At Blissfully, we went through the SOC 2 compliance process just a few months after raising our first round of funding. We want to help other organizations manage IT successfully, which requires trust. Being SOC 2 compliant was about giving our customers and prospects peace of mind when it came to working with us. Read on for recommendations for your SOC 2 Compliance stack.
The process itself can be overwhelming, so we put together some recommendations around tools to use, mapped to the requirements of the SOC 2 framework (listed in parenthesis after each tool). Even if you are not 100% ready to start the SOC 2 process right now, choosing tools like these early on will help put you in a good position when you are ready to move forward.
This compliance stack focuses on five key areas:
- Document management: Shows auditors how you document internal processes.
- People ops (HR and IT): Details how carefully you manage employee-related onboarding, IT access, documents and processes.
- Security: Takes into account physical access, endpoint and database security, as well as identity and access management and password management.
- Change management: Tracks changes in code and system operations, as well as sets up a system for risk management and regular monitoring of controls.
Document Management: Quip
(A1: Availability, C1: Confidentiality, CC2: Communications)
A key part of security and compliance is documenting your internal processes. Quip makes documentation easy to create, edit, share, and navigate. Quip combines documents and communication into a single, central hub that is accessible from every device.
People Ops (HR and IT): BambooHR or Gusto, and Blissfully
(CC1: Organization and Management)
BambooHR is a human resources information system (HRIS) designed for small and medium-sized businesses, and it handles everything from applicant tracking to employee onboarding, and from vacation time to overall HR reporting. It’s an excellent, integrated system that your employees can interact with and use for self-service around many HR-related tasks.
Gusto is a similar HRIS, covering payroll, benefits, and HR writ large. It is also designed for small businesses and provides companies with access to trained HR pros (helpful if you don’t have a large HR department), as well as benefits brokers who can help you select plans for your business. As a side note, we also recommend Checkr for background checks to offer peace of mind and help you meet SOC 2 requirements.
Blissfully provides an easy and automated way to onboard new employees, giving them access to all the SaaS tools and apps they need with the click of a button. It also offers integrated, customizable onboarding checklists. Additionally, centralized audit trail features ensure that every action is tracked, so you can easily demonstrate that you are upholding compliance and/or regulatory mandates.
(CC5: Logical and Physical Access Controls)
Asset Management: JAMF
JAMF offers centralized asset tracking for Apple endpoints, plus the ability to enforce key security requirements like password lock, screenshare activation timing, and hard disk encryption, all of which should be defaults across the entire organization. These policies and the proof that you’re enforcing them will be helpful come SOC 2 audit time.
Identity and Access Management: Okta
Okta’s IAM offering replaces insecurely sharing passwords, or requiring employees to memorize various difficult passwords. Instead, you integrate your company applications to a single provider that handles secure authentication. In addition to the authentication, you get reporting on login frequency, locations, etc, which is helpful when hardening your internal processes and getting ready for a security audit. Okta is the current leader in the space, has lots of integrations, and a mature mobile offering. G Suite does offer some of this functionality but for a limited subset of products. Smaller organizations may want to consider using Google’s single sign-on options.
SaaS Security Monitoring and Management: Blissfully
Blissfully provides an up-to-date list of the SaaS in use subscriptions across your company—including “shadow” and unsanctioned applications. Plus Blissfully allows you to easily audit what permissions users in your organization are giving to which applications, and get updates on all new additions. Finally, the ability to manage employee access to required SaaS products by department, and to consolidate licenses gives unprecedented visibility into your SaaS stack.
Database Access Management: StrongDM
Databases often store very sensitive information, which can be prone to security incidents. We recommend StrongDM as a solution, since it offers convenient permissions, monitoring, and compliance reporting.
Password Management: TeamsID or LastPass
TeamsID has all the key features you’ll need in a team password platform, including the ability to have “secret” passwords that can be filled in but not seen, browser extensions, native applications for many platforms, easy team management and sharing, and more. A very solid alternative is LastPass, which offers many of the same features.
Physical Access Controls: Kisi
Kisi provides a suite of IoT tools to help companies manage physical access to their workspaces. Kisi has a wide range of keyless entry solutions that increase security while helping businesses meet SOC 2 controls related to their physical spaces.
Code Management: GitHub (CC7: Change Management)
It’s absolutely vital to carefully track changes to code, since these could be an indicator of compromise down the road. GitHub takes security quite seriously, and they have become the go-to for organizations who want to manage their code in a way that enables them to meet SOC 2 controls around change management as simply as possible.
Risk Management: Practical Assurance (CC3)
Practical Assurance offers a host of templates, forms, and expert advice on how to meet the risk management requirements of SOC 2 and other information security frameworks. The platform can also be set up to send periodic risk analysis questionnaires to all employees, helping with user awareness of security protocols and documentation of your overall risk.
Monitoring of Controls: Practical Assurance (CC4)
Keeping track of controls is an ongoing effort that is typically managed by a CSO or compliance manager. Many small companies do not have this dedicated position, so they may need help monitoring whether their controls are operating properly and regularly. Managing SOC 2 compliance requires that a number of annual, semi-annual, quarterly, and monthly controls “fire” on time and are sufficiently documented. Practical Assurance helps distribute security responsibility and ownership across the organization.
Systems Operations: Zendesk, HelpScout, Trello, or JIRA (CC6)
Finally, you need to have incident management tracking in place in order to meet SOC 2 controls around system operations. Which tool you choose may depend upon whether you are already using one or more of these at your organization for other purposes (such as customer success operations or project management).
With the right tools, even small teams and early-stage companies can meet the compliance standards they need to earn the trust of customers and prospects. Learn more about SOC 2 and our own journey toward the compliance certification in our Blissfully SOC 2 Compliance Playbook.