
SOC 2 Bootcamp (4 parts)

cheryl_rasmuson
edited September 9 in SOC2

In May 2021 we ran a "SOC 2 Bootcamp" showing what the audit process looks like when using our tool. The Bootcamp was split into four sessions: Choosing an Auditor, Policies and Controls, Evidence Collection, and The Audit.

Part 1: Choosing an Auditor

Part 1 Timestamps

00:00 - 01:30 Introduction and housekeeping

02:05 - 04:05 Importance of buy-in when getting certified

04:10 - 13:00 Selecting an Auditor

13:05 - 17:00 Deciding on the size of an audit firm that's best for you

17:05 - 23:40 Expanding on the Auditor selection process

24:00 - 29:00 Trust service criteria overview

29:05 - 37:25 Determining your scope / scoping survey demonstration on Tugboat Logic

37:35 - 41:58 Service organization description controls

Questions

42:08 - 44:00 If you are paying the Auditor how can they be considered independent?

44:05 - 47:10 Trust service criteria are based on your business but you can choose which criteria to start with? Can you expand on this?

47:15 - 48:42 Can you use your RFP or vendor management process to procure an auditor?

48:45 - 50:37 Can your Financial Auditor also be your SOC Auditor?

50:54 - 54:30 A lot of SOC compliance seems to be based on the Auditor's judgment; can you expand on how the guidelines vary from one auditor to another?

Part 2: Policies and Controls

Part 2 Timestamps

00:00 - 01:42 Introduction and housekeeping

06:40 - 18:50 Policy overview / Tugboat Logic demonstration

19:00 - 21:05 Controls overview

21:10 - 24:20 Analysis of Business Continuity Plan as an example of a control

26:30 - 31:00 Risk Assessment and Mitigation

31:19 - 37:16 Vendor Compliance Review for a vendor with a SOC2 report

37:20 - 38:30 Vendor Compliance Review for a vendor without a SOC2 report

38:32 - 43:25 How to mitigate risk when working with a small firm vendor

Questions

43:30 - 44:25 Do you need to share your controls with a third party, or is sharing the policies enough?

44:40 - 47:40 What is the difference between procedures and controls?

47:45 - 51:00 For the implementation of controls, policies, risk management, reviews, approvals, etc., is there an order in which you recommend tackling these tasks?

51:10 - 52:25 If you already have your SOC 2 Type 2, how easy is it to transfer your policies into Tugboat Logic?

52:30 - 54:35 What is the minimum list of SOC 2 policies that should be accepted by all employees?

Part 3: Evidence Collection

Part 3 Timestamps

00:00 - 02:00 Introduction and housekeeping

03:00 - 08:51 Evidence overview

09:00 - 10:50 Evidence collection methods

11:00 - 15:02 Business Continuity Recovery policy (example in Tugboat Logic)

15:10 - 16:00 Submitting your Business Continuity plan as evidence

16:05 - 16:50 Other evidence tasks that require a plan or document and cannot be completed via automation

16:52 - 22:00 Submitting evidence tasks that can be automated

22:05 - 26:20 Analyzing segregation of customer data control

26:35 - 29:30 Reviewing vulnerability scanning and remediation

29:35 - 36:10 Overview of a Penetration test

36:12 - 37:40 General business penetration test vs. SOC 2 penetration test

37:44 - 42:30 Process proceeding Penetration test

42:48 - 44:20 Different evidence collection methods for SOC 2 Type 1 vs. Type 2

Questions

44:23 - 48:00 How can you guarantee a penetration tester is testing against all known cyber attacks as well as the latest variations?

48:03 - 51:50 In general, would you advise collecting evidence more frequently than required in case you miss a cycle?

51:55 - 53:10 What is the observation period for a Business Continuity plan?

Part 4: The Audit

Part 4 Timestamps

00:00 - 01:20 Introductions and housekeeping

01:25 - 03:57 Readiness Assessment overview

04:00 - 04:35 Does every SOC 2 report need a signing partner to sign off on it?

04:40 - 07:10 What should be prepared for an audit?

07:15 - 09:15 The difference in preparation for a Type 1 vs. Type 2

09:30 - 11:20 How do you start a Readiness Assessment?

11:30 - 12:00 Type 1 audit timeline

12:15 - 19:15 Type 2 audit timeline

19:19 - 21:20 SOC 2 Type 2 year-two audit timeline

21:25 - 28:29 Expectations when doing your inquiries and observations with Tugboat Logic

28:30 - 31:10 When can you expect your report?

31:12 - 34:40 What to expect at the end of the audit

34:46 - 40:26 How to utilize your report

40:30 - 48:10 Sections of a report

48:15 - 50:36 Who can you share the report with?

50:50 - 54:25 Does your report expire?


If you have any comments or questions, feel free to leave them in the comment section below!
