Walking the walk: SOC 2 Type II
At Vanta, security is intensely important: it’s literally our business! Over 800 customers use Vanta to achieve compliance, which means that Vanta’s product stores data that is particularly sensitive to security and privacy concerns. To safeguard that data, we make use of numerous best practices, from using the latest cloud infrastructure technologies to implementing concrete personnel-related policies.
Beyond implementing best practices, we knew that it would be an important step for us to complete our own SOC 2 Type II — proving to our customers that our stated security practices are in place and active.
Today, we’ll take a deep dive into our SOC 2 journey, and walk you through how we leveraged Vanta — our own platform — to become SOC 2 Type II certified.
Why SOC 2 Type II?
While we had already completed our SOC 2 Type I attestation in November 2019, we knew that achieving a SOC 2 Type II would carry more weight: a Type I is a point-in-time attestation — demonstrating that security practices are in place on a single day — whereas a Type II measures whether those practices operate effectively over an entire 3-month period. (To learn more, check out what we’ve written about the importance of SOC 2, as well as the distinction between Type I and Type II attestations.) With this goal in sight, we began our preparations.
We scheduled our 3-month Type II audit period to begin September 1, 2020, and our audit preparation began in August. We identified two focus areas and assigned owners accordingly.
Our audit was primarily driven by a team of two:
- a Customer Success Manager (Camille), who handled operational and HR-related items
- a Software Engineer (Neil), responsible for technical improvements such as remediating vulnerabilities and monitoring infrastructure configurations
By splitting work between just two people, we balanced specialization and accountability — ensuring domain expertise for particular areas while also avoiding organizational overhead.
To facilitate our audit, we partnered with several vendors:
- Coalfire: Coalfire was our auditor — the independent third-party that observed Vanta’s software and practices and ultimately awarded us the certification. We’d partnered with Coalfire to complete our Type I last year, and chose to renew because Coalfire was already familiar with our business operations, systems, and controls.
- Synack: We made use of Synack to complete a penetration test. Synack’s test searched for deep, application-specific vulnerabilities, which augmented the automated vulnerability scanning conducted through Vanta’s software.
- Vanta (of course!): We made heavy use of our own software to design our control environment, set policies, and automate evidence collection.
Our audit process was subdivided to create a few milestones:
Setup: To prepare for the audit, we first refined our controls — the security commitments specific to our company to which we intended to adhere. Our Type I audit gave us a strong foundation: we started by reviewing our Type I report and updating any controls we’d need for our Type II.
We then turned to Vanta to set up our monitoring policies and procedures. This included:
- Reviewing policies and procedures (SLAs)
- Configuring employee security requirements (such as security awareness training and policy acceptance)
- Ensuring all employee laptops were monitored by the Vanta Agent for security configurations (such as hard drive encryption and antivirus software)
Audit Processes: Throughout the audit period, we made sure to carry out processes that would align with our annual security commitments. This included conducting a risk assessment, a vendor assessment, an access review, and an inventory review. Vanta facilitated these in-product, so no external documentation was needed.
Monitoring and Resolution: When the three-month audit period began, we were poised and ready for an ongoing assessment of our compliance. Again, our software helped with this: Vanta’s automated tests continuously monitored our security environment and immediately notified us if a configuration had changed or a vulnerability had surfaced. Once notified, we could quickly address any issues via Vanta’s remediation instructions.
Evidence Review: Finally, Coalfire reviewed our Vanta instance and used it to collect the required evidence proving our compliance over the audit period. With that evidence in hand, Coalfire was able to quickly create and finalize our SOC 2 Type II report.
Throughout our process, we drew from an invaluable source of advice: our own customers, whose lessons we were able to apply to our own practices. We invite you to do the same: we’ve shared some of those lessons here.
On top of that, we’d like to emphasize the following learnings:
- Write your policies thoughtfully: Your company policies lay the groundwork for the audit. Be thoughtful when writing your policies, and don’t commit to promises you can’t keep. Auditors can (and will) ask you to provide evidence that you’re following these policies, so be prepared to prove it. We made use of Vanta’s policy templates to quickly and rigorously define our commitments.
- Good security calls for a group effort: Communicate your security goals clearly and often. While it’s important to maintain accountability for key people in the process, all employees play some part in achieving SOC 2 compliance (and good security at large). There are several tasks that only employees can complete, such as security training and accepting policies, so it’s crucial to keep everyone engaged. We used Vanta to track completion of employee tasks, and aimed to keep our employees up to date throughout the entire process.
- Real security and compliance are continuous: SOC 2 is the most widely accepted standard for security, and getting certified is an important step for any company looking to prove and verify its security practices. But staying compliant and secure outside of the audit period is just as important. Completing our SOC 2 Type II has further verified our hypothesis that the future of software security lies in a standard that’s accessible, comprehensive, and continuously verified. By creating the tools to help companies get in compliance (and stay in compliance) via a continuous security program, Vanta is taking that important first step.
We’re continually improving Vanta’s product based on user feedback. You’ll find us regularly introducing new integrations, interface improvements, additional automated tests for security verification, and more. In the coming weeks and months, we’ll continue to make these improvements, taking advantage of the added insight we’ve gained from completing our own SOC 2 Type II.
Most importantly, we look forward to using our learnings to design the foundations for a truly general compliance and security solution over time. And as we do this, you can expect us to continue to monitor our security with Vanta — and renew our SOC 2 next year.