What does SOC2 Compliance mean?

Wiredrive is SOC2 Compliant

Wiredrive has completed a SSAE16 SOC2 Audit.  We take your data and privacy very serious, and have implemented the required controls throughout the company.   

What is SOC2 and why is it important?

Service Organization Control (SOC) reports are becoming increasingly popular in data security and compliance discussions, specifically SOC2. According to ssae16.org, SOC2 is “designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations.” SOC1 reports focus on financial transactions that companies make while SOC2 reports on the security behind those transactions. With data breaches and sensitive assets potentially getting leaked or jeopardized, having SOC2 compliance is crucial for data storage and file sharing companies to provide documentation showing they are secure and compliant.

Lessons learned

We thought we would share some of the trials and tribulations of achieving SSAE16 SOC2 compliance. Changing the focus of the company to security first was not only a technology and process change, but also a cultural change. Implementing everything necessary in a way that did not disrupt the day to day of the company has been a tricky but very effective way to achieve our goals.

Formalized is better than ad-hoc

Like many companies, we are lucky to have a great TechOps team, who also understands security, so many of the things we were doing were already secure.  What the SOC2 audit taught us is that we need to have repeatable processes that we can show are being done.  In other words, we needed to formalize all of the great, yet ad-hoc, things we were doing around security. 

For instance, we had a robust off boarding procedure which ensured we could remove access for users that left the company, but this was passed around different areas of the company.  The SOC2 audit made us standardize the process In such a way that there is one thread which is called “offboarding” which is recorded and tracked.  This not only made us more secure and ensured we would pass the audit, it made us more efficient.

Implementing process without change

One of the easiest things we had to do was document processes that were already in place.  Going through the process, the first pass was to document what was already happening.  From very small tasks, to a complete change management and development lifecycle documentation.  From there, we made a series of small changes to put the processes in alignment with the SOC2 standard.  Repeating this over and over again, across the entire company, we slowly changed the culture of the company to be security focused.

Training can be fun

Secure awareness training is an important part of the process.  Making the staff watch videos and answer questions certainly has it’s place, but it’s not everything.  We tried to make the training as fun as possible. Working with a vendor, we tried social engineering, on-premise hacking, and phishing with serious and ridiculous emails. Always trying to do it with a bit of humor and a lighthearted attitude helped change the culture.  Now, when a real attack comes our way, it’s caught and dealt with quickly and efficiently.

Hero_20930183_max

Shining a light in the dark corners

Undergoing any kind of audit, as painful as it can be, illuminates some of those dark corners that you haven’t looked at in a while.  This is especially relevant with an Information Security audit, where those dark corners might have things that could be exploited because they aren’t being looked at or maintained.  The SOC2 audit allowed us to ensure we had a tight, clean environment that we were operating within.

Compliance is not security

The SOC2 audit also reminds us of something that is oft-repeated in cyber security today: getting compliant with a certain standard is not the same as practicing modern cyber security principles.  As thorough as the SOC2 audit is, it still doesn’t cover everything and there is always room for improvement.  At Wiredrive, the security of our systems is of utmost importance, so we are constantly striving to find ways to improve our security and provide peace of mind to our customer that their sensitive assets are safe, independent of the audits that we may undergo. 

To read more about our security practices and compliance, visit wiredrive.com/security.

By Daniel Bondurant

Tags: ,