Deciphering integrations and automation in SaaS IT compliance tools
14 July, 2021
Cybersecurity compliance is complex. Strike Graph is an intelligent compliance platform that automates 86% of prior compliance efforts. Our customers achieve positive audit results faster and with less pain.
Strike Graph is a compliance SaaS solution that simplifies SOC 2 efforts. Our intelligent platform and expert staff means that you’ll never be nervous about your audit.
Our platform covers 100% of the Trust Services Criteria. Ensure you can achieve the scope of your SOC 2 that your buyers require.
Critical controls and evidence need owners. Strike Graph tracks those responsibilities and alerts when validation activities are needed.
Our customers never fail their audits. Our platform and team make sure that important evidence is collected and fully prepared. Scared of your audit? Not with Strike Graph.
We have all the policy, process, and playbook templates for SOC 2. Strike Graph provides the intelligence to know which to adopt.
Strike Graphs provides intelligent technologies. Utilize our risk assessment and audit readiness dashboard to identify what you already have in place and what you need to work on to meet compliance milestones.
Strike Graph can help you select the right auditor whether cost or prestige is a concern. But we won't lock you in. Strike Graph works with any auditor.
SOC 2® refers to a report issued by an independent CPA that states that an organization's data management practices are meeting a set of criteria issued by the AICPA. A SOC 2 is one of the most common 'certifications' (technically, it is an attestation) that service organizations can obtain and is becoming a requirement for security-conscious enterprises that rely on cloud service providers, such as software as a service (SaaS) vendors. A SOC 1® refers to outsourced financial controls and a SOC 3® is a public facing SOC 2 report.
SOC stands for System and Organization Controls, and is based on five main Trust Services Criteria, or TSCs (described below). Unlike more prescriptive frameworks such as PCI DSS and ISO 27001, the SOC 2 allows organizations to identify relevant controls to show how they are meeting each Criteria. Organizations can receive a SOC 2 Type 1 or a SOC 2 Type 2 attestation report.
● A Type 1 refers to an audit as of a point in time and the auditor will assess the design of the controls and whether they adequately cover the criteria.
● A Type 2 adds an additional audit to assess whether controls have been operating over a period of time.
Any technology service provider or organization that stores, processes, or transmits customer data can benefit from a SOC 2. This includes managed service providers, banking and financial services, software as a service (SaaS) providers, data centers, and cloud storage providers. Being SOC 2 compliant demonstrates to customers that the organization has adopted a robust security program to protect their customer data in the cloud. The SOC 2 report, issued after a technical audit, is a competitive advantage to winning and closing deals faster.
Organizations select which of the five Trust Services Criteria are most relevant to include within their SOC 2 compliance program. Each Criteria is composed of multiple Points of Focus, which are akin to hints that organizations can use to identify the controls they have in place to demonstrate each Criteria.
The Common Criteria are comprised of:
Communication and Information
Risk Assessment
Monitoring Activities
Control Activities
Logical and Physical Access Controls
System Operations
Change Management
Risk Mitigation
The other four TSCs are Availability, Confidentiality, Processing Integrity, and Privacy.
*In rare scenarios, the Security TSC can be excluded from the scope of the SOC 2. We can help you through this decision process.
Availability refers to the set of controls that management has in place for the operation, monitoring and maintenance of the system, as well as mitigation of potential external threats.
Confidentiality refers to the data lifecycle controls that an organization has in place to ensure that confidential or sensitive data is protected.
Processing Integrity refers to the controls an organization has in place to ensure the completeness, validity, accuracy, timeliness, and authorization of system processing.
The SOC 2 compliance journey leaves organizations with a deeper understanding of the cybersecurity risks that their users face. The SOC 2 journey is slightly different for each organization, but generally looks like the following:
Compliance is not a one-time event, but a continuous process of maintaining internal controls. To stay compliant, organizations should:
