blog-banner

What is SOC 2? How to obtain a SOC 2 Report

Last edited on November 11, 2021

0 minute read

    I was hired as the compliance manager at Cockroach Labs in November 2020 to help support the compliance workstreams that sprawl across multiple business units. Compliance can be a daunting task for organizations, even if they have a mature security posture, as compliance and security are often linked together but they are not the same thing. Cockroach Labs completed our first SOC 2 Type II audit in April 2021. In this blog post, I will cover details about:

    • What compliance is,

    • When organizations should start to think about compliance,

    • What are common the compliance frameworks that organizations will be audited against,

    • Where to start your company’s compliance journey, and

    • How Cockroach Labs built a set of internal controls to be audited against SOC 2 Type II Trust Services Criteria.

    What is compliance?Copy Icon

    Compliance is adherence to policies. If your organization is looking into obtaining a compliance report or certification you will need policies that govern your company’s information and cyber security.

    When to think about compliance? Which industries commonly require it?Copy Icon

    Does your company offer a product or service that could impact the confidentiality, integrity, or availability of your customers’ information or data? If yes, you will eventually be audited in some way, shape, or form. Third party risk management processes generally require that companies who are data custodians are audited, at a minimum, annually. The need to have a certified audit report that you can share with your customers is really only a matter of time. Often compliance and audit reports only become a requirement after a customer asks. If you can plan to have compliance as part of your product delivery, you can put yourself in an advantageous position. When internal processes are designed with compliance in mind there is rarely a need to re-engineer and alter how work is done.

    What is SOC – SOC 1 and SOC 2?Copy Icon

    AICPA’s Service Organization Controls (SOC), both 1 and 2, are sets of criteria that are used to evaluate a company. Depending on how your business operates and the types of services you offer, you can obtain a SOC 1 and/or a SOC 2 report. The goal of a SOC 1 report is to provide assurance that financial information that is stored or processed by a company is being handled safely and securely. So if your organization is offering a service that deals with financial records, an example would be a company offering payroll services, then a SOC 1 report may be a requirement of your customers, or can help to offer assurances to prospective customers.

    A SOC 2 report can be used to measure the effectiveness of an organization’s controls regarding the security, availability, confidentiality, privacy, and process integrity of a system or service offering of a company. An organization can choose what criteria they will be audited against, but generally, all SOC 2 audits will cover the security criteria, aka the common criteria (CC). SOC 2 is more generalized as opposed to SOC 1 and as it reviews the organization’s controls regarding the selected criteria and not specifically protection of financial information.

    Both SOC 1 and SOC 2 audits can be either a Type I or Type II. In a Type I audit, you will be audited against the design on your controls at a point in time. Audits will review the control set and ensure that the controls are designed appropriately for the criteria that you are auditing against. In a Type II audit, you are audited for a review period to ensure that the controls have been operating effectively during a period of time. You and your audit partner can determine the best cadence for your audits; generally the shortest review period is three months to allow time for an adequate sample of control evidence and the max is twelve months. In my opinion, the easiest way to look at Type I versus Type II is that the Type I is a readiness test for the Type II audit. During a Type I audit you can work with your audit partner to ensure that your controls are designed properly and establish testing procedures for each control. This will allow you to understand what will need to be collected for evidence during the review period for your Type II audit. If you are interested in obtaining a SOC 1 and SOC 2 report, the best approach is to conduct a Type I audit for readiness and then conduct on-going Type II audits to ensure that your controls are continuing to operate effectively.

    Other common compliance frameworksCopy Icon

    SOC 2 Type I and Type II audits are more flexible and less of a targeted audit compared to other types of audits. Some common compliance frameworks include the following:

    • International Standards Organization (ISO) 27001 is another popular compliance certification that tests the Information Security Management System of any organization. ISO 27001 is more focused on the organization of information security of a company.

    • The Payment Card Industry Data Security Standards (PCI DSS) is a compliance framework that governs the security standards for companies that store, process, and/or transmit payment card data. If your organization presently stores, processes, and/or transmits payment card data and you are not PCI DSS compliant, stop reading this blog post immediately, start the process to achieve PCI DSS compliance, and best of luck to you! This is obviously a joke, but I am trying to highlight a point that the business you conduct and your customer base will drive the compliance requirements of your organization.

    • Health Information Trust Alliance (HITRUST) is a data protection framework that is designed to help organizations regulatory compliance and risk management. Organizations can adopt HITRUST Common Security Framework (CSF) which is certifiable by approved security assessors who can audit your policies and security controls against the HITRUST CSF. HITRUST leverages nationally and internationally accepted security and privacy-related regulations, standards, and frameworks–including ISO, NIST, PCI DSS, HIPAA, and COBIT.

    • Federal Risk and Authorization Management Program (FedRAMP) is designed to authorize your cloud service offering for use with federal agencies. FedRAMP sets the baseline controls from NIST Special Publication(SP) 800-53. A cloud service provider can be assessed as a Low, Moderate, or High security level system. The security level will determine the total number of controls that an organization will be required to adhere to. Authorization can be achieved in one of two paths; agency process or joint advisory board (JAB) process. In the agency process, cloud service providers will work directly with an approved agency to receive their Authority to Operate (ATO). For the JAB process, cloud service providers will work directly with the primary governing body of FedRAMP to receive a Provisional Authority to Operate (P-ATO). If your organization is interested in pursuing FedRAMP, the best place to get all the information needed is https://www.fedramp.gov/.

    • Privacy compliance is a company’s adherence with established personal information protection guidelines, specifications or legislation. Privacy compliance has become a prevalent business concern due to an increasing number of high-profile regulations, including the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The technical controls for GDPR can intersect with other compliance frameworks; primarily controls intersections are regarding identity and access management, incident and breach response, and policy management.

    Having a solid understanding of products and services your organization provides and the type of data that you process or control on behalf of your customers should drive your compliance requirements. At Cockroach Labs, the need for a SOC 2 Type II audit report was needed to meet our customers’ requirements for vendor risk management and to help enable our sales team to engage with customers with specific requirements for vendors to have compliance certifications or audit reports.

    Regardless of the compliance framework or third party audit you would like to conduct against your company and systems, you should always look at designing a set of internal controls that will meet your security and compliance goals. It’s critical to understand the framework that you will be audited against. Once you have the necessary understanding of the framework you can begin to design your internal controls and map those to the framework. This does not always have to be a one for one, meaning that you can have one internal control that maps to multiple framework controls. It is important to balance your internal controls, as too few controls can create a risk of audit deficiencies and potential failures, and too many controls can make the amount of compliance workloads unmanageable. Next I will cover some options for first steps to establishing a plan to meet your compliance goals.

    Where to start and what are the approaches to complianceCopy Icon

    There are multiple ways that your organization can work towards and achieve your compliance goals. I’ll cover three of the most common approaches that I have come across in my time working in compliance.

    Tools/softwareCopy Icon

    There are many companies that offer great tools for streamlining compliance inside an organization. This is a popular approach for many startups as it can assist with building and streamlining the SOC 2 audit process. Some of the common tools that are used are: Vanta, Drata, and Hyperproof.

    These tools can be a great asset for organizations that do not have a team dedicated specifically to compliance work. If your organization is looking to audit against the SOC 2 criteria and you do not have a dedicated compliance individual team it can be extremely overwhelming. The use of a compliance automation tool can help to automate some compliance tasks as these tools will often come preconfigured with compliance frameworks and can automatically create a list of tasks that are required to meet the requirements of SOC 2 or other frameworks.

    These tools can be helpful but you must do your due diligence. There are many products that will claim they can fully automate your compliance work, specifically SOC 2 audit work. Often, these tools are designed for smaller organizations that have limited headcount and do not have highly complex environments. In my experience, these tools can end up being an extension of your company’s internal tracking system or tools. By this I mean that you will stand up a compliance automation tool that issues tickets into your internal systems. Compliance evidence and artifacts still need to be collected, reviewed, and transferred to your auditors. Ensure that you are vetting and piloting these systems as part of your due diligence process.

    Hire a consultantCopy Icon

    SOC 2 is a very popular audit framework and there are many individual consultants and consulting agencies with years of experience that can help organizations reach their goal of completing a SOC 2 audit. Having an expert consultant can make all the difference in the world as they will know how to manage compliance workloads, draft and design policies and procedures that will stand up to audits, and help to coach team members on what to expect when the time comes for an audit.

    Hire a compliance specialistCopy Icon

    An alternative to hiring a consultant is to hire someone to manage your compliance work. Having a dedicated person to manage the compliance work at your company can simplify things significantly. A dedicated compliance specialist can relieve the burden from engineering and security teams by managing compliance tasks and gathering evidence that would normally fall to teams like site reliability engineering (SRE), information security, or software engineering teams. An in-house compliance specialist can also often reduce time spent with auditors during audits. If your organization is looking to audit against the SOC 2 trust principles and you do not have a dedicated compliance individual or team it can be extremely overwhelming. Compliance specialists give companies a subject matter expert on all things compliance related. Often the compliance team can offer more to a company beyond managing compliance audits. Compliance specialists can handle third party risk management, writing and approving policies, and risk assessments.

    How did Cockroach Labs handle SOC 2? Copy Icon

    At Cockroach Labs, we took a hybrid approach of first hiring a consultant to help design our internal controls and then hiring a compliance specialist to manage our compliance work. We took an audit approach that many companies follow, first conducting a SOC 2 Type I audit to test design of our systems and controls. After we successfully validated our controls through a SOC 2 Type I audit, we conducted a SOC 2 Type II audit to test the effectiveness of our controls over a period of time. Conducting a SOC 2 Type I audit gives a company the benefit of validating the current controls set, adding any additional controls needed, and establishing a relationship with an audit firm. This last item is one of the most important aspects of third-party audits. The relationship between your company stakeholders and your auditors should not feel like an “us versus them” situation. Companies and auditors should be working together to assess your systems and controls against the framework to ensure that if there are exceptions or deficiencies, these issues are fixed for the betterment of the company and your customers. Ultimately, the auditors issue the report and if they need to note exceptions or deficiencies that is their responsibility, but it should always be a discussion and back and forth between your team and the auditors. So when you are evaluating the firm that will be auditing your controls, be sure that you feel comfortable with their approach to auditing, their methodology for testing your controls, and how they plan to work through any disagreements in potential audit findings.

    At Cockroach Labs, we were able to have a successful SOC 2 Type II following these steps, hiring a consultant to help design controls that map to the SOC 2 criteria, hire a compliance specialist to manage the compliance workloads, completed a SOC 2 Type I audit to ensure our control set was designed properly and that we had an audit firm that we felt comfortable working with, and finally conducting a SOC 2 Type II audit to validate the effectiveness of our internal controls over a period of time. It was not a perfect audit by any stretch of the imagination and we did have exceptions noted in our report. IMO, exceptions are not always a bad thing or an indication that an organization is not doing the right thing. I feel that expectations can demonstrate to your user community that an objective and professional audit was obtained. For an organization’s first time through a SOC 2 Type II audit, having exceptions is common.

    ConclusionCopy Icon

    To wrap things up, compliance is a journey for every organization. It can offer great benefits to your company by ensuring that your security controls are operating effectively and giving assurance to your customers. Also, your sales and marketing teams will appreciate having an audit report that can be supplied to customers that cover the assurances that you are offering with regards to securing their data. Cockroach Labs recently deployed a Trust Center page that provides current and prospective customers with details about the availability, security, and compliance of our products and services. Finally, I am excited to announce that our compliance team is growing at Cockroach Labs! If you are interested in learning more about the compliance roles available at Cockroach Labs, please visit us here.

    Data Privacy
    Compliance
    GDPR
    Security
    SRE