How to Stay SOC 2 Compliant

For many small and medium businesses, getting to SOC compliance is the biggest challenge on their radar. But it’s important to keep the long view and consider how you’ll stay compliant even after you’ve gone through your first audit.

Practical Assurance has years of experience getting organizations to SOC 2 compliance and helping them maintain their programs. Read on to find out what to expect for an ongoing SOC 2 compliance program.

The Yearly SOC 2 Compliance Cadence

Once you’ve gotten through the process of defining and implementing your SOC 2 compliance program, you’ll find that your program can fall into a particular rhythm, hitting milestones on your checklist throughout the year. Defining this cadence is an important way to ensure that your organization stays compliant and addresses risks year-round.

These processes can be mapped to semi-annual, quarterly, monthly, and even weekly due dates. For instance, larger reviews of your systems and overarching processes should happen every six months to ensure your team is on track. Systems that are more integral to your business processes, such as malware protection, software, and risk assessment systems, should be reviewed on a quarterly basis.

Systems that need more regular upkeep or review will need more granular tasks assigned to their maintenance. Every month, your team should hold meetings, address vulnerabilities and patching, and review industry best practices and emerging threat trends. On a weekly basis, you should run vulnerability scans and ensure security policies are being enforced. These tasks and processes should be integrated into stakeholders’ regular work so that they aren’t felt as an added burden or missed by accident. 

How to Track Your Processes

Keeping track of these processes can appear overwhelming, especially in your first year after an audit. In order to maintain compliance, these processes need to be carried out in a timely way that addresses your organization’s risk, and they also need to be documented. It can be tempting to assign tasks and hope they’ll get done, but the truth is that a commitment to compliance takes a lot more time and effort.

It’s important to define your strategy and determine how you’ll complete it in an organized manner. Beyond having a calendar of due dates, you need to be able to track which individuals in your organization are responsible for each task. You also need documentation to prove whether or not tasks have been completed. Furthermore, you need instructions on completing tasks readily available and contingent next steps if an issue is identified.  

Finding A Solution That’s Better than Binders

While the original method of tracking compliance was shelves full of binders to track and maintain processes, there is a better solution. Practical Assurance has created an automated compliance tracking software system that can help you maintain compliance with automatic reminders and project management capabilities. You can assign tasks to stakeholders, set reminders, and document completion of tasks right inside the app.

We provide this application to organizations that have some compliance experience under their belts and want to improve their tracking and maintenance systems. We also provide advisory services to organizations that are just starting their compliance programs, which includes the app as well as regular consulting on how best to implement it.

For a more in-depth look at the annual SOC 2 compliance cadence, check out our recent webinar, How to Stay SOC 2 Compliant.

What You Get from Our Supercharged SOC 2 Checklist

You’ve decided that you want to start your SOC 2 compliance journey. Congratulations! But where do you begin? 

Becoming SOC 2 compliant can be a complex process, and there is little clear information about exactly what you have to do to be SOC 2 compliant. Based on our extensive experience, Practical Assurance provides a clear, step-by-step checklist on precisely what it takes for each of our clients to achieve and maintain SOC 2 compliance.

Read on to find out what your custom supercharged SOC 2 compliance checklist from Practical Assurance includes.

The Complexity of SOC 2 Compliance Decoded

It’s no secret that SOC 2 compliance requirements contain a lot of nuance. This means that they’re open to interpretation, which can be a headache when you’re trying to answer them. How do you know how to respond? And what if that’s not good enough for your auditor?

At Practical Assurance, we offer monthly webinars to help decode the complexity of SOC 2 compliance. With years of experience, we’ve developed a philosophy that can help organizations at any stage of maturity answer the requirements properly. Plus, we offer customized help to answer your specific questions on how to remain compliant.

Compliance Recommendations Tailored to Startups and SMBs

Over the years, we’ve learned that the companies with the fewest resources are the ones with the most room for growth with SOC 2 compliance. We have fine-tuned our recommendations for startups and small and medium businesses, so that you won’t miss something because of a one-size-fits-all approach.

At the same time, we give specific recommendations on what tools we’ve found to be the most useful in ensuring compliance. For instance, most of our customers are either on Amazon Web Services (AWS) or Microsoft Azure for cloud services. We focus our platform recommendations on those two, although our advice is agnostic enough to be applied to any platform. 

An In-Depth Consideration of Risk

SOC 2 compliance centers around risks, and those change from organization to organization. Our checklist takes this differing risk into account. We know that the risks faced by small technology startups are often much different from those in large public companies. Our checklists help you focus on the risks that really matter to you.

As an example, infrastructure tends to be much less complex in a small company than an enterprise organization. Your HR onboarding and offboarding processes are probably more straightforward, and you have fewer people involved in your processes overall. This means your company can communicate more easily and adapt to changes more quickly. All of this changes how you approach compliance. 

Additional Resources to Guide You to Compliance

On top of the supercharged checklist, Practical Assurance has developed templates and examples for each of our recommendations. This way, you can get up and running even faster because you don’t have to reinvent the wheel.

Practical Assurance also partners with a number of auditor organizations that we have worked with in the past and that we trust and can recommend to you. Since we’ve worked with all of them before, we can also anticipate any sticking points they may have and help you address them before the audit gets underway.

At Practical Assurance, we know we offer the lowest-cost way to get started with SOC 2 compliance. For as little as $249/month, you can get started with our checklist and process and begin working towards compliance, whether you have an audit scheduled or not. Get in touch today to get started.

What is CCPA and What Does It Mean for Your Business?

The California Consumer Privacy Act of 2018 (CCPA) requires U.S. companies who do business with California to implement privacy initiatives to protect the data privacy of California residents. So what is the CCPA and what does it mean for your business? Let’s take a look.

What is the CCPA?

As stated above, the CCPA is a privacy law that went into effect January 1, 2020, meant to protect consumers in California. Its basic premise is to ensure that businesses who have access to the data of California’s citizens implement basic protections of individual privacy. It’s the strictest data privacy law in the U.S., but it looks a lot like the General Data Protection Regulation (GDPR), which went into effect in the European Union in 2018. Unlike the GDPR, though, the CCPA is an opt-out system rather than an opt-in system. Also, the CCPA covers households and devices as well as consumers, whereas the GDPR only covers “natural persons”.

The CCPA gives California consumers a slew of new rights to privacy, including:

  • Transparency about data collection
  • Right to be forgotten
  • Right to opt out of having their data sold
  • Opt-in right for minors before their data can be sold

In order to ensure these rights are met, businesses must provide consumers with disclosures regarding how personal information is collected and why. Companies must also comply if a consumer asks them to disclose the categories and exactly what types of personal information the business collects about them. Consumers can also ask that their data not be sold, and a business can’t discriminate against a consumer for making this request. And finally, consumers can demand that their personal information be deleted.

Which businesses need to implement CCPA guidelines?

Any business that collects and sells consumer personal information or discloses personal data for a business purpose with consumers in California must comply with the CCPA. The law applies to any for-profit legal entity that sells goods or services to California residents, even if the business isn’t physically located in the state. This includes businesses that operate outside of the United States. 

However, there are some caveats, and the bar for compliance is actually set pretty high. To be subject to the CCPA, a business must also meet one of the following three criteria:

  • Have $25 million or more in annual revenue
  • Possess the personal data of more than 50,000 consumers (including households and devices)
  • Earn more than half its annual revenue selling consumers’ personal data

This means that the CCPA applies mostly to bigger companies or those that deal in quite a bit of data. Still, even if your organization doesn’t meet at least one of the above criteria, it’s probably a good idea to start looking at implementing CCPA compliance anyway, for a number of reasons.

What’s the benefit of being CCPA compliant?

First of all, if you meet the criteria as listed above, being CCPA compliant keeps you from breaking the law. That’s hugely important. But even if you don’t meet the criteria, it’s a good idea to implement the guidelines anyway, because customers are more and more concerned about data privacy. The CCPA guidelines are straightforward and implementing them gives your customers a reason to trust you. Simply put, it’s the right thing to do.

If you approach CCPA compliance as part of a holistic privacy compliance strategy, you’ll be in a better position to meet regulatory requirements that are certainly going to arise in the future. Creating an overarching privacy policy that encompasses the overlapping requirements of data regulations like CCPA, GDPR, and HIPAA will set you up for future compliance.

Privacy laws are only increasing over time, and customers will definitely ask you what your policies are. It’s better to show leadership by implementing these policies before you technically have to, so that it’s easier to be compliant when you do get to the point where you have to be. Plus, it’s quite likely that future laws will look pretty similar, so getting the hard work out of the way now will make compliance much easier down the line.

Practical Assurance has vast experience with privacy law compliance, and can help your company start or manage a compliance program you can be proud to tell your customers about. Get in touch to discuss your options. 

Now is the Time to Start (or Perfect) Your SOC 2 Compliance Program

With most of the workforce either furloughed or working from home until the quarantine for COVID-19 can be lifted, many small and medium businesses are taking the opportunity to work on internal infrastructure projects. Security and compliance are two areas where organizations are turning their focus right now as part of these internal programs.

Now is the perfect time for small and medium businesses or startups to begin or perfect their SOC 2 compliance programs. We’ve outlined a few of the reasons why below. 

SOC 2 Compliance Is Only Going to Get More Important

Startups and other firms are taking a long-term perspective and realizing that, no matter where the economy is in six months, security and compliance issues aren’t going anywhere. In fact, given their previous growth trajectories, they may be bigger and greater projects than they were before. Customers who were asking you about SOC 2 compliance before the quarantine are still going to be asking about it after.

As one example, a growing question during the COVID-19 outbreak is how organizations are managing personal data, especially when it comes to healthcare. Several organizations are trying to develop a way to track outbreaks and exposure to the virus through cell phone movement, for instance, but are having to prove that they can do so anonymously without endangering personal health information. This is particularly important in Europe, where the General Data Protection Regulation stipulates strict terms on the usage of personal data. 

By starting or perfecting your SOC 2 compliance plan now, you can help avoid security risks that could make you unattractive to customers once they’re ready to buy your service or product. 

A Business Slowdown is the Perfect Time to Work on SOC 2 Compliance

While your team may have been ready to work in a fully remote capacity before the pandemic, there’s a good chance that many of your customers weren’t quite as prepared. Business has slowed down in many sectors as less tech-savvy teams try to figure out how to implement security while providing their teams with tools that allow them to work from home effectively. At the same time, many organizations are waiting to make big software investments until after the economy has returned to normal. All this means that a good chunk of your workforce may be twiddling their thumbs, too, with no customers to work for.

This presents an ideal situation to hunker down and focus on your compliance program. Instead of having team members work on it when they have time, you can assign tasks with confidence to be addressed now. You can increase the number of employees who are well-versed in the program, and even have some time to determine who may be best to carry it out. You might be surprised at which members of your team show competence in compliance issues, now that they have the time and resources to fully focus on the program. 

Remote Work and All Its Trappings are the New Normal

Working from home can uncover a number of issues in your regular processes and workflows. For instance, internal communications may have hit a snag because individuals can’t have a quick chat while making coffee in the morning if everyone is making coffee in their own kitchens. Hopefully, your organization has found ways to adapt to these new issues, especially since remote work is going to be the new normal for a long time going forward. 

As your team settles into remote work even further, more of these issues are going to be brought to light. Introducing a compliance program like SOC 2 now can help you remediate the issues and outline a way to address them in the future. It’s a very practical way to get your program in place, while producing results that will make your workflows better now and in the future.

At Practical Assurance, we are working with a number of small and medium businesses to take advantage of the current downtime to help set up compliance programs for a successful audit once the quarantine is over. In this way, teams can hit the ground running when the economy bursts back to life in a few months. Practical Assurance has software that can act as the road map to create a full SOC 2 program with a step-by-step guide. We can also offer ongoing services to help your team stay compliant year over year. And we offer consulting packages for organizations that may need hands-on guidance. 

If you’re ready to use the current situation to work on your SOC 2 compliance program, get in touch with us for a free demo today. 

Making SOC 2 Hindsight in 2020

What is best practice prioritization for SOC 2 preparation? What are the top lessons learned from 2019? What are the “gotchas” to avoid? Which criteria require implementation and additional budget? What kind of total budget will I need?

Topics in this webinar include:

  • Prioritized approach for SOC 2 readiness
  • The top 4 audit deficiencies
  • List of common technology expenses
  • Get inside your auditor’s head!


GDPR and SOC 2

How do they integrate?

What is GDPR and how do the requirements overlap with SOC 2? What do I need to do to comply with GDPR? How do I integrate SOC 2 and GDPR into one audit process?

Topics in this webinar include:

  • The core components of GDPR compliance
  • How SOC 2 compliance supports GDPR
  • How to include GDPR into your SOC 2 audit process
  • Get inside your auditor’s head


Whitepaper: How to Talk About SOC 2 Before You’ve Done It

SOC 2 is a phrase that can strike fear and confusion into startups and small businesses, but there’s an easy way to talk about and respond to SOC 2 requests long before you undergo the time and expense of a formal SOC audit.

Most startups and SMBs first encounter the term “SOC 2” during the sales process when a customer asks if you are “SOC 2 compliant” or have a “SOC 2 certification.” In many cases, the customer or prospect doesn’t even know what SOC 2 really is, or what goes into a SOC 2 audit. They’ve just been told by their compliance director or security officer (or the pundit at an industry conference or webinar) that all vendors must “be SOC 2” to do business with their company. SOC 2 is as much a buzzword to many companies as it is an actual policy.

You can win SOC 2-contingent business by showing you understand the point of SOC 2, and that you can deliver SOC 2-style reliability even before you obtain formal compliance. The trick is understanding SOC 2 first.


SOC 2 Self-Attestation Webinar

In this webinar we cover what to do before you have an audit. How do you build trust with customers? What documentation should you have ready to share? Is there ever a time when it makes sense to wait to have an audit performed? What if an audit seems too expensive?

Topics in this webinar include:

  • SOC 2 Preparation
  • Building Artifacts
  • Self-Attestation
  • Tracking Compliance
  • Documentation Examples


The Other “Security Problem” with ICOs

Initial Coin Offerings are called “ICOs” and not “token sales” precisely because they want to appear similar to investor-friendly initial public offerings of stock (IPOs) — which raises a catch-22 compliance problem many startups and investors haven’t much thought about. Specifically, ICOs represent a gray area in U.S. Securities and Exchange Commission (SEC) regulations, and that could make investing in an ICO a compliance minefield for many investors.

The main question in any ICO is this: do the tokens in the sale qualify as a financial security?

If so, then the ICO must follow some very specific rules to govern the sale, many of them identical to a conventional stock IPO. If your tokens are securities, your ICO must be registered with the SEC, and must be overseen by a registered broker. This is no small undertaking, but it has the advantage of laying out some clear rules to handle the token sale.

Many times, however, the SEC simply refuses to comment on whether an ICO is actually selling a qualified security. This means that — at some undetermined point in the future — your tokens could be retroactively classified as any of several asset classes, which in turn means that any initial investors are taking a risk beyond just the normal possibility of coins declining in value.

Anyone can buy a publicly traded stock, but if the SEC doesn’t consider your token equivalent to a public stock, it limits who is allowed to buy your coins under U.S. law. In theory, investors could be forced to divest themselves of their coins should the SEC later decide that your ICO sold an asset class that your investors weren’t qualified to buy — even if that divestiture causes a serious financial loss. Your investors could be forced to sell their tokens when their price is at rock bottom, all based on some unforeseen SEC decision.

This limitation applies even to sophisticated investors. For example, while hedge funds and accredited individual investors can buy pretty much anything, many mutual funds or retirement funds can only hold public stocks or bonds, and many venture capital funds can only hold stock in companies that have not yet issued an IPO. (Once a stock goes public, a VC fund usually has a window to divest, but can’t hold the publicly-traded stock for very long.)

Complicating matters further, unless your ICO qualifies as a crowdfunding instrument, it may be impossible for non-accredited investors — which is to say, average people who don’t have high net worth — to buy tokens during your sale. No one has stopped non-accredited investors from buying Bitcoin, but there’s no legal standard to prevent the SEC from treating your ICO differently.

Both the SEC and FINRA have issued investor guidelines for participating in ICOs. This is the playbook that smart coin-buyers will be following, and the standard your firm must be ready to meet.

Before issuing an ICO, it’s critical that your organization review the legal structure underpinning your token sale, both to prevent it from running afoul of regulatory guidance, and to protect yourself from investor backlash should the SEC decide to reclassify your tokens as a highly regulated asset class at some point in the future.