SOC it 2 ‘em

February 25, 2022

SRA Achieves SOC 2 Type 1 Compliance!

Written by: Rachel Mains, Director of Information Security

Since 2008, Strategic Risk Associates (SRA) has worked closely with financial institutions across the nation to help customers build a more mature risk management program. As former veteran bankers and regulators, we understood how technology could help financial institutions aggregate data from across the organization to offer actionable insights and the foresight needed to manage risk and performance. With this knowledge and experience, SRA developed Watchtower, an integrated risk and performance management SaaS solution hosted on both AWS and Google Cloud.

Watchtower aggregates thousands of KRI and KPI risk data points that roll up into multiple dashboard visualizations. While the dashboards are designed to be intuitive and easy to understand for the end user, behind the scenes Watchtower is firing on all cylinders, transforming customer file exchange flows into organized, cloud-hosted data pipelines. From day one, SRA has made security and privacy our #1 priority.

What’s a SOC 2 Type 1 Compliance Report?

A SOC 2 Type 1 compliance report is the product of an external audit of a service organization’s system and the suitability of the design of its controls, accompanied by comprehensive report findings. The report describes the systems and controls currently in place and reviews the documentation around those controls. It validates that all administrative, technical, and logical controls are sufficiently designed. A Type 1 report speaks to the design of controls at a point in time; a Type 2 report additionally tests whether those controls operated effectively over a review period.

Figure: SOC 2 Audit Process

Why is SOC 2 so Important to SRA?

Because we wanted to demonstrate to SRA customers that we maintain thorough internal controls and policies, we pursued and achieved SOC 2 Type 1 compliance. SRA wanted to substantiate not only the organization’s dynamic procedural documentation, but also the comprehensive and detailed processes in place to protect our systems and safeguard our data.

“I am extremely proud of SRA, our IT team, and our trusted partners who all pitched in to focus on this achievement. Designing and implementing controls that focus on the security of Watchtower and our internal processes puts us in a great position to continue to provide industry leading services to our clients. Being able to participate in helping build and execute on mature processes shows that we have the character and fortitude to do what’s right for our existing team members and clients, while also paving the way for growth.” - Joe George, SRA Chief Technology Officer

Consequently, in early 2021, we initiated a SOC 2 Readiness Assessment engagement by retaining an external auditing firm to help ensure all internal controls were comprehensive and all-encompassing. As of December 31, 2021, by attaining SOC 2 compliance, SRA demonstrated adherence to the requirements of the AICPA’s Security Trust Principle. The engagement likewise validated and documented that SRA securely retains, stores, and processes proprietary client data. The SOC 2 report gives our organization, as well as our clients, assurance that all reporting controls are appropriately designed and in place, and that our clients’ proprietary data is securely managed.

7 Lessons Learned While Getting in SOC 2 Shape

While going through the SOC 2 certification process, we picked up many best practices along the way. Here’s what we learned:

1.  Say No to Imposters

Bring in auditors who specialize in SOC 2 Readiness Assessments; don’t waste time with management consultants. Retain a reputable auditing firm to perform the readiness engagement and have them assist with the creation of the control criteria matrix.

2.  Just KISS it

Begin with a Type 1 focused on the Security trust criteria. A small scope affords the ability to create a solid foundation and keeps the effort simple and succinct. Limiting the scope lets you get meaningful controls in place and operational first; you can then slowly and methodically broaden your audit scope while preserving and improving upon those existing controls.

3.  Don’t ever fight a Rip Tide

A rip tide is stronger than you are, so fighting against the current won’t get you anywhere and will leave you exhausted and flailing. For this compliance marathon, make sure the effort originates with leadership and has unwavering top-down support from upper management.

4.  Walk the Talk

Communicate, communicate, and then communicate yet again! Most organizational culture changes bring a lot of innovation coupled with hopeful promises, whether new processes or modified procedures, so engage all stakeholders. Do not ignore the importance of retaining the current company culture through organizational change management. Develop a communication strategy built on transparency, so everyone is aware, well-informed, and part of the overall effort. This creates a sense of ownership by bringing the team together around the common compliance goal, rather than leaving them to focus on the newly established process rigor.

5.  The Road to Success is Always Under Construction…

Take the time to build a Compliance Roadmap and use a project management methodology to oversee the compliance effort. It’s tempting to jump right in; however, take time to define the initiative’s objectives, scope, and constraints, and then plan the overall effort before starting.

6.  Rinse and Repeat

Ensure that your internal controls are meaningful and sustainable. Don’t over-engineer; standardize. Controls should be recurring mechanisms, such as policies, procedures, and technical safeguards, implemented to protect your organization’s assets by preventing errors and inappropriate actions.

7.  We did it!

Once you achieve SOC 2 compliance, continue to adjust and revise the organization’s internal controls as the organization grows and matures. Ensure there is an individual who is accountable for maintaining the controls and for continuing to gather and monitor control evidence.

To learn more about Watchtower and how we keep our customers' data secure, contact us today for a live demo.
