How SOC 2 compliance works: Gap Analysis

Achieving a SOC 2 can be intimidating, particularly for first-timers. Our team has a lot of experience walking first-timers through each step. Thoropass (formerly Laika) is made up of former compliance executives, heads of security, privacy & risk, and even SOC 2 auditors. Collectively, we’ve gone through thousands of SOC 2 audits. And we walk our clients through the process every day. Here, we wanted to share some insights to shed light on the SOC 2 process.

We recently got our SOC 2 Type 1 report. ICYMI, read our SOC 2 announcement here.

Thoropass’s compliance team set their sights on a SOC 2 Type 1 in 2020, and a Type 2 in 2021. This blog series will use our own SOC 2 compliance to shed light on the process. We used the Thoropass platform to keep ourselves organized, automate evidence gathering, collaborate across teams, hold security awareness training, manage vendors, and so much more.

While many businesses put off getting a SOC 2 until their clients demand it, our team knows the importance of getting ahead of the game. We’ve seen businesses wait until it’s too late, resulting in lost deals, painful sales cycles, and rebuilt products and tech stacks, and we knew it was time to get our report.

Ultimately, not having SOC 2 impacts overall trust. Any offering with sensitive customer information will need to demonstrate a security posture to prove a product is built on SOC 2 best practices.

We built compliance into our organization, our culture, and the practices of Thoropass from the jump. Because these best practices were operational, our audit prep wasn’t a painful process. And Dana, our Head of Security and Risk, was able to speed through discovery and classification because he was instrumental in identifying paths to compliance from the start.

What is a Gap Analysis?

The first step toward getting your SOC 2 is a gap analysis and remediation plan.

The gap analysis helps you understand which policies, procedures, and controls your business already has in place and operationalized. Measuring those against the SOC 2 requirements, your team will form a remediation plan to close those gaps and implement the missing controls.

When examining your business for information security controls, we don’t just measure against SOC 2. We also ensure that you implement appropriate best practices for the size and stage of your organization. SOC 2 requirements are the same for big corporations (like Google or Facebook) as they are for Series A startups. Information security should be implemented and enforced based on your current situation and how you want to grow.

In a sentence, a gap analysis is a fact-finding conversation that judges a current security posture against industry standards and the SOC 2 framework.

Conducting a gap analysis sets you up for success in the SOC 2 process. You’ll be able to tackle your implementation tasklist more efficiently, quickly prepare for audit, and ensure the highest quality of control implementation.

Fundamentally, a SOC 2 audit tells the story of your information security in a compelling way. To tell that story effectively, you need to identify the basics:

  • What type of data do you store or transfer?
  • Where does that data live?
  • How does it move through your organization?
  • Who has access to the data?

Based on the SOC 2 requirements, we examine what controls are in place and what is still needed. For example, endpoint security is a must-have for SOC 2. We didn’t leverage BitDefender (our endpoint security vendor) until our SOC 2 process started up. Ta-da, a gap!

We’ll start with the “what”.


What: Data Classification

We started with data classification. Keep in mind that not all data is created equal. Sensitive data, such as PII, is stored differently from non-PII. Thoropass doesn’t hold a lot of regulated information (PHI or PII), so our classification didn’t need to be prescriptive.

This is a good starting point for any compliance framework implementation. By classifying your data, you’ll understand what types of information are held by your organization. As a bonus, building this practice early makes it easier to stay compliant as your business and data grow.

We put our data into four buckets:

  • Classified/Restricted: Company financials, HR data, intellectual property
  • Confidential: Slide decks, training materials, names of certificates and vendors, customer records
  • Internal: CSS files, static branding fonts and styles, and any code in production on our app or website
  • Public: Blog posts, published marketing materials, and customer-facing documents

Our founders intentionally chose systems that can safely transfer, store, and dispose of data. This made our remediation strategy shorter than it would be for a business that doesn’t use platforms with existing security.

Tip from our experts: select your vendors carefully.

Auditors will examine your vendors and their compliance. If you’re a young start-up, you can use partnerships to fulfill some SOC 2 requirements. For us, that meant GSuite for items like email and documents, Justworks for employee data, and AWS for infrastructure requirements such as database encryption, logging, and monitoring.

But it is up to the business how many categories you’d like to have and which data falls into each. The naming of the categories is less important than how each is tied back to the gaps in requirements and audit prep. When each piece of information has been classified, you’ll need to understand where it lives and moves.

Where: Asset Inventory

Building an asset inventory is the “where” of your information security story. It sets organizations up for an easier implementation process and long-term compliance.

An asset inventory should outline each part of your infrastructure, from web applications to databases and data warehouses. By breaking down each asset, you should be able to identify where your information lives in each asset and how it is currently secured.

If you use a cloud provider, like AWS, much of your asset inventory will already be generated for you by the provider. In fact, you should already have a pretty good idea of your assets, since most providers bill you based on data usage and the tools in your environment. If you use on-premise hardware, forming your asset inventory will likely be made simple by the third-party asset management product you currently use.

Include devices like employee laptops and company-issued mobile devices in the inventory. In the current remote environment, keep track of all devices that could hold proprietary or sensitive data. When we implemented SOC 2 controls for endpoint security, the company had each employee log the serial numbers of their devices, which were then stored and maintained in Thoropass’s SOC 2 compliance automation platform.

How: Network Architecture and Data Flow Diagrams

A step beyond your asset inventory, network architecture and data flow diagrams depict how information moves through your organization. This isn’t as complicated as you might think. Whatever tools your product team uses for flow diagrams, you can use those for this SOC 2 control as well!

We recommend using Lucidchart; check out Amazon Web Services for a good example.

This is one of the first controls we work with our customers to complete if they have not already. It’s not only important for the audit but also helpful for your compliance team to understand potential weaknesses in data processing.

Who: Roles and Responsibilities

You can combine this step with building diagrams or the asset inventory, but it’s important to call it out independently as well. While the “what” and “where” of information security are important for SOC 2, so is the “who.” Auditors will want to know that only specific types of employees are allowed access to each data category, and that each data category has an owner.

You should be able to answer the following questions:

  • What types of data can each employee access?
  • How do they have access?
  • What do they use it for?

Structure personnel qualifications on an individual basis or based on teams and responsibility levels; e.g. your COO should obviously have access to more information than an associate.

Gap Analysis Conversation

While you’re taking the steps above to understand your security story, your compliance team should be asking relevant questions to identify gaps. These conversations could include a demo of your product offering, help creating a network flow diagram, or a discussion of how you currently classify your data (if at all).

After these conversations, the compliance team will measure your compliance posture against best practices specific to SOC 2. The team can then create a task list based on your gap analysis and form a strategic plan to resolve any issues. For example, we needed to implement endpoint security for our SOC 2 audit and placed that task into a remediation plan.

Remediation Plan

By identifying which controls still needed to be put in place, we prioritized our to-do list into key, required, and optional buckets. This helped our team understand the needed lift, and how far we should go to secure all our information.

Using the steps above, we painted a picture of people, processes, and technology covered in our information security implementation. Our compliance architects created a task list in Thoropass to remediate the remaining gaps.
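To make the gap analysis and remediation plan concrete, here is an added example (not Thoropass’s own code or tooling) that takes a constructed asset inventory, applies the four classification tiers from this post, and emits the missing controls in the key/required/optional buckets. The per-tier control baseline and the priority assigned to each control are assumptions for illustration, not SOC 2 requirements or this post’s own mapping.

```python
from dataclasses import dataclass, field

# Classification tiers from the post, most to least sensitive.
TIERS = ["Restricted", "Confidential", "Internal", "Public"]

# Assumed (hypothetical) control baseline per tier; a more sensitive tier
# requires everything a less sensitive tier does, plus more.
BASELINE = {
    "Public": set(),
    "Internal": {"owner_assigned"},
    "Confidential": {"owner_assigned", "encryption_at_rest", "access_logging"},
    "Restricted": {"owner_assigned", "encryption_at_rest", "access_logging", "mfa"},
}
# Endpoint security is a must-have for any device that can hold data (from the post);
# logging the device serial number mirrors the post's inventory practice.
DEVICE_CONTROLS = {"endpoint_security", "serial_logged"}

# Assumed priority bucket per control (key / required / optional, as in the post).
PRIORITY = {"endpoint_security": "key", "encryption_at_rest": "key",
            "mfa": "required", "access_logging": "required",
            "owner_assigned": "required", "serial_logged": "optional"}

@dataclass
class Asset:
    name: str
    kind: str                  # "system" or "device"
    tier: str                  # most sensitive data tier the asset holds
    controls: set = field(default_factory=set)  # controls already operational

def required_controls(asset):
    """Controls an asset must have, given what it holds and what it is."""
    if asset.tier not in BASELINE:
        raise ValueError(f"{asset.name}: unclassified tier {asset.tier!r}")
    base = BASELINE[asset.tier]
    return base | DEVICE_CONTROLS if asset.kind == "device" else base

def gap_analysis(assets):
    """Return {bucket: [(asset, missing_control), ...]} as a remediation plan."""
    plan = {"key": [], "required": [], "optional": []}
    for a in assets:
        for c in sorted(required_controls(a) - a.controls):
            plan[PRIORITY[c]].append((a.name, c))
    return plan

# Constructed sample inventory (not real Thoropass assets).
INVENTORY = [
    Asset("prod-db", "system", "Confidential",
          {"owner_assigned", "encryption_at_rest", "access_logging"}),
    Asset("hr-records", "system", "Restricted", {"owner_assigned", "encryption_at_rest"}),
    Asset("marketing-site", "system", "Public"),
    Asset("laptop-0042", "device", "Confidential", {"owner_assigned", "serial_logged"}),
]
```

Running `gap_analysis(INVENTORY)` flags the laptop’s missing endpoint security and disk encryption as key items, the way the post’s own BitDefender gap surfaced.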

Stage Appropriate

Not all remediation plans will be the same; implementation can take different turns to satisfy SOC 2 requirements. A compliance expert identifies the stage-appropriate controls for your task list based on the maturity of your organization, strategic plans for growth, and available resources. What is appropriate for a pre-seed startup likely will not be the same for a big corporation.

For example, if you’re a 2,000-person organization, you’ll likely want to include a centrally managed endpoint solution in your remediation plan. For a 10-person start-up, it’s more appropriate to have a manual operational process for endpoint security.

If you’re confused about any of the steps above, reach out to our team of compliance experts! We’re always happy to help.
