
infoTECH Feature

April 03, 2017

Five Lessons Learned While Preparing for Our SOC 2 Audit

By Special Guest
Jose Casinha, Chief Information Security Officer, OutSystems

OutSystems recently completed a successful SOC 2 (Service Organization Control 2) audit of its security controls, demonstrating compliance and its ability to protect sensitive customer data. Because organizations increasingly ask this of their vendors, five key lessons from that effort can help ensure a smooth audit.

Before embarking on this journey, remember that there are many certified auditors and that picking the right one is critical. Take into consideration your gaps across the five SOC 2 trust services categories: security, availability, processing integrity, confidentiality, and privacy. Some auditors can help you with this gap analysis and work with you to develop a prioritized approach.

Following are the top five tips for SOC 2 audit success:

1. It’s about more than just technology

Tech companies often think of information security in terms of technologies such as antivirus software, firewalls, perimeter networks, and more. As important as those technologies are, it’s important to remember that information security is also about people and processes.

If your organization doesn't have defined processes to support its technologies, not to mention people with the proper knowledge and experience to use those technologies, it's a recipe for disaster. You'll wind up with gaps in security, privacy, and processing integrity, and a host of other problems that follow when information technologies are not effectively managed and governed.

It’s also important to keep in mind that you need proper planning, communication, and follow up. Try to engage all of the right stakeholders across your entire organization.

2. Management commitment is key

To succeed with SOC 2 compliance, management commitment is required, especially at the top. In particular, you’ll need their commitment to: 

  • Provide the necessary resources (budget, tools, etc.)
  • Be part of communications
  • Participate in project meetings
  • Motivate information assets owners and users
  • Create the visibility needed to get the support of the rest of the organization

Management's visible reinforcement of the importance of your SOC 2 program is critical, because in any fast-moving organization there are competing priorities.

3. Promote security awareness early on

It’s common to find considerable gaps in security awareness at different levels of any organization. The sooner you start promoting greater awareness of security-related topics, the sooner you will start to realize the benefits.

Keep in mind that different security terms may mean different things to different people. For example, people often confuse disaster recovery with business continuity. Knowledge harmonization is key, so we adopted a variety of different approaches to achieve it, ranging from more casual brown bag lunches to formal classroom training. Because security is a broad and complicated topic, ensure you have multiple communication points and constant reinforcement.

4. Security is a continuous management process

Verifying SOC 2 compliance with an audit is just the first step. There are ongoing security requirements that you will have to fulfill under SOC 2 that will take time and dedicated resources. For example:

  • Security incident management. This is a challenge because different incident procedures are required depending on the type of incident. The overall organization, and in particular the customer support function, must be trained on the new policies and procedures. The support team's natural tendency is to solve customer issues as quickly as possible, and that can cause problems: under SOC 2 incident procedures, containing the incident and preserving evidence may take priority over immediately restoring service.
  • Change management. SOC 2 requires formal steps for planning, authorization, risk assessment, fallback plans, record keeping, and so on. For every change, one person is assigned to execute it and another assesses it from a security perspective. This can quickly get complicated as you define roles and add approvals to your existing processes. Ask yourself questions like, "What if somebody is on vacation?" The key to achieving scale is to automate as much as possible. Don't forget that security verification also extends to the customer requesting the change. How do you verify their identity? Are they authorized to request the change? Which changes can be considered pre-approved?
  • Security information and event management (SIEM). The SOC 2 criteria require that security events related to users, applications, and infrastructure be logged and monitored. A proactive security management approach correlates information across these logs rather than alerting on each source in isolation. When implementing security alerts, it's easy to generate many false positives that consume the team, so plan time to tune thresholds, time windows, and exclusions; the setup won't be perfect on day one.
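To make the correlation and tuning point concrete, here is an added example written for this edit (it is not OutSystems' tooling and is not code from the original article). It correlates a constructed authentication log with a constructed application log: a burst of failed logins is low severity on its own, a successful login right after the burst is medium, and a privileged application action from that same source shortly afterwards is high. The failure threshold, time window, and allowlist are the knobs a team tunes to cut false positives; the log format, IP addresses, and event names are all assumptions made up for the example.

```python
"""Cross-log correlation with tunable thresholds (constructed example).

Rules, each fired at most once per source address:
  brute_force   - fail_threshold or more failed logins from one source inside the window
  fail_then_ok  - a successful login from a source that just had such a burst
  fail_ok_priv  - fail_then_ok followed by a privileged app action from the same source
Sources on the allowlist (e.g. an authorized vulnerability scanner) are skipped entirely.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <log> <event> src=<ip> user=<name>
AUTH_LOG = [
    "2017-03-01T08:00:00 auth login_failed src=10.0.0.7 user=ops",      # slow, spread-out failures
    "2017-03-01T08:40:00 auth login_failed src=10.0.0.7 user=ops",
    "2017-03-01T09:20:00 auth login_failed src=10.0.0.7 user=ops",
    "2017-03-01T10:00:00 auth login_failed src=10.0.0.7 user=ops",
    "2017-03-01T10:40:00 auth login_failed src=10.0.0.7 user=ops",
    "2017-03-01T11:00:00 auth login_ok src=10.0.0.7 user=ops",
    "2017-03-01T10:00:01 auth login_failed src=10.0.0.5 user=admin",    # fast burst, then success
    "2017-03-01T10:00:05 auth login_failed src=10.0.0.5 user=admin",
    "2017-03-01T10:00:09 auth login_failed src=10.0.0.5 user=root",
    "2017-03-01T10:00:14 auth login_failed src=10.0.0.5 user=admin",
    "2017-03-01T10:00:20 auth login_failed src=10.0.0.5 user=admin",
    "2017-03-01T10:00:31 auth login_ok src=10.0.0.5 user=admin",
    "2017-03-01T10:02:00 auth login_failed src=192.168.1.20 user=jdoe",  # a user mistyping a password
    "2017-03-01T10:02:05 auth login_failed src=192.168.1.20 user=jdoe",
    "2017-03-01T10:02:10 auth login_ok src=192.168.1.20 user=jdoe",
    "2017-03-01T10:05:00 auth login_failed src=203.0.113.9 user=test",   # authorized scanner
    "2017-03-01T10:05:10 auth login_failed src=203.0.113.9 user=test",
    "2017-03-01T10:05:20 auth login_failed src=203.0.113.9 user=test",
    "2017-03-01T10:05:30 auth login_failed src=203.0.113.9 user=test",
    "2017-03-01T10:05:40 auth login_failed src=203.0.113.9 user=test",
]
APP_LOG = [
    "2017-03-01T10:01:02 app user_created src=10.0.0.5 user=admin",
    "2017-03-01T10:03:00 app report_viewed src=192.168.1.20 user=jdoe",
]

PRIVILEGED_ACTIONS = {"user_created", "role_changed", "api_key_created"}


def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, log, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "log": log, "event": event, **fields}


def correlate(auth_lines, app_lines, fail_threshold=5, window_minutes=10, allowlist=frozenset()):
    """Replay both logs in time order and return the alerts the three rules produce."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(l) for l in list(auth_lines) + list(app_lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of failed logins still inside the window
    compromised_at = {}            # src -> time of its fail_then_ok alert
    fired = set()                  # (rule, src) pairs already alerted, to avoid alert storms
    alerts = []

    def alert(rule, severity, e):
        key = (rule, e["src"])
        if key in fired:
            return
        fired.add(key)
        alerts.append({"rule": rule, "severity": severity, "src": e["src"], "user": e["user"], "ts": e["ts"]})

    for e in events:
        src = e["src"]
        if src in allowlist:
            continue
        # Sliding window: drop failures older than the window before evaluating this event.
        failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
        if e["event"] == "login_failed":
            failures[src].append(e["ts"])
            if len(failures[src]) >= fail_threshold:
                alert("brute_force", "low", e)
        elif e["event"] == "login_ok":
            if len(failures[src]) >= fail_threshold:
                compromised_at[src] = e["ts"]
                alert("fail_then_ok", "medium", e)
        elif e["event"] in PRIVILEGED_ACTIONS:
            if src in compromised_at and e["ts"] - compromised_at[src] <= window:
                alert("fail_ok_priv", "high", e)
    return alerts


if __name__ == "__main__":
    for a in correlate(AUTH_LOG, APP_LOG, allowlist={"203.0.113.9"}):
        print(a["ts"].isoformat(), a["severity"].upper(), a["rule"], a["src"], a["user"])
```

With the defaults, 10.0.0.5 produces the full low/medium/high chain and the scanner produces a low-severity brute-force alert; adding the scanner to the allowlist silences the latter. Lowering `fail_threshold` to 2 turns the mistyped password from 192.168.1.20 into two alerts, which is exactly the kind of noise the tuning period is for, while the slow failures from 10.0.0.7 never accumulate inside a 10-minute window at any threshold. That last case is also a reminder that a window which is too short hides low-and-slow attempts, so the window is as much a tuning decision as the threshold.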

5. Include planning for your innovation processes from the beginning

Risk is an inherent part of innovation and building the appropriate approach to risk management into your innovation process can facilitate and even accelerate it. However, it also requires careful planning and communication. Preparing for a SOC 2 audit is time consuming. Avoiding a conflict with a major innovation initiative is critical. So, make sure that the relevant teams are involved early and updated regularly.

Because SOC 2 reports are built on predefined, consistent criteria, they are quickly becoming the standard by which service providers are measured. The SOC 2 journey can be challenging, but there's no better way to simultaneously demonstrate your commitment to security and provide transparency into your controls and policies.

About the Author

With 20+ years of international software, B2B and IT security experience, José Casinha is Chief Information Security Officer for OutSystems, the world's leading low-code platform for application development.

Edited by Alicia Young
