Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: The How-to of SOC 2


Quick Take

On this episode of Compliance Unfiltered, Adam gives an incredible breakdown of the “how to” of SOC 2 compliance. He also gives some straight talk about the importance of handling directional certifications (like SOC 2 and HIPAA) appropriately.

We cover everything from the criteria that need to be met, to how your organization can define controls for those criteria, to how you can define the testing steps that test those controls.

Questions about configuration? Need a better understanding of the complications and challenges of directional certs? No problem – you’ll get it all on this week’s Compliance Unfiltered!

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the venerable compliance legend himself, the one and very only Adam Goslin. Adam, how the heck are you? I’m doing good. How are you doing today, Todd? It’s another beautiful one, I can’t complain. Truly cannot complain. We’re here in the wonderful, illustrious days of late January, so stay warm wherever you are listening to us, that’s for sure. How are you? What’s going on? Well, I don’t have nearly the first world problems you have being in Cali, but we were surmising earlier today that the temp was like in the single digits this morning, so yeah, it was awesome.

So hey, what are you going to do? Those things are overrated.

But speaking of single digits, we’re talking about SOC 2 today. And we’ve had a conversation with our listeners about SOC 2 previously, Adam, but much of that conversation revolved around the what. What is SOC 2, and what do you do about it, and at a high level, how do you look at it from the outside looking in? But today, we’re going to take a different look at SOC 2. Tell us a little bit more about that. Okay. Well, I mean, with SOC 2, just to frame it up, I’ll list some of the challenges in a typical SOC 2 style engagement. So the way that it’s structured, some certifications are astronomically prescriptive, right? You’re going to do these 683 steps and this is precisely how you’re going to go do them. And there’s some other certifications which are more directional in nature. SOC 2 falls somewhere in the middle. They have criteria that need to be met, and it allows a framework for the organization to go in, define controls as to how they’re going to go about meeting the aforementioned criteria. And then, the organization would define testing steps to figure out how they’re going to appropriately test those controls. So I mean, framework-wise, it allows a little more flexibility for those organizations, more so than a prescriptive standard. Yeah, I mean, at least at a high level, I know that sounds easy enough.

What are some of the challenges there? Why can this be tough? Well, most of those directional standards are requiring this generation of controls and testing steps, right? And a lot of the way that the framework will prescribe, thou shalt define these controls and testing steps, is typically through a process of a combination of things. One, based on the business’s circumstances, what they’re doing, how they’re doing it, what they’re storing. They’ve got to go through some type of internal risk assessment process where they go in, they look at the internal risk to the organization of why did you choose this approach? And is it appropriate? And is this really going to provide appropriate coverage? And are you meeting the criteria in the first place? And so, the organization needs to figure that piece out. In addition, they also have some form of an assessor that comes in, and will ultimately bless this structure that they put together. So the reality is that, yeah, I mean, if you think about it, right? If I just give you some objective to go meet, well, there could be dozens of ways that one could go about meeting it. And it really depends on a ton of different factors. And so at the end of the day, there’s a lot of options for organizations on how they decide to go ahead and frame up their approach. Not the least of which is, you’ve also got to consider that you’re going through this exercise for a reason, right? You’re trying to show some third party that, hey, we’ve got our act together, and here’s how we do it. So you’ve got the opinion of others that fits into this as well. Are they going to look at the structure and say, yeah, these guys really have it together or, this seems weak. So, there’s a lot of variability there with the requirement, to go in and justify it through your internal risk. I almost look at it as, in some cases, depending on who your assessor is, right? 
In some cases it’s like, hostage negotiation or something as you’re saying, hey, we justified, this is good because of these reasons. And then you’ve got to go over and get the assessor to give you the sign of the cross that you’re in the right ballpark or no, you’re completely out of your mind or, you didn’t think about this or whatever. So, that process of just trying to get through it, it’s complicated.

It sounds like the configuration would be very different from company to company. Talk more about that. Well, I mean, if you think about it, right? Every single company that’s out there, they’ve got different circumstances. When I say that, I mean they’ve got different business objectives. They have different requirements. They have different solutions that they already have in place. They have certain vendors that they leverage that do certain activities. So the combination of all of those things is really going to be unique to any given organization. As well, the other layer to go throw onto this is assessors. This again, is a directional cert. So it’s not prescriptive. There’s a direct approach to the assessors for how they go about doing this. And so, one SOC 2 engagement with one assessor, and another SOC 2 engagement with another assessor, honestly, they could be approaching it completely differently in terms of how they do what they do. So you’ve got that, that goes in and layers on to it. At the end of the day, once all of this analysis, definition, planning, and getting controls and testing steps in order is done, by the time you’ve gone through all of that, and the dust has settled, and you’ve got your final list of controls with your final list of testing steps, I mean, quite literally that framework, more often than not, is unique to the target organization. The only time that I’ve seen it gain some consistency is if the approach towards SOC 2 is being driven by either some middleman, or the assessor themselves, with a particular framework that they know is going to meet that criteria. Then between organizations, you start to see some more consistency. But even still, there’s going to be deviations between those controls. When I take even two companies on kind of a framework style approach, going up against SOC 2, you’ll see differences between even those.

Yeah, well, I mean, that sounds like that would make tracking the compliance challenging, given the lack of a standard requirement listing, no? Yeah, it definitely does. So, TCT has worked through that process in terms of the TCT Portal. So, I mean, on the TCT Portal, we’ve got things like PCI, hyper-prescriptive, NIST standard, SOC, HIPAA, GLBA, GDPR, and, and, and, right? So we’ve had to take a look at how do we make it so the framework for being able to go through this process is kind of a consistent look and feel from the toolset perspective, and yet allow the great volume of flexibility needed to support something like a SOC 2. So, I think I mentioned this on the last podcast, but somewhere in 2020, we had gone in and kind of addressed this in terms of allowing organizations to go in, generate their own list of controls and testing steps. So, as they’re going through that process, they basically turn the portal on in like a mapping mode, where they have the ability to go in and add the definition and wording of all of their controls, associate their testing steps with the certain controls, and in some cases, controls can be leveraged across a number of criteria, and then some of the testing steps can be used across a number of controls. So, you get the ability to create this framework within the TCT Portal, that at the end of the day, it’s almost like you’re defining that requirement listing.

So, I take the PCI case, right? Where it’s extremely prescriptive, you have this many hundred requirements and poof, here they are, go fill your stuff in. Where in SOC, we’ve kind of got this upfront process of gaining all that definition. Get it all framed up, do your internal risk assessment, make sure we’re all on the same page internally, go to your assessor, review it with them. Go back in, make tweaks, adjustments, alterations, and all that fun stuff. Then you’ve got the ability to basically frame it all up within the TCT Portal. And the coolest part is the TCT Portal. I named the company appropriately, right? Total Compliance Tracking. So it wasn’t intended to be a SOC 2 system, or a HIPAA system, or a PCI system, but a tool to be able to track any and all compliance standards.
So we lived up to the name, and gave people a place where they can live and work on the SOC 2s of the world, alongside the PCIs of the world, as they go through their process.

Well, I mean, you’ve talked a lot today about directional certifications, specifically the complications that come along with them. What can make those directional certifications so challenging? Well, especially for the organizations that are just starting down this path, there’s a lot of coordination. I mean, we talked about the various realms of complication with just trying to get the definition together as they go through that process. So for organizations that are just getting started, there’s a lot of work that they’ve got to do to go in and get everything defined, navigate those steps, gain the head nods from all of the various people that we need to down the chain, including the assessors. So, there’s a ton of upfront coordination that’s needed. But, even if I flip over to the more seasoned organizations, let’s say that for three or four years they’d gone through ISO, NIST, or PCI. And now, business requirements need them to be SOC 2 compliant as well. It’s not as easy as you think, because I can go in and define these controls, etc. But even for those more seasoned security compliance organizations, now they need to go in and identify and select the controls which will create harmony between what they already have and achieving and meeting the criteria for something like a SOC 2. So, it’s similarly a process to go and see which controls do we have today? How do we want to map those into what we’re proposing to meet the criteria? And then go through the whole process as well. So even if they’re well down the path, it’s not just twinkle my nose, and poof, you too can be SOC compliant. It takes a good amount of effort.
What I’ll typically see in companies is, what they’ll do is they’ll take their most prescriptive certification or standard, and then map all of those controls and evidence into those directional certifications, and then figure out okay, now that I’ve gone in and done all of that upfront leg work, it actually helps them in the grand scheme of things.

One thing that the TCT Portal excels at, is the ability to be able to go in and configure up, and work against numerous standards within one system. So, we’ve got a lot of organizations that go up against PCI and SOC, and ISO and HIPAA, and they can do it all from the confines of a single interface. That upfront investment that those organizations make into the planning, that’s where you’re going to end up getting the dividends, as you start to progress into the subsequent years. What I’ll see more often than not in organizations, is that they have you get started, right? I can give you a real good example. I had one organization that I worked with for years.
Initially, they started with HIPAA, and all of a sudden a client came to them and said, we really need you guys to get SOC 2. Okay, finally, they went up against SOC 2. Then, fast forward another couple of years, somebody comes up to them and says, we really need you to be PCI. Okay, great, we went and got PCI. And next thing, somebody comes over and says, while you’re at it, we’d like you to go get ISO 27001 as well. And then fast forward another year and a half, and poof, it’s HITRUST. For organizations as they grow, as they deal with folks in different arenas, these new layers of certifications that they’ve got to fold on, that’s commonplace at this point in the game in this space. And it’s really kind of an expectation that organizations should walk into this with: we’ve got to be prepared to be able to handle these, notwithstanding the fact that the certifications change over time. Right? There’s new certifications that are coming out. We’re, like, what, two months-ish away from PCI going and releasing their PCI version 4.0. So all the people that have been 3.2.1 compliant are now sitting there facing, hey, we’ve got PCI version 4.0 coming at us. So there’s cycles of existing standards. There’s also new shiny standards that keep popping up. So it’s like running on quicksand, but if you’ve got the right tools, then you’re armed for bear.

No, and that makes a ton of sense. It really does seem like planning is critical. What are some of the benefits of having that upfront investment into the structure in place? Yeah, well, I mean, number one is time savings. Part of the reason why I started TCT is that I’d lived this space. I’d had to do this stuff manually and it sucks. Straight up sucks. And so the bottom line is, for organizations that put that investment into the planning and structure for how they approach their compliance, and especially so with something like SOC 2, whether you’re starting with SOC 2 and you know at some point in the game other standards are going to start layering on, or you already have the other standards and you’re layering on SOC 2, it really doesn’t matter. But putting together the planning for how are we going to go about approaching this and doing this is huge. That upfront one-time investment of planning yields dividends for every year from there on out, right? And the time savings for the organization, at the root of it all, that’s what you’re trying to drive for. Because oftentimes on these security compliance engagements, the biggest draw off on the organization is the amount of time that, in many cases, your most important, most critical people have to divert from day to day to do their security and compliance tasks. So if we can give that a better structure, if we can streamline it, if we can provide time savings to the folks that have to go through that process, that effectively yields dollars back to the organization. And so, as we go through that process, the time savings really is the key. That and the structure that you end up putting in place, that also yields dividends year after year, because now we’ve got a framework that we’ve gone through and vetted. Everybody knows what they need to go in and do. Better yet, you can go back, you can refer to what did we do the last time around? What was the evidence that worked? What did we need for what?
What maps to what? All of those various questions that you did in that upfront planning segment, those are the things that end up helping you in those subsequent years by really saving a ton of time.

One of the challenges with organizations, especially today with, I don’t know, we’ve got this little thing called COVID floating around. We’ve got the labor market effectively tightening up, and a lot of transition between organizations happening, because there’s a lack of resources. All of that also plays into the long-term benefits of the investment into the planning here. Because, if you think about it, if I can go log in, let’s say that one of my critical people that was on the engagement last year, transitioned to another job, got a promotion, and is no longer engaged or involved. With the next person that comes in, now I’ve got the ability to be able to point them to what Mary was doing last year, but she’s now been promoted to VP and doesn’t have time for this type of thing. Okay, so fantastic. You can go back to those prior year engagements and go, look, what did Mary do? What did Mary provide? How did Mary structure this? What were the controls and the testing steps that we needed to go in and meet? How did those map to other certifications? All of that is now systematically preserved. And the amount of time that needs to be spent by the people coming in to go replace Mary is greatly reduced. Back in the day, oh my god, they’d have to go and sit down and try to crowbar time out of Mary, and or figure everything out from scratch like Mary had to initially. And it’s just an absolute waste of time. They’ve got a clear repository to be able to go to. The second realm outside of the time savings, really falls into that clear direction about what exactly are we doing here as you structure these engagements. So going back to that earlier example of, I’ve got a really prescriptive PCI and I layer on a SOC, and oh, by the way, I’m going to do HIPAA, right? 
If you’re in that type of a setup, depending on how you configured your controls in SOC, generally speaking, one could use PCI as the centerpiece, map all of those technical requirements down, and effectively dwarf the testing steps to fulfill your controls, to fulfill your criteria of SOC, and you could dwarf HIPAA technical requirements at the same time. That said, effectively when the organization goes and walks in, they know, boom, I’ve got to go tackle PCI, and I’ve got these couple of leftovers on SOC, and I’ve got one or two leftovers on HIPAA, boom, done. Next thing, they’ve got everything filled in and know exactly how they can do it.

And the third element of that is literally just the streamlining that can be done. Yeah, go ahead. I want to know more about that, because I mean, I’m an efficiency guy, right? So all of this leads my head immediately to, how do we streamline this approach, and how do we replicate that? Yeah, it’s really the nature of that upfront investment in making sure that we clearly understand what we’re doing today. How does that map to the shiny new cert that we went and layered on? How can we best leverage the things that we’ve got? But that planning that you do, especially as you’re either founding, or really taking seriously getting your compliance program organized, the streamlining that you get out of that, oh, huge, huge, huge, huge dividends. Because in a lot of cases where you don’t spend that time, not in a lot of cases, in all the cases where you don’t spend the time to go in and do that upfront planning, it gets really discombobulated. If I were to take this approach of, okay, we’re going to go finish PCI, and when we’re done with PCI, then we’re going to go over and start filling in the blanks on SOC. Well, in fact, the crossover between PCI and SOC is substantial. If it’s planned out correctly, I can layer over and cover easily 85, 90 percent of a SOC engagement, if I do the right planning of those controls and testing steps. And in the HIPAA case, literally you can just dwarf the entire engagement with the technical requirements of a PCI. Obviously the circumstances are different, and the planning is different. It just depends on what the organization’s doing and using.

Probably one of the harder challenges would be starting off with a SOC and then layering on another semi-directional standard. I think it’s a little more challenging, but it just depends on the circumstances of the organization. But you’ve got to sit down and get the stuff planned out, so that your engagement’s efficient. And certainly one of the biggest keys to that is having some place to put all this stuff that will preserve the activity. Who did what? What did they do? What did they use? What passed muster? Who did the assessment, or provided additional directional guidance? What guidance did they deliver that I need to go make tweaks to the evidence? All of those elements are pieces that will play into some of the benefits of the planning, and having a systematic approach to the workflow, storage, and reusability of the information that you gather and gain going through one of these style engagements. And that really does put a bow on the how of SOC 2.

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
