SOC-2 Initial Made Easy

Remove paper and automate document managing for higher productivity and unlimited possibilities. Experience the best way of doing business with airSlate SignNow.

Award-winning eSignature solution

Send my document for signature

Get your document eSigned by multiple recipients.

Sign my own document

Add your eSignature to a document in a few clicks.

Get the robust eSignature capabilities you need from the company you trust

Select the pro platform made for professionals

Whether you’re introducing eSignature to one department or across your entire company, the procedure will be smooth sailing. Get up and running quickly with airSlate SignNow.

Configure eSignature API quickly

airSlate SignNow is compatible with the applications, solutions, and devices you currently use. Easily embed it straight into your existing systems and you’ll be productive instantly.

Collaborate better together

Enhance the efficiency and productivity of your eSignature workflows by offering your teammates the capability to share documents and templates. Create and manage teams in airSlate SignNow.

Soc 2 initial, within a few minutes

Go beyond eSignatures and soc 2 initial. Use airSlate SignNow to negotiate agreements, gather signatures and payments, and automate your document workflow.

Reduce your closing time

Get rid of paper with airSlate SignNow and minimize your document turnaround time to minutes. Reuse smart, fillable form templates and send them for signing in just a couple of minutes.

Keep important data safe

Manage legally-binding eSignatures with airSlate SignNow. Run your organization from any place in the world on virtually any device while maintaining high-level security and compliance.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Checkboxes and radio buttons
Request an attachment
Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract to soc 2 initial.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and soc 2 initial later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly soc 2 initial without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to soc 2 initial and include a charge request field to your sample to automatically collect payments during the contract signing.
Collect signatures
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide — soc 2 initial

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Employing airSlate SignNow’s electronic signature any organization can speed up signature workflows and eSign in real-time, supplying an improved experience to clients and workers. Use SOC-2 initial in a few easy steps. Our handheld mobile apps make work on the move achievable, even while off the internet! eSign contracts from any place in the world and close up trades in no time.

Follow the walk-through guideline for using SOC-2 initial:

  1. Log in to your airSlate SignNow profile.
  2. Find your needed form in your folders or upload a new one.
  3. Access the document and make edits using the Tools menu.
  4. Drop fillable areas, add textual content and sign it.
  5. Include several signees by emails and set up the signing order.
  6. Specify which individuals will get a completed copy.
  7. Use Advanced Options to limit access to the template and add an expiration date.
  8. Click on Save and Close when completed.

In addition, there are more advanced tools open for SOC-2 initial. Add users to your common digital workplace, browse teams, and monitor collaboration. Millions of users all over the US and Europe recognize that a system that brings people together in a single cohesive workspace, is the thing that businesses need to keep workflows working smoothly. The airSlate SignNow REST API allows you to integrate eSignatures into your app, website, CRM or cloud. Try out airSlate SignNow and get quicker, easier and overall more effective eSignature workflows!

How it works

Open & edit your documents online
Create legally-binding eSignatures
Store and share documents securely

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

See exceptional results SOC-2 initial made easy

Get signatures on any document, manage contracts centrally and collaborate with customers, employees, and partners more efficiently.

How to Sign a PDF Online

How to complete and eSign a document online

Try out the fastest way to SOC-2 initial. Avoid paper-based workflows and manage documents right from airSlate SignNow. Complete and share your forms from the office or seamlessly work on-the-go. No installation or additional software required. All features are available online, just go to signnow.com and create your own eSignature flow.

A brief guide on how to SOC-2 initial in minutes

  1. Create an airSlate SignNow account (if you haven’t registered yet) or log in using your Google or Facebook.
  2. Click Upload and select one of your documents.
  3. Use the My Signature tool to create your unique signature.
  4. Turn the document into a dynamic PDF with fillable fields.
  5. Fill out your new form and click Done.

Once finished, send an invite to sign to multiple recipients. Get an enforceable contract in minutes using any device. Explore more features for making professional PDFs; add fillable fields SOC-2 initial and collaborate in teams. The eSignature solution supplies a safe process and works according to SOC 2 Type II Certification. Ensure that all your data are protected and that no person can change them.

How to Sign a PDF Using Google Chrome

How to eSign a PDF in Google Chrome

Are you looking for a solution to SOC-2 initial directly from Chrome? The airSlate SignNow extension for Google is here to help. Find a document and right from your browser easily open it in the editor. Add fillable fields for text and signature. Sign the PDF and share it safely according to GDPR, SOC 2 Type II Certification and more.

Using this brief how-to guide below, expand your eSignature workflow into Google and SOC-2 initial:

  1. Go to the Chrome web store and find the airSlate SignNow extension.
  2. Click Add to Chrome.
  3. Log in to your account or register a new one.
  4. Upload a document and click Open in airSlate SignNow.
  5. Modify the document.
  6. Sign the PDF using the My Signature tool.
  7. Click Done to save your edits.
  8. Invite other participants to sign by clicking Invite to Sign and selecting their emails/names.

Create a signature that’s built in to your workflow to SOC-2 initial and get PDFs eSigned in minutes. Say goodbye to the piles of papers sitting on your workplace and start saving time and money for extra essential tasks. Picking out the airSlate SignNow Google extension is an awesome practical option with many different advantages.

How to Sign a PDF in Gmail

How to sign an attachment in Gmail

If you’re like most, you’re used to downloading the attachments you get, printing them out and then signing them, right? Well, we have good news for you. Signing documents in your inbox just got a lot easier. The airSlate SignNow add-on for Gmail allows you to SOC-2 initial without leaving your mailbox. Do everything you need; add fillable fields and send signing requests in clicks.

How to SOC-2 initial in Gmail:

  1. Find airSlate SignNow for Gmail in the G Suite Marketplace and click Install.
  2. Log in to your airSlate SignNow account or create a new one.
  3. Open up your email with the PDF you need to sign.
  4. Click Upload to save the document to your airSlate SignNow account.
  5. Click Open document to open the editor.
  6. Sign the PDF using My Signature.
  7. Send a signing request to the other participants with the Send to Sign button.
  8. Enter their email and press OK.

As a result, the other participants will receive notifications telling them to sign the document. No need to download the PDF file over and over again, just SOC-2 initial in clicks. This add-on is suitable for those who choose working on more essential things as an alternative to wasting time for nothing. Improve your day-to-day routine with the award-winning eSignature application.

How to Sign a PDF on a Mobile Device

How to sign a PDF on the go with no app

For many products, getting deals done on the go means installing an app on your phone. We’re happy to say at airSlate SignNow we’ve made signing on the go faster and easier by eliminating the need for a mobile app. To eSign, open your browser (any mobile browser) and get direct access to airSlate SignNow and all its powerful eSignature tools. Edit docs, SOC-2 initial and more. No installation or additional software required. Close your deal from anywhere.

Take a look at our step-by-step instructions that teach you how to SOC-2 initial.

  1. Open your browser and go to signnow.com.
  2. Log in or register a new account.
  3. Upload or open the document you want to edit.
  4. Add fillable fields for text, signature and date.
  5. Draw, type or upload your signature.
  6. Click Save and Close.
  7. Click Invite to Sign and enter a recipient’s email if you need others to sign the PDF.

Working on mobile is no different than on a desktop: create a reusable template, SOC-2 initial and manage the flow as you would normally. In a couple of clicks, get an enforceable contract that you can download to your device and send to others. Yet, if you really want an application, download the airSlate SignNow app. It’s secure, fast and has an incredible design. Take advantage of effortless eSignature workflows from the workplace, in a taxi or on an airplane.

How to Sign a PDF on iPhone

How to sign a PDF using an iPad

iOS is a very popular operating system packed with native tools. It allows you to sign and edit PDFs using Preview without any additional software. However, as great as Apple’s solution is, it doesn't provide any automation. Enhance your iPhone’s capabilities by taking advantage of the airSlate SignNow app. Utilize your iPhone or iPad to SOC-2 initial and more. Introduce eSignature automation to your mobile workflow.

Signing on an iPhone has never been easier:

  1. Find the airSlate SignNow app in the AppStore and install it.
  2. Create a new account or log in with your Facebook or Google.
  3. Click Plus and upload the PDF file you want to sign.
  4. Tap on the document where you want to insert your signature.
  5. Explore other features: add fillable fields or SOC-2 initial.
  6. Use the Save button to apply the changes.
  7. Share your documents via email or a signing link.

Make professional PDFs right from your airSlate SignNow app. Get the most out of your time and work from anywhere: at home, in the office, on a bus or plane, and even at the beach. Manage an entire record workflow seamlessly: create reusable templates, SOC-2 initial and work on PDFs with partners. Transform your device right into a powerful enterprise tool for executing deals.

How to Sign a PDF on Android

How to eSign a PDF file using an Android

For Android users to manage documents from their phone, they have to install additional software. The Play Market is vast and plump with options, so finding a good application isn’t too hard if you have time to browse through hundreds of apps. To save time and prevent frustration, we suggest airSlate SignNow for Android. Store and edit documents, create signing roles, and even SOC-2 initial.

The 9 simple steps to optimizing your mobile workflow:

  1. Open the app.
  2. Log in using your Facebook or Google accounts or register if you haven’t authorized already.
  3. Click on + to add a new document using your camera, internal or cloud storages.
  4. Tap anywhere on your PDF and insert your eSignature.
  5. Click OK to confirm and sign.
  6. Try more editing features; add images, SOC-2 initial, create a reusable template, etc.
  7. Click Save to apply changes once you finish.
  8. Download the PDF or share it via email.
  9. Use the Invite to sign function if you want to set & send a signing order to recipients.

Turn the mundane and routine into easy and smooth with the airSlate SignNow app for Android. Sign and send documents for signature from any place you’re connected to the internet. Create good-looking PDFs and SOC-2 initial with a couple of clicks. Create a faultless eSignature workflow using only your mobile phone and increase your general productivity.


Get legally-binding signatures now!

FAQs

Here is a list of the most common customer questions. If you can’t find an answer to your question, please don’t hesitate to reach out to us.


What active users are saying — soc 2 initial

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

Excellent service
5
Administrator in Transportation/Trucking/Railroad

What do you like best?

I like that you can send anyone a document and it's easy for them to sign and how fast it comes back to me. This is a great service when doing business and needing clients to sign documents.

Helps Streamline Business
5
User in Real Estate

What do you like best?

I love how easy it is to customize a document for our clients to sign. Makes the process so much easier for everyone.

Great App
5
Administrator in Construction

What do you like best?

I like the fact that we can easily send a document that requires a signature and get it back quickly and making it shareable with a group of people.



Soc 2 initial

today we're going to talk about four organizations who are thinking about it thinking about getting a sock to report some of the basics to be able to get a sock to report successfully and some of the terminology so people are familiar with what they're gonna be going for if they're doing this for the first time so get us started off here let's do some quick intros so I'm Christian Hyatt I'm a managing director at risk 360 I help oversee our compliance practice and our security practice and also with this we have Christian white there's also a managing director and leads our sock do practice Christian lending a quick intro yes hi Christian mentioned I'm Christian why I help lead up head up our compliance practice so that includes sock 2 PCI hi trust to look forward to talking about sock to today so just in a way of kind of where we're going so people know what to expect we'll give a quick background on sock - we'll talk about some of the elements of scoping with the audit process looks like timeline efforts and then there at the end Christian I'll I'll do a rapid-fire see if you can answer these questions itself alright cool so Christian you might given us just a quick background of kind of the market drivers and what stock to is sure so so plenty of market drivers these days for sock - but but some of the ones to highlight are you know as we're in this climate 2020 now you know security is a must privacy is a must and so in order to do good business companies are increasingly being asked to provide a level of assurance around their information security programs and and possibly privacy programs as well so sock tea provides an opportunity to provide that assurance that third-party assurance that that is being requested so we see this a lot in the b2b space industry agnostic and then some of the other market drivers for why companies may choose the top sock - are the fact they're subject to a lot of third-party vendor due diligence so they may be filling out 
questionnaires on a daily basis doing a lot of due diligence stuff which takes a lot of time and effort and often sock to is even written into contracts or MSA is sa double use because larger companies need to manage their supply chain and and make sure that the third and even fourth parties are you know practicing good information security yeah I think most of the most of the clients that we get that are first-year clients have have a similar story and that one I've been answering questionnaires non-stop for the last year and I'm tired of doing that too you know they got written into a contract and and some big client will not do business with me unless I have a stock to report so by the time they you know approach us oftentimes you know they're they're on a time line they have to do it quickly so uh just as you pointed out it's a pretty big market drivers in line with revenue so I think a lot of people don't understand we're shocked to came from like who governs it what is it is it a framework so can you maybe talk about like you know who runs stock to and in the background there yeah absolutely so the AICPA governs the softube framework sock to is a reporting framework as opposed to a security framework and what that means is the AICPA puts out the sock to you framework they define the criteria that must be met in order for a company to be compliant with sock to but tactically how a company meets that compliance there's flexibility there there's there's options for how those controls are designed to meet the criteria and so because of that it's considered a reporting framework versus a security framework and only CPA firms are authorized to issue sock to reports so iris 360 or CPA firm a sock to practice is a big part of what we do on the compliance side that's a little bit of background there yeah I think it's interesting I think when most people think of any kind of reporting or certification framework they think that there's a prescriptive set of controls so 
if you look at PCI or ISO you know there's there's a specific set of controls that you have to do whereas as you mentioned with sock two they really give you criteria at a very high level that you have to meet but every reports are different so how you meet those criteria which controllers you put in place or gonna be pretty unique by organization which can be frustrating but can also be very helpful because almost any organization can go through Sauk to which i think is a interesting and kind of neat neat quality yeah I think that's one of the big values is is being able to customize a control set that fits the needs of the business wherever they're at whatever stage of growth they're in versus having that prescriptive set of controls that might not make sense for the size and industry okay so and that kind of brings us to our next question so a lot of people may wonder you know how do I even know what I'm gonna get us talk to over how do i scope that what are some of the elements that you as a shock to professional kind of guide in the client through that process can you gotta walk us through what you consider when you're thinking about scope yeah absolutely so sock to that the framework we refer to it as the trust Services criteria those are the criteria that make up sock two and there's five different categories trust service categories with security being the baseline so every sock to report is going to have at least security as a baseline but there are in addition there are four additional categories that that companies may choose to add a lot of times that will be based on industry norms or preferences or expectations or client demands and those include confidentiality availability processing integrity and privacy those are optional right the security is mandatory yep yep absolutely so you consider you know you know data center for instance availability would be very important to their customers so they would they might want to include that in their sock 
report in the healthcare industry especially privacy is very important so you expect companies in that industry to to adopt privacy and FinTech processing integrity is important so often for first year companies you recommend starting out with security kind of get your foot in the door get you so sought to build your program and then over time consider whether it makes sense to mature that program by adding additional categories yep as far as systems in scope so sock 2 gives flexibility there as well because each company can define their information system and it's the information system that is being reported on I'm so you might define your information system as your entire company you might define it as a business unit within the company or maybe it's product specific there are going to be controls that are going to apply to the entity as a whole or be a shared services but there is a lot of flexibility and how you define that scope and I think that's important to note yep and then on the timeline front which we'll talk a little bit about later but what's your experience with companies because I feel like most those organizations or at least many organizations that that desire to get a sock to report they've been issued a mandate by a partner that says hey you have six months or 12 months or something to get a report in hand is that typically feasible from your experience yeah sure right what I would recommend is you know give as a planning factor give three to six months to get your type one report and we'll dive into kind of the nuances of type 1 and type 2 but I think that's a fair planning factor I've seen companies go faster when they're when they're motivated and they've got a client deadline and then also there's companies that are ahead of where they need to be and they know it's just something that's that's on the horizon and they take a longer approach to go ahead and implement the controls that they need but three to six months is fair yep so that will 
kind of walk us into maybe their readiness and or the the overall audit process so for most organizations that approach us if they're a first year client we typically take them through really a three step process for us and and usually that involves getting a client ready so some gap assess met again sought to where you know a lot of comments don't know where they stand you know they don't know what controls to meet the criteria they don't know you know how far off they are from actually being able to meet the sock to standard so a good way to do that is working with the firm that's gonna audit you to do a readiness assessment and that's when we come in there help identify the controls help identify gaps where gaps exist help provide some guidance on what would meet the requirement and how they might go about fixing that for example maybe they have to write policies or they have to update a few processes and then that's when we kind of get into the nuance of type 1 and type 2 because after you finish readiness most organizations are ready to get a report at that time and what most organizations do for their first years they do is called a sock - type 1 which is a point-in-time report it basically means the the day that you're ready the day that you have all of your controls in place you can you're qualified to get a report on that day so if we're doing readiness and we're gathering evidence during that time once we get that last piece of evidence we can issue a type 1 but that's typically not enough the expectation in the marketplace is that you ultimately get what's called a sock - type 2 which usually covers a period of time the most common reporting period is a 12-month audit period but sometimes an organization will do a six-month all that period their very first year so they can get a report a little bit quicker so usually the day that you're saw you get your sock to type one that will begin your audit period for your sock to type two and then either you do a 
6 or 12 month period your first year and then usually subsequent years you do a 12 month rolling period so that that's really the process do readiness to your type 1 and then do your type 2 and then I guess the one thing to note is that the type 2 is the annual audit it's not a one-and-done thing where you only have to do it one year it is an annual audit you have to refresh every single year go through the full process and customers and clients are savvy to that they're gonna be looking for those report dates and asking for that refreshed report every year so just be prepared to stand up those processes and maintain them over time anything said you want to add there as far as an audit process maybe one thing and that is just during the readiness phase that's usually the phase it takes the most because the way we approach is we'll sit down with our clients will understand the business the business drivers how security fits into that and then design controls to meet the Softee criteria that's an important piece that part is doesn't take a long time but often where we see you know the biggest time commitment is in that remediation piece so I say stop to your readiness you know that that can take three to six months and kind of the output of that would be that type one report yeah absolutely the other thing I think you do see W very well the I think is a huge differentiator that you don't know that you need it until you need it is the level of customization that we go through when it comes to readiness because if you've never worked with multiple CPA firms on this there's kind of two approaches there's the approach where everyone gets the same report so you're kind of forced into a box and there's reasons to do that and then there's the approach where you get a pretty custom report that reflects accurately your environment and the specific controls that you have in place and that flexibility makes all the difference because it allows people to have a report that is 
actually reflective of what they do and doesn't force people to change processes just to meet a compliance requirement and I know that as a rule our practice really trusts to take that approach to be very custom to make the report and reflect the client's environment and not overburden them with a lot of compliance check the boxes that might not be necessary so just want to point that out so I think you guys do a great job there yeah absolutely and I think the reason why that's so important is you know sock teas not one and done like you want to put into place a program that is sustainable that you can maintain and manage that closely aligns with what you're already doing with with the direction the business wants to go yeah absolutely and then that brings us kind of the timeline so organization like it's a great question how long is this going to take so I would say this is a very generic timeline on the left-hand side here is when we typically do readiness and type one so that's you know often around a six-month time period like you said earlier you can go faster than that if and if organization is really motivated but six months is kind of a default time you usually do planning upfront and then in the middle sections you do our wielder readiness assessment the client will go back and remediate we'll do the sock to type one audit once you're done finish remediating and you get yourself to type one report and then on towards the right-hand side you see that you begin doing the sock to type to the audit period here in this example we said it was a 12-month audit period that you can do as little as a three-month audit period or or often comment as a six-month audit period and which audit period you choose your first year is typically driven by how fast you need to report in hand so if you have a client or customer saying hey look I need a report by end of year then you might you know do a an awkward audit period that first year 3 or a 5 month or 6 months to make 
sure you have a report in hand to meet the clients requirements but thereafter like I said you'll go into a 12 month audit period the nuance to the type 2 I would say because the auto periods are so long we typically do planning upfront then we'll do kind of a midpoint check-in where we'll examine a little bit of evidence and that that way we're not at mad - there towards the end and then we'll do a final audit period towards the end and outs to that first check-ins usually a few days just looking at policies gathering a little bit of evidence checking in to make sure the clients doing well the end of the audit period just the bulk of the work or gather the rest of the audit evidence finalize documentation and then we'll issue that sock to type to report and then you'll get into that role in cadence 12-month cadence thereafter anything you want to add as far as timeline CW now I think you I think you nailed it the one thing I will say is as you're implementing sock to you for the first time and in getting that first type to report typically what we'd recommend is a six-month report you mentioned three months sometimes there's a reason to do that especially if a client deadline is on the horizon but the I CPA I'd say they discourage that a little bit just because three months isn't a lot of time for those controls to operate and so some readers of the report might take might say there's limited value and a report shorter than six months but it definitely can be done yeah and for most companies the first year is really about transparency with your customers so if someone's forcing you to get a sock - and that's their expectation my advice is always be very transparent with them about where you're at in the process often will even provide a letter of engagement saying hey look they're going through that process so the client has knows that our clients are committed to this and if they want a three month four then let's go through that process but if they're okay of 
the six or twelve months, then let's do that. So just an open conversation and dialogue with all the impacted parties is usually the best way to figure that out.

Yeah, that's huge. I think really communicating that, we like to call it a roadmap to maturity, often solves a lot of the communication issues or expectations with clients. As long as they know that you've got something underway and you're working toward that now, they're usually accommodating. And then another great question I think that usually comes up is, you know, we have audit work that we're doing behind the scenes as the client provides evidence, but the client wants to know what kind of burden that's gonna put on my team to go through SOC 2, because there's costs associated with taking engineers or leadership out of pocket to go through walkthroughs or provide evidence. So, you know, you can kind of bounce through: what is the typical lift for a client when they're going through SOC 2?

Sure. So for new clients going through SOC 2, you know, we like to get kicked off with a set of walkthroughs, call that five to six walkthroughs, to really give us a lay of the land, understand the business. So that'll take, you know, some time from engineering, product management, security, HR. We usually try to keep those meetings around an hour, and that'll help us get to design. And then really the bulk of the effort is going to come in with remediation, and that's hard to know at the beginning, how much remediation will be needed. And the other piece is just providing that audit evidence. And so sometimes companies will centralize the collection of evidence to a single project manager, but sometimes they'll distribute that among their team. But I think kind of how we've broken down the effort estimation, it's probably fair for year one, over on the right-hand side there.

Yep. Yeah, so I think at the end of the day it's doable for most organizations. A lot of times I've had companies ask if they're gonna
need to hire a dedicated person to manage SOC 2, and I usually tell them no. You might want a part-time coordinator, like during the heat of the audit, like the week or two that we're actually doing the audit, but typically it can be distributed throughout the team. And we specifically use a GRC platform that we provide to clients that helps kind of manage that audit evidence, where we can exchange that and everybody can collaborate there, so that, I think, cuts down a lot only on the effort. But in general, very doable for a team. They don't need to hire additional people. They can kind of just share the responsibilities amongst the team and get to it pretty easily.

So that's kind of the nuts and bolts here. There are a lot of questions that often come up, CW, so I wanted to kind of add these and then have an opportunity to ask you about them, so for people who have the same question, we'll answer them. So we'll just go through a few of these. I think the most common question we get is, you know: all right, I'm completely cloud based, how does that impact my SOC 2?

Sure. And that's kind of the story of, I think, the modern company: you know, moving to the cloud or even, you know, being in the cloud from the outset. So how that impacts SOC 2 is we would consider those cloud service providers to be what's called a subservice organization, and that subservice organization would be operating some controls on behalf of the company. And so we would describe those in the report, what controls they may be operating on your behalf to meet the SOC 2 criteria, and then we would go ahead and carve out those controls and rely on that third party to provide the operation of those controls. So basically, at the end of the day, what that does is it reduces the scope and the effort for the company seeking certification or seeking that report.

Yep. So for me it makes it easier, if anything. If you're using AWS or one of those tools, there's endless tack-ons and
configurable things that will help you get through SOC 2, likely in a more efficient manner. So, what if my whole... This is in line with moving to the cloud: we have clients that do not have an office. They're completely distributed across the globe, everyone working from home. How does that impact SOC 2?

Sure. So we consider, you know, what's the nature of the risk around that. From a physical security perspective, often that's something where we might rely entirely on the cloud service provider for those controls to meet the criteria, because there's no office space, so there's no need for everything from a visitor log to badge access. So we would just consider, on a company-by-company basis, the nature of how the company is distributed, whether there's any on-prem or office space or shared office space, and then kind of assess the impact based on that.

And bottom line is, if you're completely remote, you can get a SOC 2 report. That's very common, not an issue at all. There's clients that we do the entire audit remotely, just like we're doing this webinar. Not an issue. And that comes to: do you have to come on-site? When do you need to come on-site to do the audit?

So if there is a physical location, we want to get on-site at least to do physical walkthroughs. Often that's a great time and opportunity for us to collaborate in person, which is very effective. But if a company doesn't have a physical presence, everyone's distributed remotely, we're often able to leverage videoconferencing and other tools to get what we need from an audit perspective. So I would say there's flexibility there depending on the nature of the business.

Yeah, absolutely. So I'm gonna do this last one. I'll skip around a little bit. So, you know, when you're doing some type of certification or a report, there's also additional things you have to do that come up, penetration testing being one of them. Sometimes there's other things. So if I'm achieving a SOC 2, should I also go ahead and budget for, plan for, having to
do pen testing if I'm not already doing that?

I would recommend it. That is one of the most common things we'll see as an external security assessment for the company, and even what we see in the marketplace is often that's something that is asked. It's like, okay, well, great, you've got governance, you've got controls around information security, what do you have from a technical testing standpoint? And often penetration testing is the best way to address that. You don't necessarily have to get one if you're doing some sort of other security assessment throughout the year, but often penetration testing is the lowest-hanging fruit, or the one that's expected from clients.

Yep, absolutely. I'm gonna skip around just a little bit because I think this one's important: what if I outsource development? Because we have these clients that either outsource entirely their whole development or partially, to get additional resources. How does that impact SOC 2?

Yeah, absolutely. So again, we would look at how that relationship is structured. Sometimes the outsourced development might be a subsidiary or sister company, or sometimes that might be a third party entirely with no shared governance. So in that case we would consider that company to be a third party, and we would consider what controls are in place and how the company is handling the vendor risk for outsourced development.

Yeah, so typically I think that manifests itself in the form of treating them like a vendor, so doing a lot of their due diligence around them, or treating them almost like an internal employee and forcing them to abide by your own security policies, in line with what they would do if they were internal. So here's one that everyone's wondering: how much does a SOC 2 report cost?

That is a great question, and the short answer is always: it depends. And why does it depend? Well, there's a few factors. Scope is a driver, so number of locations, number of systems or
products in scope, and also who are you getting the SOC report from. If you're gonna go with a Big Four accounting firm, often what you're paying for at that point is brand versus necessarily the nature of the work. So really the things I would recommend to companies to consider are: why are you getting the SOC report? Do you just need a report? Are you trying to implement a program? Do you want something that's sustainable? Do you need a brand on the report? So many reasons, right? But generally what I'd say as a planning factor is, you know, budget between 30 and 50K per year for SOC 2. Sometimes it's lower, sometimes it's higher, but that's usually the ballpark that we see for most SOC 2 reports.

Yeah, and I think we've seen some that are, if you're using the prestige of a very large firm, I would say you might see a 4x cost versus if you're using a boutique firm. So there's a lot of variability there. I think when shopping around, I always say, you know, choose at least three firms, which is not uncommon, but maybe choose a variety of firms within there. So maybe you choose a larger firm, kind of a middle-sized firm, and maybe a boutique firm in there, just to see what story they tell, what kind of clients they're working with, what the cost variances are, because, you know, there's a lot of good firms that are smaller firms that might suit those needs.

Yeah, and what I recommend too is, you know, ask how tactically that company may help you implement SOC 2 or advise around SOC 2, because there is a pretty broad spectrum as far as how companies tactically advise over SOC 2.

Well, since we're talking about it, I'll bounce to number 12: how do I choose a good audit firm partner? If you put your buying hat on and are helping advise the client, what are some of the things they should look for?

Yes. The first thing I would ask is, you know, who's the team I'm gonna get? What experience do they have with SOC 2? Do they advise over best practices? Do they customize my
design and controls to fit my company, or do I just get a generic set of controls that I'm forced to implement because that's the preference of the CPA firm? So really understanding how that works and how that might fit with my company's priorities is very important.

I mean, some of the things I would ask for: I'd want to speak to the team I'm actually gonna be working for, because a lot of times we're talking to a member of the sales team or a member of leadership who's done this a million times and they're fantastic, but then the people actually deployed on-site are totally different. So I'd want to know upfront who I'm working with. I love what you said about the advisory side of it: you know, how are they gonna be able to help advise you through that rather than just being a report shop? Also, like, what tools and technology do they have available to you? So like one of the things that we do is we have failings GRC that we provide for free to clients, so they get a whole GRC platform. We have a policy portal, so if they need templates along the way. You're doing a ton of advisory around consulting them to right-size their program and customize controls. That may be, that doesn't seem unique if you've never been through this, but most firms don't do any of that stuff, and some do have some version of that. So trying to identify those nuances of how they're gonna serve you, I think, is a really important part of it.

So let me do one more question here and we'll wrap up, CW. So what do I do if I have multiple requirements? So I have, you know, they have, you know, PCI, SOC 2, HIPAA, and how can SOC 2 help solve some of those problems?

Yeah, absolutely. So this is kind of a larger conversation around unified compliance, and I know you've done a webinar on that as well. But, you know, as companies grow, and often as industry changes, there are generally other compliance requirements that come down the pipeline, whether it's new customers asking for stuff, new industry norms and
expectations. GDPR was a big one that, you know, came down a few years ago that has forced companies to just change how they do business. So what we try to do is take a holistic approach to compliance and say, you know, what are the things that you want to do as a business? What are your business priorities? How does security fit into that? And then how can we streamline compliance as a supporting function of the business to help you achieve those objectives? So often, what does that look like? Well, aligning examination periods, audit periods, maybe leveraging SOC 2 to meet requirements around HIPAA or even HITRUST, in lieu of HITRUST, things like that. And so really that comes down to strategy, and I know that's something that you like talking about: you know, how do we unify things to support the business objectives?

Yeah, if people are interested in that, like you said, we did a webinar on that called the unified compliance revolution. Highly recommend reading through that if your company's becoming burdened with multiple compliance requirements. I think the bottom line is there's really a Venn diagram of security frameworks, that there's probably, you know, between 20 and 80 percent overlap depending on the framework, and they're using different words to say the same thing. And we're kind of inside baseball, so we know where those overlaps exist. So rather than auditing you four separate times, there's opportunities to audit someone one time and unify a framework and a program, so you get all of those reports but one work stream. And that's, I think, our strategy for clients that have a lot of different compliance requirements.

So thanks, CW. I'll pause there because I think we're gonna wrap this up. There's a few resources that I want to point everyone to. One is on our blog. There's a link there to it. You can go into the blog and search by the SOC category. I think we post something almost every week, kind of a nuance about SOC or how it's impacting the industry or even
detailed criteria, so a great resource for organizations looking for specific questions or just trying to educate themselves on SOC 2. Other resources: we have dozens of white papers out there that you can go read. We have SOC process overviews. If you're trying to put a business case together for your business, we have things around that. If you just want to understand the framework, we have some SOC framework overviews that dive into that. Also, if you want to reach out to Christian White, you can see his email there, Christian not white it was 360 com. He's our SOC 2 practice leader, subject matter expert. You can also reach out to myself there, Christian dehoyos 360 comm. And also check us out on YouTube. We have a lot of webinars. We try to post one every week where you can kind of listen as you drive and educate yourself. So thank you, CW, for your time. I appreciate you sharing your expertise.

Absolutely, thank you.

Thanks, everybody, for listening. All right.

Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.

How do I eSign a document before sending it?

airSlate SignNow allows document authors to eSign before sending it and even add signature fields for recipients if needed. Just upload your file, open it and create respective signature fields: My Signature to self sign a document and Signature Field to collect signatures. For self signing, you’ll need to generate your own eSignature. To do so, just apply the My Signature element and follow the instructions and either type, draw, or upload your signature. Once you like what you’ve generated, click Sign. After that, assign signature fields to recipients, add their emails, send it out and wait. Once everyone has signed, airSlate SignNow will automatically send each party an executed PDF copy.

How do I sign a paper, scan it, and upload it to my computer as a PDF?

There are two ways to get a signed PDF scanned and uploaded to your computer. You can print a paper document, find a scanner, and convert the image to Portable Document Format. Avoid paper messes and get documents signed in just a couple of clicks. Self-sign with the My Signature tool and create a legally-binding eSignature without printing or scanning.

How do you sign a PDF with your mouse?

You can get your PDFs signed with your mouse in a couple of clicks. Log in to your airSlate SignNow account, upload a document, open it in the editor, and select the My Signature tool. From three available options, choose Draw Your Signature. Then, left-click, draw your autograph, and click Sign. Then, adjust its placement and size. Select OK to apply the changes and export the document.