Page 24 - Cyber Defense eMagazine January 2024

•  Access controls
•  Vulnerability scanning and monitoring.

In 2021, Aidentified began our SOC 2 journey and obtained our SOC 2 Type 2 attestation. This accomplishment is a significant milestone for a small company, and you may be interested in how we achieved and continue to achieve SOC 2 compliance.



Here are key takeaways for small and mid-size companies with respect to the SOC 2 compliance process:

•  Once your company has determined that it wants to pursue SOC 2 compliance, it is important to pick your SOC 2 partners and tools.

Not all tools are created equal; choose yours carefully. Aidentified partnered with Vanta as our Governance, Risk and Compliance (“GRC”) SOC 2 compliance tool. GRC tools are very helpful, especially for small and mid-size companies, in implementing and monitoring internal security programs with appropriate policies, security training, monitoring of devices, testing of software vulnerabilities, vendor management and more. Aidentified also interviewed and selected independent SOC 2 auditors, Geels Norton, very early on in our SOC 2 journey. Make sure your auditor aligns well with your team and tools and is willing to provide advisory services as you build out your SOC 2 program. Our auditors, for example, are adept at working with technology start-ups and are also a preferred assessor for Microsoft.


•  Make sure you have buy-in for SOC 2 compliance at all levels of the company, including your Board of Directors.

Becoming SOC 2 compliant typically entails widespread changes to how you implement your internal company processes. Your company needs to understand this and should be committed, at all levels and across all teams, to prioritizing SOC 2 requirements – from HR to customer service, to product and technology.

•  Choose your SOC 2 team wisely.

You do not necessarily need employees with dedicated information security titles to put a SOC 2 team together. You will need your Chief Technology Officer and designated security personnel on your technology team and, at a minimum, a program manager. This person can be a dedicated operations/legal operations resource, supported by one or two non-technology back-end process resources. Aidentified also benefitted from the assistance of a compliance security consultant.

•  Once you receive your first SOC 2 attestation, make sure you continue to monitor and improve your internal processes.

Do not make the mistake of becoming complacent once the first attestation is achieved. Continue to schedule your regular security review meetings, your access reviews, policy updates and SOC 2 remediation check-ins based on the priorities included in your management letter to-dos.






Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.