
Getting Your SOC 2 Compliance as a SaaS Company

SOC 2 Compliance

If you haven’t heard of the term[1], you will soon enough.
SOC 2, meaning System and Organization Controls 2, is an
auditing procedure developed by the American Institute of CPAs
(AICPA). Having SOC 2 compliance means you have implemented
organizational controls and practices that provide assurance for
the safeguarding and security of client data. In other words, you
have to show (i.e., document and demonstrate) that you are acting
in good faith with other people’s information. In its simplest
definition, it’s a report card from an auditor.

At Rewind, before SOC 2, we had some processes in place, such as
change management procedures for when emergency fixes need to be
released to production quickly. But after beginning our SOC 2
journey we realized that we did not have a great way to track the
reasoning behind a required emergency change, and this was required
for our SOC 2 audit. So we worked with our auditor to set up a
continuous auditing system for these requests, providing a
long-term solution and a massive procedural improvement, offering this solution[2]
to other companies in our position. Achieving SOC 2 compliance
signals to the market that you are willing to provide assurance, in
the form of a third-party audit report, that you will protect
customer information: the information your business relies on.

Why Have SOC 2 at All?

In short, more data is collected by more organizations today
than at any point in history. As a whole, private and public sector
groups are becoming more conscious about how their proprietary data
is handled by other parties. For highly regulated industries such
as finance, healthcare, or publicly traded companies, SOC 2 has
essentially become a cost of doing business. For any SaaS companies
that want to “grow up” and sell to big brands, the question “Do you
have your SOC2?” will be one of the first things your sales team
gets asked.

SOC 2 reports also give companies a leg up in providing
assurance to customers in today’s cybersecurity landscape. The
volume of cyberattacks is increasing every year. A breach can
trigger fines, damage a company’s reputation, cause an exodus of
customers, and much more. SOC 2 compliance goes a long way in
mitigating losses from these scenarios by providing assurance that
you have key processes in place. A compliant business is more
likely to respond to a breach quickly, thus limiting its
impact.

Getting SOC2 the Swift and Smart Way

Before I joined Rewind, as at most growing SaaS
companies, SOC 2 seemed like an intimidating task to achieve. We
had processes in place, but we had work to do to formalize them to
be SOC 2 compliant and audit ready. The sales team was also
consistently getting asked about Rewind and our plans for SOC 2
compliance because our customers wanted that assurance, and getting
SOC 2 became a priority. The next step is understanding your
company’s SOC2 goals, priorities, and identifying what steps need
to be taken to become compliant.

I’ve spent my entire career as an Information Security
Professional with a focus on governance, risk and compliance. Much
of this is second nature to me. For newcomers it can be a daunting
and overwhelming process. So here is a quick framework to help you
get prepared for the road ahead.

1. Choosing your scope

The first step is to decide on the scope of your audit: what
service or product will be the focus, and which Trust Service
Principles you want to be audited against. For example, Security is
a mandatory principle, but you can also include confidentiality,
availability, processing integrity, or privacy.

Here’s an easy way to think about this: the service you provide
to your customers can determine what Trust Service Principles to
focus on. For example, if your company processes financial data,
“processing integrity” may be an important principle to showcase.
An ecommerce or marketing service would likely focus on security
and privacy because of the sheer amounts of personal data that they
handle.

Rewind provides SaaS backups, so the scope was our own software
platform. For our first SOC 2 rodeo, within this scope, the focus
was on security and confidentiality controls. Confidentiality was
an important principle, since customers are trusting us with their
backup data, and we want to demonstrate how we ensure the
confidentiality of the information entrusted to us.

It’s also important to remember that if you want to pursue other
Trust Service Principles in the future, you can nourish and grow
your SOC2 compliance program and internal processes to meet that
goal down the line.

2. Assessing Your Level of Controls

Requests from the sales team can definitely help you determine
what Trust Service Principles to focus on, but that doesn’t mean
you can start the audit process tomorrow. I always recommend
companies complete readiness assessments. This helps establish the
benchmark of how many controls you may already have in place, and
for those that you may not, you can identify what areas to focus
on. Once you get to 100%, you can prepare for your audit.

You can find various readiness assessment documents on the web
from various third parties or visit the AICPA website[3]. Auditors can also help
you with your readiness assessment as part of your engagement.

As an added bonus, a readiness assessment can help you
understand how to better budget for your SOC 2 program going
forward. For example, you could identify that you need to perform
a third-party penetration test on your application periodically, or
invest in an employee background check process, all of which have
ongoing costs to budget for.

3. Organizing Controls and Evidence Collection

There is no wrong way to organize your SOC2 compliance program
and controls. Yet in the long run, there are ways that make it more
difficult and ways that make it easier. Spreadsheets are fine to
list out all of your controls, assign owners, record notes and add
links to where your evidence is stored for audits. Over time
though, this gets messy and difficult to monitor.

At Rewind, we wanted to focus on the longevity of our SOC2
compliance program. Control ownership and evidence collection
needed to be centralized and accessible to all stakeholders. To
help with this, we invested in a Security Assurance Platform to
help us manage our compliance program. I’d recommend as part of
your SOC2 budget to consider a tool that can help you organize your
controls and monitor them going forward.

The difficulty here is finding the right solution that fits your
needs. You’ll commonly see companies advertise their solutions with
promises of “Get SOC2 in two months!”. Your compliance program
should be a machine that keeps going. It’s not a shiny medal to win
in record time. We wanted a tool that shared that mission also.

4. Choose and Train Control Owners

These are the individuals in your business responsible for the
implementation and ongoing compliance of your controls. The main
challenge here is that, on the surface, you’re essentially asking
people to do more work. Yet it shouldn’t be seen this way. This is
a collaborative effort to design controls and processes that are
SOC 2 compliant and that become woven into each team’s everyday
work.

Any new process added should be an improvement to the security
(or other Trust Service Principle related process/control) of your
company. Rewind went with a collaborative approach led by our
“Trust Team” while, at the same time, empowering control owners to
be responsible for their own areas of compliance. SOC 2 should be a
common goal for your entire company, not just the security team.

5. Choose your auditors

There are many reputable CPAs out there to perform your audit
for you, but different auditing companies offer a variety of
services. At Rewind, our choice of auditor (Moss Adams) is
recommended and trained to use our Security Assurance Platform
(Tugboat Logic), which we use to manage our SOC2 program. This
means we can manage the compliance of our entire program including
providing evidence to our auditors in the same tool. This reduces
the workload of our control auditors and means we can have a
centralized place to manage our controls, evidence collection and
audits.

A hurdle here can be knowing where to start. You don’t
want to tie yourself to a specific security assurance tool or CPA
if it doesn’t work out for you in the long run. Choose a reputable
CPA that is open to working with you and your workflows. You want a
collaborative relationship where you can also ask for advice and
know that they also want to be a part of your success.

6. Consider a Type 1 report before a Type 2

A SOC2 Type 1 audit can be incredibly beneficial to get your
feet wet in the SOC2 audit process. A Type 1 audit gives you an
opportunity to get experience with the SOC2 audit process and build
a rapport and develop a working relationship with your auditor. You
also get a report to provide customers which signals your
commitment to your compliance program. This is the approach we took
at Rewind and I am happy we did.

There is obviously much more to this process than what I’ve
provided. However, based on my experience, I think this can help
you set the stage for the next steps. Thinking about how SOC 2
controls fit into your business today will save you a world of
headaches in the future.

References

  1. term (en.wikipedia.org)
  2. offering this solution (rewind.com)
  3. visit the AICPA website (us.aicpa.org)
