If you haven’t read post 1 in this series, the tl;dr is that we’re sharing the details of our SOC 2 compliance journey so you’ll better understand what the process entails. We’re looking at this policy-by-policy, explaining what our policy says and how we’re complying with it.
Let’s start with the information security policy. This is the policy that our customers are most interested in when we’re talking about Arpio and how we are being good stewards of their data.
Our draft policy came from Laika, but it had to be right-sized for a small SaaS business. Coming in, we felt that we were in pretty good shape and have been directionally aligned with where we should be. As an organization, we’re lucky to have technical leadership that has dealt with compliance before.
The security policy mandates a set of security practices across our organization, both within the production environment, where our SaaS product runs, and our IT environment, consisting of our laptops and other devices. It’s mostly about following current best practices.
The information security policy covers things like:
- Use of firewalls
- Use of antivirus software
- Encryption at rest and encryption in transit for when customer data is being stored or moved
- Minimizing access to sensitive data so that people who don’t need it don’t have access to that data
- Patching systems and security update
- Using multi factor authentication where possible
- Process for onboarding and even more importantly, offboarding employees
- Physical security
- Monitoring and logging of security access related events
We already had most of these practices in place, and for that reason this wasn’t a huge amount of work for us to implement. Companies that haven’t thought through this from the beginning might find that there’s a heavier lift here.
We’ve had encryption at rest and in transit from the very beginning. From a patching perspective, our production environment runs serverless so AWS handles most of it for us. We only have two people in our entire organization that have access to the production environment, so that’s already as locked down as it could be. We’ve used multi factor authentication everywhere from day 1. From a physical security perspective, our stuff runs in AWS so they handle physical security of the data center. Beyond that, we are a fully remote team and don’t have an office building that we have to deal with for physical security and access to.
We did need to adopt an enterprise endpoint protection solution in order to be compliant with the policy. This is similar to antivirus software, but it goes beyond monitoring for malware on your systems and makes sure that all our machines are appropriately configured. We opted for Bitdefender because we needed support for Linux, Mac, and Windows.
Lastly we needed to formalize our employee onboarding and offboarding practices and checklists, which was super easy to do.
So to summarize: for this part of SOC 2 we took the information security policy template and tweaked it as necessary to be what we wanted and then implemented Bitdefender as an endpoint protection solution and formalized best practices for onboarding and offboarding employees.