One of the most important jobs of a CoE (Center of Excellence) is gaining and then maintaining compliance with various standards. And as you're painfully aware, there are plenty of standards to comply with. In addition to the old standbys like SOX, HIPAA, PCI DSS, FISMA, and GLBA, we now have GDPR if your business handles the personal data of people in the EU, and the CCPA is heading down the tracks from California.
If you're a SaaS company (like we are at iGrafx), you also have SOC 2 to contend with. SOC 2 is part of the American Institute of CPAs (AICPA) Service Organization Control reporting framework (the AICPA now expands the acronym as System and Organization Controls). In a nutshell, it's an attestation engagement: an independent CPA firm examines whether a service provider's controls over client data are suitably designed and, for a Type II report, whether they operated effectively over the review period. A Type I report only covers control design at a point in time, which is worth checking when you're evaluating a vendor's report.
Getting a SOC 2 report isn't easy. It's a rigorous process in which the CPA firm audits the company's controls against the AICPA Trust Services Criteria: security is always in scope, and availability, processing integrity, confidentiality and privacy are added as applicable to the service. You might care about this for a couple of very important reasons: 1) You're choosing a service provider that will be storing your personal data (or your company's data) in the cloud; and/or 2) You're a service provider that needs to go through the process yourself. Likely, and wisely, you'll be thinking about both.
As the head of iGrafx's engineering department, I just led our team through the process of becoming SOC 2 certified, and I'm happy to say that we passed without issue after the very first audit. I'd like to say that my own personal brilliance earned us the result, but honestly, I had an ace in the hole: our own iGrafx software!
Here's a quick example of how iGrafx used iGrafx to achieve SOC 2 compliance. First, because iGrafx is essentially the system of record for a CoE, it lets you create relationships between Roles, Resources, Processes and Documentation with little effort. You can also enter risks and controls and generate reports such as heat maps, all of which let you see any compliance gaps that exist.
After that, the iGrafx workflow capability helps you maintain compliance. In the case of SOC 2, for example, you need to ensure that each employee has a job description and that the employee understands their role, with a checkpoint every year. You also need to flag roles that are security-relevant (e.g. roles with access to personal data). By building and linking roles, documentation, approval requirements and reports, you can fairly easily satisfy the part of SOC 2 that relates to having a job description for each employee, together with an audit trail showing that employees have discussed their roles with their managers at least once a year. If the role has access to sensitive data, you can create a relationship for that, too, so the auditor can trace the role to the control that governs that access.
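To make the control above concrete, here is an added example (my own illustration, not iGrafx code or iGrafx's data model) of the check an auditor will effectively perform against your evidence: every employee has a linked job description, the role was reviewed with a manager within the last year and that review was approved, and any role handling personal data is linked to an access control. The record fields, the constructed roster and the 365-day window are assumptions; adjust them to whatever your system of record exports.

```python
"""Annual role-review control check (added example, not iGrafx code).

Assumes a constructed roster export with, per employee, a linked job
description, the date the role was last discussed with the manager, who
approved that discussion, and whether the role touches personal data.
All field names and the sample data are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: "at least once a year" means no more than 365 days since
# the last recorded review as of the date the check is run.
REVIEW_PERIOD = timedelta(days=365)


@dataclass
class RoleRecord:
    employee: str
    role: str
    job_description_doc: Optional[str]  # document id; None if nothing linked
    last_review: Optional[date]         # manager/employee role discussion
    review_approved_by: Optional[str]   # manager who signed the review off
    handles_personal_data: bool
    access_control_doc: Optional[str]   # control linked to sensitive access


@dataclass
class Finding:
    employee: str
    gap: str


def check_role_controls(records: List[RoleRecord], as_of: date) -> List[Finding]:
    """Return one Finding per control gap; an empty list means no gaps."""
    findings: List[Finding] = []
    for r in records:
        if not r.job_description_doc:
            findings.append(Finding(r.employee, "no job description linked"))
        if r.last_review is None:
            findings.append(Finding(r.employee, "no role review on record"))
        else:
            if as_of - r.last_review > REVIEW_PERIOD:
                findings.append(Finding(
                    r.employee,
                    f"role review overdue (last {r.last_review.isoformat()})"))
            if not r.review_approved_by:
                findings.append(Finding(r.employee, "role review lacks manager approval"))
        # A role with access to personal data must trace to a control.
        if r.handles_personal_data and not r.access_control_doc:
            findings.append(Finding(
                r.employee, "handles personal data but no access control linked"))
    return findings


def gaps_by_employee(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings for a per-person remediation list."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.employee, []).append(f.gap)
    return out


def sample_roster() -> List[RoleRecord]:
    """Constructed sample data, not a real export."""
    return [
        RoleRecord("alice", "DBA", "JD-101", date(2019, 1, 15), "mgr-1", True, "CTRL-ACCESS-7"),
        RoleRecord("bob", "Support", None, date(2018, 3, 1), "mgr-2", False, None),
        RoleRecord("carol", "Analyst", "JD-103", None, None, True, None),
        RoleRecord("dave", "Developer", "JD-104", date(2019, 5, 1), None, False, None),
    ]


if __name__ == "__main__":
    for f in check_role_controls(sample_roster(), date(2019, 6, 1)):
        print(f"{f.employee}: {f.gap}")
```

Run against the constructed roster as of 2019-06-01, the check reports nothing for alice and flags bob (no job description, review overdue), carol (no review, personal data without a control) and dave (review not approved). The point of keeping the output per employee is that it doubles as the remediation list and, once it comes back empty, as the evidence you hand the auditor.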
I'd be happy to talk to you about all of the ways that iGrafx used iGrafx to achieve SOC 2 compliance, so please comment or reach out to me directly. While we're chatting, I can also tell you how iGrafx used iGrafx to become GDPR compliant!
For more information, you can also download our latest press release, "iGrafx Completes Service Organization Controls 2 (SOC 2) Report under AT-C Section 205". Enjoy!