Opsera completed SOC2 compliance in record time. How to ace your audit?
From inception, security, and the security of customer data in particular, has been a major priority for Opsera. To ensure that customer data safety remains beyond reproach, Opsera passed an extensive SOC2 audit in less than a month, establishing our controls, processes and data management practices as industry-best. In short, our customers have nothing to worry about when it comes to safeguarding their details in our database.
Read on to discover our journey, what it took for us to get through the audit and pass it with flying colors.
What is SOC2 and why does it matter?
Created by the American Institute of Certified Public Accountants (AICPA), SOC2 (System and Organization Controls) is a reporting framework that sets certain benchmarks for managing customer and user data. These benchmarks are based on five Trust Services Criteria - privacy, confidentiality, security, availability, and processing integrity.
Basically, SOC2 lays out guidelines and practices which verify that customer data is protected by a company according to a specific standard of excellence.
In SOC2 audits, independent, third-party auditors (CPAs) assess and test controls relevant to the Trust Services Criteria (TSC). By reading an organization's SOC2 report, you can learn how it manages vendor management programs, risk management protocols, corporate governance processes, regulatory compliance oversight, and more.
How Opsera achieved SOC2 compliance: Our Journey
The SOC2 Type 2 certification is critical for any product. In particular, it is mandatory for any SaaS provider. When Opsera started the SOC2 certification process, we knew from the outset that it would not be easy.
To start with, we had to develop and put in place a series of controls and remediations in order to pass our SOC2 Type 2 audit within the stipulated time.
However, at Opsera we had the experience and knowledge to accomplish this, primarily due to the expertise brought on board by founders Chandra Ranganathan & Kumar Chivukula. Additionally, the product management and engineering team also carried the necessary experience, not just in the technological sphere but also in security and compliance, thanks to the team members' past stints heading infrastructure, cloud and DevOps functions in Fortune 100 companies.
Opsera started the SOC2 audit journey in January 2020. As mentioned previously, SOC2 certification is mandatory for 100% SaaS solution providers like us.
Our journey started with compiling processes around HR, onboarding, access controls, product security, compliance and quality. Having consolidated this data was especially helpful when we engaged the external audit firm to conduct the audit at the end of November 2020.
Based on our previous experience working on product and SaaS platform security, we had already incorporated numerous relevant information security controls, policies and best practices as part of our platform architecture, design and implementation.
Vishnu Vasudevan (Head of Product Management and Security) led the efforts of this engagement and his previous experience in dealing with complex security audits helped us navigate the process seamlessly. After engaging with the audit firm, we aligned our guidelines and controls with SOC2 requirements. Given that we already had most of the controls, policies and procedures in place, it was easier for us to accelerate the SOC2 journey.
Once the questionnaire from the external audit firm had been reviewed, the team was briefed on the SOC2 Type 2 audit. A Tiger team was formed with experts from Opsera, and the questionnaire was studied and analyzed down to the last dot. Fundamentally, the team listed which controls were already in place and which still had to be implemented.
At the beginning of 2021, internal meetings were scheduled for every alternate day and the team started working on the action items that needed to be completed before the audit. Individual ownership was assigned for each audit questionnaire item, and the stakeholders included Board members, Founders, Product leads, Technical leads, and the Marketing and Engineering teams. Our foremost priority was to make sure that the controls we had in place were in line with the SOC2 Type 2 audit. Once we had validated the controls and identified the areas for which we needed to provide evidence, it became easier for the implementation team to start collecting the evidence required to satisfy each control.
Naturally, the pandemic situation did not help much. Opsera had to go through a day-long remote audit that was set for the first week of February 2021. Given the size of our team, the initial assumption was that completing the audit requirements would take anywhere between 3-4 months. Though the team was small, our alternate-day meetings helped us examine and verify the requirements much more quickly. The collective experience of the team also proved to be a major strength, as opposed to working as individuals.
We held an internal dry run of the audit and ran through all the audit requirements multiple times, starting from HR, SaaS platform and cloud security, access control compliance, product development governance, risk assessment, etc., to ensure everything was in place.
The dry run helped us identify a few pending items, which the team examined and discussed in order to plan for remediation. These related mostly to certain controls around the review of the SOC2 reports of third-party vendors (such as AWS, Okta and our technology partners) and risk evaluation.
As the audit dates approached, we started meeting daily for 30 minutes and made notes on the specifics of particular requirements from the owner responsible for each line item. These notes were incredibly helpful: they allowed us to quickly offer accurate, comprehensive information to the auditors. Consequently, this cut down on unnecessary delays and allowed us to complete the audit quickly.
One of the key takeaways from this whole process: never cut corners when it comes to an audit, as doing so will almost certainly lead to difficulties and challenges in the future. Make sure to document the controls, build a training plan and ensure that a process is in place to manage and maintain the controls on a daily basis.
When selecting team members, identify the SMEs from each domain, form a team, and assign the controls based on their domain expertise and areas of responsibility. Have them run through the process and the goals that need to be achieved by the end of the audit. Make sure your team knows not just the product end to end but also every aspect of the company, its customers and its business goals.
On the day of the audit, we were asked to show the evidence, logs, and controls in place. After only a couple of weeks, we received our certification without any major issues or recommendations.
Opsera completed the audit in less than 60 days, and our preparation for the audit took less than 45 days. For a startup to achieve the SOC2 Type 2 audit in 45 days is certainly not an easy task.
However, it was made possible by the Opsera team's focus and accountability. At the heart of achieving success with a SOC2 Type 2 audit lies teamwork, knowledge and the willingness to use both to the best of everyone's ability.
How Opsera's SOC2 compliance helps customers
Opsera's SOC2 compliance assures our customers that their data and the information of their DevOps ecosystem is protected at all times in line with all compliance requirements. Our SOC2 Type 2 certification demonstrates that the organization maintains a high level of information security with respect to security, audit and compliance requirements.
What is next in compliance for Opsera (customers)?
Being SOC2 Type 2 compliant assures our current and future customers that we have the proper security, privacy and compliance controls in place to manage the SaaS platform. We have the requisite tools, infrastructure and processes to protect their information with industry best practices.
Additionally, we have tools in place to recognize threats and alert the appropriate parties so they can evaluate threats and take necessary action to protect data and systems from unauthorized access or use.
We also now have the relevant data on any security incidents so we can identify the scope of the problem, remediate systems or processes as necessary, and restore data and process integrity.
We are committed to the privacy and security of our customers, and have other certifications coming soon to support that.
How Opsera's penetration testing helps customers
Opsera partnered with one of the industry's leading firms that handles penetration testing for SaaS platforms and completed the testing alongside the SOC2 Type 2 certification. The independent penetration testing assures our customers that their data and the information of their DevOps ecosystem is continuously validated against known threat vectors and vulnerabilities.
The assessment was performed using OWASP and other widely used security testing methodologies, ensuring that our SaaS platform is evaluated against industry standards and best-practice guidelines.