At Vanta, security is intensely important: it’s literally our business! Over 800 customers use Vanta to achieve compliance, which means that Vanta’s product stores data that is particularly sensitive to security and privacy concerns. To safeguard that data, we make use of numerous best practices, from using the latest cloud infrastructure technologies to implementing concrete personnel-related policies.
Beyond implementing best practices, we knew that it would be an important step for us to complete our own SOC 2 Type II — proving to our customers that our stated security practices are in place and active.
Today, we’ll take a deep dive into our SOC 2 journey, and walk you through how we leveraged Vanta — our own platform — to become SOC 2 Type II certified.
Why SOC 2 Type II?
While we had already completed our SOC 2 Type I attestation in November 2019, we knew that achieving a SOC 2 Type II would carry more weight, since a Type I is a point-in-time attestation — demonstrating security practices on a single day — whereas a Type II measures compliance over an entire three-month period. (To learn more, check out what we’ve written about the importance of SOC 2, as well as the distinction between Type I and Type II attestations.) With this goal in sight, we began our preparations.
We scheduled our 3-month Type II audit period to begin September 1, 2020, and our audit preparation began in August. We identified two focus areas and assigned owners accordingly.
Our audit was primarily driven by a team of two:
- a Customer Success Manager (Camille), who handled operational and HR-related items
- a Software Engineer (Neil), responsible for technical improvements such as remediating vulnerabilities and monitoring infrastructure configurations
By splitting work between just two people, we balanced specialization and accountability — ensuring domain expertise for particular areas while also avoiding organizational overhead.
To facilitate our audit, we partnered with several vendors:
- Coalfire: Coalfire was our auditor — the independent third-party that observed Vanta’s software and practices and ultimately awarded us the certification. We’d partnered with Coalfire to complete our Type I last year, and chose to renew because Coalfire was already familiar with our business operations, systems, and controls.
- Synack: We made use of Synack to complete a penetration test. Synack’s test searched for deep, application-specific vulnerabilities, which augmented the automated vulnerability scanning conducted through Vanta’s software.
- Vanta (of course!): We made heavy use of our own software to design our control environment, set policies, and automate evidence collection.
Our audit process was subdivided to create a few milestones:
Setup: To prepare for the audit, we first refined our controls — the security commitments specific to our company to which we intended to adhere. Our Type I audit gave us a strong foundation: we started by reviewing our Type I report and updating any controls we’d need for our Type II.
We then turned to Vanta to set up our monitoring policies and procedures. This included:
- Reviewing policies and procedures (SLAs)
- Configuring employee security requirements (such as security awareness training and policy acceptance)
- Ensuring all employee laptops were monitored by the Vanta Agent for security configurations (such as hard drive encryption and antivirus software)
Audit Processes: Throughout the audit period, we made sure to carry out processes that would align with our annual security commitments. This included conducting a risk assessment, a vendor assessment, an access review, and an inventory review. Vanta facilitated these in-product, so no external documentation was needed.
Monitoring and Resolution: When the three-month audit period began, we were poised and ready for an ongoing assessment of our compliance. Again, our software helped with this: Vanta’s automated tests continuously monitored our security environment and immediately notified us if a configuration had changed or a vulnerability had surfaced. Once notified, we could quickly address any issues via Vanta’s remediation instructions.
Evidence Review: Finally, Coalfire reviewed our Vanta instance, and used it to quickly collect the required evidence proving our compliance over the audit period. Using this evidence, Coalfire was able to quickly create and finalize our SOC 2 Type II report.
Throughout our process, we drew from an invaluable source of advice: our own customers, whose lessons we were able to apply to our own practices. We invite you to do the same: we’ve shared some of those lessons here.
On top of that, we’d like to emphasize the following learnings:
- Write your policies thoughtfully: Your company policies lay the groundwork for the audit. Be thoughtful when writing your policies, and don’t commit to promises you can’t keep. Auditors can (and will) ask you to provide evidence that you’re following these policies, so be prepared to prove it. We made use of Vanta’s policy templates to quickly and rigorously define our commitments.
- Good security calls for group effort: Communicate your security goals clearly and often. While it’s important to maintain accountability for key people in the process, all employees do play some part in achieving SOC 2 compliance (and good security at large). There are several tasks that only employees can complete, such as security training and accepting policies, so it’s crucial to keep everyone engaged. We used Vanta to track completion of employee tasks, and aimed to keep our employees up to date throughout the entire process.
- Real security and compliance are continuous: SOC 2 is the most widely accepted standard for security, and getting certified is an important step to take for any company looking to prove and verify their security practices. But staying compliant and secure outside of the audit period is just as important. Completing our SOC 2 Type II has further verified our hypothesis that the future of software security lies in a standard that’s accessible, comprehensive, and continuously verified. By creating the tools to help companies get in compliance (and stay in compliance) via a continuous security program, Vanta is taking that important first step.
We're continually improving Vanta's product based on user feedback. You’ll find us regularly introducing new integrations, interface improvements, additional automated tests for security verification, and more. In the coming weeks and months, we’ll continue to make these improvements, taking advantage of the added insight we’ve gained from completing our own SOC 2 Type II.
Most importantly, we look forward to using our learnings to design the foundations for a truly general compliance and security solution over time. And as we do this, you can expect us to continue to monitor our security with Vanta — and renew our SOC 2 next year.