Some basics about SOC2 (Service Organizational Control ver 2) is that it is a compliance standard set by AICPA(It is the body of Certified Public Accountants). It tests compliance on a few trust principles namely Security, Availability, Processing Integrity, Confidentiality and Privacy of data. As organizations we often try to get SOC 2 certified and show the world we are compliant and secure. I am trying to take a different approach to this. If we break down the trust principles into Controls and create a roadmap to implement those controls, then we become ready not just for SOC2 but also other parallel certifications.
FedRamp, ISO 270001 are some of those. We will not discuss them here but SOC2 will overlap with other certifications for sure. Its important that we focus on getting the controls in place first rather than scramble for a certificate and make the actual certificate a last step. It makes us secure internally first and lets us run our business with confidence.
Read More:- What is Procurement and How To Optimize Processes, Performance, and Technology?
Now a word about controls. What is control? Well, a control is a system, process, or policy meant to mitigate a “mal” event. In real life video cameras are on the periphery of yours. Home is a system, background checks before you let someone in to meet a leader would be a process, and ensuring all check-ins are accompanied by an original ID card is a policy. All of the above are controls. The next thing to know is that SOC2 has 2 parts and for good reasons. The first part is to have the controls in place (policy written, systems installed, process documented). This is essential because now you have an inventory of controls that map to the 5 trust principles. You decide what those controls are and put them in place and get them approved by the certifier. You need to note here that you do not need to have any of this operational for a SOC2 Type 1 certification. You are capable of it, you have the inventory BUT you are not yet running it. The next step is to switch on all your controls. To run them, to monitor them, to keep trails. Then after a while (I am not going into the specifics of the certification here) you call someone to audit what you promised in Part 1 and verify they are implemented. This is Part 2 and the actual completion of SOC2.
We will now as an exercise create a set of controls mapped to each one of the trust principles that form the core of SOC2. This should illustrate how your roadmap should look like. The controls are by no means comprehensive but rather illustrative.
- Password requirement
- Password policies
- Security Training at appropriate levels for personnel
- Access into physical offices (everything from entry systems to badges that need to be physically verified)
- Multi factor authentication
- Disaster recovery
- Backup and recovery
- Load balancers
- DDOS prevention
- Role based Access
- Delivery of processed data only to authorized parties
- Audit trail of all output deliveries
- Secure storage of processed data
- Non Disclosure agreements
- Test data that does not compromise customer confidentiality
- Transaction logs protection
- Authorized access to sensitive information
- Protect PII
- Credit card and banking information
All of the above are examples of Controls that will form part of your SOC2. Create a list of your controls that are relevant to you and make sense for you to implement. Separate them into buckets, acquire the controls, and set them up and when you are ready turn them on in small chunks. In the end, you will have a well-lighted room that can be trusted by your customers and partners. Remember as you evolve you grow your controls, remove obsolete ones and create a better and better security and compliance infrastructure. Basically, you build your trust.