Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show notes: User Access Management


Quick Take

On this episode of Compliance Unfiltered, we help people who are newly tasked with obtaining SOC 2 compliance. The CU Guys cover:

  • Why getting started with SOC 2 compliance can be so challenging
  • Where you should start on this adventure
  • What type of game plan you should have when embarking on this journey.

Questions about references, tools, and how SOC 2 coexists with your existing compliance frameworks? The CU Guys have you covered there as well!

All this on this week’s episode of Compliance Unfiltered!

Remember to follow Compliance Unfiltered on Twitter.


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who you could consider the curator of your compliance cornucopia, Adam Goslin. How the heck are you? I’m doing fantastic, Todd. How about yourself? It is a week that I am truly thankful, Adam, and I think our listeners are going to be truly thankful this week as well. We’re covering a topic that seems to be gaining a ton of steam this time of year, and that is getting started with SOC 2 compliance.

So, why is it a challenge to, I don’t know, get started on SOC 2 specifically? Well, if you’re going down SOC 2 for the first time, you’re about to discover how flexible that particular compliance standard is. The framework for a SOC 2, it’s more directional than prescriptive, so it kind of tells you what you need to accomplish, but not what you need to do to get there. And that flexibility comes with both a blessing and a curse. So, the folks that govern the SOC 2 arena, they’re more concerned with the what and the how. As long as you can meet the criteria of SOC 2, then you’re golden. But not having a roadmap to follow can add some additional stress for many organizations. Is what they’re about to go do going to be good enough? Are they covering their bases? What haven’t they thought of? Will the assessor be happy and bless the approach? So I’ve been down the path of numerous SOC 2s. And, along the way, I’ve kind of picked up some different practices that’ll help you stay sane and make your assessor happy in the same shot.

No doubt. Now, where should one start the adventure? Well, in order to get SOC 2 compliant officially, you need to engage with an assessor. And so, you know, some of the organizations, they’re looking to identify their assessor as quickly as possible, so that they can make their decision and get going, ASAP. You know, it’s a decision that I strongly recommend organizations not rush. Assessors aren’t, you know, assessors aren’t like, I need this wrench, you know, of this size, so you go out and go find a wrench, right? You’re not going to just hire somebody, hire an employee based on the resume, type of thing. Just the same way you shouldn’t just go to the Yellow Pages, or Google, and just pick an assessor out of a hat. The bottom line is that the assessor is going to be very integrally involved. They’re going to be a part of the solution. And so, it really does matter who you hire. Some of the assessors have kind of a black and white approach to SOC 2, they have this kind of predefined blueprint for filling in the requirements. And, you know, that works, and it doesn’t for some organizations, for many organizations, because, as long as you’re following their blueprint, then yeah, you’re off to the races, but if you’ve got to step outside, or paint outside the lines, now it’s grit in the gear. And, on the other end of that spectrum is an assessor that’s able to be flexible about how the criteria are met, and there’s nothing wrong with either approach. Certainly, there’s some optimizations to be gained under the first scenario. There’s some flexibility to be gained under the second, you know, but make sure that you’re gaining an assessor that meets the requirements of the target organization.
I’m typically a bigger fan of the assessor that has had some experience, and been out there for a bit and, has seen many different ways to be able to fulfill the requirements and use their sense of, whether or not you’re meeting the criteria, and be flexible with your organization. You also want to find somebody that fits in well with the organization’s culture, values, and priorities etc. Looking for that assessor that has some measure of an understanding of how your organization ticks, will make it a lot easier to navigate those waters and, and stay in lockstep.

Okay, so I guess the question, speaking of staying in lockstep, is how do other certifications and standards, right, for the organization? You know, how do they kind of play into this? Because obviously, most organizations that are going up against SOC 2 are also going up against other standards? Yeah, well, if you’re subject to one, you’re often subject to more than one. So if your company isn’t already going up against multiple certifications, you could be in the future. So I’d say before you go down the path of the SOC 2, number one, what other things do we already have to maintain compliance with? And number two, is also, paint outside the lines, look outside of just the immediacy of what you’re dealing with right now, because it’s a whole lot easier to structure your compliance program. Plus, everything you have today, anything that you see on the near term horizon and go in and do that once. That way, you can optimize your compliance program and, be able to not only meet the criteria of SOC, but also, check the various boxes you have against anything else you may be compliant to. If you’re subject to PCI, or ISO, or HIPAA, etc, then you can go ahead and make sure that you’re checking all of those other sundry boxes. Certainly, if an organization is subject to something like PCI, where it’s extremely prescriptive, well, now I’ve got a roadmap where I can take those standards, map them off against the SOC criteria, and really optimize the program by fulfilling that SOC 2 criteria as you go.

Well, what do you hear people saying on that? But before we move on, I’m curious. What do you mean? What do I hear people saying? When you’re able to kind of help them with that roadmap utilizing a more prescriptive cert like PCI, to give them the signposts needed to navigate SOC 2. Well, it certainly makes things a lot easier, right? The whole point of SOC 2 is to develop controls to meet the criteria and then testing steps to measure the effectiveness of those controls. And so, if I already have controls that I have in place against a prescriptive standard like PCI, now it makes it very portable as I’m effectively mapping the controls I already have in place against the criteria of SOC 2, and now I’m able to fulfill and optimize the overall program.

Well, what should your plan of attack be? Well, as you’re getting into it, certainly the planning process will go a long way, especially on a SOC 2 style engagement. Just because we talked about that flexibility earlier, it’s rough when you just dive head-first into doing it, without stepping back and putting the game plan together. Because it’s a flexible standard, there isn’t, unless you’re with one of those real prescriptive assessors, that go in and do these 15 things, 57 things, whatever, then poof, you too can be SOC 2 compliant, if you’re not heading down that path, the planning process is important. That way, you can go ahead and go down some of the key questions like, what objectives are we trying, or need, to meet? What are the controls that need to be in place to satisfy the assessor? Which exist, which don’t? How are you going to satisfy each of those controls that you want to have? How can you optimize those controls across your existing SOC, in addition to your other certifications? But getting that planning together so that you’ve got that full set of controls to be able to cover all of the SOC 2 criteria is a real important step. Then after that, once you’ve got the control mappings all in play, then planning out those validation testing steps that you need to prove out the effectiveness of those controls is your next step. The nice part about the planning process is this can all be done in advance of actually implementing stuff. You’ve got a road map, you’ve got a game plan in hand. Now, I can take that and validate and vet it, if you will.

Anyone out there that could be helpful? Yeah, when organizations are going down this path, you’re going through that planning process. It’s critical that if you have a compliance consultant, they are involved, certainly somebody that can be there shoulder to shoulder with you, to help you through that process. If you’re fortunate enough to have a consultant as part of your team, then certainly take advantage of their skills, their knowledge, their expertise, capabilities. You know, the nice part about the relationship with a security compliance consultant is that they aren’t assessing you, they’re on your side. A lot of the assessors, it’s kind of an interesting relationship between the assessors and the people that they’re assessing, in that they’re limited in how much they can tell you what to do, tell you which solution you should leverage. Most of them will take, I don’t know, I’ll call it a middle ground approach of saying, well, you know, there’s five different ways that you could go about checking this box, and hand you these five, type of deal. And the consultant, they don’t have to stay agnostic, they don’t have to give you five different options. They’re going to look at where are you at, what do you have? What do you need to implement? What are the remaining steps, and say, in my opinion, this is the thing that you should be going in and doing. So it’s kind of nice to be able to get the input from that consultant, because, again, they’re on your side, they’re going to give you unfettered input that’s directly helpful as you’re going through it.
That said, in addition to the consultant. So the consultant can really help with the upfront planning, certainly the implementation prep for the assessment, etc. But before you’re running off down this path, certainly go ahead and now bounce what is now a fairly solid game plan for how you’re going to go about approaching this, go back to your assessor, have them review what you’ve done, what you’ve put together, make sure that they don’t have any questions, don’t have any concerns, that they’re blessing the game plan and the approach. Certainly at that time, the assessor can also donate various nuggets of guidance and knowledge about what it is they’re expecting from you and what things you need to do to stay in bounds, etc. They can provide a lot of that upfront guidance, and certainly making sure that you’re on the same page as your assessor is huge, especially in that kind of early phase. You don’t want to go run down the path, get everything in place, and all of a sudden people are blowing trumpets, and hey, we’re ready, and then the assessor is just like, no, fix that and fix this, and this is wrong, you don’t want to go down that path. You want to make sure that they’re on the same page as you.

So what about your existing tools that you have in place? Like when I talk to clients in my business about SOC 2, a lot of times, they let me know, well, we’ve kind of got our own way of going about things, and it’s really what us and our staff, and our clients are used to seeing. And so how can people, I don’t know, make that process consistent, but also kind of step into a better way of going about things? Well, you know, the thing is that for many organizations, regardless where they’re at in the continuum, they’ve got existing tools, they’ve got existing vendors. Certainly one of the first things before you’re like, oh, well, we’re going to need this, and we’re going to need that, and, you know, going off and doing these searches for these net new solutions, tools, vendors, etc, go look at what you’ve already got, you know? It sounds odd, but go in and look at what software do we have for our existing firewall? What capabilities does that have, natively out of the box? There very well may be, you know, check boxes that you can go in and check in the configuration of fill-in-the-blank tool, and you’ve got a solution that is going to go ahead and meet your SOC 2 requirements. Taking a look at the tool sets that you’ve got, any of the tools that you already have in place, figuring out whether or not they’re going to be able to assist in meeting the various controls that you need to have in play, it just gives you a really straightforward and easy way to be able to extend what you already have, what you’ve already invested in, and take advantage of the internal knowledge that the team has. Also, at the same time, look at your tool sets. You might have a tool that’s just performing a single function, but other tools that you’ve got can cover that particular function. So you almost have an opportunity to go in and optimize your existing tool sets, to try to streamline things, not only as you’re going down the path, but operationally as well.
And, as you’re going through looking at all these tools, go in and look at your service vendors, look at any consultants that you’ve got, find out what capabilities they have, what things they can bring to the table. A lot of times, especially as you’re trying to go in and you’re looking at, how do I want to solve this for this particular control, a lot of times there’s a notion of, well, do I extend what I already have? Do I build this thing from scratch? Do I not want to spend the time, and we’ve got the dollars to go do it, so I’m going to go hire somebody to check this particular box, or check 90% of this particular box, etc. It’s that kind of build-or-buy decision that organizations need to go through. But there’s a lot of various areas that organizations can go in and look at as they’re laying that groundwork for heading down the path.

Any parting shots and thoughts for the folks this week? Well, we’ve talked about a lot of the getting started and prep, etc. Certainly once you’ve done all the things that we’ve been talking about so far, now rubber meets the road, right? You get to go through the joy of going ahead, putting in place all of these various sundry controls, optimizing your tool sets, finally culminating in sitting down and going through that assessment with the assessor.

In the SOC 2 arena, they’ll typically go through what’s called a Type 1, where the organization is effectively proving out that we have all of the sundry policies, procedures, and implementation of this list of various controls, and we’ve got those in place. Once, bingo, Type 1, you get the gold star, and then move on to Type 2, which the Type 2 is really proving out that these controls that you have asserted that you have in place, that those controls are effective over time. And that’s really where operational mode comes into play. Certainly, once you’ve gotten through the, yes, we have all of these controls in place, moving immediately into that operational mode is important, because now we need to actually maintain this thing. And that’s a really, really important element of not only the prep for the Type 2, and then each of your annual certification, or assessment, runs after that. It’s just good for the overall organization, making sure that you’re keeping up with what you’re supposed to be doing and when. Part of that operational mode also gives the organization the opportunity to really look at the overall matrix of elements that they need to accomplish over the course of the year. It also allows them, with some additional planning, to kind of plan out how do I want to spread that load over the course of the year. There’s certain things you’ve got to do each week, or each month, or each quarter, twice a year, once a year, you know, etc. But those items that need to be done annually, it doesn’t mean that they all need to be done at the last second; coordinate with your assessor, put together a game plan for which of these items can I pull ahead, do earlier in cycle, things along those lines. That way you can spread the load out over the course of the year. When someone’s taking on a particular compliance standard, we’re talking about SOC 2 today, when you’re doing it for the first time, it’s not easy.
It makes things a whole hell of a lot easier to do that upfront planning, put some of these things that we’ve talked about today into place, especially when you’re dealing with a more directional standard, such as SOC going up against the criteria. But, the more that you can lean on other people, their experience, their expertise, and the planning that we’ve talked about in this particular podcast, the more that you take advantage of all of that as you’re going through and spinning up your SOC 2, it just makes things a whole heck of a lot easier. Certainly, TCT has got the capability to assist organizations with the pain in the ass compliance management aspects of it, but a lot of what we’ve talked about today really comes down more to the operational team and their planning processes as they head toward that SOC 2.

No doubt. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
