On a project I've been working on, I've been preparing for SOC 2 Type II certification. My responsibilities have mostly been on the engineering/IT side, ensuring that our SaaS is deployed and developed according to SOC 2 processes.
This isn't something a developer would willingly or enthusiastically take on, right?
I can’t believe I’m saying this out loud, but actually... it hasn’t been that bad. The biggest reason for this has definitely been Vanta.
Vanta has distilled the rather hard-to-decipher process descriptions into actionable items. As far as I know, SOC 2 isn’t a one-size-fits-all certification for SaaS providers; it differs according to the stack - which makes sense. Plugging in all our services, from cloud providers to issue trackers, spits out a tailored task list.
The task list can even include literal Terraform code examples, which you can copy-paste with minor changes. You could kind of get a similar list from AWS Audit Manager or AWS Security Hub, but Vanta is cloud-agnostic.
It’s like a ticketing template on steroids - or one of those rare automated security tools that actually proves useful. It ensures that secure practices continue in our organization, not only during the audit period but continuously. It also provides a trust center page for transparency where the customers eventually can download our SOC 2 report 🤞
The biggest benefit is definitely the automated integration with cloud providers. If you add all third-party services, you can get an offboarding and access review list out of the box.
Regarding process documentation, Vanta provides pre-filled document templates based on some basic information you provide about your organization - saving at least some time. They also outline the steps clearly, making it easier to follow.
Committing to a process like SOC 2 is something that, on the whole, is good for an organization. Sure, all of these certifications have their oddities, and some requirements can feel like pure waste. But as with a well-structured codebase, clearly defined boundaries across the whole engineering process are a definite plus.