How Small and Mid-Sized Businesses Can Achieve System and Organization Controls (SOC 2) Compliance

Steps To Implement Cyber Controls and Processes

By Juliana Spofford, General Counsel and Chief Privacy Officer, Aidentified

In today’s tech world, it is often difficult to determine which businesses you can rely on to keep your data secure, and the matter continues to grow in importance as the cost of cybercrime is predicted to hit $8 trillions globally in 2023. Cybersecurity threats are on the rise, with ransomware, malware and threats from artificial intelligence and machine learning software foremost in our minds, and supply-chain threats are on the rise for all companies.

With growing security concerns, obtaining a System and Organization Controls (SOC 2) report, a gold standard for implementation of cybersecurity controls and processes, instills trust and attracts customers by proving that a company’s security framework is reliable. Every business wants their customers and partners to rest assured knowing that security controls have been independently evaluated and rigorously tested in areas such as:

• Incident response
• Disaster recovery
• Access controls
• Vulnerability scanning and monitoring.

In 2021, Aidentified began our SOC 2 journey and obtained our SOC 2 Type 2 attestation. This accomplishment is a significant milestone for a small company, and you may be interested in how we achieved and continue to achieve SOC 2 compliance.

Here are key takeaways for small and mid-size companies with respect to the SOC 2 compliance process:

• Once your company has determined that it wants to pursue SOC2 compliance, it is important to pick your SOC2 partners and tools.

Not all tools are created equal, choose yours carefully. Aidentified partnered with Vanta as our Governance, Risk and Compliance (“GRC”) SOC2 compliance tool. GRC tools are very helpful, especially for small and mid-size companies to assist with implementing and monitoring internal security programs with appropriate policies, security training, monitoring of devices, testing software vulnerabilities, vendor management and more. Aidentified also interviewed and selected independent SOC 2 auditors, Geels Norton, very early on in our SOC2 journey. Make sure your auditor aligns well with your team and tools and is willing to provide advisory services as you build out your SOC 2 program. Our auditors, for example, are adept at working with technology start-ups and are also a preferred assessor for Microsoft.

• Make sure you have buy-in for SOC 2 compliance at all levels of the company, including your Board of Directors.

Becoming SOC 2 compliant typically entails wide-spread changes to how you implement your internal company processes, and your company needs to understand this and should be committed at all levels and with all teams to prioritize SOC 2 requirements – from HR to customer service, to product and technology.

• Choose your SOC 2 team wisely.

You do not necessarily need to have employees with dedicated security information titles to be able to put a SOC 2 team together. You will need your Chief Technology Officer and designated security personnel on your technology team, and at a minimum, a program manager. This person can be an operations/legal operations dedicated resource, and one or two non-technology related back-end process resources. Aidentified also benefitted from the assistance of a compliance security consultant.

• Once you receive your first SOC 2 attestation, make sure you continue to monitor and improve your internal processes.

Do not make the mistake of becoming complacent once the first attestation is achieved. Continue to schedule your regular security review meetings, your access reviews, policy updates and SOC2 remediation check-ins based on the priorities included in your management letter to-do’s.

Achieving SOC 2 Type 2 attestation is a sizeable undertaking for any company, but the designation is possible with the right plan and people in place. As cybercrime continues to grow in sophistication and frequency, we have a responsibility to ensure reliability of our security frameworks.

About the Author

Juliana is the General Counsel and Chief Privacy Officer for Aidentified, a leading AI-powered relationship-based prospecting and first-party data enrichment technology provider. She brings decades of legal experience and privacy expertise to her pointed in-house legal insights, having worked as counsel for both small data technology start-ups and powerhouse data services companies such as Dow Jones/Factiva and Dun & Bradstreet. She enjoys sharing her insights about compliance, privacy and security issues to help organizations do the right thing and understand the importance of these issues for their ultimate business success. Juliana can be reached at our company website https://www.aidentified.com/