Most startups and many small or medium businesses have turned to remote work while the COVID-19 quarantine is in place. As we’ve said before, if you’re experiencing a lull in business, it’s an ideal time to define your SOC 2 compliance program. But how can you launch a SOC 2 compliance program while your team is working remotely?
As experts in helping companies prepare for SOC 2 compliance, Practical Assurance has devised some best practices to help guide you through SOC 2 preparation, even when your team is remote.
Start with Basic Questions about SOC 2
Getting started with your SOC 2 compliance program while working remotely is the same as if your team is in-house. There are some basic questions you need to ask yourself that will help you determine how you’ll go about your SOC 2 compliance program.
These questions include:
- Why are we doing SOC 2?
- What are the basic SOC 2 requirements?
- Which services, products, business units, etc., are in scope for an audit?
- What are our trust principles?
- Do we want to try Type I or Type II?
- When do we want to aim for implementation?
As an IT leader or founder, these questions should take you no longer than a day to answer. There’s really no excuse not to get started, regardless of where your workforce is.
Gather Documentation for an Initial Gap Test
Over the next week, take some time to get your program’s momentum going. This may be more difficult while working remotely, but if your documentation is saved in the cloud, it won’t be as difficult as you may think.
You can start by gathering any existing documentation you have, such as policies and procedures from your HR and technical teams. You should also look out for maps of your system, network, data flow, and architecture diagrams that may explain your IT infrastructure.
Take inventory of your data, servers, workstations, and software as well. If your IT department doesn’t have this information, you may need to survey your employees about which devices and systems they use while working from home. Make sure you understand whether or not your employees are working from home on their personal computers, as that can have an impact on your compliance.
If you’ve engaged in penetration testing in the past, those reports will help inform your future security strategy. Previous due diligence questionnaires are also key to identifying how you will move forward. In the same vein, take some time to meet with your various teams and get clarity on what sensitive data you store on behalf of customers. This information may come from your sales and marketing teams, from your web forms, and from IT security.
After getting all this information together, you can do your first SOC 2 gap assessment. Take a look at where your organization currently stands based on these documents and data, and compare it to where you want to be.
Identify Your Team and Treat Compliance Like a Regular Project
The key to success in any SOC 2 program is structure. This includes identifying which team members will be responsible for which aspects of the program. Right now, your team members may not have as much work as they normally do, and you may be able to find more volunteers than you normally would. Make sure that you are clear on deadlines, responsibilities, and communication to ensure success, even while your teams are working from home.
The top roles that you need to identify are:
- Business Process Lead
- Technical Lead
- InfoSec Lead
- Compliance Manager
For the best possible outcome, your team leaders should include executives if possible. For instance, the business process lead can be your HR manager or chief operations officer, and your technical lead can be your VP of engineering. Their buy-in will make or break your compliance program, and having them lead teams is a great way to keep them in the loop.
After your team is in place, you’ll need to structure your compliance project like you would any other project. Include it in your regular project management process so that team members understand what they’re assigned to do and when it’s due. This is particularly important when your team is working remotely, as they won’t be able to pop into each other’s offices when they have questions. If you treat compliance as though it’s as important as a customer project or a software rollout, you’ll have a much better chance of success.
Run Your Business in a Compliant State and Measure Success
Once you’ve set your SOC 2 compliance program up, you’re ready to run your business in a compliant state. It should be relatively natural if you’ve set everything up properly.
There are a few simple checks you can use to measure your success, such as asking yourself:
- Why do we need to be compliant?
- Is our leadership bought in?
- Are the right stakeholders involved?
- Have we committed a budget?
- Is there a plan and a roadmap?
- Are we expecting the right amount of work from team members?
- Is our timeline expectation reasonable?
If you can answer each of these questions, you’re doing a good job.
You don’t have to start a compliance project on your own. Practical Assurance was founded to help startups and small businesses institute compliance programs with tools and tips from experts. To get more details on how to set up a compliance program while your team is working remotely, download a recording of our webinar.