SOC 2 Compliance



  • We need to do SOC 2 compliance for the app I'm working on. Do you guys have any tips on getting started?



  • @dangeRuss said in SOC 2 Compliance:

    SOC 2 compliance

    Everything is flooded with audit services and their "fake articles" ads.

    Here's something:

    It's still an ad, but it offers a lot more than the others, and from it, a layperson can tell what they'll need to work on.



  • @xaade Thanks, but that doesn't really help either.

    We basically need to complete these items I think.

    Hell if I know what most of them mean though.



  • @dangeRuss said in SOC 2 Compliance:

    @xaade Thanks, but that doesn't really help either.

    We basically need to complete these items I think.

    Hell if I know what most of them mean though.

    That link 404s for me...



  • I guess they decided they didn't want 3 people looking at it... That link was working half an hour ago and is still coming up in google search.

    Attaching it instead.

    Trust_Services_Map_to_COBIT5



  • @dangeRuss said in SOC 2 Compliance:

    @xaade Thanks, but that doesn't really help either.

    We basically need to complete these items I think.

    Hell if I know what most of them mean though.

    That list makes sense given the blog article I read.
    I can look through them and give you my estimates.
    The company I work for has me very close to the business side of things.

    Which ones confuse you more?

    CC1.0 is mostly saying that you need to make sure you hire the right people, with the right skills, provide them with the right resources and authority, and that you have a proper reporting procedure for incidents and oversight of the system.

    So, basically, document the employees, authorities, chain of command, and the skills and resources your employees have.

    CC2 is about communicating the roles and responsibilities of users to the appropriate parties (external users just need to know the roles of internal users: IE who can reset passwords). How roles can impact the system. Communicating when system updates impact users. And everyone is informed of how they can report incidents.

    CC3 is identifying risks and mitigation, and what controls are implemented in the software to mitigate problems.

    CC4 is regularly reviewing (based on measurements collected) whether your controls meet your commitments

    CC5 is mostly about implementing and assigning authorities that give access to the controls that roles use. Also physical access to facilities. 5.8 is specifically about software implemented to notice malicious software.

    CC6 is making a procedure to keep on top of threats, and stick to this procedure.

    CC7 is review this list to make sure you are within the parameters after an update. Second part is to actually require updating when issues are noticed.

    A is system availability, backup, restoration procedures.

    PI is making sure the data processing, storage, doesn't corrupt the data.

    C is making sure that information is confidential through authority/role restrictions and that this protection requirement is extended to 3rd party (vendors, contract workers, etc).



  • Regarding the above list. For each topic, make sure you do the following.

    1. Document everything. All of your employees skills. All of your command chain. All of your procedures. Have a location for pertinent procedure that can be readily accessed and reviewed.
    2. Make sure all of your employees know the pertinent information, and all of the procedures. The auditor will question random people.
    3. Come up with a training program for your employees and any contractors. Especially cover the topic of confidentiality.
    4. Always always always declare how confidential information will be used to the affected party, and make sure the people who have access to that information only use it in the ways that you've communicated to your customers.
    5. Be able to demonstrate that you've communicated to customers the pertinent information. (a page in your app that explains how their information will be used, and how they can report problems)
    6. Do an internal audit.

    Most likely, you're going to have deficits when you get audited, and you'll have to address them.



  • @xaade I think I saw somewhere that step 1, you get a readiness assessment. Should we just hire somebody to do that at the beginning, so we know what we need to address?



  • @dangeRuss said in SOC 2 Compliance:

    @xaade I think I saw somewhere that step 1, you get a readiness assessment. Should we just hire somebody to do that at the beginning, so we know what we need to address?

    Disclosure: My experience with this is limited to having a brief overview of ISO-9001 certification my company was preparing for, and I suspect I've experienced partial training for SOC 2 when I was working on a project for a customer. They had me take confidentiality training, because I'd have access to personal data. So I'm by no means an expert. Therefore, this does not constitute legal advice πŸ˜›

    All of those steps are to prepare you for step 6. Which is what you're referring to, an internal audit.

    From what I can tell, SOC 2 looks like the security software and business procedure flavor of ISO-9001. I could tell from that list that the focus is primarily on procedure, authorities, and roles, with ~10% having to do with the actual robustness of the software. This makes sense, because most "hacking" is just social engineering.

    Those steps need to take place before or simultaneous to hiring someone, because they'll be less efficient if they're just poking around on your network or asking around looking for those things. I imagine someone skilled in COS 2 certification would help you work through it in more accuracy so that you're not wasting your time. Depends on whether you want to hire someone to help you decide procedure, or review your procedure.

    But just like you wouldn't walk into a tax office with empty hands, you should have something to offer the internal auditor to review. I think you could probably skip making changes to current policy until you have a review though. But things like step 4, communicating how information will be used, can be done right now, because that's pretty much a given.



  • These are my guesses on each point.

    2nd tab has my guesses for definitions.



  • @xaade Thank you, this is going to be very helpful.



  • @dangeRuss I hope so. Let us know how it goes, and fix anything I got wrong.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.