Security & Compliance
May 23, 2024
12-15 min
Hypercore's journey to SOC 2 Type 2 compliance is a testament to its commitment to data security. Ohad Nissim, the Business and Operations Manager, shares his experiences in leading this process and the challenges they overcame. From understanding compliance needs to choosing a vendor, managing employees, and preparing for compliance tests, Ohad provides an in-depth view of the complexities of achieving compliance. The result is a strengthened security profile and increased customer trust.
Ensuring data security while maintaining compliance is a complex task for any organization. For us at Hypercore, obtaining SOC 2 Type 2 compliance was a noteworthy achievement, demonstrating our unwavering commitment to data security.
My name is Ohad, and I am the Business and Operations Manager at Hypercore.
Today, I am eager to share my experiences in leading this process and navigating the complex world of compliance, with Vanta serving as my reliable guide.
Our decision to enhance security procedures stems from our commitment to protecting the data of our current and future customers and maintaining industry standards. Once I received this project, I understood that the initial step was to identify the most appropriate certification framework for information security and data management compliance, considering our industry and clientele.
Upon understanding the differences between various SOC reports and ISO certificates, and presenting this information to our founders, we decided to pursue a SOC 2 Type 2 report. This report validates that our systems are effectively designed and operated to secure data over a particular period, offering a deeper understanding of our security measures.
Once we identified our needs, I began searching for recommended vendors to guide us. I quickly realized the market was saturated with diverse SOC 2 vendors, including private consultants, consulting agencies, and automated platforms. This was somewhat overwhelming.
I compiled a list of approximately 14 potential vendors and collected relevant data to evaluate their value. I considered features, reviews, and suggested timeframes, and cross-referenced the details. Eventually, I narrowed down our options to a shortlist of four potential vendors.
An important consideration is that, since compliance frameworks require annual renewal and recurring assessments, you should compare multi-year contracts across vendors. This comparison could potentially sway your decision towards a different vendor.
Eventually, we chose Vanta. Our decision was influenced by numerous recommendations, their competitive pricing, their technical approach, and the high level of service we experienced during the evaluation process.
Despite initially gaining access to Vanta's platform via the free trial, I had to wait for an onboarding email containing a link to start connecting integrations, downloading policies, and so on. I was also expected to be contacted by an implementation manager and a customer success manager for assistance with our compliance tasks. Once assigned a CSM, she provided me with a walkthrough of the platform and briefly explained each component. Following this, I was able to start working on our compliance tasks using Vanta's framework. You may be tempted to start reading about controls and perhaps attempt to comply with them or prepare policies. However, I can assure you that the process is quite different from what you might expect. You'll have plenty of time to delve into it in the subsequent sections.
The initial stage involved reviewing every policy in the SOC 2 framework and its templates provided by Vanta. These templates served as a solid foundation for us to build our processes, tailoring them to our specific way of executing SOC 2 controls.
After reviewing the policies with the founders, we adjusted the templates to align with our operations. We incorporated elements we considered important and excluded those irrelevant to our current phase or more applicable to non-SaaS companies.
During this phase, we also identified which founders were best suited to oversee the policy, based on their company roles and expertise. If your platform doesn't support assigning owners to policies, I recommend creating a table. This will help track which founder is responsible for each policy, making it easier to manage, especially at first when it can be confusing.
Subsequently, I formed groups for each department and the company. These groups were linked with checklists I developed, which compiled the relevant tasks and policies each department's employees needed to understand and follow.
After establishing company department groups and employee checklists, I ensured all employees completed their security onboarding tasks on Vanta. I held a joint meeting to explain their new duties and responsibilities under the SOC 2 framework. This included reading and accepting relevant department policies, watching training videos, and perusing the security training guide.
Needless to say, I was always available to answer any questions from our employees during their onboarding. Each of them was onboarded at a different time within the first couple of days, and it was their first experience working in those areas. This improved my understanding of the distinct roles and tasks of each employee in every department. This knowledge was essential for ensuring that compliance tasks were managed appropriately.
Vanta offers integrations with specific vendors in each service segment commonly used by companies. This allows tests that involve third-party vendors, such as background checks or cloud services, to be monitored and evidenced automatically.
To achieve this, I discussed with each founder the type of technology stack their department uses and our work's nature with those tools. This exercise was intriguing, as it helped me gain a better understanding of the tasks and tools of each department. For efficiency, I recommend asking each department head in your company for a list of software their department uses. Gathering this information may take time, but it's best to integrate all of them from the start.
Moreover, it revealed how many vendors we use, a number that was surprisingly high, and highlighted the potential data migration points within our company.
In this context, my advice would be that if you're considering pursuing compliance reports or certificates with Vanta or any other vendor, I suggest researching the vendors they integrate with before embarking on this journey. Doing so will streamline the process and save you considerable effort.
Remember, maintaining security certificates and reports is an ongoing task that requires annual control assessments. That's why, in the long term, it's worth the effort.
After clearing the tests related to policy assignment and approval, along with those automatically managed through integrations, we still had a substantial number of tests and documents requiring our attention. I decided to begin with the necessary documents that needed uploading, targeting the "low-hanging fruit".
For instance:
• Documents already in our possession that merely needed structuring according to the SOC 2 framework.
• Documents describing existing processes that required documentation for uploading to Vanta.
• Tests requiring specific configurations within our vendors' platform accounts, which required minimal work.
Initially, I began developing tests and drafting documents. Sometimes, I used Vanta's templates, and other times, I created them from scratch with assistance from the relevant founder.
However, given my limited expertise and experience in compliance, I quickly accumulated numerous questions about each test or document we needed to produce. These included both administrative questions from our CEO and technical queries from our CRDO and CTO. Resolving these questions was crucial before we could continue drafting documents and gathering evidence.
At first, I tried to address these issues by emailing our dedicated CSM back and forth. However, this approach soon proved to be chaotic, prompting the need for a more efficient system.
I decided to create a shared, accessible document for the CSM and myself. This enabled us to centralize and record all our questions in one place, facilitating discussions about the same tests while eliminating the need to search through our emails for each query.
I created a separate clause for each issue, outlining the problem and linking it to the specific test or document on Vanta. We used the comment feature to ask and answer questions, avoiding lengthy threads in the document and allowing for easy navigation between issues. This shared document proved to be a valuable tool, making the process of testing and document iteration more streamlined and efficient.
Additionally, this approach offered a significant advantage by allowing me to effortlessly involve the founders in any specific issues or questions. Rather than forwarding emails or copying and pasting content into Slack, I could simply tag them directly within the comment thread. This not only streamlined communication but also ensured that the founders always had the necessary context for each issue at hand as they could review the entire thread.
In the end, this document consisted of 20 pages with 42 distinct clauses, each addressing a different issue related to a test or document. Without this system, managing this information through approximately 50 emails would have been incredibly disorderly!
In addition, I held bi-weekly meetings with our CSM to maintain communication and ensure we were always clear on our next steps once we reached a certain percentage of test/document completion. Upon reaching 90% of completed tests on the platform, I began the process of finding an auditor. This is because when you approach 96%, it's time to initiate the audit window.
This procedure was necessary as some tests and documents were intended to be uploaded only during the audit window. Thus, it was impossible to reach 100% completion before engaging an auditor.
This part was relatively straightforward. Vanta proposed to connect us with Advantage Partners, an audit company founded by former Vanta employees. This means they have a comprehensive understanding of the platform and how Vanta operates. We considered a couple of vendors and ultimately decided that Advantage Partners was the best fit for us. Their familiarity with Vanta's platform and process, along with their pricing, made the most sense to us.
After completing 96% of the tests and documents and securing an auditor, we were ready to enter the audit observation window. Before doing so, we needed to take some final steps. Specifically, we had to ensure that only systems in the production environment were marked as in-scope on Vanta's integrations page.
We needed to confirm that all resources in the production environment of integrated systems were marked as in-scope, while those in development and test environments were out of scope. We uploaded all relevant documents and ensured that control owners reviewed the control language and understood their roles and responsibilities. This process aimed to ensure our team could confidently explain how they followed the controls and contributed to the company's security.
After these steps, I began to address the remaining tests to be uploaded during the audit window. It was crucial to uphold our pre-determined service level agreements (SLAs) regarding the evidence provided during this period. Vanta emphasized the importance of consulting with the auditor about any necessary changes. I recommend strictly adhering to this advice by conducting discussions internally, with the auditor, and with your platform's CSM before making each move, to avoid mistakes during the audit window.
During this time, we onboarded new interns and off-boarded the previous ones for the first time. This raised some questions on our end, but I kept our auditors informed at each step. They were quick to respond and provide assistance.
Finally, I received an email confirmation from our auditors indicating that we had completed our SOC 2 Type 2 audit window and had entered the project's next stage. This meant the auditor's team had begun documenting all evidence and started drafting our SOC 2 report. During the reporting period, the auditors had a few follow-up items. We promptly responded to these, assisting them in confirming and addressing the issues. According to our auditors, this process typically takes between 4 and 6 weeks, and in our case, it took a bit over 6 weeks in total.
After completing the audit, the auditor sent us a draft of the report and a Management Representation Letter for signing. Upon our review of the draft report and signature of the Rep Letter, they issued our SOC 2 Type 2 report and instructed us on how to access the final document.
As a company, we started with a minimal understanding of data security frameworks. Now, we're in a completely different position.
Looking back at our SOC 2 compliance journey, the experience was rewarding and transformative. It not only strengthened our customer trust but also significantly enhanced our organization's security profile. Throughout this process, I found myself shouldering significant responsibility, not just during the implementation phase, but also moving forward. Additionally, I observed a profound shift in our founders' approach to compliance matters. Their commitment to attaining this report instilled a broader appreciation for the importance of information security across all company workflows. It was truly enlightening to witness this transformative journey.
In the complex world of compliance, Vanta has proven to be an invaluable partner for our journey. I strongly recommend Vanta to any SaaS company navigating through compliance challenges. Their platform simplifies the compliance process by efficiently managing tasks and collecting evidence. The time and effort saved through Vanta's automated integrations were significant. Honestly, I can't imagine how I would have managed without their expert guidance and support.
If you're embarking on a similar journey, remember that there are no shortcuts. Conduct extensive research from multiple sources. Whether it's about finding the right framework for your company, the correct vendor, or understanding the meaning of controls and tests, it will save you time in the long run and ensure you're on the right path.
Our journey toward compliance was complex yet successful, thanks to dedication, attention to detail, and the right tools. Our experience can guide other companies beginning their compliance journey, highlighting the dual benefits of enhancing customer trust and strengthening data security.
If you're interested in discussing this process further or hearing more about our experience, please feel free to contact me.
Ohad Nissim, Business & Operations Manager ohad@hypercore.ai