Hacking SOC 2

What are the common ways companies try to cheat SOC 2? Why doesn’t it work? What are the hacks you can deploy? What’s the difference? Get inside your auditor’s head!

Topics in this webinar include:

  • Less known SOC 2 hacks and workarounds
  • Common shortcut pitfalls
  • What makes an auditor nervous and what gives them confidence
  • Get inside your auditor’s head!

Download the webinar:

The webinar was recorded in July 2020 and we’ve made it available for download by filling out the form below.

Now is the Time to Start (or Perfect) Your SOC 2 Compliance Program

With most of the workforce either furloughed or working from home until the quarantine for COVID-19 can be lifted, many small and medium businesses are taking the opportunity to work on internal infrastructure projects. Security and compliance are two areas where organizations are turning their focus right now as part of their strategies to focus on these internal programs.

Now is the perfect time for small and medium businesses or startups to begin or perfect their SOC 2 compliance programs. We’ve outlined a few of the reasons why below. 

SOC 2 Compliance Is Only Going to Get More Important

Startups and other firms are taking a long-term perspective and realizing that, no matter where the economy is in six months, security and compliance issues aren’t going anywhere. In fact, given their previous growth trajectories, these may be even bigger projects than they were before. Customers who were asking you about SOC 2 compliance before the quarantine are still going to be asking about it after.

As one example, a growing question during the COVID-19 outbreak is how organizations are managing personal data, especially when it comes to healthcare. Several organizations are trying to develop a way to track outbreaks and exposure to the virus through cell phone movement, for instance, but are having to prove that they can do so anonymously without endangering personal health information. This is particularly important in Europe, where the General Data Protection Regulation stipulates strict terms on the usage of personal data. 

By starting or perfecting your SOC 2 compliance plan now, you can help avoid security risks that could make you unattractive to customers once they’re ready to buy your service or product. 

A Business Slowdown is the Perfect Time to Work on SOC 2 Compliance

While your team may have been ready to work in a fully remote capacity before the pandemic, there’s a good chance that many of your customers weren’t quite as prepared. Business has slowed down in many sectors as less tech-savvy teams try to figure out how to implement security while providing their teams with tools that allow them to work from home effectively. At the same time, many organizations are waiting to make big software investments until after the economy has returned to normal. All this means that a good chunk of your workforce may be twiddling their thumbs, too, with no customers to work for.

This presents an ideal situation to hunker down and focus on your compliance program. Instead of having team members work on it when they have time, you can assign tasks with confidence to be addressed now. You can increase the number of employees who are well-versed in the program, and even have some time to determine who may be best to carry it out. You might be surprised at which members of your team show competence in compliance issues, now that they have the time and resources to fully focus on the program. 

Remote Work and All Its Trappings are the New Normal

Working from home can uncover a number of issues in your regular processes and workflows. For instance, internal communications may have hit a snag because individuals can’t have a quick chat while making coffee in the morning if everyone is making coffee in their own kitchens. Hopefully, your organization has found ways to adapt to these new issues, especially since remote work is going to be the new normal for a long time going forward. 

As your team settles into remote work even further, more of these issues are going to be brought to light. Imposing a compliance program like SOC 2 on them now can help you remediate the issues and outline a way to address them in the future. It’s a very practical way to get your program in place, while producing results that will make your workflows better now and in the future.

At Practical Assurance, we are working with a number of small and medium businesses to take advantage of the current downtime to help set up compliance programs for a successful audit once the quarantine is over. In this way, teams can hit the ground running when the economy bursts back to life in a few months. Practical Assurance has software that can act as the road map to create a full SOC 2 program with a step-by-step guide. We can also offer ongoing services to help your team stay compliant year over year. And we offer consulting packages for organizations that may need hands-on guidance. 

If you’re ready to use the current situation to work on your SOC 2 compliance program, get in touch with us for a free demo today. 

How to prepare for your first SOC 2 audit

Security audits can be a real eye opener. As a company built on helping small and medium businesses prepare for their SOC 2 audits, we know from experience that many companies are completely blindsided by what an audit can bring out. This can happen not just during your first SOC 2 audit, but also if you change auditors. Luckily, you can prepare for these issues with a little foresight. Here are some tips for preparing for your first SOC 2 audit, or a SOC 2 audit with a new auditor.

Understand the pre-audit timeline 

Your audit actually begins well before the auditor begins their onsite visit. Preparing for the SOC 2 audit means having implemented SOC 2 at your organization, obviously. Hopefully this will mean that you’ve outlined your controls and how you’re meeting SOC 2 criteria. In fact, having all of these lists in place should inform who you choose to perform the audit (see below). 

In preparing for an actual audit, you’ll need to assemble your internal SOC 2 project team, understand the scope of the project, and assign responsibilities, well before you determine which auditor you want to go with. You’ll also need to perform gap analysis and remediate any control deficiencies in preparation for the audit. All of this preparation has to take place well before the auditor steps foot on your premises. You may need a consultant to help with all of this, which is completely normal.  

Develop and identify your own controls based on the Points of Focus as early as possible

One way to be better prepared is to define your control list as soon as you possibly can. SOC 2 provides example controls, but the auditor will look to you and ask what your controls are in order to determine if you’re meeting the criteria. The auditor will work to verify that you meet each criterion outlined in SOC 2, and to do that, they’ll look at the Points of Focus. They’ll excuse irrelevant Points of Focus (for instance, fully remote companies may not need physical security controls), but every other one must be met with some type of control.

The auditors will use your control list to make their request list, and will usually ask for your list about a month before the end of the audit. However, it’s a good idea to share your company’s control list with your auditor before the audit begins to ask if it throws off any red flags for them so you can prepare for those questions when they come. In fact, you may even use your control list and the auditor’s reaction to it as a way to determine the flexibility of possible external auditors so you can select an auditor who will be a good fit for your company. 

Recognize that you’re going to have disagreements with auditors

Because SOC 2 is less prescriptive than other security standards like PCI or ISO 27001, some of the requirements are subject to opinion rather than hard and fast benchmarks. While there are common ways to ensure compliance, your methods may be different because of how your organization works. What it all comes down to is understanding your organization’s risks, and being able to explain in full how the controls you’ve put in place mitigate those risks. If you understand the criteria and the Points of Focus as laid out in SOC 2, you’ll be in a better place to explain to an auditor why you’re doing something differently from industry best practice, or be prepared if an auditor asks you for something you don’t have.

In fact, if you know that your organization has controls in place that are very different from what an auditor might normally expect, you might be better off bringing that up early on in the audit. Even though SOC 2 is extremely flexible, the auditors are probably going to expect that the sample controls set forth in SOC 2 will be in place at your organization. It’s a good idea to ask your auditor for a list of sample illustrative controls that they look for and see if they’re applicable to your company or not, too, so you can be prepared with a response when the time comes.

Recognizing that you’re going to have disagreements can also help you remember that you want to set your tone to be more cooperative than defensive or challenging. Challenging the standard doesn’t usually go well, because it’s the auditor’s job to show that you’re meeting it, whether you agree that it’s necessary or not. Instead, be prepared to explain why the controls you have in place meet the criteria in a different way. Don’t be defensive about your particular controls; instead, be collaborative, and the audit will go much better for everyone. 

While a SOC 2 audit can be eye opening, it doesn’t have to be a disaster. Practical Assurance has created a self-service readiness tool that lays out a number of the expected controls and samples of what an auditor will be looking for. You can get started today for free at https://app.practicalassurance.com/signup.

For more tips on getting through a SOC 2 audit, check out our webinar, Overcoming SOC 2 Roadblocks.

SOC 2 Penetration Testing Requirements

What SOC 2 requirement applies? How do I know we’re ready? What’s the required scope? How do I get the most out of my test?

Topics in this webinar include:

  • When it’s time to schedule a pen test
  • Mistakes found in first-time pen tests
  • What to expect during the test and how to make it more effective
  • How to use pen testing in security awareness training


SOC 2 Checklist – Week by Week

What does a weekly project plan and checklist look like for SOC 2 readiness? How do you prioritize practically? What are the key tasks I need to accomplish each week? 

Topics in this webinar include:

  • SOC 2 Checklist
  • 12-week readiness project plan
  • Key tasks prioritized weekly
  • Visual overview of the readiness process
  • Healthy readiness expectations


SOC 2 : A Tactical Approach Webinar

So you have been working on readiness; now what? How do I know I am ready for an audit? What kind of evidence do I need? What, exactly, will an auditor be asking for?  

Topics in this webinar include:

  • What evidence do you need to collect in advance
  • Who in your organization needs to be ready
  • What effective compliance management looks like
  • Get inside your auditor’s head


SOC 2 Vendor Management Webinar

In this webinar we team up with Blissfully, a SaaS management company that recently completed their own SOC 2 Type II.

What are the SOC 2 criteria for Vendor Management? What’s required to properly assess my vendor’s security? What will my SOC 2 auditor expect to see? What are the best practices others are using?

Topics in this webinar include:

  • Why vendor management is critical
  • What it means for SOC 2
  • How to leverage software
  • War stories from a recent audit
  • Sample vendor management audit questions


SOC 2 Self-Attestation Webinar

In this webinar we cover what to do before you have an audit. How do you build trust with customers? What documentation should you have ready to share? Is there ever a time when it makes sense to wait to have an audit performed? What if an audit seems too expensive?

Topics in this webinar include:

  • SOC 2 Preparation
  • Building Artifacts
  • Self-Attestation
  • Tracking Compliance
  • Documentation Examples


SOC 2 Risk Analysis Mock Audit Webinar

Risk analysis and risk management are among the most important processes in SOC 2 preparation. A finely tuned process helps organizations ensure that they are prioritizing the right things, and not spending money unnecessarily. Risk assessment is the process of identifying assets, the impact of losing each asset, and the likelihood of that loss occurring. Risk management is the process of selecting controls or other risk responses to adequately prepare for negative events.

In this webinar we cover the key processes that should be focused on when building a risk assessment and management program. We help you prepare for the unknown and ask questions that may come up in an audit. We review several risk registers as well as cover common audit questions.
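As an added illustration of the assessment and management process described above (example code written for this page, not material from the webinar or from Practical Assurance), the following risk register scores each asset by likelihood and impact, ranks the entries, records the chosen response and control, and then flags the rows a mock audit would question: those where the risk remains above the organization's own tolerance after the response, including a risk that was simply "accepted" without anyone noticing it exceeds tolerance. The 1-to-5 scales, the tolerance value of 8, the four response types, and the sample assets are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed scoring model for this example: likelihood and impact are scored
# 1 (lowest) to 5 (highest), and a risk is within tolerance when
# likelihood x impact is at or below TOLERANCE.
TOLERANCE = 8
RESPONSES = {"accept", "mitigate", "transfer", "avoid"}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    response: str = "accept"
    control: str = ""                          # required when response is "mitigate"
    residual_likelihood: Optional[int] = None  # after the response; defaults to inherent
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def validate(risk: Risk) -> None:
    """Reject rows that are incomplete: out-of-range scores, an unknown response,
    or a 'mitigate' decision with no named control behind it."""
    for value in (risk.likelihood, risk.impact,
                  risk.residual_likelihood, risk.residual_impact):
        if value is not None and not 1 <= value <= 5:
            raise ValueError(f"{risk.asset}: scores must be between 1 and 5")
    if risk.response not in RESPONSES:
        raise ValueError(f"{risk.asset}: unknown response {risk.response!r}")
    if risk.response == "mitigate" and not risk.control:
        raise ValueError(f"{risk.asset}: 'mitigate' requires a named control")


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first, so effort and budget go where exposure is."""
    return sorted(register, key=lambda r: (-r.inherent_score(), r.asset))


def findings(register: List[Risk], tolerance: int = TOLERANCE) -> List[str]:
    """Rows whose residual risk still exceeds tolerance after the chosen response."""
    out = []
    for r in register:
        validate(r)
        if r.residual_score() > tolerance:
            out.append(f"{r.asset}/{r.threat}: residual {r.residual_score()} "
                       f"> tolerance {tolerance} with response '{r.response}'")
    return out


# Constructed sample register for the example (not real data).
SAMPLE_REGISTER = [
    Risk("Customer database", "ransomware", 4, 5, "mitigate",
         "tested offline backups and endpoint detection",
         residual_likelihood=2, residual_impact=3),
    Risk("Employee laptops", "loss or theft", 3, 3, "mitigate",
         "full-disk encryption with remote wipe", residual_impact=1),
    Risk("Office", "physical intrusion", 1, 2),        # accepted, within tolerance
    Risk("SaaS vendor", "vendor data breach", 3, 4),   # accepted, but above tolerance
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.inherent_score():>2}  {r.asset}: {r.threat} -> {r.response}")
    for f in findings(SAMPLE_REGISTER):
        print("FINDING:", f)
```

Running the block ranks the customer database (20) and the SaaS vendor (12) ahead of laptops (9) and the office (2), and produces a single finding for the vendor row: a risk that was accepted even though its score is above the assumed tolerance, which is exactly the kind of inconsistency between a stated risk appetite and the register that an auditor will ask about.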

Topics in this webinar include:

  • Risk Analysis Policies
  • Risk Management Process
  • Asset Inventory
  • Mock Audit Questions
  • Audit Gotchas
