2. Who is this Emily Person Anyway
Background
Fun Facts
● UNIX SysAdmin/Operations/DevOps background
● Experience in Security Incident Response, Security Research, Security Engineering
● Mentor for SANS’ Women’s CyberTalent Immersion Academy
● Opinionated about SOC 2
● Currently recovering from burnout
● My favorite computer game is Nethack
● Only one of the cats you will see here today is mine
5. Why SOC 2
1. SALES
2. Useful for SaaS companies when they are ready for customers
3. Not as difficult to get as FedRAMP, PCI, or HIPAA
4. SALES
6. SOC 2 Background
● SOC stands for System and Organization Controls (formerly Service Organization Controls)
● The AICPA sets the standards for these reports: they’re auditors and CPAs
● SOC 1 is all about a company’s financials
● SOC 2 is about a company’s security
SOC 2 is about COMPLIANCE, not SECURITY.
7. Key Vocabulary
Trust Services Criteria: formerly Trust Principles, the 5 areas you can get certified in
Policies: you need a set of policies that define how your company does security
Control Item: an individual thing you have to do to meet your Trust Services Criteria
Type 1 and Type 2: Type 1 is a point-in-time report. Type 2 shows that you meet the requirements over a period of time.
Auditor: you have to have one. Remember this is a CPA and not a security person.
8. Trust Services Criteria (formerly Trust Principles)
● Security (aka the Common Criteria, every SOC 2 cert includes it)
○ Access Control: protect against unauthorized access and disclosure
● Availability
○ systems are available as needed
● Processing Integrity
○ processing is complete, valid, accurate, and timely
● Confidentiality
○ information designated as Confidential is protected
● Privacy
○ personal information is only collected, stored, used, and disclosed as necessary
9. SOC 2 Simplified
1. Pick your Trust Services Criteria.
2. Make sure you do the things that you need to meet your Control Items.
3. Write policies and processes that match what you do.
4. Pick an Auditor.
5. Prove to the Auditor that you do what you say you’re doing.
10. SOC 2 can help your security team
There are a few key things that you can do that will help your SOC 2 efforts and also help security.
● Single Sign On: this will greatly simplify all of the Access Control requirements
● Centralized Logging: you need somewhere to examine your logs and alert based on oddities.
● Protecting Production: set up protections around pushing code (Change Management), and accessing production (Roles, not direct user access)
11. SOC 2 - can I automate that?
You can do all of the work of proving your policies are backed up by your actions by hand. However, there are vendors that will allow you to automate much of the work of tracking your progress and collecting evidence.
● A-Lign
● Drata
● Tugboat Logic
● Vanta
12. Opinions from a weary security/compliance person
1. Don’t try to use SOC 2 to build your security program. That’s not what it’s for.
2. Make sure your executives understand what they’re committing themselves and the company to before you agree to work toward any compliance certification, including SOC 2. If you hear any executive at your company say that they don’t want to learn about Security, it’s a bad sign.
3. Start with only the Common Criteria (Security) for your first year, especially if you’re at a smaller startup; you can always add on later. It’s much harder to reduce the scope of your work after the fact.
4. Make friends with the SRE/infrastructure team. They will help you integrate everything and get you your evidence.
14. What Mindfulness Isn’t
Mindfulness is a tool to help you become more aware of your feelings and the world around you. It won’t fix any problems, but it can reduce tension and help you relax.
“You cannot self-love your way out of systemic oppression.”
- Ragen Chastain
15. Mindfulness is the basic human ability to be fully present, aware of where we are and what we’re doing, and not overly reactive or overwhelmed by what’s going on around us.
● Reducing tension
● Body awareness
16. A Quick Exercise: Shoulder Tension and Relaxing
1. Start in a neutral position with your shoulders down.
2. Raise your shoulders up toward your ears as high as you can.
3. Hold for 5 seconds.
4. Lower your shoulders back to neutral.
17. A Quick Exercise: Breathing
1. Breathe in for 5 seconds.
2. Breathe out for 10 seconds.
3. Repeat.
Optionally, say a few words to yourself as you inhale and exhale, like “It’s OK… let it go.”
19. Progressive Tension/Relaxation
You work your way through the major muscle groups, starting from your feet and moving up your body. Tense, hold for 5 seconds, then relax.
Do this either when sitting with your feet flat on the floor, or when lying in bed.
20. Other Ideas for Relaxing
● Animal Web Cams (I’m fond of the Monterey Bay Aquarium Jelly Cam)
● Mindfulness meditations on YouTube (including ones with profanity)
● An app for that: the Calm app
21. Next Steps with Mindfulness - Body Awareness
Tension in a specific part of the body can be tied to a specific emotional state or mood.