Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: The How-to of SOC 2


Quick Take

On this episode of Compliance Unfiltered, Adam gives an incredible breakdown of the “how to” of SOC2 compliance. He also gives some straight talk about the importance of handling directional certifications (like SOC 2 and HIPAA) appropriately.

We cover everything from the criteria that need to be met, to how your organization can define the controls for those criteria, to how you can define the testing steps used to test those controls.

Questions about configuration? Need a better understanding of the complications and challenges of directional certs? No problem – you’ll get it all on this week’s Compliance Unfiltered!


Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Intro
Now, here’s your host, Todd Coshow with Adam Goslin.

Todd Coshow
Well, welcome in for another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one, the only, compliance legend guru himself, Adam Goslin. Adam, how are you today?

Adam Goslin
I’m doing good, Todd. All right.

Todd Coshow
Cannot complain, cannot complain. Well, we’ve got a whale of a conversation today, Adam, and it’s something that this time of the year is popping up on a lot of people’s radars, and that is SOC2 compliance.

Todd Coshow
Talk me down from this ledge, Adam.

Adam Goslin
Well, you know, as far as SOC2 goes, you know, I’ve done numerous engagements where SOC2 was either the focal point or was, you know, an ancillary certification for an existing client.

Adam Goslin
So maybe they had PCI as a primary and then layered on a SOC2, that type of thing. So I’ve done a number of different engagements with it. If you want to look at PCI versus, you know, versus SOC 2, you know, it’s about 85% plus crossover in terms of all of the technical requirements when somebody’s going down the road of a PCI.

Adam Goslin
So that makes things certainly a lot easier for those that are dealing with multiple certifications, etc.

Todd Coshow
No, most certainly. And I mean, I guess the hard part on that is like, you know, you’ve got somebody who’s super familiar with PCI, and they’re looking at it going, okay, well, where does it miss? What do I need to know now that I don’t already know?

Adam Goslin
Yep, so as far as the technical requirements, the things that aren’t covered under PCI, or not covered as deeply under PCI as you typically go through on a SOC2, really fall into three different main arenas.

Adam Goslin
One is the notion of kind of backups, if you will. The interesting part about PCI is they care deeply about the fact that the information’s encrypted and it’s being handled properly and it’s being handled securely.

Adam Goslin
And all this fun stuff, they don’t really care if you can put your systems back together. If something goes horrifyingly awry, they just wanna make sure that wherever it is, that it’s encrypted. So backups, high availability, which kind of blends into the next arena that typically is delving into a little bit deeper on SOC.

Adam Goslin
And that is the notions of business continuity and disaster recovery. Again, PCI’s main line focus isn’t whether or not the business can continue functioning, but is the data secured. So you typically go a little bit deeper on a SOC2 into things like the business continuity and disaster recovery elements.

Adam Goslin
And then the third main arena that we’ll typically get dialed in on is things like maintenance items for elements of physical security. So things like you’re doing your maintenance on your generators and your UPSs, the batteries that’ll kind of pick up and carry load while the generator’s spinning up, doors and things along those lines.

Adam Goslin
So those are the main three areas that kind of SOC gets into it a little bit more depth than PCI does typically.

Todd Coshow
Sure. And I guess, I guess the kind of next logical question there, then Adam, is it like, why would my organization be required to do this? Like, that’s all well and good. And like, you know, normally in the PCI track, it makes sense.

Todd Coshow
It’s pretty clear cut. SOC, the waters are a little muddier. So why would I need to do this?

Adam Goslin
Well, I mean, SOC’s been around for some time. And so for the typical organization, I mean, every organization is going to want to kind of pick a standard that they want to use as their centerpiece for how they handle security and compliance, et cetera.

Adam Goslin
So while it may be a company-driven selection, oh, we want to go up against SOC 2, in most of the cases, what I’ve seen is that the organization really is being driven in terms of what they pick for even their core standard based on their client requirements.

Adam Goslin
So a lot of times they’ll have a number of different clients which are clamoring for this certification or that. And if the majority of them are saying SOC2, then hey, guess what, we’ll pick up the baton and run with SOC2.

Adam Goslin
So this is a standard that comes out of the AICPA. And so as a result, because it’s something that’s kind of familiar to what most organizations already have, which is sometimes an accounting function, if you will, a lot of them will kind of get the nod or be pushed toward doing a SOC2.

Todd Coshow
Sure. No. So I mean, I guess my question there is, does it stand to reason then that, like, any accounting firm can do SOC2? Because I know we work with an accounting firm. And so I mean, if that’s a relationship that I already have, does that work or no?

Adam Goslin
No, not directly, because there’s a certain subset. So you’ve got the entire breadth of the CPAs that are out there and the organizations associated with the AICPA. And there’s really a subset of those folks that will perform SOC2 audits.

Adam Goslin
And so while the AICPA is a requirement for the assessors which are assessing against SOC2, just the fact that I’m a CPA doesn’t necessarily make that connection. They’ve got to actually go through some internal training and auditing and things along those lines in order to step into that SOC2 arena, if you will.

Todd Coshow
Okay, so I mean, I guess what’s different about SOC2 compared to like several other standards such as, you know, PCI, for example.

Adam Goslin
Well, the SOC2 requires companies to address a list of criteria. So if I go over to, I’m going to step it back a little bit. So PCI is an astronomically prescriptive standard. You’re going to do this, you’re going to do this, and you’re going to do it this way, and it’s a requirement, etcetera.

Adam Goslin
And they’ve got this gigantic list of stuff that you need to go in and do. Where in the SOC arena, it takes kind of a different approach, if you will. They have these kind of mainline criteria that they want the organizations to kind of go up against.

Adam Goslin
And so as the company goes through, they’ve got to make sure that they’re meeting the nature of that criteria. And in doing so, that company that’s going through the assessment, they need to make sure that they have all of the controls in place in order to meet that criteria.

Adam Goslin
And what falls below that, below those controls, is that I’ve got a series of testing steps where I go through and am able to validate each control that I have as part of my kind of makeup of how I’ve met the criteria.

Adam Goslin
And so in short, while SOC2 does allow some more flexibility, by default, it also increases the complexity of being able to get through it. And for one thing I neglected to mention, we just dove right into SOC 2, SOC 2, SOC 2.

Adam Goslin
So what SOC2 refers to, it’s Systems and Organizations Controls 2, is the full name of it. But in the compliance world, everybody kind of refers to it as SOC 2.

Todd Coshow
Okay. So I mean, listen, my head’s spinning a bit. I’m not gonna lie about it. Like, this sounds super complicated. How? How do companies keep this stuff on track?

Adam Goslin
Well, you know, back in the day, the vast majority of folks were kind of suffering through their spreadsheets. You know, for the cool kids that used the TCT portal, middle of last year, so middle of 2020, you know, we included the capability for companies and their assessors to leverage, you know, customized controls that they can go in and set up on the platform.

Adam Goslin
You know, one of the unique elements of, you know, of SOC2 is I can take two different companies, and one company is going to include this list of controls with associated testing steps, but another company in the same, you know, kind of in the same industry, if you will, they could have a completely different list of controls that they’ve leveraged that their assessor’s good with.

Adam Goslin
So each company is unique, but the TCT portal allows them to basically set up customized controls and then associate their custom testing steps right into the TCT portal. So it’s really, really cool.

Adam Goslin
And one of the other reasons why we, you know, kind of went down that route is when PCI, I know this is what we’re talking about SOC2, but when PCI v4 comes out, they’re including some capabilities which are, you know, I’m going to call them more SOC-like in that they have, you know, yeah, SOC-esque, yes.

Adam Goslin
Oh, we might have to trademark that one. So the reality is that they’re trying to appease typically the bigger organization that already has an established framework for how they do what they do, where they believe that they’ve met the nature of those requirements and have to kind of do a different approach to being able to solve them.

Adam Goslin
The customized controls are actually gonna set us up well for when we release PCI v4 on the TCT portal also.

Todd Coshow
So excellent. Well, I mean, what should a company do that wants to prepare for the experience, right? This is an undertaking. So how do you make sure that you don’t get caught flat footed?

Adam Goslin
Well, in the grand scheme of things, the best recommendation is unless they’ve got somebody internally that’s like an internal security and compliance expert, then I would strongly recommend certainly getting some help with navigating the waters.

Adam Goslin
You know, it sounds easy, right? Oh, all I’ve got to do is go meet these book criteria and poof, we’re golden. Except for the fact that you’ve got innumerable choices of how you go in and line up those controls.

Adam Goslin
You’ve got to be at one with your assessor. So certainly, one of the big elements in here is getting an assessor that you can work with, somebody that’s willing to look at your circumstances, look at your controls, help with navigating those waters.

Adam Goslin
But they’re going to be more directional in nature. But I don’t want somebody that can, no offense to the IT crew, but I don’t want somebody that can spell IT. It can’t just be somebody that we happened to nominate or the last one that sat down when the music stopped within the IT department.

Adam Goslin
We want to get somebody that has extensive security compliance background because it does get complicated. And that middleman, if you will, between the organization and the assessor really, really helps because then they can have those internal dialogues, they can play crisis negotiator with the assessor, make sure that we’re all on the same page and head in the right direction.

Adam Goslin
So, you know, the other part is that it does depend on the circumstances of the company in question. You know, if they’ve got other certifications that they already have, no matter what they are, whether it’s we have HIPAA or we have ISO or we have PCI or we have, you know, something else, if they’ve got other certs, then there is an opportunity to be able to take the hard work that they’ve already done and map those toward those controls and keep everything kind of aligned.

Adam Goslin
But that’s really where the art comes into play, especially when you’re trying to layer on a SOC2 is kind of getting all of those different pieces and whatnot in play because, you know, prep is the key.

Adam Goslin
If you can align all of those certifications that you have along with your SOC2, then your annual compliance path is just gonna be a heck of a lot smoother. And, you know, long story short, if you’re saving time, then you’re saving money.

Adam Goslin
Money, exactly. Yeah, and so, you know, once you’ve got that planning in hand, you know, and you’ve kind of got all the i’s dotted, t’s crossed, the alignment between your certs, all your controls and testing steps, then we can go to work on going through, starting to collect out the evidence for preparing for, you know, kind of for your SOC assessment.

Todd Coshow
Well, walk me through, I guess, Adam, what I’m supposed to expect from that assessment. Because I guess that’s the big question, right?

Adam Goslin
Yeah, there’s a process in the SOC arena following a certain path. So the way that you go about, now certainly we’ve already kind of talked about, okay, you got to go in and get all your upfront prep done.

Adam Goslin
You’ve got to make sure that you’re on the same page with the assessor around the controls, the testing steps you’re going to leverage to prove out those controls and whatnot. Once you’ve got all of, I’ll call it the groundwork laid, the SOC process is a little bit different.

Adam Goslin
What they’re looking for initially, there’s something called a Type 1 and then a Type 2. So what a Type 1 is in the SOC world is it’s basically, do you have the controls to meet the criteria? Do you have the testing steps to support the controls?

Adam Goslin
And can we go from top to bottom and prove out that we not only have high level policy and procedure for the execution of that framework, but do you also have evidence showing that all of this stuff is in hand like once, right?

Adam Goslin
The Type 1 is more of a, it’s a vetting process for the framework and confirmation that, yep, we’ve got everything in hand by kind of down that line. Once I go and get in and do a Type 2, then I’m going in and I’m making sure that the controls that we had during the Type 1, I’m evaluating their effectiveness over time.

Adam Goslin
It depends on the timing. So when I go through and wrap up the Type 2, the default answer out of the assessor is really going to be, hey, I want to go in and do the Type 2 a year down the road. So kind of the easiest, cleanest way to go about doing it.

Adam Goslin
So that’s typically how they’d like to set it up as an annual event type of thing.

Todd Coshow
Okay. So for companies that are starting down the process though, like, thereby seeking their Type 1, like, how long do they really need to wait before going down the Type 2? Because I mean, ultimately when you’re coming into this conversation, like, that’s the answer you want: not when do I start, but when is this going to be taken care of?

Adam Goslin
Yeah, understood. Well, and that and the target organization is gonna be under a lot of pressure, right? They typically, it would not be normal for the company to go, you know, some miscellaneous Tuesday.

Adam Goslin
Well, you know, it’d be a great idea today. Let’s go ahead and just throw all our, you know, throw all our hats in the ring on a SOC2 for fun, not usually the way it works. Usually the driver for it is, you know, whatever, some big opportunity or they’ve been, you know, been kind of getting the heat and the pressure from several key clients, et cetera.

Adam Goslin
So normally there’s some type of external pressure which is pushing the organization to, you know, kind of get through that process if they’re kind of approaching it for the first time. So most of the time what I’ll see out of the SOC2 assessors is that they’ll go ahead and get through the Type 1 and then have a preference to just say, well, let’s just set it a year down the road.

Adam Goslin
And then let’s go to our Type 2, it’ll cover a whole year and the world’s at one. But, you know, there are some businesses that, you know, because they’re getting that external pressure, they’re trying to get to the point where they can say, yeah, we got a Type 2.

Adam Goslin
The reason that Type 2 is important and why many of the organizations will press for it is it kind of holds more water than just a Type 1. It’s one thing to say, yeah, I’ve got a bunch of documented controls and theoretically they, you know, they work and I managed to prove out that I’ve done them once, you know, but it’s different to say, hey, these things are actually up, running, operationally effective over a period of time.

Adam Goslin
And so that Type 2 is really what the, you know, what the clients are gonna be pushing for. You know, really I’d recommend to folks, have I seen assessors do that Type 2 in less than a year? Yes, you know, but what I’d recommend, you know, the listener to do is coordinate with their assessor, find out what options the assessor is comfortable with because, you know, I’ve seen all sorts of different, you know, kind of different timeframes. Really haven’t seen many that are, you know, kind of in that three months or less, you know, time frame, but really it comes down to the assessor and where their comfort level is.

Adam Goslin
Cause at the end of the day, they’re the ones that have to, you know, go put their, you know, go put their signature on the bottom of the, you know, on the bottom of the piece of paper. So really it comes down to, you know, to their comfort level of what they’re willing to go sign off on.

Adam Goslin
And the corollary problem there is that, you know, I said, I haven’t really seen many of their, you know, kind of under that three month period. Well, I mean, some of these controls are controls that only happen, you know, every so often or periodically, you know, things along those lines.

Adam Goslin
So it’s, you do want, you know, typically a longer period of time for that Type 2 than shorter, just so that they can go ahead and get, you know, a better sense for the client. Now, no matter what, when they’re trying to figure out their Type 2, once they go through, let’s pretend for the sake of this discussion that the assessor signs off on, yeah, I’ll do a Type 2 and we’ll do it over a six month period. From the end of that six month period going forward, then it’s going to be kind of an annual shot. So, you know, there’s some thought process as well.

Adam Goslin
Now that I’m kind of thinking through, remember we were talking earlier about the organization that has many certifications. Well, I would strongly suggest, put some forethought into the timing of that Type 2 and when you want it to wrap, because if you’ve got a mature existing program with, let’s say, PCI, you’ve got PCI and ISO 27001 and now I want to go layer in a SOC2, we don’t want all the SOC2 requirements coming up, you know, whatever, five months before the end of your PCI cycle and whatnot. So putting some thought into where that lands in advance is a really good idea, because what a lot of folks will do is they’ll take one of these certs, make it their centerpiece.

Adam Goslin
And if their PCI timeline says, hey, our annual year is going to end at the end of August and then we’ll wrap up all of our evidence through September and we’ll shoot for reports in October. Well, you don’t want your SOC2 popping up in, you know, April, you know, type of thing.

Todd Coshow
Like I always say, Adam, it boils down to failing to prepare is preparing to fail. And so that’s a perfect segue, because it really boils down to how organizations are supposed to stay on top of these things.

Todd Coshow
How are they supposed to maintain this to keep up to speed? I feel like you can get behind the eight ball on these types of requirements so easily. What should people look to do to keep themselves prepared?

Adam Goslin
Well, once I get into that kind of maintenance mode, it is all contingent on their various organization that they had performed kind of getting to that point where they’re ready to go in and start getting into that maintenance mode.

Adam Goslin
So you really need to make sure that your ducks are in a row. You’ve got everything well organized. That’s key. Secondly, knowing and plotting out what needs to be done. When do I need to do it? One of the biggest problems that I’ve seen over the years with the organizations that go from kind of trying to get there to then being responsible for maintaining it is that they haven’t kind of put the forethought into making sure that they know what they need to do and when, and having some type of ability to track those things.

Adam Goslin
What I used to walk into back in the day is I’d go walk into it would be an annual assessment against fill in the blank certification. And sure enough, we get there and we’re answering some tough questions about, well, I forgot to do this, or, oh, geez, Bob, who was with us, who is no longer, he must have dropped the ball and whatnot.

Adam Goslin
So knowing what needs to be done and when is the first piece of it, as well as the taking advantage of that ability to map, all of that work that’s already being done on your other certifications, taking advantage of being able to map those in.

Adam Goslin
We were talking a minute ago about kind of planning out the end timing for your SOC2. And so if you know that I’m going to have this compendium of evidence against my standard PCI track, and I know that compendium of evidence is going to be wrapped up around that September time frame, well, plan your kind of SOC coverage period for the same period or the same annual track as your PCI.

Adam Goslin
Use that as the time frame, but set your SOC reporting elements out behind PCI. That way, everything just kind of flows.

Todd Coshow
Well, I guess the question there is, do you have a system for that?

Adam Goslin
Well, I guess, you know, but no, I mean, there’s lots of different ways that folks can do it. You know, the reality is that, I mean, we built the TCT portal to stop the spreadsheet insanity.

Adam Goslin
I had the unfortunate and onerous task of managing this stuff with Excel spreadsheets for way more years than I care to admit. But, you know, get some type of a system in place.

Adam Goslin
And here’s the important part when we talk about, you know, the system, right? Many, many of the assessment firms out there, they’ve got, you know, they’ve got some type of a system that they use.

Adam Goslin
And that’s great, except for the fact that, I mean, what I would encourage the folks that are actively going through compliance, think about it this way. You need your own system and then go ahead and get your assessor to connect into it, because that will carry with you.

Adam Goslin
You know, sometimes assessor relationships, you want to change it up. Maybe you just want to try out another firm, whatever it may be. Instead of making that gigantic investment into their systems, why don’t you make it into your own and make yours accessible to them? That’s what provides that ongoing continuity.

Adam Goslin
So looking for your own system is really important. And we were talking about those recurring responsibilities. You know, I’ve seen a lot of companies that they just struggle to stay on track. You know, a lot of times where I’ll see it come out of is that, you know, there seems to be some burning desire.

Adam Goslin
Well, I think there’s two things at play. So I think we’ve talked earlier about what I call the compliance party, right? And so, you know, the compliance party happens when the team that has gotten, you know, kind of get handed the task of going and getting fill in the blank compliant finally gets there.

Adam Goslin
And everybody goes, whoo. And then we go, ah, and then it was like, oh, my God, I’m so busy. All this other stuff that I got to go do and behind on everything under the sun. So then they go walk away from the security and compliance.

Adam Goslin
And invariably, I’ve seen that trade cycle more times than I can imagine, especially a first time getting their clients. And really what they’ve got to do is they don’t treat the, you know, although the assessor is going to show up once a year, it doesn’t mean it’s an annual process.

Adam Goslin
There’s things that you need to be doing every day, week, month, quarter, twice a year and once a year. And knowing when to do those through that period. So taking that responsibility seriously right as soon as you finish the compliance party will mean that your path come a year, you know, a year down the road when you’re coming back to answer all those questions.

Adam Goslin
That’ll make that process a whole heck of a lot smoother.

Todd Coshow
Outstanding. Well, Adam, I can’t thank you enough. That’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

Adam Goslin
And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks