SOC 2 Reddit AMA: Most Upvoted Questions and Answers

December 27, 2022
Amanda Levine

System and Organization Controls 2 (SOC 2) compliance is essential to any organization or business storing data in the cloud. But getting SOC 2 compliant can be a long, expensive process. Luckily, Laika is a leader in compliance innovation. One of our superpowers is the talented army of compliance experts working hard behind the scenes to help customers go from zero to compliant with as little friction as possible.

In November 2022, we decided to lend some of our skilled compliance minds to the r/cybersecurity subreddit to help answer the community’s SOC 2-related questions.

Meet the Thoropass (formerly Laika) Reddit AMA experts

Three of our compliance experts brought over 16 years of combined experience to the Reddit AMA:

Zac Patenaude, Compliance Architect. Zac has worked on all different flavors of compliance frameworks, primarily focusing on SOC 2 and ISO 27001. From large-scale companies to start-ups, Zac has helped audit or implement programs for various companies to suit their compliance needs.

Alek Mosholt, Laika Compliance Architect. Alek is a past auditor who primarily supported SOC 1, SOC 2, and HITRUST audits for global tech companies as part of the Trust and Transparency Solutions group within PwC. Alek also supports Laika customers pursuing ISO 27001 certification and HIPAA compliance.

Cristina Bartolacci, Strategic Compliance Architect. Cristina specializes in frameworks including SOC 2, SOC 1, IT SOX, and HITRUST. She is also a thought leader on broader interests in privacy and cybersecurity.

Read on for answers to some top-of-mind SOC 2 queries:

For a new startup, how many employees should be assigned to help achieve SOC 2 compliance?
Do you see a trend toward European companies requiring ISO 27001 instead of SOC 2?
What are the most difficult areas of a SOC 2 audit for an organization to pass?
How can you set yourself up for success?
What are some important alerts to add to your Security Information and Event Management (SIEM)?
What are the Trust Services Criteria?
How does Laika audit the controls that get implemented to ensure there’s no gap in compliance once certification happens?
What initial steps can an organization take to get ahead of its first meeting with a consultant/auditor for SOC 2?
How much does it cost for SOC 2?

Question: For a new startup, how many employees should be assigned to help achieve SOC 2 compliance?

Answer: At least two. To ensure proper segregation of duties, at least two will be required. Especially when considering change management, someone should continuously check others’ work to ensure quality and security.

Question: Do you see a trend toward European companies requiring 27001 instead of SOC 2? Our small LMS startup initially aimed for SOC 2, but management decided that ISO 27001 would become more relevant in the future and was thus worth the effort. But I am still wondering if it is as indispensable in the industry as they say it is.

Answer: Currently, yes, but only time will tell! SOC 2 is the Belle of the Ball for a large majority of companies operating in the US. However, ISO has a much larger presence in the EU and is much more cost-effective. The beauty of SOC 2 is that it allows you to design a control set rather than simply implementing the ones prescribed to you in 27001 and Annex A. If your plans include moving toward US markets, I would say a SOC 2 report is worth its weight in gold.

Question: What are the most difficult areas of a SOC 2 audit for an organization to pass? How can you set yourself up for success?

Answer: Most companies struggle with two primary areas. One is change management.
There is always some workflow that needs to be enforced, or some sidestep that happens during the change management process that inevitably ends up causing difficulties in audit. The other is simply documentation: making sure what’s in policy is accurate and reflects the current state of affairs and how things are done. I’d also recommend reviewing the documents at least annually.

Setting yourself up for success comes down to a few things. Make sure you take compliance seriously 365/24/7 and track the promises you make in your controls. Taking stock of what you have said you will do and making sure it’s done is the easiest way to set yourself up for success.

Question: What are some important alerts to add to your Security Information and Event Management (SIEM)?

Answer: Some examples off the top of my head:

Security Monitoring:
Actions taken by privileged or root users
Access to sensitive or customer data
Invalid login attempts
Malicious activity

Availability Monitoring:
CPU threshold spike + memory threshold spike + network traffic spike = potential performance or security issue.
Database read/write spike + network traffic spike = possible data exfiltration event.

Question: What are the Trust Services Criteria?

Answer: The Trust Services Criteria are the five pillars of SOC 2 (defined by the AICPA), and what audit firms will audit you against depending on the customer commitments you are making in your contracts/agreements/MSAs, etc. I have included a brief description of the topics covered by each one below:

Security – How do you keep my data secure?
Availability – How do you make sure my data is available?
Confidentiality – How do you ensure that my data is kept confidential?
Processing Integrity – How do you process my data and make sure it’s accurate when processed?
Privacy – How do you keep my data private and what are the methods?
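To show what the SIEM alerts listed above look like as correlation logic, here is an added example (not from the AMA or the Laika platform) that evaluates the two compound availability rules and the three security-monitoring conditions over constructed metric samples and audit events. The spike threshold, the failed-login limit, the event tuple format and the "customer-" bucket prefix are all assumptions.

```python
from collections import Counter

# Constructed per-host metric samples, each signal as a percent of its baseline.
METRICS = [
    {"host": "web-1", "cpu": 310, "mem": 280, "net": 420, "db_io": 100},  # cpu+mem+net
    {"host": "db-1",  "cpu": 95,  "mem": 105, "net": 650, "db_io": 700},  # db+net
    {"host": "web-2", "cpu": 140, "mem": 120, "net": 110, "db_io": 100},  # quiet
]
SPIKE = 250  # percent of baseline at which a signal counts as a spike (assumed)


def correlate_availability(samples, spike=SPIKE):
    """Apply the two compound rules from the answer; return (host, alert) pairs."""
    alerts = []
    for s in samples:
        cpu, mem, net, db = (s[k] >= spike for k in ("cpu", "mem", "net", "db_io"))
        if cpu and mem and net:            # CPU + memory + network spike together
            alerts.append((s["host"], "performance_or_security"))
        if db and net:                     # database I/O + network spike together
            alerts.append((s["host"], "possible_exfiltration"))
    return alerts


# Constructed audit events: (user, action, target, outcome)
EVENTS = [
    ("root",  "sudo",  "/etc/shadow",         "success"),
    ("alice", "login", "vpn",                  "failure"),
    ("alice", "login", "vpn",                  "failure"),
    ("alice", "login", "vpn",                  "failure"),
    ("bob",   "read",  "s3://customer-export", "success"),
    ("bob",   "login", "vpn",                  "success"),
]
PRIVILEGED = {"root", "admin"}           # assumed privileged account names
SENSITIVE_PREFIX = "s3://customer-"      # assumed marker for customer data stores
FAILED_LOGIN_LIMIT = 3                   # failures per user before alerting (assumed)


def correlate_security(events, failed_limit=FAILED_LOGIN_LIMIT):
    """Flag privileged actions, sensitive-data access and repeated failed logins."""
    alerts = []
    failures = Counter()
    for user, action, target, outcome in events:
        if user in PRIVILEGED and action != "login":
            alerts.append((user, "privileged_action", target))
        if target.startswith(SENSITIVE_PREFIX) and outcome == "success":
            alerts.append((user, "sensitive_data_access", target))
        if action == "login" and outcome == "failure":
            failures[user] += 1
            if failures[user] == failed_limit:   # alert once, at the threshold
                alerts.append((user, "repeated_failed_logins", target))
    return alerts
```

In a real deployment the thresholds would be tuned per host from observed baselines, and the event source would be the platform's normalized log schema rather than tuples.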
Question: How does Laika audit the controls that get implemented to ensure there’s no gap in compliance once certification happens?

Answer: There are three main ways we do this:

The Laika platform has monitors that integrate with the most common Cloud Service Providers (AWS, Azure, GCP), which will flag if certain configurations fall out of compliance. For example, we have monitors around the encryption of storage services, logging and monitoring, whether security groups allow unrestricted access, etc.

The Laika platform has recurring action items that remind customers to execute periodic controls, e.g., access reviews, security awareness training, etc.

Periodic meetings with the customer’s designated Compliance Architect (i.e., subject matter expert) to discuss ongoing compliance measures, potential issues, etc.

Question: What initial/basic steps can an organization take to get ahead of their first meeting with a consultant/auditor for SOC 2?

Answer: When looking to begin prepping for a SOC 2 audit, organizations should look at the current policies and procedures they have in place. This is both for technical as well as operational functions of the organization. If there are no set policies or procedures in place, many organizations seek outside vendor/consultant support here to lay the foundation for the audit. If there are already policies/procedures in place, a gap analysis aids in understanding where current controls in place meet criteria needs. This is also something that vendors can assist in helping you identify and remediate any gaps.

I recommend taking advantage of your Cloud Service Provider’s internal tooling to ensure best practices. For example, AWS has a framework called AWS Well-Architected, which will assess your environment against best practices, including ensuring data confidentiality and integrity, managing user permissions, and establishing controls to detect security events.

Question: How much does it cost for SOC 2?
Answer: There are a couple of different factors to consider when considering costs, such as whether to work with an external vendor/consultant or tackle it internally, which solution/audit firm you end up with, and the scope of the engagement. For a small start-up performing its first SOC 2, we typically see customers engage with a vendor or consultant to help guide them through and streamline the process.

Hungry for more? You can check out the entire Reddit AMA here. Make sure to join the r/cybersecurity subreddit and follow us on LinkedIn to learn when our next AMA will be!