SOC 2 compliance is one of the most common customer use cases we come across at Threat Stack. Developed by the American Institute of CPAs (AICPA), the framework is designed for service providers storing customer data in the cloud, and SaaS companies among others often turn to us as they begin to feel overwhelmed by the requirements.
Having undergone a Type 2 SOC 2 examination ourselves, Threat Stack’s Vice President of Technical Operations, Pete Cheslock, and Senior Infrastructure Security Engineer, Pat Cable, gathered for a webinar recently to discuss exactly what we did to achieve SOC 2 compliance with zero exceptions.
Analyzing the Gaps
Before undergoing a compliance exam, we brought in a third-party auditing firm (Schellman & Company) to see exactly where we were falling short. This can be an enlightening process for any company as you become aware of basic business requirements that aren’t necessarily tech related — making sure that job descriptions match up with reality, that financial controls are in place, for example.
Since we were already using Jira for business operations and some engineering, we defined it as the source of truth for the entire SOC 2 auditing process, though you may choose to use other software for documentation, such as GitHub Issues or Trello. While it’s possible to use multiple sources for tracking work, this may cause headaches when it’s time to submit your documentation to auditors, so we suggest sticking to one.
Making the Most of SOC 2
We decided that the goal of compliance for Threat Stack would be to go beyond the audit’s seal of approval, to achieve overall improvement of processes and standards throughout the organization. We wanted to integrate some of the key processes and workflows involved in SOC 2 compliance into our engineering, sales, business, and other operating processes. Because some employees were understandably anxious about the changes that compliance would bring about, it was important for us to explain our overall business goals in order to get all stakeholders on board.
The Trial Run
With suggestions from the auditing firm in hand, we then underwent an extensive internal self-evaluation in preparation for the actual SOC 2 exam. While there was nothing truly wrong before we began our internal review, we decided to endure short-term pain for long-term value as we evaluated, improved, and optimized internal processes.
One of the main pain points we discovered during this period was a disconnect between our engineering team’s tickets and the output or code associated with those tickets. Threat Stack was growing quickly, and with the addition of more people and more code, we knew we would have to adjust work processes in order to keep track of everything. Namely, we would need to follow a defined ticketing and change management process and deploy code only when it was ready.
Automating With sockembot
To help, we developed sockembot to provide visibility into the entire SOC 2 change management process and to automate away some of the pain points that we found during our test period. The bot became a highly effective way to check compliance at every stage of our gating process.
Before any code is released into production, sockembot displays a helpful message tying together everything we need to know about the code’s compliance status in a digest. If the code is compliant, sockembot outputs a digest that allows the user to inspect the changes that are about to be shipped into production. If the code is not compliant, sockembot blocks the noncompliant code from being shipped to production.
Our new software enabled operations to move faster and created tremendous peace of mind about our compliance status as we entered into our six-month SOC 2 examination period.
As the title of our webinar indicates, the changes we put in place allowed us to achieve compliance with zero exceptions. In doing so, we had to consider how to modify the Threat Stack platform in ways that meet compliance requirements and also results in improvements on the backend. During the process, we were able to identify and deal with a number of issues that enabled us to improve the product, operations, and overall security.
On a broader level, undertaking a Type 2 SOC 2 audit gave us the opportunity to document all of our processes and improve on them. By achieving SOC 2 compliance in the way we did, Threat Stack is letting everyone know that the platform, the people behind it, and the processes in place can be trusted to continuously adhere to strenuous compliance standards.
Many of our customers have found that Threat Stack can help them improve their operations, strengthen their security, and achieve SOC 2 compliance, relying on the platform’s capabilities that include file integrity monitoring, intrusion detection, and specific out-of-the-box rulesets. These not only serve as a way to help you achieve continuous SOC 2 compliance, but also help to improve and strengthen your security posture over time.
If you’re interested in learning more about how Threat Stack can help your organization improve the maturity of its security and operations, take our Cloud SecOps Maturity Assessment.