How to become SOC 2 Compliant: Risk Analysis #soc2 #pci #iso #hipaa
Author: Martin Capeletto
Are you lost trying to figure out how to get your company compliant with industry standards like SOC2, ISO, HIPAA, PCI? Don't worry; this is normal since the requirements for all of this are pretty vague and hard to find for small businesses.
When we started planning our SOC 2 certification at Leniolabs (the company behind MyLenio), we were in the same position: we didn't know where to start, there were a ton of resources that all looked aimed at huge companies, and we had to read a lot of books... but nothing on how to get things done and start making progress.
This is one of the articles in the series "How to become SOC 2 Compliant" (without dying in the attempt). In it, we will explain our own experience and why MyLenio can help you with a lot of your SOC 2 needs. Of course, this is just our experience, but it should be an excellent reference to move forward on your journey.
In this article, we will cover Risk Analysis, which is an essential part of any compliance effort. Simply put, you need to analyze, document, and track the progress of the most important risks your company has. You'll also need to plan and implement controls to mitigate a subset of those risks and make sure everything stays up to date.
Analyze & Track your Risks
The first and most important part is to start making a list of all the risks that could affect your business. At this point it is OK to track everything in a simple document. We recommend setting up a meeting with each of the managers in your company: HR, IT, CTO, CEO, etc. Include meetings with as many of the decision-makers in the company as you can, to be sure you're covering everything. Do a brainstorming meeting with each of them and take notes of anything they find "risky."
"Risky" can mean anything that could affect your business: IT being worried about the internet connection going down at your office so your people can't perform their work on time, the CTO being worried about the use of AWS for your production servers, or Marketing being worried about someone hacking the company account and hurting your branding. At this point, you shouldn't worry too much about prioritizing (we'll do that later) but about learning from everyone's perspective what can go wrong.
Something fundamental is to try not to hide anything from the Auditor. It is way worse for them to find a risk that you didn't consider than for you to document the risk and explain when it will be mitigated. Also, not all risks are going to be mitigated. Risk is part of the day-to-day of a company, and there will always be risks, so don't panic if you discover that everything can kill your company. That's exactly the point of this exercise: find the risks, be aware of them, try to mitigate the most important ones, and make better decisions based on risk.
After you complete this exercise, you'll end up with a big list of things that can go wrong, so now you can panic, lol... no, let's save the panic for later. Now we can start organizing those risks. One popular way of doing this is by working with the following matrix and adding all these risks to MyLenio.
See the example above to understand how the matrix works. You can create as many categories as you need. Anything can be a category; it is a way for you to group things. Then we have assets inside each category; for example, in the "Public Image" category we can have "Social Networks," "Website," and "Stands at Conferences." After that, you'll add Threats, which are the things that can go wrong for each Asset. You can add only one or many.
Finally, we set the vulnerabilities/weaknesses that will completely define each Risk item. Once this is done, we will be able to assign
The total risk will be Impact * Likelihood (1..25)
The impact is how bad it would be if this happens, from 0 "No one cares" to 5 "We are getting fired." This gives you a 0 to 25 total risk for each item, and you should do this exercise for every risk you identified in your document.
Once all of this is completed, you should be happy, because you have done the hardest part. Now we need to work on mitigating the risks and reviewing this periodically.
Now it is time to prioritize them. No one expects you to take care of all the risks, but you have to have a plan to show to your Auditor. We recommend looking at all the risks with a Total Risk greater than or equal to a certain number; this number is up to you, but in our case it's 12.
In MyLenio, you can filter for all the risks with that score, and then you'll need to start working on each one of them. Click on edit, and you'll see something like this:
This means that currently this risk has a score of 15. We can decide to add controls (things to do) and a plan (how to do it), and then what the new scores would be if all of those are implemented. In this example, implementing those controls will reduce the impact to 1, and the likelihood would stay the same, so the final score would be 5.
It's usually easier to reduce the Likelihood than the Impact, but of course, both things can be improved. This will depend a lot on the type of risk and company that you have.
After doing this with all the risk scores that were greater than 12, now you have a nice analysis of all of your risks, and you have a plan to mitigate them.
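As an added example (not MyLenio's code nor the article's own), here is the matrix and scoring from the steps above as a small Python risk register: Category > Asset > Threat > Vulnerability, score = Impact * Likelihood, the threshold of 12, and the residual score once controls are planned. Using the same 0..5 scale for likelihood, and the three sample entries, are assumptions made for the example.

```python
# Added example (not MyLenio's code): risk register per the matrix above; score = Impact * Likelihood, threshold 12.
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(0, 6)  # 0 "No one cares" .. 5 "We are getting fired" (assumed to apply to likelihood too)

@dataclass
class Risk:
    category: str
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    controls: List[str] = field(default_factory=list)  # things to do (the plan is how to do them)
    residual_impact: Optional[int] = None  # expected values once the controls are implemented
    residual_likelihood: Optional[int] = None

    def __post_init__(self):
        for v in (self.impact, self.likelihood):
            if v not in SCALE:
                raise ValueError(f"impact/likelihood must be 0..5, got {v}")

    @property
    def score(self) -> int:  # current total risk, 0..25
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> int:  # total risk if every planned control is implemented
        imp = self.impact if self.residual_impact is None else self.residual_impact
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return imp * lik

def needs_plan(register: List[Risk], threshold: int = 12) -> List[Risk]:
    """Risks at or above the threshold, highest first: each one needs controls and a plan."""
    return sorted((r for r in register if r.score >= threshold), key=lambda r: -r.score)

def still_open(register: List[Risk], threshold: int = 12) -> List[Risk]:
    """Prioritised risks whose planned controls still leave them at or above the threshold."""
    return [r for r in needs_plan(register, threshold) if r.residual_score >= threshold]

# Constructed sample register; the numbers are illustrative, not from a real assessment
REGISTER = [
    Risk("Public Image", "Social Networks", "Company account hacked", "Shared password, no MFA",
         impact=3, likelihood=5, controls=["Enable MFA", "Store the credentials in the password manager"],
         residual_impact=1),  # 15 -> 5, the case described in the article
    Risk("IT", "Office internet", "Connection goes down", "Single ISP", impact=2, likelihood=4),  # 8
    Risk("Production", "AWS", "Region outage", "Single-region deployment", impact=4, likelihood=3),  # 12
]
```

The AWS entry shows the case you want to catch before the audit: it is at the threshold but has no controls yet, so it stays in still_open() until a plan with a residual score below 12 is recorded.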
One more thing to do is to make sure you update and review this list every 6 months. For this, you can set up a Recurring Flow in MyLenio to save the process and make sure it is executed exactly like this every 6 months, or you can set yourself a reminder :)
You don't have to start from scratch on this review, but it's good to go over all the plans and controls and see what has been implemented and what hasn't, reassess the risks, and document that you did this review so you can show the history to the Auditor.
That's the main idea of Risk Analysis for SOC 2 (and most other compliance frameworks). It is not super hard. It's a bit boring to do, and you'll become paranoid about all the things that can break your business, but after doing it, you'll have a more solid business because those things are not going to surprise you much.
We also recommend holding a meeting every 6 months with the decision-makers in your company where you review with them what the top risks are after all of your analysis. This can help a lot to fill any gaps they have and lets them make better decisions based on the existing risks.
Finally, there are two other things you might want to consider tracking in your Risk Analysis.
Track your Vendors
You'll need to track all of the vendors that you are using. In this case, we use the following vendors. At Leniolabs, we went with the easier (but sometimes more expensive) way of "we only work with SOC 2 vendors"; that way, we had to change our VPN and password management to ones that were already SOC 2 compliant.
Doing this saves a ton of time because you don't have to do due diligence in that case. Just make sure you request the SOC 2 reports from them and save them in your secure file solution.
If you have vendors that are not SOC 2 compliant, you'll need to follow best practices for vendor due diligence and document them. In MyLenio, you can add your vendors and add comments about this process.
Set your BCDR Contacts
Finally, we provide a simple tool to add BCDR contacts (Business Continuity and Disaster Recovery). Basically, this is who to contact when things go south: list a few people with their phone, email, and all the information you have. It's key that when something happens, you know who to contact.
And that's all. It wasn't that bad, and now you're analyzing and tracking the risks in your business and are one step closer to being SOC 2 compliant. Remember, it is a hard path to get compliant because a lot of your business will change to do things the proper way, but it is time well spent because you'll have a way more solid company.