How to Answer Auditor's Questions

StrongDM can assist your organization in preparation for compliance audits with a variety of learning tools and examples. The process can be broken down into learning about the objectives for the audit, preparing for the audit, and gathering the required technical information from StrongDM for the audit.

1. Learning about auditing objectives for SOC2, ISO 27001, and other frameworks that require an understanding of key controls. StrongDM supplies a library of detailed guides and blogs about the different standards such as HIPAA, SOX, PCI, and others.
2. StrongDM can assist you in planning and preparation of your compliance checks. StrongDM maintains an open-source framework tool called Comply that can help automate and templatize the documentation process for SOC2.
3. Once you have StrongDM deployed in your organization, there are many examples on how to get the information that an auditor might request, such as via CLI or SDK, or even in more advanced scenarios, using your SIEM.

This guide will collect and present many types of materials from throughout the StrongDM ecosystem in a unified manner. Depending on your learning style, we have blogs, e-books, videos, and other resources that can be leveraged to successfully learn about, plan for, and execute on an audit with StrongDM.

Learning About Auditing Objectives

1. Understanding SOC2
   1. StrongDM Articles:
      1. The Differences Between SOC 1 vs. SOC 2
      2. What is a SOC 2 Report: A Breakdown
      3. Answering Auditors' questions in a SOC2 Review
      4. Everything You Need to Know About SOC 2 Audits
      5. How To Prepare For Your First SOC 2 Audit A 30-90-120 Day Plan
      6. How Long Does It Take To Complete a SOC 2 Audit: A timeline
      7. SOC 2 Terminology Glossary
      8. A Definitive Guide to SOC 2 Policies
      9. What Would My SOC 2 Dashboard Look Like?
      10. ISO 27001 vs. SOC 2: Understanding the Difference
   2. StrongDM Coursework:
      1. SOC 2 Compliance Course:  Everything you need to know to successfully complete SOC 2 Compliance
      2. Complete Guide to SOC2 Compliance (E-book)
   3. StrongDM Videos:
      1. How to Prepare for SOC 2 Type 1 and SOC 2 Type 2
      2. StrongDM's SOC2 Compliance video series on Youtube. Complete structured series in playlist format.
2. Understanding PCI, HIPAA, SOX, NIST, and others
   1. StrongDM Articles:
      1. FISMA vs FedRAMP, NIST vs ISO, SOC 2 vs HIPAA, ‍ISO27001 vs SOC 2: Which Compliance is Right for Me?
      2. 12 PCI DSS Compliance Requirements Explained (Checklist)
      3. HITRUST vs. HIPAA: Understanding the Difference
      4. What Are the Three Rules of HIPAA? Explained
      5. The HIPAA Minimum Necessary Standard Explained
      6. What Is a HIPAA Violation? 12 Most Common Examples
      7. What Are the Penalties for Violating HIPAA? (Civil & Criminal)
      8. PCI Compliance: 2022 Complete Guide
      9. HIPAA Compliance: 2022 Complete Guide
      10. SOX Compliance: 2022 Complete Guide
      11. NIST Compliance: 2022 Complete Guide
   2. StrongDM eBooks:
      1. The Complete Guide to HIPAA Compliance (e-book)
      2. NIST Compliance: 2022 Complete Guide (e-book)
3. Understanding ISO 27001
   1. StrongDM Articles:
      1. ISO 27001 vs. SOC 2: Understanding the Difference
      2. NIST vs. ISO: Understanding the Difference
      3. ISO 27001 Audit: Everything You Need to Know
      4. ISO 27001 Certification Process: A Definitive Guide
      5. ISO 27001 vs. 27002 vs. 27003: What’s the Difference?
      6. ISO 27001 Checklist: Easy-to-Follow Implementation Guide
      7. How Much Does ISO 27001 Certification Cost in 2022?
   2. StrongDM Coursework / Books:
      1. The Complete Guide to ISO 27001 Compliance (e-book)
      2. ISO 27001 Checklist Easy to Follow Implementation Guide

Planning and Preparing with StrongDM

1. Comply Project: Comply is free SOC 2 compliance software for SOC 2 certification. It's an open-source repo for resource management and pre-authored policies. It’s a GitHub repository. It's a Slack channel. It's education. And it's free!
   
   Comply is a SOC2-focused compliance automation tool:
   
   • Policy Generator: markdown-powered document pipeline for publishing auditor-friendly policy documents
   • Ticketing Integration: automate compliance throughout the year via your existing ticketing system
   • SOC2 Templates: open source policy and procedure templates suitable for satisfying a SOC2 audit
     
     
   • StrongDM Articles:
     1. Comply + StrongDM
     2. Why We Built Comply | Free SOC 2 Policy Templates
   • StrongDM GitHub Repository:
     1. https://github.com/strongdm/comply
   • StrongDM Videos:
     1. Comply: Open Source SOC 2 Tools
        
        
2. What is Observability?
   1. StrongDM Articles:
      1. The Ultimate Guide to Observability
      2. Data Observability Explained
      3. OK, but what are The Three Pillars of Observability?
      4. Understanding the Difference Between Observability and Monitoring
   2. StrongDM Books:
      1. The Ultimate Guide to Observability, beyond logs, metrics, and traces (eBook)
         
         
3. Customer experiences using StrongDM for compliance audits and controls:
   1. StrongDM Videos:
      1. Yext Achieves SOC 2 Compliance with StrongDM
      2. Braze Streamlines Access Controls, Enforces SOC 2 Policies via StrongDM
      3. Troops Enforces SOC 2 Policies with StrongDM

Using StrongDM to gather evidence and audit information: a technical overview

1. Queries and Captures: Queries for activity, databases, Kubernetes, cloud CLIs, SSH, RDP, and others.
   1. StrongDM Videos:
      1. Answering SOC 2 Auditors’ Questions with StrongDM Logs
      2. How to review your SSH Session Log
      3. 5 most common questions to answer using StrongDM SSH Query Logs
      4. 5 most common questions to answer using StrongDM Queries and Error Logs
      5. 5 most common questions to answer using StrongDM logs - Log Activities
   2. StrongDM Technical Documentation:
      1. StrongDM Admin guide: Logging overview
      2. StrongDM Admin guide: Using StrongDM Logs
      3. StrongDM Admin guide: Auditing Queries
      4. StrongDM Admin guide: Auditing SSH
      5. StrongDM Admin guide: Auditing Activities
      6. StrongDM Admin guide: Monitoring and Observability
      7. StrongDM Admin Guide: ‘sdm audit’ CLI command reference
   3. StrongDM Articles:
      1. StrongDM Audit Log Review and Management Best Practices
      2. How to Audit Privileged Access Management with StrongDM
      3. PostgreSQL Log Queries and Audit
      4. Answering Auditors’ Questions in a SOC 2 Review with StrongDM
      5. SSH Audit Made Simple
   4. StrongDM eBooks:
      1. How to Audit PAM (e-book)
         
         
2. (Advanced) Using StrongDM’s SDKs to automate data collections:
   1. Example scripts for audit collection of users and roles:
      1. https://github.com/strongdm/contrib/tree/main/audit
   2. StrongDM SDKs on GitHub
      1. Python
      2. Go
      3. Java
      4. Ruby
         
         
3. Exporting Logs to 3rd party systems such as your SIEM with StrongDM’s Log Export Container (known as the LEC).
   The LEC is a docker container that can be easily deployed and configured to export StrongDM query logs.
   
   1. StrongDM LEC Github repository:
      1. https://github.com/strongdm/log-export-container
   2. StrongDM documentation:
      1. StrongDM Admin guide: Code Garden
      2. Log Export Container documentation
   3. StrongDM videos:
      1. Product Demo - Log Export Container