Security professionals often hear about SOC 2 compliance as a standard to which technology companies should be held. This is especially true in recent years with companies experiencing an ever greater reliance upon Software as a Service offerings which store customer data.
Organizations use SOC 2 certification and reporting as a de facto industry standard for assessing the degree to which they can trust a partner with their data.
What is SOC 2?
System and Organization Controls (SOC) is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors assess and test an organization’s controls relating to Security, Availability, Processing Integrity, Confidentiality or Privacy.
Because SOC 2 represents such a comprehensive investigation into an organization’s operations, controls, and policies in place to ensure security, availability, and integrity of the system, SOC 2 reports can play a critical role for organizations seeking assurance of their partners’ business and technology. The significance of SOC 2 compliance runs deep, from corporate governance all the way through regulatory compliance and security architecture.
Why does SOC 2 matter?
A SOC 2 report provides assurance that an organization has adopted secure policies and practices. More than just that, a SOC 2 report is an independent, real-world, third-party analysis of how well those policies and practices protect customer data.
For many organizations, the very first question in assessing a new vendor is whether or not that vendor is SOC 2 compliant, because the answer to that single question eliminates the need for so many others.
SOC 2 at Oort
Oort is a cybersecurity company, and our mission is to provide enterprises with identity threat detection and response capabilities that improve their security and operational efficiency.
As a trusted partner to enterprise organizations, it is essential for us to show our customers that we are committed to securing their data in every way that we can, and SOC 2 compliance is one of these ways.
From the outset, we knew that we needed to become SOC 2 certified. Most technology organizations when faced with compliance questions prepare for a long and arduous process of audits, preliminary findings, and remediations.
For large organizations, SOC 2 certification can take months to complete.
While we are at the start of our journey towards becoming an “enterprise,” we have always been overachievers. Our comprehensive SOC 2 audit was completed in a week. Here’s how we did it:
A Security Mindset
Our team has strong foundational experience in the security industry, and deep experience with compliance frameworks, including SOC 2. We’ve built a security product from the ground up, always with an eye on the details to ensure security of our offerings. We have adopted policies that make it clear from the beginning that not only are we building a secure offering, but that the way we work keeps it secure. We always ask the question “is our customers’ data safe?”
Proper Preparation Prior
Building a secure platform in a secure way is the paramount requirement for a security company. For SOC 2, we have to have more than policies, we have to have proof of implementation. Once we set the SOC 2 goal for ourselves, our team spent weeks mapping our internal policies, procedures, and technologies to SOC 2 controls, and gathering evidence to show that we are already in compliance. This went quickly, precisely because we have our own platform to use for reviewing identity and access, and because we design security into everything we do.
The Audit
The third-party performing our SOC 2 audit informed us on a Tuesday that they would begin. We provided them with all of the policies and evidence that we had already gathered, and had our draft report on Friday, without a single deficiency found.
The Lessons
There’s an old joke: “How do you eat an elephant? One bite at a time!” For many companies, SOC 2 certification is an inedible elephant. At Oort, we decided it was necessary because of what we do, and when we started to look at it, we saw that we were already chewing.
Having a team with a security mindset and deep experience meant that we had already built a SOC 2 compliant architecture, and that we were already working in ways that make an auditor’s job easy – we were already eating the elephant.
Once we had the goal in mind, then, the most time-consuming part of the process was gathering the evidence. We did not have to adopt new practices or policies _because we had been doing them all along._ We just had to prove it to an auditor, which was easy because we had maintained systems to record auditable activity trails everywhere we went.
In the final analysis, the biggest lesson about SOC 2 – and compliance efforts generally – is to say what you do and do what you say. Have secure policies, and have audit trails in place to prove that you follow them.
Oort can speed up SOC 2 compliance for enterprise
One of the factors that made our SOC 2 audit so easy was using our own instance of Oort’s identity and access analytics platform. The SOC2 specification of controls puts a great deal of emphasis on access reviews, access alerts, access control policies, and multi factor authentication. We were able to rapidly provide evidence for our own audit because our product is designed specifically to monitor and report on the identity and access activity within an organization. This level of granular visibility and segmentation is absolutely critical for adopting a “Zero Trust Architecture” and Oort helped us achieve SOC 2 compliance in record time.
