As a startup, you’re doing a million things at once: building a product, answering customer tickets, developing a sales playbook, trying out different marketing hacks, and keeping the lights on. Security, besides having a password that isn’t “password123”, is probably not a major priority.
That is, until you’ve got a major enterprise deal close to the finish line. Except they’re starting to ask questions about your security controls and if you have this thing called a SOC 2 report.
You’re now pulling engineers to answer security questionnaires, and you’ve just learned that getting a SOC 2 report will take 6-8 months to prepare for the audit, plus another 6-12 months to complete the audit itself. And your prospect will not sign without a report. Deal: closed-lost.
The reality is all large companies, and more and more mid-market companies, will require a SOC 2 report from their vendors. Unfortunately, the process is long and can feel like a black box for startups starting from scratch. At Secureframe, we help companies get enterprise ready by streamlining SOC 2 compliance and get them ready within weeks, rather than months.
There’s a lot to do to become SOC 2 compliant and unlock enterprise customers; there are over 200 security requirements. However, we wanted to share 5 security changes you can make today to help you streamline the process down the line.
1 – Schedule a Penetration Test
A penetration test (often called a pen test) is a simulated attack by a third party to expose vulnerabilities in a company’s infrastructure, systems, and applications. Once you’ve selected a pen test provider, they’ll identify potential vulnerabilities in your systems, exploit them, and provide you with a report of their findings and ways to resolve any vulnerabilities found.
Services such as Federacy, Cobalt, HackerOne, and NCC Group can be used for your pen test. It’ll take 2-4 weeks to complete. While a pen test isn’t a firm SOC 2 requirement, most SOC 2 reports include one, many auditors require one, and customers often request one.
2 – Set up Single Sign-on and a Password Management System
SOC 2 requires that companies have multi-factor authentication on critical systems and infrastructure, and policies for password strength and management. Meet this requirement by setting up single sign-on and two-factor authentication wherever possible, and use a password management system.
Some well-known providers of SSO include Google Cloud Identity for companies using G Suite, Azure Active Directory for companies using Office 365, and Okta if you’re a larger company with more complex needs.
For password management, 1Password and LastPass are popular options.
3 – Get a Mobile Device Management (MDM) Solution
SOC 2 requires companies to have policies and processes in place for access control and termination, asset inventory management, and device encryption. An MDM solution is a great way to meet these requirements.
Some popular MDM solutions are Fleetsmith (Mac), Jamf Now or Pro (Mac), Microsoft Intune (Mac, Windows), Hexnode (Mac, Windows), and JumpCloud (Mac, PC, Linux).
4 – Set up a Version Control System with Security Best Practices in Mind
SOC 2 has many requirements around your version control system and how you review code. We’ll assume you’re already using a system like GitHub, GitLab, or Bitbucket. Follow our recommendations below, always review code with security in mind, and you’ll be good to go.
If you need a Pull Request Template, here is ours.
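One concrete way to verify that your default branch actually enforces code review is to compare its protection rule against a small baseline. The script below is an added example, not Secureframe’s recommendations or code. The input dictionaries are constructed samples whose field names are modeled on the shape of the GitHub branch-protection REST response (an assumption; adapt the keys for GitLab or Bitbucket), and the baseline itself (required reviews, stale-approval dismissal, required status checks, no admin bypass, no force pushes or deletions) is a common starting point rather than a SOC 2 rule.

```python
"""Check a default-branch protection rule against a code-review baseline.

Added example, not the page's or Secureframe's own code. The dict layout is
assumed to follow GitHub's branch-protection API response; verify the field
names against your provider before wiring this to live API output.
"""
from dataclasses import dataclass

# Constructed sample: a lightly configured default branch.
WEAK_PROTECTION = {
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: the same branch after tightening the rule.
HARDENED_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


@dataclass
class Finding:
    control: str  # short label for the control that is not met
    detail: str   # human-readable explanation for the auditor/engineer


def _get(d, *path, default=None):
    """Walk nested dicts safely; return `default` if any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def check_branch_protection(prot: dict, min_reviews: int = 1) -> list:
    """Return the gaps between `prot` and the baseline (empty list = compliant)."""
    findings = []
    if not prot:
        return [Finding("branch-protection", "default branch has no protection rule")]

    reviews = _get(prot, "required_pull_request_reviews")
    if reviews is None:
        findings.append(Finding("pr-review", "merges do not require a pull request review"))
    else:
        count = _get(reviews, "required_approving_review_count", default=0)
        if count < min_reviews:
            findings.append(Finding("pr-review",
                                    f"requires {count} approving review(s); baseline is {min_reviews}"))
        if not _get(reviews, "dismiss_stale_reviews", default=False):
            findings.append(Finding("pr-review", "approvals survive new commits pushed after review"))

    checks = _get(prot, "required_status_checks")
    if checks is None or not _get(checks, "contexts", default=[]):
        findings.append(Finding("status-checks", "no required status checks (tests/scanners) before merge"))
    elif not _get(checks, "strict", default=False):
        findings.append(Finding("status-checks", "branch need not be up to date with base before merge"))

    if not _get(prot, "enforce_admins", "enabled", default=False):
        findings.append(Finding("enforce-admins", "administrators can bypass the rule"))
    if _get(prot, "allow_force_pushes", "enabled", default=False):
        findings.append(Finding("history", "force pushes allowed; history can be rewritten"))
    if _get(prot, "allow_deletions", "enabled", default=False):
        findings.append(Finding("history", "branch deletion allowed"))
    return findings


def is_compliant(prot: dict, min_reviews: int = 1) -> bool:
    return not check_branch_protection(prot, min_reviews)


if __name__ == "__main__":
    for name, rule in (("weak", WEAK_PROTECTION), ("hardened", HARDENED_PROTECTION)):
        print(f"== {name}: {'OK' if is_compliant(rule) else 'gaps found'}")
        for f in check_branch_protection(rule):
            print(f"  [{f.control}] {f.detail}")
```

Run against the weak sample it reports four gaps (stale approvals kept, non-strict status checks, admin bypass, force pushes), and none against the hardened one. Feeding it the live API response for each repository’s default branch turns “we review code” into evidence you can hand to an auditor, and the same structure extends naturally to other review controls such as code-owner requirements.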
5 – Configure Your Infrastructure
While there are many steps to getting your infrastructure setup ready for a SOC 2 audit, below are some simple settings you can start with, if you’re using AWS or GCP (Secureframe also supports Azure).
By implementing these 5 security changes, you’ll have finished some of the more time-consuming elements of getting SOC 2 ready. However, you’ll still have to find an auditor, set up your policies and controls, collect information about your organization and its internal processes, review all your vendors, collect evidence, run security awareness training for your employees, and more.
Blog post sponsored by Secureframe