Weekly or even daily calls with your team
Our SOC2 consulting and implementation experts work closely with your management, IT, and engineering teams to get your organization through its SOC2 audit. Strictly speaking, SOC2 is an attestation report issued by your auditor rather than a certificate, but the goal is the same: a report with no exceptions.
Collaboration with your external SOC2 auditors
We work together with your SOC2 auditors, participate in all calls and meetings, and make sure the changes you make in response to findings are effective and efficient, not merely compliant.
Our SOC2 Preparedness service is a good place to start: it highlights weaknesses in your IT infrastructure that could leave you exposed to a damaging cyber attack, before an auditor finds them.
Our SOC2 preparedness service examines your IT administration practices and current setup against the AICPA Trust Services Criteria as they apply to a SOC2 Type 1 report. We prioritize recommendations according to the risk each gap poses to your business, so the most urgent fixes land first and you can focus on running the business while the rest are scheduled.
A SOC2 Preparedness assessment checks how resilient the core of your IT infrastructure and your applications are to an attack or to human error. Its scope depends on the size of your company and your objectives; for some clients it amounts to a comprehensive security review of all IT assets.
We audit the controls in place, and note where expected controls are absent. Controls may be administrative (the practices your administrators follow), technical, or physical.
Planning for the project
Before starting your preparedness process, we always have a series of preparation meetings with company executives and IT administrative personnel.
These meetings establish the reasons behind your SOC2 effort and your strategic security objectives. Is your desire to become SOC2 compliant driven by your clients? Were you the victim of a security breach? Or do you want full visibility into how prepared you are for a hacking attempt?
Here is our SOC2 Readiness Process:
“Give me six hours to chop down a tree and I will spend the first four sharpening my ax.”
― Abraham Lincoln
Besides the mandatory pre-audit meetings with management, the client usually has to complete some internal preparation before the assessment starts.
On the client’s side, the following items need to be taken care of:
Technical details also need to be settled up front: what the assessor is allowed to access, what information they may request as evidence, and how that evidence will be stored and analyzed safely. Audit evidence is a map of your weakest points, so it deserves the same protection as any other sensitive data.
Communication is key in every business process.
Security assessments are no exception, and they add a few extra requirements and dependencies of their own.
Do you suspect a security breach occurred before the assessment was initiated? Could the attackers be reading internal email? In that case, most audit-related communication needs to happen outside your corporate network: over the phone or via a secure instant messaging service, never through the corporate email system that may already be compromised.
There are several key stages during which communication is key:
The report you receive sometimes tends to heat up political discussions and start a round of blame for the faults discovered. This is not productive.
We encourage our customers to see the report as an opportunity to get better at everything they do and beat their competition at it. Rest assured, if we assessed your competitors we would likely find similar or worse findings. So be glad you were the first to discover your faults, and get ready to be the first to fix them.
Your SOC2 Preparedness report contains an executive section for senior management and a technical section for IT and security personnel.
The executive section focuses on the business impact of the findings and on prioritization advice. This lets management request that specific actions be expedited, and makes clear their own responsibility to fund the effort, which sometimes means hiring additional staff.
The technical section of the report is split into High, Medium, and Low criticality findings.
Each finding is paired with advice on fixing it. Focus on the fix rather than on who is to blame for the finding; that is the only productive way to read and act on your security assessment report.
Yes, depending on your IT team's availability and on how quickly your organization can adopt change. SOC2 preparedness typically requires a few hundred changes across your processes, practices, and technology, so the timeline is set by how fast you can implement them.
The cost of your SOC2 preparedness depends on the time it takes and on how much involvement is needed from our side. We can either guide your team or help implement the required changes ourselves, and that choice affects the price.