Blissfully SOC 2 Playbook 2020 PDF
BLISSFULLY’S
SOC 2 Compliance
Playbook
blissfully.com/soc-2
The Blissfully Guide to SOC 2 Compliance
Internal Workflows
Vendor Management
SaaS Discovery, Security, and Monitoring
SaaS Codex and System of Record
IN SUMMARY
A SOC 2 Overview
SOC 2 isn't a set of hard and fast rules. Rather, it is a framework that sends a
strong signal that an organization prioritizes key attributes: security, availability,
processing integrity, confidentiality, and privacy.
Completing a SOC 2 certification on its own is generally not enough to prove that
you are 100% secure as an organization, but it’s a very good start and will go a
long way toward instilling trust in your customers.
Before SOC 2, the original standard for auditing service organizations was known
as a SAS 70 (Statement of Auditing Standards No. 70). SAS 70 audits were
performed by Certified Public Accountants (CPAs) with the original intent to
report on the effectiveness of internal financial controls. These were introduced in
the early 1990s.
Over time, the audit started to be used as a way to report on the effectiveness of
a company’s internal controls around information security more broadly. Around
2010, SOC 1 and SOC 2 reports were introduced by the AICPA (the American
Institute of Certified Public Accountants) with the explicit purpose of addressing
the growing need of companies to externally validate and communicate their state
of security.
Today, SOC 1 reports are centered around controls impacting financial reports,
similar to the original SAS 70. SOC 2 reports, on the other hand, are written on
audits against the Trust Services Criteria (TSC) standard, which we’ll explain below.
This standard is ideal if you’re looking for a way to simultaneously improve your
company’s maturity around business processes and security.
Security
The foundational security principle, common to all audits.
Confidentiality
Protection from unauthorized disclosure of sensitive data.
Availability
Protection that systems or data will be available as agreed or required.
Integrity
Protection that systems or data are not changed in an unauthorized manner.
Privacy
The use, collection, retention, disclosure, and disposal of personal information is
protected.
All SOC 2 audits include “Common Criteria”. This is the biggest section of the audit
and touches on every aspect of information security controls. Companies can start
with a Common Criteria audit if they’re looking to keep the scope small. Common
Criteria includes aspects of all principles noted below.
When ready, an organization will hire a licensed CPA auditor to conduct the audit.
The actual process involves scoping, artifact document collection, and an on-site
visit. The time commitment is typically several hours of introductory phone
conversations and two days in person at your office. While in your office, the
auditor will conduct interviews and review submitted material. When starting to
scope a SOC 2 audit, there are a few key decisions that will need to be made up front.
First, do you want a Type I or Type II audit? This terminology can be confusing to
newbies because of the mix of numbers and Roman numerals.
SOC 2 Type I
An audit conducted against the Trust Services Criteria standard at a single point in
time. This audit answers: Are all the security controls that are in place today
designed properly?
SOC 2 Type II
An audit conducted against the Trust Services Criteria standard over a period of
time. This period typically covers six months the first time, and then a year
thereafter. In other words, this audit answers: Did the security controls that were
in place from January 1 through July 31st operate effectively? This means you’ll
need a system of record.
Type I reports are, as you might imagine, quicker to prepare for and conduct
because you don’t have to wait for historical data over six months. However, while
Type II reports take more time, they are also that much more valuable in the hands
of customers, prospects, board members, partners, insurance companies, and so
on. They report on what you’re actually doing, rather than what you aspire to do.
Because of this added value, my general recommendation is to get started early
and work directly toward the Type II report. This approach emphasizes immediate
action taken toward improving your security, and because Type II also covers Type
I, there are financial savings in the long term if you start with Type II from day one.
Large companies can often recover from a security incident like this because they
have the financial resources and brand recognition to move past a single slip-up.
Small companies and startups aren’t always so lucky. Loss of a single large
customer due to a security compromise, or reputational damage that impacts a
company’s ability to raise additional rounds of VC funding, can be devastating for a
small or young business.
While there is no way to absolutely guarantee security, the SOC 2 report and Trust
Services framework give companies external validation that they are managing
risks appropriately.
If you don’t have SOC 2 compliance as a vendor, you will probably have to fill out
more than a few security questionnaires before you can work with any enterprise-
scale customers. While that might sound easier than a SOC 2 audit on the surface,
the questionnaires can be quite detailed and overwhelming, and they are often
hard to fill out if you don’t already know the security lingo, have tooling in place,
and know how to document processes. In other words, if you haven’t already gone
through the process of setting up and enforcing policies as you would for SOC 2,
you may find yourself stuck when the questionnaires arrive.
In a nutshell, being SOC 2 compliant will both help you sell to the enterprise, and
force you to follow a set of strong best practices when it comes to keeping your
company’s and customers’ data safe. Security is (or at least should be) a major
concern for all technology-focused companies today, as we’ve written about in our
previous eBook: Blissfully’s Practical Guide to People-First SaaS Security.
Achieving SOC 2 compliance is a good way to demonstrate that you do indeed
have security at heart in all you do as an organization.
Regardless of whether customers or prospects are knocking down your door for a
SOC 2 report, it’s crucial to start SOC 2 preparation as early as possible. Even if
you don’t plan to have an audit conducted for a while, starting early will set your
company up for success in many arenas.
It Improves Security
The formulaic approach necessitated by SOC 2 will improve your overall security.
This process will mitigate potential attacks while building a strong security process
that will help you win new business by better answering risk questionnaires.
Security and compliance should be approached as an ongoing process, rather than
a single event, and SOC 2 pushes organizations to build sustainable programs.
It Provides Documentation
It’s never too early to get your documentation in order. Do you have policies and
procedures? Do you have internal standards documentation? Having these
processes well-documented will improve internal communication and consistency,
which in turn enables you to meet legal and compliance challenges, close more
sales, and prepare for financial changes like a merger or acquisition or a new round
of VC funding.
It’s a good idea to consider becoming SOC 2 compliant early in your company’s
journey if you know you are going to be selling technological services to
enterprises and will be storing and/or accessing sensitive customer data of any
sort.
SaaS is taking over the business world, empowering teams to drive productivity
using apps they love. In fact, Cisco estimates that 75% of workloads will be SaaS-
only by 2021.
This rise of SaaS has distributed IT management across the entire organization,
creating an overall lack of visibility. While extensive toolsets exist to manage the
traditional IT stack (things like networking, infrastructure, and hardware), no
equivalent existed for the IT business operations (SaaS) stack.
SOC 2 is a framework to build processes around. Use this guide and the SOC 2
criteria to embed security and compliance into your core culture and business
processes. Developing processes around the common criteria and trust principles
will give you a foundation that you can build and scale from, rather than a once-
per-year scramble for evidence.
Most companies wait until their B or C round (or later) to start tackling key
industry security audits and compliance certifications. We think that's a mistake.
Starting early embeds security and compliance into your company culture and
processes from the start, making it easy to grow and scale.
At Blissfully, we undertook our first SOC 2 audit when we were just 5 employees,
over 3 years ago. Strong security is fundamental to our vision of the company we
wanted to build. Our mission is to simplify how organizations manage IT, and this
means being deeply embedded in their organization, and having access to
sensitive information. Getting companies to work with us requires trust. And
achieving SOC 2 compliance helps us demonstrate to our customers that we are
trustworthy, and take security, privacy, and compliance seriously enough to invest
in it. We did it so early in our company lifecycle because we wanted to create a
culture that treats security as a central tenet from the start, not something that we
bolted on years later with some outside consultants.
We developed the SOC 2 Pyramid to give you a visual representation of the SOC
2 Compliance process.
It consists of three levels. The foundation is your policies, which document what
you do, i.e. govern the behavior of employees, vendors, contractors, etc. to
meet security requirements.
Above policies are your procedures, which demonstrate how your policies work
operationally, i.e. what steps you take in response to key events to manage data.
In this playbook, we will also explain what documentation you will need to stay in
compliance across each of the three categories.
We will also list a bevy of recommended tools to manage the audit process and
ongoing maintenance.
By following this playbook, you can begin to build your SOC 2 strategy and start
to form your project management teams.
Policies
Each policy covers one aspect of the overall security of company and customer
data.
These are the general policies related to a SOC 2 exam that you must comply
with:
Procedures
These procedures will serve as the basis for future audits and include the day-to-
day implementation of your key policies.
For example, your Access Control Policy procedures include requirements for
authenticating users, reviewing user access, using role-based access control and
authorizing, modifying, and removing users.
These procedures also include how access to privileged accounts is controlled, and
the type of access or systems that require two-factor authentication.
Here at Blissfully, we've created a series of policy and procedure documents that
you can use to make your SOC 2 audit easier. Simply download them in Google
Docs, Notion, or MS Word, and customize them with specific company
information.
Standard tools that help with this can be Google Docs and Notion to manually
document changes and the procedures surrounding them. This can be a time-
consuming task if your records from the past aren't well-organized.
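The Access Control Policy procedures above (reviewing user access, role-based access control, controlling privileged accounts, requiring two-factor authentication, and removing users) are the kind of control a Type II auditor will ask for evidence of. The script below is an added example, not Blissfully's code or part of the original playbook: it runs a periodic user-access review over a constructed account export and HR roster, applies an assumed role-based access matrix and an assumed 90-day staleness threshold, and produces a dated review record that can be filed in your system of record as evidence. All names, addresses and policy values in it are constructed for illustration.

```python
import csv
import io
import json
from dataclasses import dataclass, asdict
from datetime import date

# Constructed sample: account export from a hypothetical SaaS app ("crm", "billing").
ACCOUNTS_CSV = """\
email,system,role,privileged,mfa_enabled,last_login
alice@example.com,crm,admin,true,true,2020-03-01
bob@example.com,crm,sales,false,true,2020-02-20
carol@example.com,crm,admin,true,false,2020-02-28
dave@example.com,crm,engineer,false,true,2019-10-05
erin@example.com,billing,finance,false,true,2020-03-02
frank@example.com,crm,admin,true,true,2019-11-01
"""

# Constructed HR roster: employment status and job function per person.
ROSTER = {
    "alice@example.com": {"active": True, "job": "it"},
    "bob@example.com": {"active": True, "job": "sales"},
    "carol@example.com": {"active": True, "job": "it"},
    "dave@example.com": {"active": False, "job": "engineering"},  # offboarded
    "erin@example.com": {"active": True, "job": "finance"},
    "frank@example.com": {"active": True, "job": "sales"},
}

# Assumed role-based access matrix: (system, role) -> job functions allowed to hold it.
RBAC = {
    ("crm", "admin"): {"it"},
    ("crm", "sales"): {"sales"},
    ("crm", "engineer"): {"engineering"},
    ("billing", "finance"): {"finance"},
}

STALE_DAYS = 90  # assumed policy threshold for unused access


@dataclass
class Finding:
    email: str
    system: str
    issue: str
    action: str


def parse_accounts(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["privileged"] = row["privileged"].strip().lower() == "true"
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "true"
        row["last_login"] = date.fromisoformat(row["last_login"].strip())
        rows.append(row)
    return rows


def review_access(accounts, roster, rbac, today, stale_days=STALE_DAYS):
    """Apply the access-review checks and return findings in account order."""
    findings = []
    for a in accounts:
        person = roster.get(a["email"])
        # Orphaned account: no active employee behind it, so removal is the only action.
        if person is None or not person["active"]:
            findings.append(Finding(a["email"], a["system"], "orphaned",
                                    "remove account; no active employee in HR roster"))
            continue
        # Role-based access: the job function must be permitted to hold this role.
        if person["job"] not in rbac.get((a["system"], a["role"]), set()):
            findings.append(Finding(a["email"], a["system"], "role_mismatch",
                                    f"role '{a['role']}' not permitted for job '{person['job']}'"))
        # Privileged accounts must have two-factor authentication enabled.
        if a["privileged"] and not a["mfa_enabled"]:
            findings.append(Finding(a["email"], a["system"], "privileged_no_mfa",
                                    "enforce 2FA or downgrade the account"))
        # Unused access: no login inside the policy window.
        if (today - a["last_login"]).days > stale_days:
            findings.append(Finding(a["email"], a["system"], "stale",
                                    f"no login in {stale_days} days; confirm need or revoke"))
    return findings


def review_record(findings, accounts_reviewed, review_date, reviewer="security@example.com"):
    """Build the dated evidence record for this review cycle (reviewer is a placeholder)."""
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "accounts_reviewed": accounts_reviewed,
        "open_findings": len(findings),
        "findings": [asdict(f) for f in findings],
    }


def run_review(today_iso):
    """Run the review over the constructed sample data as of the given ISO date."""
    accounts = parse_accounts(ACCOUNTS_CSV)
    findings = review_access(accounts, ROSTER, RBAC, date.fromisoformat(today_iso))
    return review_record(findings, len(accounts), today_iso)


if __name__ == "__main__":
    print(json.dumps(run_review("2020-03-15"), indent=2))
```

Run as of 2020-03-15, the sample data yields four findings: carol holds a privileged account without 2FA, dave's account survives his offboarding, and frank holds an admin role his job does not permit and has not used it in over 90 days. Keeping the JSON output from each cycle, together with the ticket that closed each finding, is the evidence trail the Type II auditor looks for.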
The goal of Common Criteria is for vendors to make claims about the security of
their products and that independently run testing laboratories can determine if
they meet those claims.
Below are the nine Common Criteria that are typically associated with SOC 2
compliance for SaaS providers and vendors.
Goal: Assure that management and the Board of Directors place a high value on
integrity and security.
Details: Management is committed to the security of customer data and takes this
into account when hiring personnel, evaluating processes and reporting
compliance.
Goal: Create quality policies and procedures to ensure customer data and
operational security.
Details: Your organization must generate and use quality information and
documentation to ensure secure workflows and controls.
Activities and Deliverables: Produce high-quality policies and procedures that are
available through online documentation that is easily accessible to staff.
Establish internal tools that will validate secure communication, both internally
and externally.
Goal: Create clear objectives, analyze risks to achieving those objectives, and monitor
how procedural changes impact risk.
Activities and Deliverables: Evidence that shows risk control activities and defined
risk management procedures.
Goal: Develop precise process controls and use technology to achieve company
objectives while mitigating risk.
Details: The company develops controls for both workflow processes and
technology tools to mitigate risk while still achieving pre-defined objectives. It also
defines transparent policies to establish expectations, and procedures to ensure
compliance.
This is a big one: what we typically think of as “Security”, and possibly the most
important CC.
Framework: The security of the physical premises where the organization houses
data is the most important and in-depth.
Goal: Ensure only the right people have access to critical data, secure and encrypt
data at all times, and physically protect servers storing data.
Activities and Deliverables: Providing sound security practices for physical servers,
workstations, and employees, and evidence that these practices are working.
Key Documents: Business Continuity and Disaster Recovery Plan and Incident
Reporting.
Goal: Changes to technical infrastructure are well tested and approved before
going live.
Activities and Deliverables: Clear controls for how technical infrastructure (The
System) changes, and evidence the changes were tested before going into
production.
Software Recommended: GitHub for pull requests and a task manager such as
Clubhouse or JIRA for engineering workflows.
Goal: Mitigate risk through defined business processes and vendor management.
When you use Blissfully for SOC 2 compliance, all your workflows are
documented as exportable logs. When you decide to undertake a SOC 2 audit,
you can easily pull these logs and present them as evidence to your auditors.
Vendor Management
Blissfully solves this through a vendor management module. Within the module,
you will find four essential tools to help you meet your compliance objectives:
Document management
The vendor workflows module creates an audit trail using an intuitive document
management system. As you consume SaaS resources, we listen in on all your
subscriptions and collect and organize all your contracts, SLAs, invoices and other
important documents. Such a documentary audit trail is vital during a SOC 2 audit.
Enrichment
Do you know whether your vendors have SOC 2 compliance? How about GDPR,
ISO 27001, and CCPA? Blissfully pulls vendor compliance statuses right into
your vendor dashboard. With this data, you can curate a compliance matrix across
your entire vendor network, an exercise crucial to demonstrating vendor
compliance.
Renewals
Blissfully vendor management brings all your renewal data into one place. With
such access, you can evaluate vendors for compliance factors before renewing. In
this way, using Blissfully for SOC 2 transforms renewals from a passive activity
into an active compliance-centered action.
App discovery and tracking give you a single source of truth as support for your
SOC 2 compliance documentation.
Through this data, you can demonstrate the measures you have taken to modulate
logical access control across all your organization’s apps. Using Blissfully for SOC 2
compliance gives you a centralized view of all third-party SaaS apps in use in your
organization, and tools to help you manage how your personnel interact with
them.
You have multiple vendors. Blissfully collates all these vendors and pulls vendor
data from the SaaS codex. Blissfully then automatically collects and compiles
usage data on each. Such data will include users, admins, access rights, costs, and
others.
With this data, we create for you a complete picture or system of record of your
entire organization’s app ecosystem and usage. From this snapshot, you can create
and enforce risk mitigation measures.
As you undertake risk mitigation measures, using Blissfully for SOC 2 will help you
maintain a real-time system of record ready for your next audit.
In Summary
Using Blissfully for SOC 2 gives you the tools to help you meet requirements
across four of the nine common criteria. Underpinning all these tools is an
integrated system of record. Through this system of record, Blissfully gives you
real-time insights and data into your SaaS ecosystem.
Using these insights and data, you can generate reports usable as credible proof
towards your SOC 2 compliance. Whether you are seeking SOC 2 compliance or
need greater visibility and control over your SaaS app ecosystem, Blissfully gives
you the tools to drive your agenda.
Learn More
www.blissfully.com