The MSP's Guide to SOC 2: How to Get Started and What to Expect
MSP Business School, May 14, 2024 | 190 | 29:55 | 41.09 MB

In the latest installment of MSP Business School, Brian Doyle hosts an insightful conversation with compliance experts Beau Bataud and Angelika Mayen from Render Compliance. The episode zeroes in on the increasingly critical subject of SOC 2 compliance for Managed Service Providers (MSPs), delving into the nuts and bolts of the process and offering pearls of wisdom for businesses considering the SOC 2 journey.

The discussion kicks off with a detailed expedition into the SOC 2 process, demystifying the steps from an MSP's standpoint. Beau and Angelika highlight the importance of involving experienced personnel or consultants early on and underscore the value of engaging with auditors in the initial stages. Offering a rare peek behind the SOC 2 curtain, they detail the differences between SOC 2 Type 1 and Type 2 reports, explaining the significance of each type in establishing and demonstrating a company's commitment to security and compliance.

Key Takeaways:

  • MSPs looking to obtain SOC 2 compliance should start by evaluating in-house expertise, consider working with consultants, and connect with auditors early in the process.

  • SOC 2 Type 1 vs. Type 2: Type 1 evaluates the design of controls at a point in time, while Type 2 assesses how those controls operate over a period.

  • Engaging with technology and tools such as compliance platforms can streamline the SOC 2 process by organizing tasks and centralizing evidence collection.

  • Timeline and cost: A typical SOC 2 engagement may span nine weeks, with costs starting from $16,000 up to $40,000, depending on various factors like business size and control complexity.

Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!

[00:00:03] Welcome to MSP Business School, led by our Deans of Business Development, Brian Doyle, Tim McNeill and Rob Rogers.

[00:00:11] Each week MSP Business School is committed to delivering you proven strategies, tips and tactics,

[00:00:18] for MSPs to accelerate their business growth and revenue through better sales, better marketing, and true account management.

[00:00:27] Classes start now, so let's get started. Let's throw it to the Deans!

[00:00:31] Hey, good afternoon everyone and welcome to the latest installment of MSP Business School as always.

[00:00:42] I'm Brian Doyle and I'm really excited to be here with y'all today.

[00:00:46] This is a topic that's becoming more and more near and dear to many MSP hearts.

[00:00:51] We're going to talk a little bit about SOC 2 and the process for that today.

[00:00:56] And I'm really excited to introduce a couple people that have been working and helping us out, both over at BCI out of Tulaox and Cybrans.

[00:01:03] As we start embarking on that journey as well, a little bit deeper.

[00:01:08] And I want to bring them to you so that you can learn a little bit about what that looks like.

[00:01:13] So I want to welcome today from Render Compliance.

[00:01:17] I've got Beau Bataud and I've got Angelika Mayen with me today.

[00:01:22] So I'm really excited. They've been a fun group for us to get to know over the last couple months and I'm excited to share them with all of you.

[00:01:29] Welcome guys.

[00:01:31] Thanks for having us on.

[00:01:34] Thank you for having us over.

[00:01:36] You bet. So I love to kick things off first with learning a little bit about the people that are speaking and let you share a little bit about yourselves as well with them.

[00:01:44] So Angelika, I'm going to start with you. Tell me a little bit about your background and how you ended up in the world of auditing, and, you know, how Render got started.

[00:01:53] Absolutely.

[00:01:54] So yeah, my name is Angelika or Angelica, both are correct, and I'm using them constantly because I don't even know how to say my name.

[00:02:02] I'm Polish.

[00:02:04] I came to the United States in 2014 for a summer break during law school to work in Yellowstone National Park, where I met my husband and shifted my career path towards the niche world of security compliance.

[00:02:19] After I obtained my law degree, a few years later I obtained a management information systems degree from the University of Montana in Missoula.

[00:02:31] After college, I got my first job at Moss Adams in IT compliance, where I met Beau.

[00:02:40] And the rest is history.

[00:02:47] As we worked together, we realized that we very much like working together and we had some ideas we wanted to implement and decided to start Render compliance together.

[00:03:00] Awesome. Thank you for sharing. I'm hearing a couple things in there too.

[00:03:04] Like I did not know you also had a legal background as well. That's a little stealth.

[00:03:10] You got to watch out for you. You're the smart one, smart and quiet.

[00:03:14] She's the chief legal officer.

[00:03:17] No, I do like this.

[00:03:20] This costs things.

[00:03:23] And Beau, how about yourself? Tell us a little bit about your background.

[00:03:27] Yeah. So I have a less exotic history. I grew up in Seattle, Washington and went to school in Seattle, Washington and I'm living in Seattle, Washington.

[00:03:39] I like to keep it consistent.

[00:03:42] But yeah, I started my career in financial audit and did that for a couple years before pivoting over to auditing IT security.

[00:03:56] And yeah, worked in a couple of frameworks over the years. But definitely the bread and butter has been SOC 2 for SaaS companies, a lot of SaaS companies.

[00:04:09] And yeah, otherwise, living here with my wife and her two kids and a dog and making it work.

[00:04:21] The American Dream as they say, right? But that's good stuff. Well, you know, as I love to shift, you know, hearing a little bit about the backgrounds it allows me to get to know you a little bit better too. So thank you for that.

[00:04:34] You know, what I'd like to talk about a little bit today is, you know, we've seen that the MSP community is really looking at SOC 2 a little differently.

[00:04:43] Before, it was something we really just held our vendors to, right. We were looking for the vendors that we were using to have that.

[00:04:49] But we're seeing now, as we're getting more and more involved with security and compliance requirements on behalf of our customers, in conjunction with our customers,

[00:04:58] that there's becoming a trend where we need to be SOC 2 MSPs as well. And I know a lot of my, you know, my mature MSPs have already embarked on that journey and gone on down that road.

[00:05:08] And so we're seeing more and more of that occurring in the industry as everybody kind of gets a little bit more educated to what that really means.

[00:05:17] But the big question that always comes up, especially as I'm talking about GRC with my clients, is where do we start?

[00:05:24] You know, I'm an MSP, or really any company, and I want to think about obtaining a SOC 2. What are the steps I should be taking?

[00:05:32] And in those steps, where should I be engaging people to help me? Because I think that's the big question too. When do I pull on that string to get that support? So I don't know who would like to take that first.

[00:05:44] Yeah, I could take that. Those are awesome questions to be asking.

[00:05:51] In one way this answer will be nothing new, you know, try to use the people, process, technology framework, because that's a timeless way to look at things, right? So

[00:06:05] and yeah, I think

[00:06:09] for MSPs that are, you know, considering getting their own SOC 2 report,

[00:06:16] that's an awesome way to learn the process and then be able to kind of turn that around as a

[00:06:23] managed offering for your clients as well too, so these principles will probably apply to both of those situations.

[00:06:31] But yeah, like anything, like getting new endeavors started, start with people.

[00:06:37] Figure out, do you have someone in house who has experience implementing SOC 2 or an equivalent framework?

[00:06:45] So do they have that experience, and do they have the time needed to research it or organize it, etc.? Right.

[00:06:54] So if you don't have that person in house, then look for a consultant. You know, you don't have to hire a person full time to do that, probably, depending on your scope, but find a good consultant.

[00:07:10] You know, we have a lot of great consultants we could recommend that we work with that can

[00:07:18] streamline your process there.

[00:07:23] And then this is something we were chatting about earlier.

[00:07:27] I would say touch base, like find a good auditor early on and touch base with them early on.

[00:07:33] I think folks are hesitant to do that, like you mentioned, because you don't want to start a contract, you know, six months before you have to get a SOC 2, but

[00:07:46] at least for us, and probably a lot of other auditors, we love to talk to people early on, no commitment, and just figure out what their needs are,

[00:07:54] what their needs are and help them figure out, oh yeah, I need to do a SOC 2 Type 1 by this date, I need to do a Type 2 by this date.

[00:08:06] And just help them plan for it. So yeah, finding your good consultants and finding a good auditor early on and communicating your needs with them consistently.

[00:08:19] That would be huge right there.

[00:08:22] From that perspective, before we kind of dive in a little deeper, you know, you just shared that, and I'll say my experience in the past, and I shared it with you prior to the call, was my auditor that I had when we were running our data center.

[00:08:35] And, I'm sorry, because they shared some of the controls for us to consider, as opposed to us kind of going through the guesswork.

[00:08:42] And by doing that it really helped us streamline the process and definitely reduce the workload, because we were thinking much, much more broadly than they were thinking, but we were also looking at things that were truly irrelevant to actual operations, but things that we figured touched security, so we better throw them in there.

[00:08:59] And that is a good point and if I can chime in.

[00:09:04] The one thing also is, which I'm sure if you're working with the correct people they will definitely underline it, that yeah, we can share with you the templates, what makes sense for example for a database, but the big thing is to actually understand that in the end those are your controls.

[00:09:25] And so that's the thing that you have to have.

[00:09:28] So that's the thing that you have to have, unless it's a risk assessment; that's something you do need to have.

[00:09:35] Therefore, it is important to understand that in the end those are your controls and they have to make sense for you, because if they don't, then you won't really

[00:09:47] make sure that they are followed.

[00:09:51] Yep, that accountability is huge, and to your point, Brian, like it,

[00:09:57] I went through the process a while back of trying to

[00:10:03] think through, okay, if I was one of my clients implementing SOC 2 for the first time, where would I start, where would I go, you know, just like going on the AICPA website, downloading the criteria and everything.

[00:10:18] And it's just so complex, you know, trying to do that from scratch. Like you have the criteria, you have there,

[00:10:26] they map them to points of focus, but even that won't tell you those

[00:10:31] control statements, and Angelika was talking about that, that you need to own for your company, you need to define for your company.

[00:10:39] So yeah, really you need someone with experience who's gone through the audit process before and can tell you, yeah, for this set of systems, this is a standard control set that you can start with there.

[00:10:55] And you know, I know a lot of the MSPs that we work with are kind of standardizing on particular frameworks, a lot either going to CMMC because they worked in the government sector, or they're leaning on more broad ones like this

[00:11:08] Cybersecurity Framework 2.0 or CIS version 8, as an example, for really kind of building and managing their own internal controls. Can those frameworks support what we're doing and trying to achieve in SOC 2, and is that maybe a good place to kind of at least get initially organized?

[00:11:28] Yeah, I would say definitely, if you're already tracking a control framework like that, I would say definitely start with that and just map out what are the gaps.

[00:11:42] From there, I think there will probably be a few gaps. SOC 2 tends to be more high level, looking at overall organizational risk rather than super prescriptive technical controls.

[00:11:57] For example, SOC 2 is going to require that you have user access controls, logical access controls, in certain areas, but it's not going to mandate

[00:12:07] you have to have this type of encryption on this type of server, you know, like some of the frameworks do. So I would say yeah, if you already have one of those frameworks, start there, work with somebody to map out what are the gaps, set a timeline to

[00:12:23] remediate those gaps.

[00:12:26] And that's probably a perfect place to engage somebody like, you know, yourselves in that early part of the process: here's what I know, here's what I've already been able to prove out underneath my framework assessment.

[00:12:37] Now help me understand what I got to bring to the party in order to get through this process. So, you know, probably that's where I would see most of you as MSPs thinking about engaging, because I know you are going against things like the frameworks we talked about, or a CompTIA Trustmark,

[00:12:53] which is gaining traction in our industry as well, but there are those gaps. I know when we were looking at SOC 2 it definitely went beyond just our technical, you know, requirements.

[00:13:04] Yeah, yeah.

[00:13:06] Now maybe we can segue a little bit there, right, so now embarking on this SOC journey.

[00:13:12] What is the big difference between SOC 2 Type 1 and SOC 2 Type 2? That's another one that comes up often, and, you know, what are some of the key differences between each?

[00:13:26] I can yeah.

[00:13:28] Yeah, I want to.

[00:13:29] A timeline.

[00:13:31] Well, the difference between Type 1 and Type 2 is that the Type 1 exam assesses the description and controls as

[00:13:39] of a point in time, while Type 2 is over a period of time, and a period of time

[00:13:47] usually would be 12 months, but it could be nine or six, or as little as a three-month period.

[00:13:55] So that's the first step.

[00:13:57] Therefore, with Type 1 exams, I didn't really see any Type 1 exams with an exception, because let's say you're working towards

[00:14:13] having a SOC 2 Type 1

[00:14:16] attestation, and it turns out you actually don't have something implemented, but you thought you did. You can just push the date and work with the auditor to push that date and implement it, and like come back and do the examination kind of again.

[00:14:32] And then issue the report, because again it is like as of a point in time, how your controls are designed, while Type 2 is how the controls are designed and how

[00:14:42] they are operating effectively over the period of time that happened in the past. Therefore,

[00:14:50] if the control says that the access for the terminated users will be removed within 24 hours and it wasn't,

[00:15:01] therefore there's an exception. Which, yeah, hopefully that answers the question.

[00:15:06] I think it does, because what I'm hearing here, and keep me honest, is, you know, really in Type 1 you're designing the controls so you can actually show what you're going to ultimately end up measuring, and you're going to show that those controls at least have a level of effectiveness on that date, but you're not putting any proof to that you're actually adhering to the control at that stage.

[00:15:25] Am I correct in kind of that summation of level one? And then level two really, we kind of, Type 2, excuse me, really becomes, all right, now we've got the proof in the pudding.

[00:15:34] We got to run these controls for a period of time, and once we get to the end of that we got to show that we've done them, and of course if we missed anything along the way the auditor's going to put that in as an exception.

[00:15:44] We're going to take corrective action. And I think something to underline is that with Type 1 we still test. Like we would still ask for your information security policy, risk assessment, for a sample of the terminated users, and we'd still look at the

[00:16:04] configuration settings or proof showing that, yeah, the access was disabled within, depending what the control says, 24 hours, four hours, and so on.

[00:16:13] The thing is that with the Type 2 we have a population. So let's say within the last one year, and the period is 12 months,

[00:16:25] you had 20 people who were terminated, we would ask for example for five samples randomly, and then we would test whether that access was removed or was not removed.

[00:16:39] Terrific, I mean that's a great distinction, because, you know, I myself was wondering what was the level of testing that actually occurs at Type 1, or is it just strictly outlining what your controls are.

[00:16:51] Do you see people skipping Type 1 and going straight to Type 2 as well, you know, just saying like, we know where we are and we've got our design, and now we're going to go to, you know, the full compliance component? Or is Type 1 ever a requirement?

[00:17:04] Yeah, you definitely see it, and that's always part of our conversation when clients are implementing SOC 2 for the first time: do we start with Type 1 or go straight for Type 2?

[00:17:18] And so it's definitely

[00:17:21] it's definitely pros and cons, and figuring out what's right for your company, because

[00:17:28] let's say you have a very mature control environment and you're confident your controls are in place, you've communicated well with your auditor leading up to it, and you just want the Type 2 report in hand as soon as possible.

[00:17:50] That's a great scenario to just skip the Type 1 and go straight for the Type 2.

[00:17:58] You know, the big pro there is you save all the time and money of

[00:18:03] going through the Type 1. It is often cheaper from audit fees than a Type 2, but it's still going to be, you know, maybe 80% of the,

[00:18:14] 70% of the Type 2 audit fees, so still a big lift.

[00:18:19] But conversely, you know, what can happen there is

[00:18:24] you go straight for the Type 2,

[00:18:27] the auditor comes in, you know, three months later let's say, and is looking back at that three-month period, and let's say you were wrong, you know, you had a whole bunch of things

[00:18:38] that you're not doing. Those will show up as exceptions on the SOC 2 report in that case, you know.

[00:18:48] That's okay still, like it's certainly common to see exceptions on a SOC 2 report.

[00:18:57] But you just have to be aware that that can happen, right? And like,

[00:19:04] be prepared to have those conversations with your clients who are reading your report, saying why do you have this exception, you know.

[00:19:12] So.

[00:19:13] Just to add to it: it's not only exceptions, it's also definitely heavier on your team. Like the team doesn't really know what to expect; they might have some experience, but

[00:19:29] even if they do have experience and they know what the process would look like, like it's

[00:19:33] it's a new company, it's a new control set, it's your organization, it's a new system.

[00:19:38] Therefore there's no requirement to do Type 1 before Type 2, but it makes sense.

[00:19:46] Yeah, it could be just a good best practice, especially if you're early in the process, right, to get yourself established and know that you've got the right controls in place and have somebody validate that.

[00:19:57] You could see a very strong need for Type 1. But, you know, certainly if you've been doing it for 10 years and your controls are mature and you know what the outcomes are that you're expecting, it's really just the new controls that come up as things evolve that might be,

[00:20:10] you know, a little bit more challenging at that stage.

[00:20:13] You know, you touched upon something else too, about the exceptions, that's intriguing to me, because obviously, you know, the goal for this is really to prove trust, right? That's a big part of why we go through this process with our end user customers.

[00:20:25] And, you know, while everybody will have some level of exceptions, some exceptions carry more weight than others, and, you know, too many exceptions can turn somebody off. And I used to joke when I was in the data center world, it was as much a marketing experience as it was a

[00:20:40] controls and trust experience for us, because, you know, it's kind of that rubber stamp. When people are coming to our data center: are you SOC 2 Type 2? Yes. Okay, that checks the box.

[00:20:50] So I think for those that are looking at those reports, if you've got a SOC 2 Type 2 but you've got too many exceptions, that's a caution.

[00:20:59] It could cost you the opportunity to work with some people, I'm sure. Right, we were just speaking with a prospective client this morning, basically asking,

[00:21:09] you know, like, so how bad is it to get an exception on your SOC 2 report?

[00:21:17] And yeah, it definitely depends on who your report readers are. Some industries are going to, like you said, like

[00:21:25] take those more seriously than others. Some people are just going to look at that as a red flag, even that you have an exception.

[00:21:33] Some are going to look at it as a completely normal thing. It just depends, right? Yeah, but

[00:21:38] but yeah, I would say in general, like it is normal to get some testing exceptions. Like you see that on the SOC 2 reports for the biggest software providers out there, you know, sometimes like Microsoft, and on those auditors will find,

[00:21:55] and it's a very normal part of the process. You know, the testing will show up: for two out of 20 sample users or sample accounts or whatever it is,

[00:22:09] this was not enabled. That will be the finding, right? And then

[00:22:14] management will have a chance on the report to explain the context around that, or their mitigating actions, what they did after the finding was

[00:22:24] uncovered, fixed the process, etc. So yeah, I think it's a normal part of the process to get some of those minor exceptions, you could get.

[00:22:37] But yeah, then there are more, I was explaining to our prospective customer, like as the auditor we evaluate everything through the lens of risk, right?

[00:22:49] And so there are some exceptions that are worse and could end up,

[00:22:55] so what we're doing through the SOC 2 report is giving our opinion, right? And a good opinion is an unqualified opinion,

[00:23:04] meaning yes, your system is operating as you described it. But a bad opinion basically could be a modified or qualified opinion, saying

[00:23:16] in this area your system did not operate as you described it, consistent with these criteria. And so if there are some of those significant exceptions, let's say for example

[00:23:31] you just don't have a process to remove access for terminated employees, right? Let's just say you just leave them the access after they actually leave the company.

[00:23:43] That would be bad. That would be something that we would say would qualify our report opinion.

[00:23:50] So yeah, that's kind of an overall summary there, I think.

[00:23:55] So less is more when it comes to audit attestation, you know. If you're getting simple replies, that's what the expectation is. If there has to be any

[00:24:04] color commentary added to it, you probably got something that might be a little, at least, loose from a continuous perspective.

[00:24:11] So, you know, we're getting near the end of our time, but I do have one other thing that I would love to, you know, get your feeling for, or have people talk a little bit about, like the timing of this and what that lift and burden is going to look like.

[00:24:23] And of course the big thing out there, you know, what is the average cost of doing this process from an external factor standpoint?

[00:24:31] Maybe those are some things you can share I'm sure they range based on sizing complexity of customers but you know what is you know what does an engagement look like what should somebody expect in terms of time and duration.

[00:24:44] So I can take that question from the point of timeline.

[00:24:49] So our process is designed so that it would on average take around nine weeks from the time when we meet with the client and define the scope, assuming that the client already has the list of controls

[00:25:06] created. From defining the scope, the client provides us with the list of controls; based on that we create the list of evidence that we need to test those controls.

[00:25:21] Then we meet with the client during the fieldwork week for around eight to twelve hours, depending again on the complexity and what is within the scope,

[00:25:34] where we talk with the control owner of each control to understand the process and to be able to test each of the controls.

[00:25:46] After that, within two weeks from the fieldwork, we provide the draft report to the client, and once we have mutual agreement there, we issue the report, around nine weeks from when the process started.

[00:26:04] Anything to add there, Beau?

[00:26:07] No, yeah, just speaking to the other aspect of that question, kind of closing the loop: we covered people, that was a lot about the process, and then

[00:26:19] you're supposed to wait until you've defined those two things to look at technology, right? That's best practice. So yeah, hopefully you've defined your requirements, you've defined your people, and then

[00:26:31] then you can look at what's the best technology platform to get this done. And there's a lot of good options out there. I mean, yeah, there's everything from, you can be successful using Excel and, you know, tickets, to

[00:26:50] like a fully automated evidence collection system that's designed for frameworks like SOC 2.

[00:26:59] And I mean, yeah, you didn't ask for a product plug here, Brian, but that's like something that your tool, your platform, can greatly

[00:27:13] add value in, keeping everything in one place, organized, getting tasks to the right owners for each type of action, right? So

[00:27:23] after you define that, then you can look at the tech stack.

[00:27:28] And the other question that you asked is about pricing, right? Yeah, just kind of a plug: we actually are pretty transparent and we put our pricing on the website.

[00:27:40] It starts from, it obviously depends on the size of the business, complexity,

[00:27:48] number of controls, maturity of the program, and so on.

[00:27:50] But it would start from 16,000 for SOC 2 Type 1,

[00:27:56] up to 40,000 for SOC 2 Type 2.

[00:28:00] Perfect.

[00:28:01] Perfect.

[00:28:02] Perfect.

[00:28:03] That gives everybody kind of a sense out in the marketplace of what that effort will cost you.

[00:28:08] You know, certainly numbers vary everywhere.

[00:28:10] But that's in line with what we were paying previously.

[00:28:13] So it seems to be pretty standard throughout the industry.

[00:28:18] Well, you know, Beau and Angelika, really appreciate you guys coming on. To find Beau and Angelika,

[00:28:23] you can go to rendercompliance.com and when you're there, make sure you go to the resources section,

[00:28:28] rendercompliance.com/resources.

[00:28:31] They've got a lot of great material to help you get started and get organized as you embark

[00:28:36] on your type 2 as well.

[00:28:38] As always, we'll be putting their LinkedIn profiles with all of our notes that go with

[00:28:43] our videos up on YouTube.

[00:28:45] And of course, anywhere that you download your podcast from as well.

[00:28:48] I want to thank both of you for joining me today.

[00:28:51] I'll stop here and just ask any closing thoughts before we say goodbye.

[00:28:55] Yeah, no, thanks.

[00:28:58] Thanks very much for having us on, definitely feel free to reach out with any questions.

[00:29:05] Maybe you're getting this going as a product offering for your MSP.

[00:29:11] We'd love to just be a resource for you, again, no commitment, feel free to reach out and

[00:29:18] being with any questions.

[00:29:20] Absolutely.

[00:29:21] As you noticed, we love talking about boring SOC 2.

[00:29:24] For myself,

[00:29:25] I'm pretty sure I'd do so any time, and we will be happy to help.

[00:29:30] So thank you so much Brian for having us.

[00:29:32] I just remember that boring is only to the beholder, right?

[00:29:36] What you guys talk about is very interesting to me; what I talk about is not interesting

[00:29:40] to my mother at all.

[00:29:41] So it's all about your audience.

[00:29:44] Thank you so much, guys.

[00:29:45] Really appreciate you joining me today, and it's always been a pleasure working with you, looking

[00:29:48] forward to doing more of it.

[00:29:49] Thanks, Brian.

[00:29:50] Thanks, Brian.

Tags: Frameworks, maturity, MSPs, Beau Bataud, Angelika Mayen, GRC, Moss Adams, management information system degree, consultant, law degree, vendors, CMMC, MSP Business School, auditing, security compliance, Render Compliance, auditor, SOC 2