Tens of thousands of dollars and hundreds of hours of time—a SOC 2 audit doesn’t come cheap or easy.
Thankfully, there is a burgeoning market of compliance software tools out there to make the job easier and save employee time. Tugboat Logic, Drata, Vanta, and Secureframe are just a few of the companies in the space.
But how exactly do these platforms work to help you build your security program? How do they make the audit process easier, ultimately saving your employees time?
We took a ride with Tugboat Logic to explore just that.
After we published the Comparison of SOC 2 Compliance Software Vendors white paper, Tugboat Logic approached us and asked if we’d like to collaborate with them on content creation. We are participating in a webinar they are hosting on August 24 (sign up here!) and they provided us with a demo account to use as the example service for this article.
Taking a Deeper Dive
In our white paper comparing various cybersecurity compliance software vendors on the market, we listed nine areas where a tool can help a company become compliant. But we didn’t explore any of them in-depth.
This article will dive into each of these areas, discuss the challenges that are presented to organizations and how a tool can help overcome them. We will also be using Tugboat Logic as an illustrative example of what these tools look like in action.
Expert Guidance Through SOC 2
A compliance program is never an easy undertaking. Organizations that embark on one for the first time usually don’t even know where to start.
Instead of just throwing the user into the deep end, it’s important for a SOC 2 compliance software tool to provide built-in guidance through the whole audit process. Most vendors also offer customer success support for this, but a tool built to logically guide and support users through the audit process helps on its own.
Tugboat Logic does this in a couple of ways. The first thing most users will do is create a “Readiness Project.” Users complete a survey selecting what compliance frameworks they are interested in. Forms are used to ask users a series of questions relevant to their services and compliance goals. This is the basis for policy and control generation, along with what evidence tasks are required to complete a SOC 2 audit.
Second, there are tooltips throughout the product providing users with instructions, for example on what kind of evidence would be sufficient for a given control.
This sort of functionality is common across many (but not all) of the comparable SOC 2 tools. It’s worth knowing that no single tool is going to generate the perfect set of policies, controls, and evidence needed—some manual writing and revision work will be needed. But it does provide a solid foundation of tasks that the organization requires to build and complete their SOC 2 program.
Another near-universal feature of these SOC 2 compliance tools for guiding companies through the process is a dashboard. This view lets users know how many tasks they have completed. Any tasks that the user or the tool creates are added to the total, and then progress bars are filled up automatically as the user completes tasks, making it easy to see at-a-glance where they are in the process.
Strong Tie to the SOC 2 Control Set
Going hand-in-hand with the point above, being tied to the SOC 2 control set is obviously vital for completing a SOC 2 audit, so all tools provide at least some tie-in!
The SOC 2 controls should be woven through the entire system. It should be easy to find which controls a piece of evidence is used for and which trust services criteria they are aligned with, and it should be possible to view a list of all SOC 2 controls with their reference numbers and whether any evidence has been allocated to them. There should be some room for customization too, given that SOC 2 compliance is somewhat customizable to each business.
Providing strong, intelligent integration with SOC 2 controls along with multiple ways of viewing how evidence connects makes it much easier for users to understand their progress through the audit process.
Tugboat does this as well: each piece of evidence has a sidebar listing all the controls it’s mapped to, along with the reference codes it applies to.
Finally, it’s possible to get that nice, at-a-glance overview of all SOC 2 controls and their codes by clicking “Show SOC 2 COSO View” in the Audit Projects module.
Templates for Policies and Procedures
Documented security policies and procedures are the core of any cybersecurity program. Without them, there is no program. Writing policies from scratch takes an enormous amount of time and specialized knowledge, which companies pursuing a compliance audit for the first time are unlikely to have on their staff.
SOC 2 compliance tools can overcome this by providing a pre-written library of policy and procedure templates that their users can pick up and tweak for their purposes. Again, it’s unlikely that all of the policies will be perfect right away so some manual tweaking will be needed. But policy templates alone provide a great deal of value to customers pursuing a compliance program.
We believe this is an essential feature for a SOC 2 compliance tool and failure to include it was grounds for exclusion from our comparison paper.
So what do these templates look like in action? Most tools will automatically pull some selection of policies based on an initial survey or by the scope of the organization’s SOC 2 audit. They will also provide a policy repository that users can browse and add to the security program as needed.
Tugboat Logic does both. It selects policies based on the user’s initial Readiness Project survey and provides an easily accessible library.
Once added to the program, users can edit the policies, request review and collaboration from others on the team, and publish them to the organization. After they’re published, the system notifies employees to read and sign off on them and tracks completion to generate evidence.
Automated Evidence Collection
Where would most organizations be if they didn’t have Microsoft 365, Google Workspace, AWS, Google Cloud, Azure, GitHub, Jira, or any of the other dozens of tech services that go into supporting their operations?
These services are the real infrastructure of modern businesses, and they make a lot of jobs much easier. They do not, however, make cybersecurity much easier.
Each additional tool a company stores data on needs to be accounted for and have its risks managed. Compliance audits mandate that data from these tools is provided as evidence that an organization has the proper security controls in place. But it’s a time-intensive process.
SOC 2 compliance tools can again save users’ time by providing direct integration with these services so that evidence may be pulled through and checked automatically for compliance with whatever policies and controls the user’s organization is attempting to meet.
Tugboat Logic offers fairly powerful integrations with several services. For example, it can sync with Google Workspace and the employee directory, ensuring that former employees have their access removed. And it generates the evidence to document it.
Automating evidence collection can provide massive time savings, but it would all go to waste if the tool couldn’t handle all evidence in a functional manner. Is evidence clearly versioned and dated? Is it listed when it will be out-of-date or previously went out-of-date? Is there an archive of historical data? Is the evidence linked to the appropriate controls?
Simply put, good tools make it easy to find, review, update, and distribute evidence.
For Tugboat Logic’s part, evidence management functionality revolves around Evidence Tasks. Evidence Tasks are generated based on policies, procedures, and controls the user has placed in their security program. And they can also be created manually when needed.
To complete an evidence task, upload the required evidence to the task within the time period and Tugboat will automatically mark it as completed. The evidence is then associated with the relevant policy, procedure, or control in the security program, and can be sent to an auditor when it’s ready for review.
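The directory-sync check described above, as an added example that is not Tugboat Logic’s code: it reconciles a constructed HR roster against a constructed SaaS user export, flags accounts that should have been removed, and packages the result as a dated, hashed evidence record with a validity window so out-of-date evidence can be detected. The control IDs and the 90-day validity period are assumptions.

```python
import hashlib
import json
from datetime import date, timedelta

# Constructed sample data (hypothetical, not from any real tenant).
# The HR roster is the source of truth for who should still have access.
HR_ROSTER = {
    "alice@example.com": {"status": "active"},
    "bob@example.com":   {"status": "terminated", "last_day": "2021-07-30"},
    "carol@example.com": {"status": "active"},
}
# Accounts exported from a SaaS service (e.g. a Google Workspace user list).
SERVICE_ACCOUNTS = [
    {"email": "alice@example.com", "suspended": False},
    {"email": "bob@example.com",   "suspended": False},
    {"email": "dave@example.com",  "suspended": False},
]

def find_access_exceptions(roster, accounts):
    """Return enabled accounts that should not be: terminated staff whose
    account is still active, and accounts with no matching HR record."""
    exceptions = []
    for acct in accounts:
        if acct["suspended"]:
            continue
        person = roster.get(acct["email"])
        if person is None:
            exceptions.append({"email": acct["email"], "reason": "no HR record"})
        elif person["status"] == "terminated":
            exceptions.append({"email": acct["email"], "reason": "terminated, still enabled"})
    return exceptions

def build_evidence(control_ids, exceptions, collected_on, valid_days=90):
    """Package a check result as a dated evidence record mapped to controls.
    control_ids are assumed labels; collected_on is an ISO date string."""
    start = date.fromisoformat(collected_on)
    body = {
        "control_ids": control_ids,
        "collected_on": start.isoformat(),
        "valid_until": (start + timedelta(days=valid_days)).isoformat(),
        "exceptions": exceptions,
        "passed": not exceptions,
    }
    # Hash the canonical JSON so later edits to the record are detectable.
    canonical = json.dumps(body, sort_keys=True).encode()
    body["sha256"] = hashlib.sha256(canonical).hexdigest()
    return body

def is_stale(evidence, today):
    """True when the evidence's validity window has passed (ISO date strings)."""
    return date.fromisoformat(evidence["valid_until"]) < date.fromisoformat(today)
```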
Risk Management
Business demands might place a big emphasis on compliance, but cybersecurity is ultimately about risk management.
Risk assessments are important tools for guiding awareness of an organization’s security posture. Without taking the time to actually assess what risks an organization faces, it’s hard to know how effective any security investment is going to be.
And after performing a risk assessment, the company must decide how risks are going to be managed. Again, these are hugely time-consuming processes where tools come in handy.
Most (but not all) cybersecurity compliance software provides some level of risk management functionality because risk assessments are a required part of every compliance audit. Some tools are really just focused on creating the required material for the audit, while others provide more robust functionality for actually doing risk management work.
Tugboat Logic’s risk module consists of two elements: the Risk Survey and the Risk Register. Like with the Readiness Survey, the Risk Survey is used to generate a set of risks for the Risk Register.
As with most library content, this provides a good foundation but some risks may not be relevant and need to be deleted. Additionally, some risks may need to be added manually.
Once the Risk Register is generated, there is a fair bit of work to do. The user needs to open up each risk and assess the risk – how likely is it to happen, and how large of an impact would it have?
Then, the user selects a risk management strategy from the four options (accept, avoid, mitigate, transfer) and links mitigating controls, if applicable.
While this is a lot of manual work, there is no automating a true risk assessment. If people in an organization aren’t thinking critically about what risks they face, there is no real risk assessment happening.
Vendor Risk Management
When a company entrusts data and infrastructure to a vendor, that vendor’s security posture begins to directly affect their own. If they do everything else right but have a vendor who is lackadaisical about security, a breach is still likely to happen. As such, vendor risk management is another element of every healthy security program.
But it’s also another time-consuming one. Each organization is responsible for emailing its vendors, having them fill out lengthy security questionnaires (or send their own SOC 2 report), and organizing the results. Here, a compliance tool can step in, providing a centralized location for performing vendor risk management tasks.
Ideally, the tools will allow users to create or upload risk questionnaires and send them from within the platform. That way nobody needs to use an external email and manually upload responses. Additionally, it should be possible to upload, link, and make comments on a SOC 2 report a vendor provides.
Tugboat Logic provides a Vendor Management module, where users start by creating a profile for a vendor and assigning a risk level – Low, Medium, or High, depending on what kind of service they provide.
After adding a vendor, you can create or upload a security questionnaire and send it on its way. Responses are automatically entered into their vendor profile, where users can review, approve them, or request more information.
Tugboat Logic also provides a sample vendor questionnaire and users can add additional questions relevant to the specific vendor if necessary.
Audit Workflow for Working with Auditor
After a company has put a compliance program in place and created a ton of evidence documenting it, they’re almost there! Now they just have to complete the audit.
Delivering information to and collaborating with an auditor is another challenging aspect of the compliance process. But, it can be sped up with the help of a tool.
The ideal functionality of audit workflow tools includes the ability to publish information to an auditor when you are ready for them to review it, and to enable comments and two-way communication within the platform. This way your organization and your auditor can complete tasks as needed with transparency.
Tugboat Logic accomplishes this through its Audit Projects module. Here, data from the user’s Readiness Project, including controls and evidence, is arranged alongside the SOC 2 controls it maps to.
In addition to publishing evidence to the auditor, Tugboat allows for auditors to request additional evidence or other attention as needed.
Reusing Content for Future Audits and Other Frameworks
So you got your SOC 2. Congratulations!
Now you need to maintain your compliance program, or maybe even add a new framework. Traditionally, this would be an enormous amount of work full of new spreadsheets and reviewing all of the evidence associated with the new controls.
But cybersecurity compliance tools can once again assist by automatically mapping existing evidence with the relevant controls of a new framework. As with any process, this is unlikely to be completely perfect but a considerable amount of time can be saved with a little automation.
Tugboat Logic has a relatively intuitive remapping workflow. Users can revisit their Readiness Projects survey and add an additional framework. When they do this, any pre-generated policies and evidence tasks are automatically mapped and added for the new framework.
For example, pursuing ISO 27001 or PCI DSS after obtaining SOC 2 isn’t going to be easy, but there is overlap that will get you across the finish line faster. Hopefully, the tool will make transitioning from a SOC 2 Type 1 to a SOC 2 Type 2 easier as well.
Cybersecurity programs take time and no software tool is going to be a magic bullet delivering a SOC 2 attestation in just a couple of weeks.
However, they can provide immense value in helping a company get compliant, stay compliant, and run a top-notch cybersecurity program, all while saving employees’ time along the way.
Fractional CISO will be participating in a Tugboat Logic webinar on August 24, 2021, at 2 pm eastern time. We will be discussing how SOC 2 tools like Tugboat Logic can help you run your security program and get compliant. Sign up here.