The 7 things SaaS companies can do to get SOC 2 audit-ready fast, as witnessed across hundreds of SOC 2 audits.
Embarking on a SOC 2 process can be overwhelming. Typically when SOC 2 becomes a priority, it’s something you needed yesterday. There’s a big deal or a big opportunity or RFP that requires it, and there’s no way around it. But if you’re pursuing a SOC 2 report for the first time, you’ll likely become inundated with ads for expert advice, expert consultants, automation tools, auditors, etc. If you scroll through Google far enough, you might be lucky enough to stumble across the actual SOC 2 standard – a glorious spreadsheet detailing all of the criteria and points of focus for each of the 5 Trust Services Criteria (TSC) that make up the SOC 2 standard. But now what?
It’s easy to get lost in the weeds. At Drata, we’ve seen companies fly through their SOC 2 preparation in a couple of weeks, but in our past experience we’ve also seen it take companies a few months or more. We’ve seen a lot, and the companies that we’ve seen get audit-ready quickly all had something in common: they were aware of these 7 to-do’s when they got started, and now you will be too…
1. Use a Password Manager and enforce MFA everywhere including your IdP
A password manager like 1Password or LastPass is an application designed to create, store, share and manage your passwords and other authentication information for the systems you access. It’s important that your employees and contractors use a password manager to store their passwords for critical systems like GitHub, AWS, etc. Employees should never share passwords over Slack, email or iMessage. Password managers make this much more feasible in everyday practice. Multi-factor authentication is also made much easier with tools like 1Password, and should be enforced everywhere it is available, especially on AWS, GitHub, etc.
2. Enforce best practices on GitHub/Bitbucket/GitLab
There are best practices when it comes to the security of your code and application. Doing these early will set you up for success in a number of ways, including SOC 2 audit preparation. First, enable protected branches for your main and deployment branches. Set up a pull request template and place it in the root of your project or in a .github folder. Require reviews for pull requests that merge into production, restrict who can push to main and deployment branches, and set up a CI system whose tests must pass before pull requests can be merged into production. When it comes time to monitor this and prove it to an auditor, Drata puts this on autopilot. Drata will automatically monitor these requirements and collect evidence every day to ensure your audit readiness, and notify you if the rules are somehow not followed.
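The branch rules above can be checked mechanically. The following is an added example, not Drata's code: it audits dicts shaped like the response of GitHub's "get branch protection" REST endpoint, using constructed sample data, and also flags rules that administrators can bypass, which goes one step beyond the list above.

```python
# Added example: audit branch-protection settings against the checklist above.
# Input dicts mirror the shape of GitHub's "get branch protection" REST response;
# branch names and values in SAMPLE are constructed for illustration.

def audit_branch_protection(branch, protection):
    """Return a list of findings; an empty list means the branch passes."""
    if protection is None:  # the API answers 404 for an unprotected branch
        return [f"{branch}: branch is not protected"]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append(f"{branch}: pull requests can merge without an approving review")
    # 'restrictions' is null when anyone with write access may push.
    if not protection.get("restrictions"):
        findings.append(f"{branch}: no restriction on who can push")
    checks = protection.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        findings.append(f"{branch}: no CI status check is required before merge")
    # Not in the list above: without this, admins can bypass every rule.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append(f"{branch}: rules are not enforced for administrators")
    return findings

def audit_all(branches):
    return {name: audit_branch_protection(name, cfg) for name, cfg in branches.items()}

SAMPLE = {
    "main": {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "restrictions": {"users": [], "teams": [{"slug": "release-managers"}], "apps": []},
        "required_status_checks": {"strict": True, "contexts": ["ci/tests"]},
        "enforce_admins": {"enabled": True},
    },
    "deploy": {
        "required_pull_request_reviews": {"required_approving_review_count": 0},
        "restrictions": None,
        "required_status_checks": None,
        "enforce_admins": {"enabled": False},
    },
    "hotfix": None,
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```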
3. Track your vendors and conduct vendor reviews for critical vendors
Start tracking all of the third-party applications, SaaS subscriptions, browser extensions, etc. that your company is using. Understand what data you are sharing with them and, based on the criticality of the vendor, begin asking for their security documentation, including their latest SOC 2 report. For your key subprocessors (like AWS), conduct a formal review of their SOC report. Here’s a vendor SOC report review template to make things easier. As your company grows, you’ll be amazed at how many SaaS applications you’re using every day. Unfortunately, using a spreadsheet (and a Google Drive folder for the SOC 2 reports/reviews) to track this is going to be painful and likely never quite up to date, as new tools are likely adopted each week. There’s a better, more automated way companies are doing this:
4. Conduct background screening, security training, and track policy acceptance
When it comes to ensuring the security of your customers’ data, your company’s personnel are its first line of defense against threats. That’s why your employees and contractors play such a key role in your SOC 2 journey. If you’re not already, you’re going to need to start conducting formal background screens of your employees and contractors. You’ll also need to conduct annual security awareness training to ensure everyone is up to date with the latest security threats and ways to avoid security incidents. This is quite helpful not just for the company, but for your personnel to protect their own personal information. All personnel will need to read and acknowledge your company’s security policies, ranging from your Code of Conduct to your Acceptable Use Policy. Tracking all of this can be a project management nightmare, especially with information spread across shared folders, some in your HR system and some in your LMS (learning management system). Admins at companies using Drata have a single view of their personnel and each of the steps required, and employees and contractors are provided with a streamlined onboarding sequence to have them complete all the required items in a timely manner.
5. Conduct external application penetration testing
A solid security practice and firm SOC 2 requirement is an annual penetration test conducted by an independent third party. A penetration test (aka “pen test”) is an ethical hack of your system. It’s an authorized cyberattack meant to evaluate the security of your system and determine specific measures to take to fight against a real attack in the future. There are a number of options available out there, from automated scripts to robust, manual tactics meant to penetrate and take advantage of your system. Cobalt has been an industry leader in the penetration testing space and is highly recommended and used by Drata customers.
6. MDM (mobile device management)
Mobile device management tools like Jamf and Hexnode allow you to provision and wipe company-owned machines on behalf of your employees. This helps ensure workstations are configured correctly and securely, enforcing things like hard disk encryption, automatic operating system updates, auto-locking with screensaver, etc. Pro Tip: if your company isn’t ready for the expense of an MDM solution and still has a BYOD policy, there is another way to satisfy the SOC 2 criteria in a streamlined way without an MDM solution. Drata provides its customers with a lightweight toolbar agent that can be installed across macOS, Windows and Linux machines. The agent uses read-only access via osquery to monitor specific requirements for compliance purposes and provides a real-time view across all devices. With Drata, you can see exactly which machines are configured properly, and be assured your personnel are provided with the instructions to configure theirs accordingly.
7. Enforce best practices across your Infrastructure provider
There are a handful of practical measures and best practices to follow when it comes to configuring your infrastructure. Enable CloudTrail (AWS) logs and/or Google Cloud Logs (GCP). Use IAM accounts only with 2FA enabled. For Security Groups (AWS) and Firewall Rules (GCP), limit open ports. For cloud storage (S3 on AWS), disallow public access to S3, and enable logging, versioning and encryption. For RDS or CloudSQL, limit access to inside the VPC, enable encryption, and enable automatic daily snapshots. Voila, you’re going to have a much easier audit preparation process. However, that’s a lot of screenshots you’ll need to take to prove to an auditor that you’re doing those things correctly and consistently. Drata customers don’t need to take screenshots of their AWS, GCP, Azure, Heroku, or DigitalOcean configurations since Drata automatically monitors and collects evidence of the items above, saving companies up to hundreds of engineering hours per year in manual compliance tasks.
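The S3, RDS and security-group settings listed above can be evaluated as data instead of screenshots. This is an added example, not Drata's code: the dicts reuse field names from the AWS API responses, the per-bucket "Versioning" wrapper key and the allowed_public_ports policy are assumptions of this example, and all sample values are constructed.

```python
# Added example: settings checks for the infrastructure list above. Dicts mirror
# AWS API response fields (S3, RDS, EC2); sample values are constructed.
PAB = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def check_bucket(b):
    """b merges one bucket's S3 settings; the 'Versioning' key is this example's own."""
    out = []
    if not all((b.get("PublicAccessBlockConfiguration") or {}).get(f) for f in PAB):
        out.append("public access not fully blocked")
    if not b.get("LoggingEnabled"):
        out.append("access logging disabled")
    if (b.get("Versioning") or {}).get("Status") != "Enabled":
        out.append("versioning disabled")
    if not (b.get("ServerSideEncryptionConfiguration") or {}).get("Rules"):
        out.append("default encryption not configured")
    return out

def check_db(db):  # db: one entry from RDS DescribeDBInstances
    out = []
    if db.get("PubliclyAccessible"):
        out.append("reachable from outside the VPC")
    if not db.get("StorageEncrypted"):
        out.append("storage not encrypted")
    if db.get("BackupRetentionPeriod", 0) < 1:  # 0 turns automated backups off
        out.append("automated daily snapshots disabled")
    return out

def check_security_group(sg, allowed_public_ports=(443,)):
    """allowed_public_ports is an assumed policy: only these may face the internet."""
    out = []
    for p in sg.get("IpPermissions", []):
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", [])) \
            or any(r.get("CidrIpv6") == "::/0" for r in p.get("Ipv6Ranges", []))
        lo, hi = p.get("FromPort"), p.get("ToPort")
        if world and p.get("IpProtocol") == "-1":
            out.append("all ports open to the internet")
        elif world and (lo != hi or lo not in allowed_public_ports):
            out.append(f"ports {lo}-{hi} open to the internet")
    return out

# Constructed sample resources, each deliberately misconfigured in some way.
BUCKET = {"PublicAccessBlockConfiguration": {f: True for f in PAB[:3]},
          "Versioning": {"Status": "Suspended"},
          "ServerSideEncryptionConfiguration": {
              "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
DB = {"PubliclyAccessible": True, "StorageEncrypted": True, "BackupRetentionPeriod": 0}
SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
```

In a live account the same dicts would be filled from the corresponding read-only API calls; an empty list from each function is the evidence that the setting holds.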
There you have it. You now have the secret of the pros when it comes to getting SOC 2 audit-ready quickly. Even if you’re not already doing all 7 of these things, you’re already ahead of the game by being aware of them. There’s of course a lot more involved in getting audit-ready, including building your security policies and more. Now, staying audit-ready each year is an entirely new and interesting problem that involves a lot of screenshots, shared folders, email, calendar reminders, and our personal favorite: spreadsheets! Thankfully there’s a much better, faster, easier way to put SOC 2 on autopilot. Hundreds of companies have been using Drata to save hundreds of hours every year getting and staying SOC 2 audit-ready.
Drata was built from the ground up to streamline and automate the monitoring and evidence collection of your company’s security controls, saving companies hundreds of hours per year in manual compliance tasks. The automation is powered via deep integrations with your technology stack, from infrastructure providers to HRIS. Whether you’re pursuing SOC 2 for the first time, or are already the proud holder of a clean SOC 2 report, Drata can save your company hundreds of engineering hours per year in achieving continuous SOC 2 compliance, ensuring the audit-readiness of your organization every day of the year.
I've been doing this a long time. Drata is the slickest way of achieving SOC 2 that I've ever seen!