The Blissfully SOC 2 Compliance Playbook
Ariel Diaz, CEO & Founder, Blissfully, with contributions from
Ben Thomas, CEO & Founder, Practical Assurance
Schuyler Brown, CMO, StrongDM
Bernard Mehl, CEO & Co-Founder, Kisi
SOC 2 compliance is an increasingly common framework and applies to many businesses today. Specifically, SOC 2 applies to any service provider that stores customer data in the cloud. It is quite relevant to SaaS businesses, but also to many others who store their customers’ data in this way.
SaaS vendors in particular need to be SOC 2 compliant in many instances, especially when they sell to the enterprise. Enterprises are often beholden to a wide variety of security and compliance controls, and being demonstrably SOC 2 compliant as a vendor gives those enterprise customers the peace of mind they need to do business with you.
A SOC 2 Overview
The industry as a whole does not see SOC 2 as a set of hard and fast rules. Rather, it is a framework that sends a strong signal that an organization prioritizes these key attributes: security, availability, processing integrity, confidentiality, and privacy.
Completing a SOC 2 certification on its own is generally not enough to prove that you are 100% secure as an organization, but it’s a very good start and will go a long way toward instilling trust in your customers.
The History of SOC 2 in Brief
Before SOC 2, the original standard for auditing service organizations was known as a SAS 70 (Statement of Auditing Standards No. 70). SAS 70 audits were performed by Certified Public Accountants (CPAs) with the original intent to report on the effectiveness of internal financial controls. These were introduced in the early 1990’s.
Over time, the audit started to be used as a way to report on the effectiveness of a company’s internal controls around information security more broadly. Around 2010, SOC 1 and SOC 2 reports were introduced by the AICPA with the explicit purpose of addressing the growing need of companies to externally validate and communicate their state of security.
Today, SOC 1 reports are generally centered around controls impacting financial reports, similar to the original SAS 70. SOC 2 reports, on the other hand, are written on audits against the Trust Services Criteria (TSC) standard, which we’ll explain below. This standard is ideal if you’re looking for a way to simultaneously improve your company’s maturity around business processes and security.
SOC 2 Trust Principles
The next question an auditor will ask is what principles the organization wants tested. The response to this question will impact how many processes are reviewed and the overall cost of the audit.
Security: The foundational security principle, common to all audits.
Confidentiality: Protection from unauthorized disclosure of sensitive data.
Availability: Protection that systems or data will be available as agreed or required.
Processing Integrity: Protection that systems or data are not changed in an unauthorized manner.
Privacy: The use, collection, retention, disclosure, and disposal of personal information is protected.
All SOC 2 audits include “Common Criteria”. This is the biggest section of the audit and touches on every aspect of information security controls. Companies can start with a Common Criteria audit if they’re looking to keep the scope small. Common Criteria includes aspects of all principles noted above.
SOC 2 Common Criteria
In addition to Common Criteria, mature SaaS companies tend to add on Confidentiality and Availability. The Integrity principle is typically used by companies processing a lot of transactions, as well as financial institutions. Privacy is seldom included as part of a SOC 2 audit. While it has value, most organizations tend to focus their privacy efforts around compliance with HIPAA or EU regulations (like GDPR). This is because European companies generally want audits against their own standards, rather than SOC 2, and they tend to have more stringent requirements. If you need to uphold GDPR, for example, then you’ll be focusing on privacy when you go through that process.
The SOC 2 Audit Process
The SOC 2 reporting standard is defined by the AICPA (The American Institute of Certified Public Accountants). All SOC 2 audits are signed by licensed CPAs. To achieve SOC 2 compliance, most companies spend anywhere from six months to a year on focused preparation. This includes identifying which systems are in scope for the audit, developing policies and procedures, and implementing new security controls to reduce risks.
When ready, an organization will hire a licensed CPA audit firm to conduct the audit. The actual process involves scoping, artifact document collection, and an on-site visit. The time commitment is typically several hours of introductory phone conversations and two days in-person at your office. While in your office, the auditor will conduct interviews and review submitted material. When starting to scope a SOC 2 audit, there are a few key decisions that will need to be made up front. First, do you want a Type I or Type II audit? This terminology can be confusing to newbies because of the mix of numbers and Roman numerals.
SOC 2 Type I vs Type II Explained
SOC 2 Type I
An audit conducted against the Trust Services Criteria standard at a single point in time. This audit answers: Are all the security controls that are in place today designed properly?
SOC 2 Type II
An audit conducted against the Trust Services Criteria standard over a period of time. This period typically covers six months the first time, and then a year thereafter. In other words, this audit answers: Did the security controls that were in place from January 1 through July 31st operate effectively? (Note: SOC 2 audits are generally only considered valid for a year, so you must get into a rhythm of conducting them annually.)
Type I reports are, as you might imagine, quicker to prepare for and conduct because you don’t have to wait for the controls to have been in place for a full six months. However, while Type II reports take more time, they are also that much more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on. They report on what you’re actually doing, rather than what you aspire to do. Because of this added value, my general recommendation is to get started early and work directly toward the Type II report. This approach emphasizes immediate action taken toward improving your security, and because Type II also covers Type I, there are financial savings in the long term if you start with Type II from day one.
Why SOC 2 Compliance?
Companies of all sizes can benefit from establishing an elevated level of trust with customers, prospects, and partners. If you process or store data on behalf of a customer, you should be concerned with how it’s protected.
In the news, we continually hear stories of large companies admitting to massive security incidents such as 500,000 leaked passwords, or millions of stolen credit card numbers. The recovery and cleanup of these incidents can cost in the tens of millions of dollars when combining the clean-up and forensics process, implementation of new controls, and lagging sales due to lack of customer confidence.
Large companies can often recover from a security incident like this because they have the financial resources and brand recognition to move past a single slip-up. Small companies and startups aren’t always so lucky. Loss of a single large customer due to a security compromise, or reputational damage that impacts a company’s ability to raise additional rounds of VC funding, can be devastating for a small or young business.
While there is no way to absolutely guarantee security, the SOC 2 report and Trust Services framework give companies external validation that they are managing risks appropriately.
The Value of SOC 2 as a Vendor
If you don’t have SOC 2 compliance as a vendor, you will probably have to fill out more than a few security questionnaires before you can work with any enterprise-scale customers. While that might sound easier than a SOC 2 audit on the surface, the questionnaires can be quite detailed and overwhelming, and they are often hard to fill out if you don’t already know the security lingo, have tooling in place, and know how to document processes. In other words, if you haven’t already gone through the process of setting up and enforcing policies as you would for SOC 2, you may find yourself stuck when the questionnaires arrive.
In a nutshell, being SOC 2 compliant will both help you sell to the enterprise, and force you to follow a set of strong best practices when it comes to keeping your company’s and customers’ data safe. Security is (or at least should be) a major concern for all technology-focused companies today, as we’ve written about in our previous eBook: Blissfully’s Practical Guide to People-First SaaS Security. Achieving SOC 2 compliance is a good way to demonstrate that you do indeed have security at heart in all you do as an organization.
4 Good Reasons to Pursue SOC 2 Compliance
Regardless of whether customers or prospects are knocking down your door for a SOC 2 report, it’s crucial to start SOC 2 preparation as early as possible. Even if you don’t plan to have an audit conducted for another two years, starting early will set your company up for success in many arenas. SOC 2 is a good idea for many reasons, including:
It Improves Security
The formulaic approach necessitated by SOC 2 will improve your overall security. This process will simultaneously mitigate potential attacks while building a strong security narrative that will help you win new business by better answering risk questionnaires. Security and compliance should be approached as an ongoing process, rather than a single event, and SOC 2 pushes organizations to build sustainable programs.
It Bolsters Company Culture
Implementing new security controls can be tough. People may complain about the extra time it takes to log in to services using multi-factor authentication. However, the minor annoyances are well worth the ultimate outcome. When it comes to building a secure and compliant company culture, the smaller and younger you are as an organization when new processes are put in place, the easier it will be to scale. Companies as small as three employees have gone through SOC 2 audits. It is also helpful to automate these processes as much as possible, baking them deep into your company culture. (We’ll cover the tools you can use to automate and streamline compliance later in this document.)
It Provides Documentation
It’s never too early to get your documentation in order. Do you have policies and procedures? Do you have internal standards documentation? Having these processes well-documented will improve internal communication and consistency, which in turn enables you to meet legal and compliance challenges, close more sales, and prepare for financial changes like a merger or acquisition or a new round of VC funding.
It Helps with Risk Management
Finally, preparing for a SOC 2 audit will give you a framework for acknowledging and mitigating risks. Many organizations that have not undergone a formal compliance audit are either unaware of security risks or addressing them in an ad hoc way. Approaching compliance systematically instead will ensure that even risks that aren’t top of mind receive attention and can be mitigated in a timely manner.
When to Consider SOC 2 Compliance
It’s a good idea to consider becoming SOC 2 compliant early in your company’s journey if you know you are going to be selling technological services to enterprises and will be storing and/or accessing sensitive customer data of any sort.
While it can be challenging to undertake a SOC 2 compliance exercise while you are small and under-resourced, it can actually be even harder to do once you grow larger. The larger your company is and the further along you are in your growth, the harder it is to change culture, processes, tools, and more. When you are smaller, you may not have an IT or security owner, but as soon as you do hire someone in a role like that, you may want to begin thinking about preparing for SOC 2 compliance. Sooner is better, since it will help you integrate the processes and controls into your team’s culture from the get-go. Later in this guide, we’ll talk about why the team at Blissfully decided to become SOC 2 compliant quite early in our journey and how we went about it.
The Tools to do SOC 2 Compliance Right
When it comes to the actual process, we highly recommend you lean on technological tools and automation, as opposed to spreadsheets and manual tracking. Keeping a level of organization will reduce the amount of busy work that your SOC 2 leader must undertake.
In addition, it’s important to identify a leader for the project. This person could be an IT or security lead, or it could be someone from your executive team. Ideally, he or she will have some technology background, but it’s not necessary for this person to be a compliance expert. If no one on your team has ever been through the process of becoming SOC 2 compliant in the past, however, you may want to consider hiring a consultant or firm that can help guide you through the process.
Here are some of our recommendations around tools to use during the SOC 2 compliance process, mapped to the common criteria requirements of the framework. You’ll note that these are excellent choices from an operational and security perspective as well, so even if you are not 100% ready to start the SOC 2 process right now, choosing tools like these will help put you in a good position when you are ready to move forward.
1. Organization and Management
Because SOC 2 requires careful controls around your organization and management of employees, it’s a good idea to invest in a human resource information system (HRIS). These systems track employee onboarding, key paperwork, policies, and other HR workflows. Using dedicated software for these workflows (vs. homegrown spreadsheets or docs) will streamline workloads, solidify your processes, and help you prepare for a compliance audit.
BambooHR is designed for small and medium-sized businesses, and it handles everything from applicant tracking to employee onboarding, and from vacation time to overall HR reporting. It’s an excellent, integrated system that your employees can interact with and use for self-service around many HR-related tasks.
Gusto is a similar HR software offering, covering payroll, benefits, and HR writ large. It is also designed for small businesses and provides companies with access to trained HR pros (helpful if you don’t have a large HR department), as well as benefits brokers who can help you select plans for your business.
Either of these choices will give you valuable visibility into HR-related data that will help you meet SOC 2 controls, especially CC1.
Next, Blissfully provides an easy and automated way to onboard new employees, giving them access to all the SaaS tools and apps they need with the click of a button. It also offers integrated, customizable onboarding checklists. Additionally, centralized audit trail features ensure that every action is tracked, so you can easily demonstrate that you are upholding compliance and/or regulatory mandates.
We also recommend Checkr for background checks when you are hiring a new employee. Conducting background checks on all new hires should offer peace of mind and will also help you meet SOC 2 requirements around organization and management.
2. Communications
Our Recommendation: Quip
A key part of security and compliance is documenting your internal processes. This documentation should be a living and breathing part of your organization. Therefore, it needs to be easy to create, edit, share, and navigate. Quip is a great product on all of those fronts, way better than using Google Docs (way too brittle for this type of documentation) or Google Sites / Wikis (way too much friction to ensure smooth usage and updates). Quip combines documents and communication into a single, central hub that is accessible from every device.
3. Risk Management
Our Recommendation: Practical Assurance
Formalized risk management processes are often a mystery to those without experience. Practical Assurance offers a host of templates, forms, and expert advice on how to meet the risk management requirements of SOC 2 and other information security frameworks. The platform can also be set up to send periodic risk analysis questionnaires to all employees, helping with user awareness of security protocols and documentation of your overall risk.
4. Monitoring of Controls
Our Recommendation: Practical Assurance
Keeping track of controls is an ongoing effort that is typically managed by a CSO or compliance manager. Many small companies do not have this dedicated position, so they may need help monitoring whether their controls are operating properly and regularly. For example, you need to know:
Was that quarterly backup and recovery test actually conducted?
What were the results?
Were the results sufficiently documented?
Managing SOC 2 compliance requires that a number of annual, semi-annual, quarterly, and monthly controls “fire” on time and are sufficiently documented. Practical Assurance helps distribute security responsibility and ownership across the organization, so you can meet SOC 2 requirements such as this one.
5. Logical and Physical Access Controls
Database Access Management
Our Recommendation: strongDM
SOC 2 requires that you restrict access to information assets (CC6.1) and authorize, modify, and remove access to data when appropriate (CC6.3). Those controls include every employee; technical staff are not exempt.
Access for technical staff tends to be the most difficult to manage because they require the most access to sensitive data, and that access occurs through databases that cannot be managed by single sign-on providers. Those permissions require custom scripting and manual work to manage.
strongDM eliminates that work and integrates seamlessly with your SSO to extend its control beyond applications to databases. That way you can conveniently onboard or offboard every employee through one platform. Because strongDM logs every permission change and query for every database, you enjoy instant answers to auditors’ questions during compliance reviews.
SaaS Security Monitoring and Management
Our Recommendation: Blissfully
Blissfully provides an up-to-date list of the SaaS subscriptions in use across your company—including “shadow” and unsanctioned applications. Blissfully also allows you to easily audit what permissions users in your organization are giving to which applications, and to get updates on all new additions. Finally, the ability to manage employee access to required SaaS products by department, and to consolidate licenses, gives unprecedented visibility into your SaaS stack.
Single Sign-On and Identity and Access Management
If you are going for SOC 2 compliance, it’s a good idea to deploy a unified identity and access management (IAM) or single sign-on solution. These types of tools both streamline the end user’s experience and protect the entire organization from security threats—all while helping you meet key SOC 2 requirements. IAM solutions work by authenticating a user once and then unlocking all apps for them (rather than users having to individually sign into each app).
We recommend using Okta for this. Okta’s IAM offering replaces insecurely sharing passwords, or requiring employees to memorize various difficult passwords. Instead, you integrate your company applications with a single provider that handles secure authentication. In addition to the authentication, you get reporting on login frequency, locations, etc., which is helpful when hardening your internal processes and getting ready for a security audit. Okta is the current leader in the space, has lots of integrations, and a mature mobile offering. G Suite does offer some of this functionality, but for a limited subset of products.
Another strong option is OneLogin, which offers cloud-based access management controls for web applications, both in the cloud and behind the firewall. Smaller organizations may want to consider deploying Google’s single sign-on options.
Our Recommendation: LastPass
Bad passwords are a key reason that credential attacks are so successful and common. Implementing a strong password management service is a good way to decrease your security risk while also meeting key SOC 2 controls.
Our recommendation is to use LastPass, which offers a vault for your users’ passwords, either via browser or apps on their devices. This way, they only have to remember a single master password. LastPass offers both small business and enterprise solutions to ensure that your users employ secure, unique passwords for every service.
JAMF offers centralized asset tracking for Apple endpoints, plus the ability to enforce key security requirements like password lock, screensaver activation timing, and hard disk encryption, all of which should be defaults across the entire organization. These policies, and the proof that you’re enforcing them, will be helpful come SOC 2 audit time.
(A note: In general Macs are more powerful, easier to maintain, last longer, are easier to support, and are less prone to security issues. All of these qualities make them a good choice for organizations who want to maintain security and easily meet SOC 2 compliance standards.)
In addition, you can use G Suite’s Mobile Management features to secure Android, iOS, Windows, and other smartphones and tablets. You can enforce screen locking and strong passwords, as well as remotely erase confidential data with device wipe or selective account wipe. G Suite’s Mobile Management features are a great way to meet key asset management requirements of SOC 2, and are built into G Suite.
Physical Access Controls
Our Recommendation: Kisi
It’s easy to focus on technological controls and forget that an uninvited visitor can pose just as much risk to your organization if they’re able to walk in the front door of your physical office space unfettered. Enter Kisi, a suite of IoT tools to help companies manage physical access to their workspaces. Kisi has a wide range of keyless entry solutions that increase security while helping businesses meet SOC 2 controls related to their physical spaces. Kisi is simple for IT admins, with a cloud management dashboard to remotely manage access rights to the various doors on the premises, and integration with user directories. For users, this also means simply unlocking doors straight from their mobile devices — making it easier to use and removing risk of lost access cards.
6. System Operations
You need to have incident management tracking in place in order to meet SOC 2 controls around system operations. Some tools you may want to consider are:
Which tool you choose may depend upon whether you are already using one or more of these at your organization for other purposes (such as customer success operations or project management).
7. Change Management
Our Recommendation: GitHub
GitHub is, as you probably know, the standard for code management. While many might not think of code management as an area where compliance would apply, it’s absolutely vital to carefully track changes to code, since these could be an indicator of compromise down the road. GitHub takes security quite seriously, and they have become the go-to for organizations who want to manage their code in a way that enables them to meet SOC 2 controls around change management as simply as possible.
The Complete SOC 2 Compliance Stack
Our Experience Becoming SOC 2 Compliant
It’s one thing to hear about all the specific controls and tools that go into SOC 2 compliance, but sometimes it’s helpful to hear from another organization about what the process is actually like. At Blissfully, we decided early on that achieving SOC 2 compliance was very important to us. We started the process just a few short months after completing our first round of funding.
As we reasoned, becoming SOC 2 compliant was fundamental to our vision of the company we wanted to build. One of our missions is to help other organizations manage IT successfully, and doing that requires trust. Achieving SOC 2 compliance, we hope, helps us demonstrate to our customers that we are trustworthy enough—that we take security and compliance seriously enough—to help manage their IT stack.
To get to SOC 2 compliance, we spent a couple of months really building out our own processes, tools, and workflows. Then we went through the process of finding an auditor. While price is important, we don’t consider this the most important factor.
The audit itself takes about two to three days for the key people involved. It’s a good idea to budget people’s time in advance. We did most of the documentation live, via exports or screenshots from our tools, to a shared Google Drive. We found that this was a pretty efficient way to go about it. (Note that Google Drive worked well for file sharing with SOC 2 auditors, but we still recommend Quip for internal workflows for the reasons we outlined earlier.)
We are happy to be able to say that we passed our SOC 2 audit on the first go with flying colors, mainly due to the automation tools and built-in documentation that form the core of how we work. You can see more about our journey in our post about why we did our SOC 2 early in our company lifecycle.
Achieving Compliance with Minimal Burden
Many organizations put off compliance because they believe it will be a huge hassle. You may have some latitude to decide exactly when you go through SOC 2 compliance. However, as we discussed earlier in this guide, it’s a good idea to do it sooner rather than later if you plan to work with enterprise customers and interact with sensitive data in any way, shape, or form.
Getting compliant without disrupting your team’s flow requires some advance planning. In our view, one of the best ways to make achieving compliance as painless as possible is to consciously choose tools and processes that facilitate compliance from the beginning. Even if you are going to wait a few months or a few years to actually go through a SOC 2 audit, following the recommendations above when it comes to tooling will help put you in a really strong position to make that move when you are ready.
When it comes to building a technology stack, including one for compliance, remember that people must use these tools and follow your controls. So you should always strive to balance achieving relevant security and compliance mandates with making life easier for your employees, customers, and the other humans who interact with your products and services.