In today’s world, Information Security is a top concern for all, especially for businesses. As per this 2020 report, every minute, $11.4M is lost to cybercrime. Leading companies are paying $25/minute to thwart cyber attacks. And this is just the financial cost of a breach. The less tangible factors, like diminishing brand value and declining customer trust, increase the overall cost to dizzying numbers. SOC 2 compliance ensures that organizations take measures to prevent cybercrime.
On the one hand, the rate of attacks and the cost per attack is going up. On the other, organizations in this increasingly remote post-pandemic world rely on tools and products to help build the functions of marketing, customer success, sales, product, and finance. That means, on average, an organization of 1000 employees uses 100 to 250 SaaS products. As a result, more customer data is being shared with 3rd parties than ever before. While this SaaS proliferation has helped businesses scale, it has put tremendous pressure on information security teams.
How can information security teams ensure that all the 3rd party merchants have equally strong security and Data-leakage prevention posture? Building and maintaining a security Request for Proposal (RFP) document for each vendor is becoming impossible by the day.
What is SOC 2?
A SOC 2 compliance report qualifies an organization to have strong systems and processes in place to better handle sensitive information. If an organization is SOC 2 certified, it means that the business has controls in place on five Trust Service Principles (AICPA):
- Processing Integrity
The SOC 2 audit report is for users and businesses that need assurance about the controls present at an organization relevant to the security, availability, and processing integrity of the systems. These reports can play an essential role in:
- Organization Oversight
- Vendor Management
- Internal corporate governance
- Risk Management
- Regulatory oversight
How We Started our SOC 2 Compliance Journey
Security is a foundational primitive at Quolum, and we need to communicate this commitment to our customers. A SOC 2 compliance audit certificate was a great way to announce to the world this commitment.
All of our team members have had run-ins with SOC 2 in the past. We all understood that if we did not follow a structured approach to getting to the audit, it would take us months of collective effort. We needed to optimize. Else setting for this audit would take precious time from building a value-driven product for our customers.
As we were gearing up for the commercial launch of our product, we started looking for solutions that would drastically reduce our time to get to audit.
We shortlisted three vendors who could help us achieve this goal. Eventually, due to product superiority, the promise of experts to guide us, and compliance coverage, we went ahead with Tugboat Logic. Looking back, Tugboat turned out to be a great partner in our SOC 2 compliance journey.
Before we get into how we set up the SOC 2 compliance project, let us explain a few crucial terminologies relevant to SOC 2.
- Polices: SOC 2 compliance audits include the review of organizational policies. These are policies that are formally documented, reviewed, and accepted within an organization.
- Procedures: Procedures are documents that describe how the organization adheres to the policies.
- Controls: Controls are the organization’s implementation of the systems that adhere to SOC 2 principles.
- Evidence: An evidence is a proof that the control in question is implemented by an organization
With Tugboat, we could get policy templates as guidelines to help us frame and document our organization’s InfoSec Document. Since we had the templates to guide us, these policies were framed, reviewed, and approved in a matter of days. It would have taken us weeks and a consultant’s time to build this document if not for the templates.
For controls–We were set up with a Readiness project that asked how our organization operates. Based on that, Tugboat identified a total of 75 controls that we needed to implement. We reviewed these controls between our dev, IT, HR, and operations team. The controls that were not implemented were set up as tasks for each team. Within a few weeks, all of the controls were implemented.
One of the most tedious tasks of any SOC 2 compliance audit is collecting and presenting evidence: Proof that the control in question has been implemented and implemented correctly. We had three ways to collect evidence, and we used all of them.
- Automated integrations: Since we are hosted on AWS, most of our cloud and security setup evidence was auto-collected by integrating our AWS account with the Tugboat account.
- Partial Automation: Using Tugboat’s chrome extension, we were able to manually take screenshots of evidence and map it to the right control
- Manual: For some controls, we manually gathered evidence and uploaded them against controls in Tugboat.
The audit also accomplished this exercise of evidence collection in a matter of days. And we saved 15-20 hours of manually tagging evidence to each control.
Traditionally, a SOC 2 compliance audit requires that the auditor come into the office for multiple days, sit with multiple stakeholders going through all the evidence, raise questions, ask for more proof, and possibly invite even more stakeholders into these meetings. All this would hold up critical business operations for at least 3-5 days.
In the world of asynchronous communication and optimization, this was unacceptable to our team. We got our auditors onboard, trained them on the tool for a day, provided them with auditor access to the tool. The auditor could then carry on with their audit while the rest of us continued business as usual.
If there was any insufficient evidence, policy not clear, or control not implemented; the auditor reached out to us by raising a request for more information on the tool itself. We would collect the information required and share it with the auditor within a 24-hour window.
We could complete the audit within a business week without holding a single meeting with the auditor even once with this optimization.
As of September 13, 2021, our auditor signed the audit report, making us SOC 2 Type 1 compliant.
How much time did we save with Tugboat?
Before going for a tool, back in December 2020, we had run an estimate of how much time and dollars it would take us to complete the SOC 2 compliance certification.
|Task||ETA without Tugboat||Time taken with Tugboat||External Consultant and legal fees saved|
|Policy Documentation (21 policies)||50 hours (4 hours per policy)||10 hours||$2500 ($250/hour for 10 hours of legal counsel)|
|Controls Template Listing + understanding each control||75 hours (1 hour per control)||10 hours (Templatized controls)||$1000 ($100/hour for 10 hours of security consultant)|
|Evidence collection||300 hours(4 hours per control)||50 hours (several pieces of evidence were auto-collected via integrations)||$7500 ($30/hour for 250 hours of company time)|
|Audit||40 hours (It would take a week’s sitting with the auditor to complete the audit)||2 hours (Entire Audit was asynchronous. Only two calls were required during the entire audit cycle)||$3800 ($100/hour for 38 hours of auditor time)|
Other Immediate Savings
Although we chose Tugboat for compliance, our ROI was achieved even before the SOC 2 compliance initiative kick-started. When we started our fintech journey in Dec 2020, our partner banks and our issuing processor wanted an almost impossible set of compliance documents and policies to be drafted. Having signed up with Tugboat, we saved close to 20 hours of our own time and $15K in lawyer fees. This was because all these policies were templatized on Tugboat. We just needed to tune them to our business.
Right from building a password-less application for customer onboarding to ensuring that our application runs on a modern Serverless stack, we have completed the following compliances to date:
- SOC 2 Type 1 Compliance
- OWASP Top 10
- Privacy Shield
The SOC 2 Type 1 certification continues to show our commitment towards providing a product that ensures that our application complies with the highest standard of data security and privacy. We have a roadmap of other compliances that we are planning to execute in 2022. Stay tuned.