task is associated with are clear. That will help your overall project management efforts, as well as help employees understand that their potentially monotonous tasks do play an important part in making the organization more secure.
While tracking individual tasks is paramount, it’s arguably more important to know which ones are past due at any given time. The ability to quickly filter overdue items from a large list will help your team prioritize tasks and adjust deadlines as needed. Communicate the status of overdue tasks regularly, and document them in a system that all relevant team members have continuous access to.
As you can see, there is an intimidating amount of work involved in keeping your SOC 2 compliance efforts moving forward in an efficient and organized manner. While you could orchestrate a custom combination of open source and commercial tools to manage the project, Comply is free and includes everything you need, including:
- A markdown-powered documentation system for publishing policies
- Support for integrating into your existing ticketing systems
- Templates for satisfying SOC 2 audits
For more information, visit the Comply Web site and join our Slack community. When it is time to move from policy creation to enforcement, schedule a demo to learn how strongDM makes enforcing your policies a breeze.