SOC 2 Vendor Management Webinar

In this webinar we team up with Blissfully, a SaaS management company that recently completed their own SOC 2 Type II.

What are the SOC 2 criteria for Vendor Management? What’s required to properly assess my vendor’s security? What will my SOC 2 auditor expect to see? What are the best practices others are using?

Topics in this webinar include:

  • Why vendor management is critical
  • What it means for SOC 2
  • How to leverage software
  • War stories from a recent audit
  • Sample vendor management audit questions

Download the webinar:
Continue reading SOC 2 Vendor Management Webinar

SOC 2 Self-Attestation Webinar

In this webinar we cover what to do before you have an audit. How do you build trust with customers? What documentation should you have ready to share? Is there ever a time when it makes sense to wait to have an audit performed? What if an audit seems to expensive?

Topics in this webinar include:

  • SOC 2 Preparation
  • Building Artifacts
  • Self-Attestation
  • Tracking Compliance
  • Documentation Examples

Continue reading SOC 2 Self-Attestation Webinar

SOC 2 Risk Analysis Mock Audit Webinar

Risk analysis and risk management is one of the most important processes of SOC 2 preparation. A finely tuned process helps organizations ensure that they are prioritizing for the right things, and not spending unnecessary money. Risk assessment is the process of identifying assets, impact of asset loss, and likelihood of occurrence. Risk management is the process of selecting controls or other risk responses to adequately prepare for negative events.

In this webinar we cover the key processes that should be focused on when building a risk assessment and management program. We help you prepare for the unknown and ask questions that may come up in an audit. We review several risk registers as well as cover common audit questions.

Topics in this webinar include:

  • Risk Analysis Policies
  • Risk Management Process
  • Asset Inventory
  • Mock Audit Questions
  • Audit Gotchas

Continue reading SOC 2 Risk Analysis Mock Audit Webinar

How long does it take to audit a smart contract?

One of the most common questions we receive is how much time smart contract auditing takes. The quick answer is ‘it depends‘, however in this post we’ll try to give you some guidance on how to plan for your audit.

Plan Ahead

Smart contract auditing should be included in your development plan from the very beginning. Too often, the decision to have an audit conducted is made at the last minute and it ends up costing more because of priority-rush charges.

We’re happy to work with you to turn an audit around quickly, but the best audit occur when all parties have plenty of time. We maintain high quality reviews in all cases, however when we have more time to work with our clients, it creates the best learning opportunities. Yes, it’s important to uncover vulnerabilities in smart contracts, but our goal is to help you learn from patterns we uncover so that future mistakes are prevented. Let us know before you’re ready and we can get you on our schedule ahead of time.

Audit Engagement

Once you’re ready for the audit, it takes a few days to initiate the project, finalize scoping, and sign our contact. You will be assigned a lead auditor and the audit of an average smart contract will take 2-14 days. This is completely dependent on the smart contract’s size and complexity. We’re happy to give time estimates before the project starts.

After we present you the audit findings, we will give you a remediation period and spend a couple days conducting remediation testing. Once all testing is complete, we will issue your public and internal reports.

This process can be completed from beginning to end in a about a week for simple contracts and up to a month for complex ones.

Smart Contract Audit

Since we launched our Smart Contract Audit service we’re constantly asked what information is needed to provide an accurate quote. The most significant piece of information we need is language and number of lines of code. That information alone will make a few assumptions and provide you back a quote quickly.

Here are few common questions we ask:

  • Please provide a brief overview of your project.
  • Do you have any hard deadlines for completion?
  • Can you give us a little more information on scope?
  • What version of Solidity are you using?
  • Does your contract rely on any external contracts?
  • Do you use any Solidity static code analyzers?
  • Do you have Solidity unit, and/or functional tests?

It’s ok if you don’t have all the answers. We’re here to help. If you’d like more information about our services, you can request a smart contract audit quote here.

SOC 2 Change Management Mock Audit Webinar

Change management is one of the first processes companies should focus on in a SOC 2 readiness project. Topics such as authorization, peer review, quality assurance, and documentation can be approached many different ways. Change management is a “daily process” in most organizations and can have a significant impact on the success of a SOC 2 audit. Additionally, change management procedures impact a number of employees include developers, quality assurance, and product management personnel. It’s critical “get it right.”

In this webinar we cover the key processes that should be focused on when planning for change management. We help you learn to think like an auditor and be fully prepared for anything that may come up. We review sample audit requests and then cover the details audited in change tickets.

Topics in this webinar include:

  • Change Management Policy
  • Change Management SDLC Documentation
  • Mock Audit Questions
  • Change Management Toolset
  • Audit Gotchas

Continue reading SOC 2 Change Management Mock Audit Webinar

12 Critical Due Diligence Questions to Ask ICOs

Many of the most innovative companies today are choosing to raise money through token sales. Cryptocurrencies seem to be flowing more freely than investments through traditional VC route. Additionally, we’re seeing participation on a worldwide scale. It’s exciting! Who doesn’t want to earn 25x on their money? Yes, it’s fun to throw a few Ethereum at a “too good to be true” deal, but the risks are extraordinary. It’s almost certain you’ll end up losing money.

Some deals are better than others, and it’s up to you to find the good ones. Due diligence shouldn’t be reserved just traditional investors. To support the long time viability of ICOs as a funding model, it’s critical that we start being selective into which project we back. A focus on diligence and quality will raise make it nearly impossible for a scam to be successful.

Below I’ve assembled a list of key questions to consider when evaluating a token sale. If the company’s whitepaper or website doesn’t provide enough detail, I encourage you to ask the founders directly. You’ll quickly be able to determine which companies are mature enough to deserve your hard earned money.

Is the business entity properly structured? – Is there a formed business entity? What jurisdiction does the entity reside? Is it managed by a board of directors or foundation? How is the business structured?

How experienced are the founders? – Have the founders built companies or tremendous value in the past, or is this the first time? What makes the founders unique for this opportunity?

How experienced is the engineering team? – Are there industry leading experts on the team? Is key development being outsourced?

Do you have a personal connection with any on the executive team? – Do you have any close connections on LinkedIn with any key management? Is the team completely outside of your professional network?

How does the company approach risk management? – Is the company simply reactive to business and information security risks? Have contingencies been planned in detail? Are all attack vectors documented and managed?  Does the company have a culture that emphasizes security over convenience?

What are the internal fraud prevention controls? – Have segregation of duties been setup around key financial processes? How are funds moved and managed on a day by day basis? Does the company have a documented code of ethics?

How are key internal processes managed? – Is there an information security policy? What is the business continuity plan? Is there any incident response plan?  How is customer support managed?

Have you audited your smart contracts? – Have smart contracts and other code been audited by a third party? What are the internal processes for code quality and static analysis?

How are information security vulnerabilities managed – Is there internal vulnerability scanning? Are external endpoints pentested by a third party?  Have all medium and higher identified vulnerabilities been remediated?

How mature is the system architecture? – Are key components properly segregated to minimize risk? Can the system architecture be clearly described in a diagram? Has external exposure been minimized?

Is there a communication plan? — How are you notified if there are problems in the system or offering?  What are the scenarios in which token buyers would not be contacted?  What is the breach notification policy?

How transparent is the company? — How much information was provided up front? How did the company respond with regards to their weaknesses?

This is just a small sample of the questions you should be asking when evaluating an ICO.  If you’re planning an ICO, giving this type of information up front will help buyers evaluate the risks involved with yours company.  Building trust does not come easy.

As a token buyer, ICOs are a great way to participate in blockchain technology.  Asking the right questions will help you minimize risk.

How long does it take to prepare for a SOC 2 audit?

On average, going from zero to SOC 2 Type II will take from 8 months to a year. Smaller companies that don’t have many systems can often complete the process faster. To further expedite the process, it is advisable to not create all policies and procedures from scratch. Many security & compliance consultants have built vast libraries of policies and procedures that can be customized for your business and make your life easier.

What kind of businesses should be thinking about SOC 2?

A SOC 2 report will help your customers trust that you follow security best practices. SOC 2 reports are generally carried out by businesses performing information systems processing or technical services to other business. The SOC 2 report provides third party assurance that an adequate baseline of Information Security controls have been put in place. Businesses of all sizes can have a SOC 2 audit, however, it is most beneficial for businesses looking to sell in the enterprise market.