{"id":42123,"date":"2022-02-21T01:45:47","date_gmt":"2022-02-21T06:45:47","guid":{"rendered":"https:\/\/simfoni.com\/?p=42123"},"modified":"2022-06-07T05:18:29","modified_gmt":"2022-06-07T10:18:29","slug":"the-road-to-soc2-through-controls-that-build-trust","status":"publish","type":"post","link":"https:\/\/simfoni.com\/engineering\/the-road-to-soc2-through-controls-that-build-trust\/","title":{"rendered":"The Road to SOC2 through Controls that build trust"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t

\n\t\t\t\tSOC2 tests compliance on a few trust principles namely Security, Availability, Processing Integrity, Confidentiality and Privacy of data. \t\t\t<\/p>\n\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Some basics about SOC2 (Service Organizational Control ver 2) is that it is a compliance standard set by AICPA(It is the body of Certified Public Accountants). It tests compliance on a few trust principles namely Security, Availability, Processing Integrity, Confidentiality and Privacy of data. As organizations we often try to get SOC 2 certified and show the world we are compliant and secure. I am trying to take a different approach to this. If we break down the trust principles into Controls and create a roadmap to implement those controls, then we become ready not just for SOC2 but also other parallel certifications.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t

\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"SOC2\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

 FedRamp, ISO 270001 are some of those. We will not discuss them here but SOC2 will overlap with other certifications for sure. Its important that we focus on getting the controls in place first rather than scramble for a certificate and make the actual certificate a last step. It makes us secure internally first and lets us run our business with confidence.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t\t\t\t

Read More:-  What is Procurement<\/a> and How To Optimize Processes, Performance, and Technology?<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Compliance\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Now a word about controls. What is control? Well, a control is a system, process, or policy meant to mitigate a “mal” event. In real life video cameras are on the periphery of yours. Home is a system, background checks before you let someone in to meet a leader would be a process, and ensuring all check-ins are accompanied by an original ID card is a policy. All of the above are controls. The next thing to know is that SOC2 has 2 parts and for good reasons. The first part is to have the controls in place (policy written, systems installed, process documented). This is essential because now you have an inventory of controls that map to the 5 trust principles. You decide what those controls are and put them in place and get them approved by the certifier. You need to note here that you do not need to have any of this operational for a SOC2 Type 1 certification<\/strong><\/a>. You are capable of it, you have the inventory BUT you are not yet running it. The next step is to switch on all your controls. To run them, to monitor them, to keep trails. Then after a while (I am not going into the specifics of the certification here) you call someone to audit what you promised in Part 1 and verify they are implemented. This is Part 2 and the actual completion of SOC2.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t\t\t\t

We will now as an exercise create a set of controls mapped to each one of the trust principles that form the core of SOC2. This should illustrate how your roadmap should look like. The controls are by no means comprehensive but rather illustrative.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/path><\/svg><\/span>\n\t\t\t\t\t\t\t\t<\/path><\/svg><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\tSecurity <\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t