SOC 2 Compliance is Nothing To Be Afraid Of

Get the Insider’s Guide on how to prepare for a SOC 2 compliance audit and how to implement identity governance processes that will scale with your business

Identity Governance and Administration (IGA) systems take a policy-based approach to IT governance by offering identity and access management, access control, and compliance capabilities that help address SOX, SOC2, and ISO27001 requirements. With IGA systems, you can manage identities, automate workflows for provisioning and de-provisioning users and devices, manage segregation of duties, manage roles, log activity for audits, and more.When it comes to SOC2 compliance, there’s no clear step-by-step guide and the process takes months to complete. One of the trickiest parts of the audit process is app permissions, access reviews, vendor risk assessments, and on- and off-boarding. But it doesn’t have to be that way. Here’s our hands-on roadmap to help you simplify the process and easily finish your SOC 2 audit.

Introducing Lumos

IT teams spend way too much time tracking help desk tickets for routine access requests. And employees spend way too much time waiting to get access to the apps they need to do their jobs.

Lumos Is on a Mission To Change That

Lumos takes access management and the ITIL experience to the next level by combining the workflow automation power of an identity governance and administration tool with the visibility and cost management controls of a SaaS management solution.

The result: a single solution that helps IT teams achieve compliance, drive productivity, and manage costs with workflow automation that handles employee access requests, access reviews, and SaaS app license removals.

Onboarding + Off-Boarding Automation

Streamline onboarding and rely on one-click off-boarding to manage app access and permissions.

Employee Self-Service Access Requests

Employees can see and request access to the apps they need to do their jobs.

Access Reviews

Speed through your SOX, SOC2, HIPAA, and ISO27001 audit prep with audit-friendly reporting.

Ready To Learn More About How We Can Help Transform Your IT Operations?

Visit Lumos

SOC 2 compliance is an important part of any company's growth. Whether you want to take your company public or to do business with larger organizations, it's an essential step. This article will take you through the basics of SOC 2 compliance. The goal is to give you a better understanding of what it is and how to make your management of it easier.

What is SOC 2 Compliance?

SOC 2 is all about handling, managing and storing data correctly. While being essentially a technical audit, it can be pretty extensive. SOC stands for System and Organizational Controls, and was developed by the American Institute of Certified Public Accountants or AICPA. SOC 2 is part of a larger framework, which addresses the shift in how corporate technology systems are accessed and data is stored as SaaS application use and cloud environments have grown.

There are several internal controls related to SOC 2 compliance. SOC 2 looks at those related to security, availability, processing integrity and confidentiality of customer-related data. While security controls—or specifically access controls—include things like your implementation of two-factor authentication and encryption as part of your security practices, confidentiality looks at your maturity in user permissions and your ability to protect access to customer data like intellectual property or trade secrets.

Why is SOC 2 Compliance Important?

There are some major advantages of being SOC 2 compliant and being able to communicate that compliance to a partner or prospective client. Much of this centers around trust. This is the major currency of any long term business relationship, and SOC 2 compliance helps establish it. While some companies may see a privacy notice and trust badging on their website to be enough, there is a much higher level and broad range of scrutiny that comes with larger companies. SOC 2 compliance demonstrates that your company has the internal controls—specifically security controls—in place to protect the privacy of customer data from a security incident like cyber attacks or other malicious activity like using your customer or business partner data for gain. Your security standards and practices directly address risk mitigation concerns of potential customers. The fact that your security measures and security systems are verifiable via a third party through a standard set of criteria means it is not just your assertion, but the industry as a whole recognizes your adherence to these business practices. In a prospect risk assessment, the effectiveness of controls you have in place shouldn't give them pause.

This trust can be leveraged well within a sales process or even larger business plan. Instead of slowing the sales process down for lengthly requests for information (RFIs), you can provide a recognized evaluation that speeds you time to close a prospective client. This can be a competitive advantage over smaller or less mature vendors in your space who may see the time period of their sales cycle increase.

SOC 2 Type 1 vs. SOC 2 Type 2

There are some important differences between SOC 2 type 1 and SOC 2 type 2. While both are regulated by the AICPA, they focus on different things. SOC 2 type 1 evaluates the design of security procedures at a specific point in time. SOC 2 type 2 looks at controls related to operations and compliance. These are outlined in the AICPA’s Trust Services Criteria (TSC).

For IT teams, SOC 2 type 2 is primarily what they'll deal with, often on a quarterly basis. From a practical standpoint, it means ensuring you have the correct controls in place and are regularly doing things like access reviews of the SaaS products you license at your company.

What is a SOC 2 Audit and Who Can Perform One?

A SOC 2 audit starts with a readiness assessment and is then done, or at least certified, by an external auditor at a licensed CPA firm as your service provider. They use the Trust Services Criteria (TSC) and look at the security, availability, processing integrity and confidentiality controls you have in place. It does this over a period of time in data, typically 6 - 12 months. The resulting audit reports from external auditors will acknowledge you comply with TSC. It includes test results for trust categories as well as specifics about systems and services.

Pricing can range quite a bit, but generally readiness assessments can cost upwards of $20K with the SOC audit from an independent auditor costing an additional $20K - $30K. Having Identity Governance systems and processes in place by company personnel can help reduce this cost. There are SaaS solutions or cloud services like Lumos that can accelerate this.

SOC 2 Readiness Assessment

The typical first objective in a readiness assessment or compliance checklist is to map what you have in place currently in your control environment to related controls defined in the SOC 2 framework. This includes looking at relevant organizational structure and processes, documentation of control activities and settings in systems as part of the audit process. While not necessarily looking for suspicious activity, it is meant to look more broadly at privacy controls—as well as additional controls—that are part of SOC 2.

Once you understand how what you have measures up to the SOC 2 framework, you can begin on the next objective of documenting gaps you have. Based on this you can formulate an ideal future state and create a remediation plan that has set deliverables and milestones to address control standards. This will help you identify the team and resources you need for successful management of a SOC 2 audit.