{"id":1446,"date":"2022-01-28T18:39:07","date_gmt":"2022-01-28T18:39:07","guid":{"rendered":"http:\/\/box5442.temp.domains\/~arpioio\/arpio-compliance-and-risk-management-2\/"},"modified":"2022-08-05T21:20:04","modified_gmt":"2022-08-05T21:20:04","slug":"configuration-and-change-management-soc2-compliance-journey","status":"publish","type":"post","link":"https:\/\/arpio.io\/staging\/8013\/configuration-and-change-management-soc2-compliance-journey\/","title":{"rendered":"Addressing the Root Causes of System Instability &#8211; Configuration and Change Management"},"content":{"rendered":"<body>\r\n<p>After addressing <a href=\"https:\/\/arpio.io\/staging\/8013\/arpio-compliance-and-risk-management\/\">compliance and risk management in the third step<\/a> of our own SOC 2 compliance journey, which we developed in tandem with Laika, the formal nuts and bolts of configuration and change management came next.<\/p>\r\n\r\n\r\n\r\n<p>Changes to production systems are often the root cause of system instability problems. To mitigate this risk, we embraced a change management process as part of our SOC 2 compliance. This process is documented in the configuration and change management policy.<\/p>\r\n\r\n\r\n\r\n<p>The draft policy we received from Laika was extremely formal \u2013 the kind of thing you\u2019d find in a big enterprise. It defined a change process with layers of approvals and sign-offs. We wanted something much lighter-weight that works with the tools we already use, like Jira, GitHub, and Slack. So we pretty much re-wrote this policy.<\/p>\r\n\r\n\r\n\r\n<p>Our change management process is built around the Jira boards we were already using before we embraced SOC 2. Nothing makes it through the Jira board without getting the eyes of the full team and being discussed on a daily basis, so we cut out all of the up-front approval process. 
Also, almost all of our infrastructure is managed as code, so we rely on a standard code review process for approving changes. We also allow for break-glass (emergency) changes to bypass this process if they are reviewed retrospectively.<\/p>\r\n\r\n\r\n\r\n<p>We were already using Jira and GitHub before SOC 2 came along. This policy just pushed us to mature our usage and train the team on the correct workflows. We\u2019re a better company for having embraced this discipline, and we didn\u2019t have to accept a lot of heavy-weight processes to get here.<\/p>\r\n\r\n\r\n\r\n<p>As we stated at the <a href=\"https:\/\/arpio.io\/staging\/8013\/soc-compliance-for-saas-in-10-policies\/\">outset<\/a> of this series, \u201cThe key point to understand is that [SOC 2] certification is about verifying that what you said you\u2019d be doing in your policies is what you\u2019re actually doing. You get to customize your policies to match the way you want to work, as long as it achieves the objectives of SOC 2. Keep that in mind as you\u2019re reading these posts, and considering your own SOC 2 journey. It\u2019s all about right-sizing your process.\u201d<\/p>\r\n\r\n\r\n\r\n<p>Want to make AWS downtime irrelevant with instant recovery protection for your AWS applications? 
Let\u2019s talk.<\/p>\r\n<\/body>","protected":false},"excerpt":{"rendered":"<p>After addressing compliance and risk management in the third step of our own SOC 2 compliance journey we developed in tandem with Laika, the formal nuts and bolts of configuration&#8230;<\/p>\n","protected":false},"author":4,"featured_media":1447,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","content-type":"","inline_featured_image":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1446","post","type-post","status-publish","format-standard","has-post-thumbnail","category-blog"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Our SOC-2 Compliance Journey: Configuration and Change Management<\/title>\n<meta name=\"description\" content=\"This post is the fourth installment in our series on achieving SOC-2, where we discuss configuration and change management.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Our SOC-2 Compliance Journey: Configuration and Change Management\" \/>\n<meta property=\"og:description\" content=\"This post is the fourth installment in our series on achieving SOC-2, where we discuss configuration and change management.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\" \/>\n<meta property=\"og:site_name\" content=\"Arpio Disaster Recovery Made Easy\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-28T18:39:07+00:00\" \/>\n<meta 
property=\"article:modified_time\" content=\"2022-08-05T21:20:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/arpio.io\/wp-content\/uploads\/2022\/01\/Untitled-2520-x-1520-px-1-e1659733305570.png\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"579\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Doug\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Doug\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\"},\"author\":{\"name\":\"Doug\",\"@id\":\"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/5c7dd11a2bcc5b1eb202c473873a8c42\"},\"headline\":\"Addressing the Root Causes of System Instability &#8211; Configuration and Change 
Management\",\"datePublished\":\"2022-01-28T18:39:07+00:00\",\"dateModified\":\"2022-08-05T21:20:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\"},\"wordCount\":388,\"image\":{\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2022\/01\/Untitled-2520-x-1520-px-1-e1659733305570.png\",\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\",\"url\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\",\"name\":\"Our SOC-2 Compliance Journey: Configuration and Change Management\",\"isPartOf\":{\"@id\":\"https:\/\/arpio.io\/staging\/8013\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2022\/01\/Untitled-2520-x-1520-px-1-e1659733305570.png\",\"datePublished\":\"2022-01-28T18:39:07+00:00\",\"dateModified\":\"2022-08-05T21:20:04+00:00\",\"author\":{\"@id\":\"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/5c7dd11a2bcc5b1eb202c473873a8c42\"},\"description\":\"This post is the fourth installment in our series on achieving SOC-2, where we discuss configuration and change 
management.\",\"breadcrumb\":{\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#primaryimage\",\"url\":\"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2022\/01\/Untitled-2520-x-1520-px-1-e1659733305570.png\",\"contentUrl\":\"https:\/\/arpio.io\/staging\/8013\/wp-content\/uploads\/2022\/01\/Untitled-2520-x-1520-px-1-e1659733305570.png\",\"width\":960,\"height\":579},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/arpio.io\/configuration-and-change-management-soc2-compliance-journey\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/arpio.io\/staging\/8013\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Addressing the Root Causes of System Instability &#8211; Configuration and Change Management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/arpio.io\/staging\/8013\/#website\",\"url\":\"https:\/\/arpio.io\/staging\/8013\/\",\"name\":\"Arpio Disaster Recovery Made Easy\",\"description\":\"AWS Disaster 
Recovery\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/arpio.io\/staging\/8013\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/5c7dd11a2bcc5b1eb202c473873a8c42\",\"name\":\"Doug\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/arpio.io\/staging\/8013\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/98d763d738bde480338f289de28be30208ce6fbcdb2e370e4e94dd5e5ec5ffb5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/98d763d738bde480338f289de28be30208ce6fbcdb2e370e4e94dd5e5ec5ffb5?s=96&d=mm&r=g\",\"caption\":\"Doug\"},\"url\":\"https:\/\/arpio.io\/staging\/8013\/author\/doug\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts\/1446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/comments?post=1446"}],"version-history":[{"count":1,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts\/1446\/revisions"}],"predecessor-version":[{"id":1660,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/posts\/1446\/revisions\/1660"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/media\/1447"}],"wp:attachment":[{"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/media?parent=1446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/categories?p
ost=1446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arpio.io\/staging\/8013\/wp-json\/wp\/v2\/tags?post=1446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}