Balancing Requests and Enforcing Cybersecurity Across the Organization
As a SaaS provider, our InfoSec Team is also responsible for the DevOps environment, including a number of AWS services used to deliver our services to customers. That’s why, in addition to the full-time job of protecting the company from threats, the InfoSec team also spends its time responding to information requests from prospects and customers who want to verify that Resolver is operating at the highest level of protection. These requests typically come in the form of RFPs or questionnaires, each of which is unique to the company issuing it and varies in length and requirements. To simplify the process and ensure that we are always providing best-in-industry responses to customers and prospects, the Resolver team undertook the process of certification.
In 2018, we undertook 3 certifications (SOC 2 Type 2, HIPAA and ISO 27001) using a manual process. The InfoSec team was on the hook for all of it. They engaged an external SOC 2 consultant to help scope the applicability of the citations in the authority document, identify gaps and define the controls required.
During this process, Vladimir was the control owner for all required controls. He managed the delegation of evidence collection through the manual distribution of controls, personally trained end-users and answered any and all questions they had. Then, he interfaced directly with the auditors and managed all remediation efforts. The entire process was managed using Excel, online directories and emails. As you can imagine, this was very time consuming.
In the end, the team persevered. The process took 7 months, they collected 900 pieces of evidence, and only had 3 minor findings in the SOC 2 audit.
This excitement would be short-lived. In 2019, the changes to SOC 2 meant that there were even more requirements they had to comply with, all while working to add additional certifications.
Something had to change.
“Before we used the IT Risk and Compliance application, our process was a nightmare. I had to create multiple Excel sheets and manage hundreds of shared folders to collect the evidence required for compliance from each of the company’s control owners. I was constantly chasing people to provide their documentation. Communication was also challenging. Since everything was managed through email or instant message, there were several instances of miscommunication resulting in control owners producing the wrong documentation and having to redo their work. It was a long, frustrating and often redundant process for everyone involved.” — Vladimir Finkinshtein, Information Security Analyst, Resolver