A Startup Guide to SOC 2

According to IBM, data breaches cost US companies $8.19 million on average. Sadly, this number is only growing. GovTech magazine found that the total number of records compromised in 2020 exceeded 37 billion, a whopping 141% increase from 2019. Scary, huh?

But guess who is even more scared about a data breach than you? Your clients. Convincing them the data you’re storing for them is safe and sound is hard to do. Just saying you’ve never had a breach in the past doesn’t persuade them that one won’t happen in the future. Luckily, there’s a (laborious, lengthy) certification that can help: SOC 2.

If you’ve ever worked at a SaaS company, you’ve probably heard someone on your engineering or compliance team talk about SOC 2, but you may not know what it is, where it came from, why your company needs it, or how to prepare for an audit. We’re going to provide a brief history of SOC 2, explain the criteria for passing a SOC 2 audit, and showcase a few vendors guiding companies through successful audits.

A bit of SOC 2 history

At their core, audits assess companies’ controls and procedures to protect their employees and their customers from fraud. By controls, we mean rules or methods that safeguard information, such as two-factor authentication, password protection services, employee offboarding checklists, and even physical key cards.

Back in the 90s and the early 2000s, audits focused mainly on internal financial controls (remember Enron?). But now, companies are increasingly relying on third-party cloud-based services and have more access to customer data than ever before. As a result, The American Institute of Certified Public Accountants (AICPA) began to think about information security more generally, formulating reports to help organizations communicate their security practices to potential clients.

And so, in 2011, Service Organization Control (SOC) reports were born. The three SOC reports一SOC 1, SOC 2, and SOC 3一differ in scope and purpose. SOC 1 is for evaluating financial controls, and SOC 2 is for evaluating operational or compliance controls. Both of these reports can only be viewed by the organization that obtained them and their customers. SOC 3, on the other hand, is meant for public use and is essentially a more condensed version of SOC 2.

But what is SOC 2, really?

SOC 2 is a framework that validates an organization’s internal data center controls and other security-related operations that preserve client privacy. While that sounds simple in theory, it’s much more complex in practice. SOC 2 reports can be hundreds of pages long, with information around engineering processes, how long certain data is stored and where, employee job descriptions, onboarding practices, emergency plans, and more. And because the audit isn’t a series of pass/fail tests, and because not all companies do business the same way, SOC 2 reports will be unique to every company.

The 5 “Trust Service Principles”

Now, you can’t just say you follow SOC 2 procedure and publish your own report. If only it were that easy! SOC 2 certifications are issued by external auditors who judge how well your company adheres to one or more of the five Trust Services Principles. They are:

1. Security - Security is the minimum requirement for a SOC 2 audit and pertains to protection against software misuse, removal of/alteration of/disclosure of confidential data, or any other system abuse. Auditors will ask for proof of network firewalls, intrusion detection, and other methods of preventing unauthorized access. If you’re doing an audit for the first time, most auditors will recommend focusing on Security only.

1. Availability - Availability proves how accessible your system is. In layman’s terms, this means your software works when it’s supposed to. You have service level agreements (SLA) in place that stipulate how long it should take to fix errors, you monitor network performance, and you have outlined the steps to take when security incidents occur.

1. Processing integrity - This principle asks you to prove that your system processes data the way you say it does. Auditors determine whether your data processes are valid, complete, and accurate and look deeply at your methods of data monitoring and QA.

1. Confidentiality - Keeping data confidential is of utmost importance to your clients, so auditors ensure that data access is restricted to a particular set of people. Auditors will verify that you have email encryption and application firewalls and educate your employees on confidentiality best practices. Examples of confidential data could be employee records, strategy plans, IP, SKU lists, or financial documents.

1. Privacy - The AICPA has Generally Accepted Privacy Principles (GAPP) that govern SOC 2 Privacy. As you might expect, GAPP includes personally identifiable information (PII) like name and SSN but also encompasses personal data about race, sexuality, religion, and health. When auditors examine this principle, they expect an extra level of protection around PII with policies around the use, retention, disposal, collection, and disclosure of sensitive data.

Do startups need SOC 2?

Now that you know what SOC 2 is, it’s time to determine whether or not you need it. Many people tend to put off audits since the entire process can take six months to a year. But depending on what your company is doing and selling, that could be a big mistake. First, ask yourself if your company deals with sensitive health or banking information. If the answer is yes, you probably need to pass a SOC 2 audit. Simple as that.

Even if you aren’t working in healthcare or financial services, SOC 2 is often a critical component of enterprise decision-making. If you’re hosting any customer data on the cloud, chances are prospects will immediately look for a SOC 2 certification. Large organizations have whole information security departments whose job it is to evaluate your company’s ability to protect their data.

A SOC 2 preparation checklist

Let’s say you are hoping to start the SOC 2 audit process next year. Now is the time to get your ducks in a row so that you have time to address any gaps before engaging with an auditing firm (who will, inevitably, find more gaps). When preparing, it helps to gather information in a few buckets:

Your baseline environment - How does your company operate on a day-to-day basis? Do you enforce certain employee behaviors? Some things to start collecting are:

• A list of all employees, their roles, and their job descriptions
• Background check reports
• Signed copies of Codes of Conduct
• Org charts
• Board meeting minutes
• Instances of non-compliance

Communications - How do you inform your employees and clients of security updates and changes to your product and internal systems? Begin assembling:

• A list of all internal systems your company uses
• Employee security training modules
• An incident response policy
• Customer agreements (MSAs, SLAs)
• Release schedule(s)

Risk, monitoring, and availability - How does your company assess and handle risk? This one is super important and can be one of the longer aspects of evidence gathering. Gather the following docs:

• A Risk Treatment Plan and Risk Assessment Procedures
• A list of monitoring software
• Vulnerability scan reports
• Annual Pen test reports
• Incident management ticket samples and documentation
• Root cause analysis samples
• A list of all previous security incidents
• Capacity monitoring reports
• Employee termination checklist
• Proof of full disk encryption on employee laptops
• Intrusion Detection Service and Production Firewall reports
• Copies of your internal employee directory (LDAP, Google Workspaces etc.)
• Proof of Business Continuity and IT Disaster Recovery Programs
• All third-party vendor agreements in a vendor management program, along with a list of all the admins of those tools

Confidentiality - How does your company manage sensitive data? Show that you have:

• A Data Retention Policy
• A Data Classification Policy
• A Data Disposal Policy
• A way to train employees on sensitive data
• Evidence of customer contracts with sections related to the treatment of confidential data

A SOC 2 marketplace ready to help

As you might imagine, many people have put significant time and effort into making this arduous process simpler. Thankfully, they’ve been working on this problem for a while, so there’s a marketplace for SOC 2 readiness software and a suite of compliance auditors to choose from. Here are just a few go-to’s:

For preparation:

• Secureframe: Secureframe is a compliance automation software that boils down the complicated SOC 2 audit process into seven key steps. They’ve saved their customers hours upon hours of tedious busywork all while delivering best-in-class security. Even after their clients achieve the holy grail of SOC 2, Secureframe provides ongoing compliance monitoring to maintain their certification. Plus, it’s a Series A startup co-founded by a woman一we love to see it.
• Vanta: The Vanta platform prepares companies for SOC 2 audits with read-only integrations to the most popular cloud services, identity providers, and task trackers to feed directly into your evidence gathering. Post-certification, Vanta runs checks on your company’s systems every hour to guarantee compliance over time.

For auditing:

• Armanino: Armanino LLP is one of the 25 largest accounting and business consulting firms in the US and works directly with Tugboat Logic’s Security Assurance Platform to provide an integrated security audit process. With the help of experienced consultants and Tugboat’s integration capabilities, Armanino can give organizations the feedback they need to efficiently and independently obtain the SOC 2 certification.
• A-LIGN: A-LIGN is a cybersecurity and compliance firm that specializes in SOC 2 audits. Their testing is based on AICPA regulations and is performed by seasoned assessors. A-LIGN was the first CPA firm to provide IT audits and has over 20 years of SOC experience.

Adopt a SOC 2 mindset

These days, Fortune 500 companies will simply shoot down the sales process outright if you don’t have a SOC 2 cert. And if we’re being honest, the process to get SOC2 compliant basically starts on day one.

Set up your infrastructure with SOC 2 in mind, paying close attention to the five trust principles. The more you do this now, the better, since audit preparation services tack on extra costs to the $25,000 - $50,000 you’ll spend on the whole process. When it comes time to do a formal audit, you’ll want to have most of the pieces to this complex puzzle.