Written by: Rachel Mains, Director of Information Security
Since 2008, Strategic Risk Associates (SRA) has worked closely with financial institutions across the nation to help them build more mature risk management programs. As former bankers and regulators, we understood how technology could help financial institutions aggregate data from across the organization to produce actionable insights and the foresight needed to manage risk and performance. With this knowledge and experience, SRA developed Watchtower, an integrated risk and performance management SaaS solution hosted on both AWS and Google Cloud.
Watchtower aggregates thousands of key risk indicator (KRI) and key performance indicator (KPI) data points that roll up into multiple dashboard visualizations. While the dashboards are designed to be intuitive and easy for the end user to understand, behind the scenes Watchtower is doing the heavy lifting: ingesting customer file exchanges and transforming them into structured data, processed in the cloud. From day one SRA has made security and privacy our #1 priority.
A SOC 2 Type 1 report is the product of an external audit of a service organization's system. The auditor evaluates the organization's description of that system and the suitability of the design of its controls as of a specified date, reviewing the policies, procedures, and supporting documentation behind those controls. A Type 1 covers control design only; it does not test whether the controls operated effectively over a period of time, which is the scope of a SOC 2 Type 2 report. Strictly speaking, SOC 2 is an attestation report rather than a certification, although "SOC 2 compliance" is the phrase most people use.
Because of a strong desire to demonstrate to SRA customers that we maintain thorough internal controls and policies, we pursued and obtained a SOC 2 Type 1 report. SRA wanted to substantiate not only the organization's procedural documentation, which evolves as we grow, but also the detailed processes in place to protect our systems and safeguard our data.
“I am extremely proud of SRA, our IT team, and our trusted partners who all pitched in to focus on this achievement. Designing and implementing controls that focus on the security of Watchtower and our internal processes puts us in a great position to continue to provide industry leading services to our clients. Being able to participate in helping build and execute on mature processes shows that we have the character and fortitude to do what’s right for our existing team members and clients, while also paving the way for growth.” - Joe George, SRA Chief Technology Officer
In early 2021, we initiated a SOC 2 Readiness Assessment engagement by retaining an external auditing firm, to help ensure our internal controls were comprehensive. As of December 31, 2021, by obtaining a SOC 2 Type 1 report, SRA demonstrated that the design of its controls meets the AICPA Trust Services Criteria for Security, and validated and documented that SRA securely retains, stores, and processes proprietary client data. The SOC 2 report provides our organization, as well as our clients, assurance that the controls in scope are appropriately designed and in place, and that our clients' proprietary data is securely managed.
While going through the SOC 2 attestation process we picked up many best practices along the way. Here's what we learned:
Bring in auditors who specialize in SOC 2 Readiness Assessments. Don't waste time with management consultants; retain a reputable auditing firm to perform the readiness engagement and have them assist with the creation of the control criteria matrix that maps each Trust Services criterion to the controls and evidence that satisfy it.
Begin with a Type 1 focused on the Security criteria. A small scope keeps the effort simple and succinct and lets you build a solid foundation: you get meaningful controls in place and operating first, then slowly and methodically broaden the audit scope (additional criteria, and later a Type 2) while preserving and improving the controls you already have.
The rip tide is stronger than you are; fighting the current won't get you anywhere and will leave you exhausted and flailing. For this compliance marathon, make sure the initiative originates with leadership and has unwavering top-down support from upper management.
Communicate, communicate, and then communicate yet again. Most organizational culture changes arrive with plenty of innovation and hopeful promises, whether new processes or modified procedures, so engage all stakeholders. Don't overlook the importance of preserving the current company culture through organizational change management. Develop a communication strategy built on transparency, so everyone is aware, well informed, and part of the overall effort. That creates a sense of ownership and brings the team into alignment around the common compliance goal rather than around the newly imposed process rigor.
Take the time to build a compliance roadmap and use a project management methodology to oversee the effort. It's tempting to jump right in, but first define the initiative's objectives, scope, and constraints, then plan the overall effort.
Ensure that your internal controls are meaningful and sustainable. Don't over-engineer; standardize. Controls should be recurring mechanisms, such as policies, procedures, and technical safeguards, implemented to protect your organization's assets by preventing errors and inappropriate actions. A control nobody can sustain will fail its next evaluation.
Once you obtain your SOC 2 report, continue to adjust and revise the organization's internal controls as the organization grows and matures. A Type 1 is a point-in-time opinion; a Type 2 will require evidence that each control operated throughout the review period, so make sure a named individual is accountable for maintaining the controls and for continuing to gather and monitor control evidence.