We looked at a dozen companies that became SOC 2 compliant in the last 12 months, and compiled a list of 7 compliance mistakes they wish they had not made.
Compliance mistakes that have already been made.
The first category is related to mistakes that have already been made by a business before making the decision to become compliant:
- The Super Admin View: Having an internal admin tool that can view and modify customer data without fine-grained permissions will be frowned upon and is very difficult to justify. Your employees will rely on it to do their jobs, and taking it back is very difficult. Sales will use it for lead-gen purposes, Product to build a roadmap, Engineering for debugging, Customer Success to help with onboarding. Auditors frown upon these tools because there is rarely any access control or any log that lets you review what an employee did. It gets even worse when the tool has write access and any employee can change data without anyone knowing.
- Manually managed infrastructure: Not having a tool to manage your infrastructure is a problem. With AWS it is so easy to configure everything with clicks in the admin console, without any accountability. Implement CloudFormation, Pulumi, or Terraform early on, and follow the same processes as the rest of your engineering department: pull requests, code review, and separate environments to test in (staging vs. production). Infrastructure as code makes auditing much easier.
- Exporting production data to laptops for development purposes: SOC2 is now accessible to small businesses running in the cloud thanks to the controls already put in place by AWS or GCP. By exporting data to a laptop you leave that secure environment and add your laptops to the scope of the audit.
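As an added illustration of what the Super Admin View item above asks for (example code written for this page, not from the original post): a minimal admin-tool access layer in which each role gets only the actions its job needs, writes require a recorded justification, and every attempt, allowed or denied, lands in an append-only audit log that an auditor can review. The role names, action names and the sample customer record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Per-action permissions instead of one "super admin" switch (assumed roles/actions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support": {"customer:read"},
    "engineering": {"customer:read", "customer:debug"},
    "billing": {"customer:read", "customer:write"},
}


@dataclass
class AuditEntry:
    ts: str
    actor: str
    role: str
    action: str
    customer_id: str
    outcome: str  # "allowed" or "denied"
    reason: str  # ticket reference or justification; mandatory for writes


class AdminTool:
    def __init__(self) -> None:
        # Append-only in memory here; in production ship it to write-once storage.
        self.audit_log: List[AuditEntry] = []
        # Constructed sample customer record.
        self.customers: Dict[str, Dict[str, str]] = {
            "c-1001": {"email": "alice@example.test", "plan": "pro"}
        }

    def _record(self, actor: str, role: str, action: str, cid: str, outcome: str, reason: str) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(ts, actor, role, action, cid, outcome, reason))

    def perform(self, actor: str, role: str, action: str, customer_id: str,
                reason: str = "", changes: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        """Run one admin action; every call is logged whether or not it is allowed."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        if action == "customer:write" and not reason:
            allowed = False  # no silent writes: a justification must be on record
        outcome = "allowed" if allowed else "denied"
        self._record(actor, role, action, customer_id, outcome, reason)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action} on {customer_id}")
        record = self.customers[customer_id]
        if action == "customer:write":
            record.update(changes or {})
        return dict(record)  # copy, so callers cannot mutate data behind the log's back
```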
Compliance mistakes made after committing to becoming SOC 2 compliant.
The second category is about mistakes made after a company has decided to become compliant:
- Not all auditing firms are created equal: Picking a cheap auditing firm is a big mistake. If the price is too good to be true, it is a red flag. Those firms hire inexperienced employees and your project will be passed around from one team to another. Context gets lost and a considerable amount of your internal resources' time is wasted, costing you far more time than it should and frustrating your employees.
- Not getting buy-in from the exec team: SOC2 is usually driven by the sales department; however, sales has very little to do with the implementation of SOC2. Having buy-in from the executive team and making compliance part of the company's goals will guarantee everyone's involvement. Following up on that:
- Underestimating everyone's involvement: There is a misconception that SOC2 is achieved by implementing a few IT controls. It is not. HR, Recruiting, Engineering, and Customer Success are far more involved. As a matter of fact, IT is only involved to roll out an MDM solution such as Fleetsmith or JAMF. Scope the report to production and always try to scope out the company's office/HQ. AWS's data centers go through a SOC2 audit every 6 months so that your data can be secured. Your office doesn't, so why include it?
Compliance mistakes made after becoming compliant.
- Not having a plan in place to share your SOC2 report: After working towards a report for months, most companies have no plan for sharing it. A SOC 2 report is loaded with confidential information and should be protected by a Non-Disclosure Agreement (NDA). Pima can help reduce the steps required to share your SOC 2 report and get the conversation started with your customers right away.