ALL RESOURCES
SOC 2
Who is responsible for SOC 2?
BlogsSOC 2

Who is responsible for SOC 2?

Most people think of SOC 2 as a technical or engineering project, and in part, this is true. SOC 2 controls are built around protecting your data, and many of those controls involve creating and maintaining electronic or code-based barriers that keep your data away from unsafe hands. However, data security doesn’t only exist in cyberspace.


Through our years of working with businesses on their SOC 2 reporting, we’ve noticed that this common misconception tends to slow down and delay the reporting process. We often see businesses that don’t have the engineering staff they need to put the SOC 2 security controls in place, so they put off the process until they’ve carried out a lengthy talent search and hiring process. Or, they may have the engineers they need, but those engineers may be working on a higher-priority project so the SOC 2 compliance is put on hold until the current project is done.


The truth is that there are plenty of non-technical staff members that have roles to play in your SOC 2 compliance, and getting started with those tasks while you’re hiring engineers or waiting for engineers to finish other projects will allow you to get your compliance process underway so it can finish sooner.


To help your business better plan your SOC 2 compliance, we’re breaking down the roles that both technical and non-technical staff have to play.

Human resources and administrative staff

In hacking and data theft, much of the process is actually done through social engineering rather than programming or technical hacks. As a result, every employee and contractor in your business affects your information security, and that is why human resources and administrative professionals play a key part in SOC 2 compliance.


For one, these members of your team are generally responsible for employee onboarding and offboarding. Part of onboarding and offboarding needs to involve your specific security protocol for each employee. For example, you may need to set up an access control key for each employee when they join your organization, as well as teach them your security practices. When an employee leaves, that access control key must be deactivated and you may need to take other measures to keep your data secure.


Your HR and administrative teams are also responsible for developing and maintaining security policies for your SOC 2 compliance. For instance, you’ll need policies for security practices employees need to follow, policies for reporting potential data breaches, and so on. Members of your non-technical staff will need to draft these policies in addition to getting employees’ signatures to ensure that everyone is aware of and prepared to follow the policies.


Another important way HR and administrative staff take part in SOC 2 compliance is by organizing and implementing security awareness training. This training must bring your employees up to speed on common tactics used by hackers and data thieves and teach employees how to avoid these security threats.

Engineering staff

In general, your administrative and HR staff will be spearheading the employee-focused aspects of SOC 2 compliance. Your engineering team, on the other hand, focuses on all the technical security components to prepare for your SOC 2 report.


The exact duties of your engineering team will depend on your business, your information security system, and so on. It could include implementing firewalls, establishing encoding practices, selecting and installing antivirus software, programming access controls, investigating the security of your various platform and tool integrations, and so on.

What does this breakdown of responsibilities mean?

Now that you have an understanding of how both technical professionals and certain non-technical professionals play a role in SOC 2 compliance, why does this matter? How does it impact your SOC 2 reporting process?


It means that you don’t have to wait until you have a team of security engineering specialists hired and available before you start working toward SOC 2 compliance. While you’re hiring engineers or waiting for your own engineers’ time to become available, your administrative and HR staff can be working on security policies, employee onboarding and offboarding processes, planning and organizing security awareness training, and so on.


If you’re in this stage and you’re ready to get started, the best way to jump in is to get the guidance of an automated platform.

How does Vanta make SOC 2 compliance easier for both technical and non-technical professionals?

Vanta is an automated SOC 2 compliance platform that helps you through the necessary security controls in your SOC 2 report. It assesses your system’s readiness and gives you detailed checklists of what you’ll need, and that’s just a start. In fact, Vanta can make the work easier for both technical and non-technical professionals.


For your HR and administrative staff, Vanta allows you to create custom workflows for employee onboarding and offboarding. This way, you can ensure that no security measure is missed during these workflows. You’ll also have an access control center where you can see each employee’s access at a glance, so you can make sure everyone has the permissions they need but nothing more.


Vanta helps with policy development as well. In fact, this tool includes in-depth templates for your security policies. There’s no need to start from scratch and spend hours with an attorney trying to make sure all your bases are covered.


Further yet, Vanta eases your burden with security awareness training by including detailed training plans you can easily implement. Your staff doesn’t need to invest hours into researching and designing a training program of their own or finding one elsewhere.


When it comes to your engineering team, Vanta offers straightforward help with SOC 2 compliance. The automated software scans your system for the necessary security controls and gives you a precise list of which controls you’ve already met and which ones are lacking so your engineers can cut straight to the chase.

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Incident.io
Lumos
IcePanel
Epsilon3
Supabase
EasyLlama
Qualifi
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE

You might also like:

Product updates
New in Vanta | February 2023
CCPA
CCPA, CTDPA, VCDPA…Oh My! Digging into US Data Privacy in 2023
Security
Access reviews are mission critical: Here’s how to get security risk management right

Table of contents

This is some text inside of a div block.

Share this article

Share this article

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.

1
2
3
4
!
👍

Does your business offer services to customers who are interested in your level of PCI compliance?

Yes
No
RESTART QUIZ

Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:

SAQ A

A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified

SAQ A-EP

A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

SAQ D
for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

ROC
Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference

DOWNLOAD NOW

Questions?

Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

Related resources

ON-DEMAND WEBINAR
Compliance frameworks

Convos with Customers: ResoluteAI

Eléonore Dixon-Roche, Senior Product Manager at ResoluteAI, explains how Vanta helped her step outside of her role and take on managing security and compliance for her company.

Blog
Product updates

New in Vanta | January 2023

Vanta has made some pretty exciting updates already in 2023. Learn about Trustpage by Vanta, our newest integrations, and the most recent improvements to the platform.

ON-DEMAND WEBINAR
ISO 27001

ISO 27001:2022 What's changed and what it means for your business

In late 2022, ISO 27001 rolled out changes to the Annex A controls, minor updates to the clause language, modernized controls, as well as 12 new controls. Whether you have ISO 27001 and want to learn more about these updates, or are pursuing ISO for the first time, this on-demand webinar is for you. Join Matt Cooper, Senior Manager of Privacy, Risk, and Compliance at Vanta, and Steve Conley, IT Audit Director at Insight Assurance, to dive in.

Blog
Security

When is the right time for vulnerability scanning?

As new cybersecurity threats emerge, when is the right time for vulnerability scanning? We give an overview of how to time vulnerability scans for improved security.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes

Vanta is the easy way to get and stay compliant. Thousands of fast-growing companies depend on Vanta to automate their security monitoring and get ready for security audits in weeks, not months. Simply connect your tools to Vanta, fix the gaps on your dashboard, and then work with a Vanta-trained auditor to complete your audit.

Products
SOC 2ISO 27001GDPRHIPAAPCI DSSCCPAAdditional FrameworksIntegrations
Customers
Customer Case Studies
Resources
BlogsGuidesGlossaryVideosAll Resources
Company
AboutCareersPressSecuritySystem StatusTrust Report
Manage CookiesTermsPrivacy