4 Things You Need to Know About SOC 2 Compliance

Compliance isn’t as simple as a connect-the-dots exercise. When you consider how fast companies are moving to and expanding in the cloud, and then take into account the proliferation of cloud-based security threats, compliance can be a little dizzying. We’re here to break down the complexities of compliance requirements for you, starting with SOC 2.

SOC 2 is one of the more common compliance requirements technology companies must meet today. But what does SOC 2 compliance mean, and how can you go about achieving it? In this post, we break down the four most important things you need to know. Read more “4 Things You Need to Know About SOC 2 Compliance”

Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!

For the second year in a row Threat Stack has achieved Type 2 SOC 2 Compliance in Security and Availability with zero exceptions. We’re justifiably proud of this accomplishment, which underscores our ongoing commitment to rigorous security standards and our ability to maintain them in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

To an outsider, there’s no apparent difference between our 2017 and 2018 results. Threat Stack is Type 2 SOC 2 compliant in Security and Availability. CHECK AND CHECK. But under the hood, there’s a lot more to the story. The differences between the processes we used in 2017 and the way we optimized these in 2018 are significant, as are the differences in the personnel who took part in the two SOC 2 initiatives. So in this post, we’re going to talk about some of the lessons we learned and the changes we made in order to achieve the same results in an even more rigorous and efficient manner. Read more “Threat Stack Successfully Completes Type 2 SOC 2 Examination With Zero Exceptions — Again!”

Top Compliance Pain Points by Industry

Whether you are adhering to mandatory regulations or voluntary cybersecurity frameworks, taking compliance seriously can be a huge boon to your organization. It can help you avoid costly penalties, signal to your customers that you’re serious about security, and improve your organization’s overall security maturity. Meeting compliance requirements can also help open your business up to new markets, whether you’re targeting specific industry verticals or going after international customers, and finally, it can speed up your sales process along the way.

But let’s be honest: Compliance can seem like a necessary evil. It’s time consuming and complex, and it can be a huge pain in the you-know-what. Just because the benefits outweigh the costs doesn’t make the process any less painful.

Certain frameworks make their pain felt across industries. GDPR, for example, applies to any organization doing business even nominally in Europe and requires notification of a breach within 72 hours. SOC 2 is a rigorous standard that applies to any company operating in the cloud, and one of the main challenges for Threat Stack in achieving SOC 2 compliance was eliminating the disconnect between our engineering team’s tickets and the code associated with those tickets.

Other compliance frameworks reserve their pain for specific industries, and those can feel especially burdensome. What are the main pain points by industry, and, more importantly, how can you mitigate them? We dig into the specifics below. Read more “Top Compliance Pain Points by Industry”

How to Achieve Type 2 SOC 2 With Zero Exceptions — Webinar Recap

SOC 2 compliance is one of the most common customer use cases we come across at Threat Stack. Developed by the American Institute of CPAs (AICPA), the framework is designed for service providers storing customer data in the cloud, and SaaS companies among others often turn to us as they begin to feel overwhelmed by the requirements.

Having undergone a Type 2 SOC 2 examination ourselves, Threat Stack’s Vice President of Technical Operations Pete Cheslock, and Senior Infrastructure Security Engineer Pat Cable, gathered for a webinar recently to discuss exactly what we did to achieve SOC 2 compliance with zero exceptions. Read the recap below, or listen to the full webinar here. Read more “How to Achieve Type 2 SOC 2 With Zero Exceptions — Webinar Recap”

sockembot: How Threat Stack Added Automation & Visibility to its SOC 2 Change Management Process

At Threat Stack, we often talk about visibility. We have promoted visibility from an operations perspective and have given our customers visibility into their environments through our intrusion detection platform. But when it comes to change management, how do we give ourselves the same level of visibility into our internal process changes at Threat Stack? This became a very real question as we decided to roll out our Type 2 SOC 2 program over the last year, and the answer turned out to be sockembot —  an automated SOC 2 compliance checking bot that we describe in this blog post. Read more “sockembot: How Threat Stack Added Automation & Visibility to its SOC 2 Change Management Process”

How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches

SOC 2, which was developed by the American Institute of CPAs (AICPA), is specifically designed for service providers storing customer data in the cloud, which means that it applies to nearly every SaaS company operating today.

So, what is SOC 2 exactly? While the framework is a technical audit, it goes above and beyond this to require that companies establish and follow strict information security policies and procedures. The criteria for developing these policies and procedures is based on five “trust service principles” to ensure:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy of customer data

Compliance can be evaluated by independent auditors who assess a company’s ability to comply with these five principles.

SOC 2 is one of the more common requirements that SaaS companies must meet, but that doesn’t make compliance any simpler or dealing with an audit any less exacting. In this post we have laid out the most important requirements and the steps you should take to become compliant quickly in order to stay out of trouble with auditors and compete in a crowded SaaS market. Read more “How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches”

Threat Stack Successfully Completes Type 2 SOC 2 Examination

Threat Stack is proud to announce that we have successfully completed a Type 2 SOC 2 examination for the Security and Availability principles with Schellman & Co for our intrusion detection platform and Oversight Managed Service.

This accomplishment is especially exciting for the Threat Stack team because we were able to pass our first SOC 2 examination with zero exceptions — without having taken the organization through any similar experiences before — underscoring our commitment to maintaining rigorous security standards in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

In this post, we want to share highlights of Threat Stack’s SOC 2 journey — why we chose this standard, the process we followed, and our commitment to our customers. In upcoming posts we’ll provide more detailed specifics as our customers go through similar journeys. Read more “Threat Stack Successfully Completes Type 2 SOC 2 Examination”

9 Common Questions About SOC 2 Compliance

SOC 2 compliance is a crucial framework for technology and cloud computing companies today. As with many other compliance mandates, it is not a simple connect-the-dots proposition, but rather a complex set of requirements that must be reviewed and carefully addressed. But it doesn’t have to be overwhelming. Below, we’ll break down nine of the most common basic questions that we hear about SOC 2. Think of it as a 101 on SOC 2.

Read more “9 Common Questions About SOC 2 Compliance”