How Resolver Achieved InfoSec Compliance Using Software

As a SaaS provider, our InfoSec Team is also responsible for the DevOps environment, including a number of AWS services used to deliver our services to customers.   That’s why in addition to the full-time job of protecting the company from threats, the InfoSec team also spends their time responding to information requests from prospects and customers, who want to verify that Resolver is operating at the highest level of protection. These requests typically come in the form of RFPs or questionnaires, each of which are unique to the company issuing them and generally vary in length and requirements. To simplify the process and ensure that we are always providing best-in-industry responses to customers and prospects, the Resolver team undertook the process of certification.

In 2018, we undertook 3 certifications — SOC 2 Type 2, HIPAA and ISO 27001 using a manual process. The InfoSec team was on the hook for all of it. They engaged an external SOC 2 consultant to help scope applicability of the citations in the authority document, identify gaps and define the controls required.

During this process, Vladimir was the control owner for all required controls. He managed the delegation of evidence collection through the manual distribution of controls, personally trained end-users and answered any and all questions they had. Then, he interfaced directly with the auditors and managed all remediation efforts. The entire process was managed using Excel, online directories and emails.   As you can imagine, this was very time consuming.

In the end, the team persevered. The process took 7 months, they collected 900 pieces of evidence, and only had 3 minor findings in the SOC 2 audit.

This excitement would be short lived. In 2019, the SOC 2 changes meant that there were even more requirements that they had to comply with, all while working to add additional certifications.

Something had to change.

“Before we used the IT Risk and Compliance application, our process was a nightmare. I had to create multiple Excel sheets and manage hundreds of shared folders to collect the evidence required for compliance from each of the company’s control owners. I was constantly chasing people to provide their documentation. Communication was also challenging. Since everything was managed through email or instant message, there were several instances of miscommunication resulting in control owners producing the wrong documentation and having to redo their work. It was a long, frustrating and often redundant process for everyone involved.” — Vladimir Finkinshtein, Information Security Analyst, Resolver

Implementing the tool was a game changer for Vladimir and the InfoSec team.

They implemented the IT Risk and Compliance application to centralize and simplify their certification process. The newly changed SOC 2 framework was automatically updated in the system. The SOC 2 control content was automatically available in the software, saving the cost of an external consultant.   Each control owner had their own personal view of their tasks and due dates with instructions describing the evidence required and how to submit it. Reports tracking the status of progress of compliance against each framework were available at a glance, and all communication with control owners and auditors was done directly in the system.

“Our process had finally become repeatable. The automation simplifies and streamlines the entire process. I no longer have to spend my time chasing after control owners. The application automatically sends them email reminding them that they have a task to provide evidence and/or documentation to achieve compliance. Each control has a description which makes it much easier to follow and provides the explanation of what I’m looking for. It has eliminated a lot of the back and forth and has enabled the end-user to be able to quickly give me the information my team needs to ensure compliance.” — Vladimir Finkinshtein, Information Security Analyst, Resolver

By streamlining their process, the InfoSec team could focus on achieving certifications and providing documentation instead of responding to custom RFPs. The transferred control ownership from InfoSec to appropriate business owner means that all required parties were involved and had a hand in the process. With all requests and interactions taking place through the application, Vladimir’s team could ensure that they were always working with the most current, up-to-date information. Control owners, and auditors now have access to interact directly through the tool, where they can ask questions and get quick clarity into any issues.

Using the application for their certifications, the InfoSec team collected almost 3x the evidence as the previous year, with the same number of resources. They increased the quality — the engagement and interaction with control owners allowed them to remediate 55 control gaps before audit and they exited the audit with 0 findings.

“This year, in the same time (seven months), we collected more than 2,500 pieces of evidence. Last year we had a few minor findings. This year our final report looks even better. No findings at all. This makes our auditors and our customers very happy. This makes me very happy.” — Vladimir Finkinshtein, Information Security Analyst, Resolver

Technology is critical to the effective operations of your company and it is up to you to protect your assets, employees and customers from attackers. After implementing Resolver, your team will be able to readily provide evidence and certification to customers to prove that you adhere to the highest standards in the industry.

Resolver’s IT Risk and Compliance Management Software automates IT risk and compliance processes to reduce cost, resources and effort required to effectively manage cybersecurity programs, provide risk oversight to executives and the board and achieve IT certifications such as SOC 2, ISO 27001 and others.