2023 SOC 2 Type II Attestation

Key Takeaways for SOC 2 Compliance

Why is a SOC 2 attestation important for a service provider?

In today’s tech world, it is often difficult to determine which businesses you can rely on to keep your data secure, and the cost of cybercrime is predicted to hit $8 trillion globally in 2023. See Forbes, Cybersecurity Trends & Statistics for 2023. Cybersecurity threats are on the rise, with ransomware, malware and threats from artificial intelligence and machine learning software foremost in our minds, and supply-chain threats now affect all companies, big and small.

With growing security concerns, obtaining a SOC 2 report (a gold standard for implementation of cybersecurity controls and processes) instills trust and attracts customers by proving that a company’s security framework is reliable. At Aidentified, we want our customers and partners to rest assured knowing that Aidentified’s security controls have been independently evaluated and rigorously tested in areas such as:

  • Incident response
  • Disaster recovery
  • Access controls
  • Vulnerability scanning and monitoring

We continue to adhere to high cybersecurity standards as we grow and evolve. Frankly, our customers demand that we have fundamental security building blocks in place before they will do business with us, and SOC 2 is key to our growth and, ultimately, our success.

In 2021, we began our SOC 2 journey, and we are proud and excited that our small but mighty company has once again been able to obtain our SOC 2 Type II attestation. This is a significant milestone for a small company of about 30 employees, and you may be interested in how we achieved and continue to achieve SOC 2 compliance.

Here are a few key takeaways for small and mid-size companies with respect to the SOC 2 compliance process:

  • Once your company has determined that it wants to pursue SOC 2 compliance, it is important to pick your SOC 2 partners and tools.

Not all tools are created equal; choose yours carefully. Aidentified partnered with Vanta as our Governance, Risk and Compliance (“GRC”) SOC 2 compliance tool. GRC tools are very helpful, especially for small and mid-size companies, in implementing and monitoring an internal security program: appropriate policies, security training, device monitoring, software vulnerability testing, vendor management, and more. Aidentified also interviewed and picked our independent SOC 2 auditors, Geels Norton, very early on in our SOC 2 journey. Make sure your auditor “fits” your company and is also willing to provide some advisory services as you build out your SOC 2 program; for example, our auditors are adept at working with technology start-ups and are also a preferred assessor for Microsoft.

  • Make sure you have buy-in for SOC 2 compliance at all levels of the company, including your Board of Directors.

Becoming SOC 2 compliant typically entails widespread changes to how you implement your internal company processes. Your company needs to understand this and should be committed, at all levels and across all teams (from HR to customer service to product and technology), to prioritizing SOC 2 requirements.

  • Choose your SOC 2 team wisely.

You do not necessarily need employees with dedicated information security titles to be able to put a SOC 2 team together. You will need your Chief Technology Officer and designated security personnel on your technology team, and, at a minimum, a program manager (this can be a dedicated operations or legal operations resource) and one or two non-technology back-end process resources. Aidentified also benefited from the assistance of a compliance security consultant.

  • Once you receive your first SOC 2 attestation, make sure you continue to monitor and improve your internal processes.

Do not make the mistake of becoming complacent once the first attestation is achieved: continue to schedule your regular security review meetings, your access reviews, policy updates and SOC 2 remediation check-ins (based on the priorities included in your management letter to-do’s).

Juliana is the General Counsel and Chief Privacy Officer for Aidentified, a leading AI-powered relationship-based prospecting and data enrichment technology provider. She brings decades of legal experience and privacy expertise to her pointed in-house legal insights, having worked as counsel for both small data technology start-ups and powerhouse data services companies such as Dun & Bradstreet and Dow Jones/Factiva. She enjoys sharing her insights about compliance, privacy and security issues to help organizations do the right thing and understand the importance of these issues for their ultimate business success.
