Coalfire-Research/SOC2-guide
SOC2 Guide

SOC 2 is a security standard written by the American Institute of Certified Public Accountants (AICPA).

Reading Material

Overview: SOC 2 compliance guide for startup

In depth: The Ultimate Guide to SOC 2 Compliance

Budget & Costs

Expect to spend $30-$50 CAD in the first year getting started.

Timeline

  • 1-3 Months prep
  • 1-2 Months Report Prep after Audit/Observation Period

Type 1

  • Pick a point in time

Type 2

  • 3-month observation period possible in the first year
  • 6-month observation period

Decisions

Type 1 or Type 2.

"In a SOC 2 Type 1 audit, a startup defines its best practices. Type 1 essentially presents a snapshot of security controls at a certain point in time. It collects evidence that shows the security controls that have been put in place and how the company is fulfilling them."

"In a SOC 2 Type 2 audit, a startup produces a sample set of evidence that proves its security controls have been followed over time. Type 2 is a six-month to a year longitudinal audit that evaluates the constancy of controls through the lens of security."

Scope of Audit

What parts of the company will be SOC 2 compliant? Maybe exclude your marketing efforts.

Tools

✅ marks the tools we used.

Audit Prep: Vanta

Background checks:

  • Certn
    • Vanta integration

Password Manager:

  • 1Password
    • $12 CAD/month/user paid monthly
    • Need to go with the Business plan (not Teams) to get access to the team-wide password/security tools we needed
    • Use 1password.ca for data storage in Canada 🇨🇦
  • LastPass

Vendor Assessment:

Single Sign On:

  • GSuite ✅
    • Vanta integration
  • Okta
  • OneLogin

Pentesting:

Security Monitoring:

Security Training:

Auditors:

  • Barr Advisory ✅
    • Vanta Referral

Auditable Infrastructure:

  • Terraform ✅
  • AWS ✅
    • Vanta integration
  • Heroku
  • Google Cloud

MFA/2FA:

  • Google Authenticator App ✅
  • Yubico Key

Staff Security Training:

  • Cybrary
    • Recommended by Vanta
    • Free if self registered

Vulnerability Scanning - Internal

Scanning packages and dependencies for vulnerabilities.

  • GitHub Security (Dependabot) ✅
  • Ruby Advisory Database via Bundler Audit gem ✅
  • Vanta ✅
  • Yarn Audit ✅
  • NPM Audit via audit-ci package ✅
  • Snyk ✅
  • Trivy ✅
  • AWS ECR Container Scanning ✅

Review Password Requirements of Vendors

Plan & Notes

  • Migrating from Public & Private Heroku spaces -> AWS
    • Worked with contractors to accelerate the migration so that internal focus and the roadmap were disrupted as little as possible

Vendor Security Locations/Links

Google Workspace & Cloud

Freshworks

Heroku

Slack

AWS

  • https://aws.amazon.com/compliance/soc-faqs/
  • Self Service via AWS Artifact
  • SOC 2 self service available, NDA required
  • AWS SOC 3 Security, Availability & Confidentiality Report, publicly available as a whitepaper.
  • AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from AWS Artifact.

Certn

Mailchimp

CloudConvert

Twilio

Github

CloudFlare

Wistia

AWS Specific Configuration Considerations

Guides for Expected Configuration

About

Documenting SOC 2 tools and processes
