Strategic Policy Development.md - Juan-bit94/Ops401D10 GitHub Wiki

Strategic Policy Development

Why does this topic matter?

  • Strategic Policy Development is important for companies of all sizes that handle client data. There are legal and compliance requirements that a company must adhere to in this digital age; if a company does not follow frameworks that incorporate strategic policy development, it could erode the public's trust.
  • That lack of trust could cost time and money to repair. For example, if a company wishes to provide services at the enterprise level, it needs to have policies in place to ensure security, confidentiality, and integrity. If such policies do not exist, clients will be wary of the risk associated with the lack of standard policy development and implementation.

How would you convince your future company to pursue SOC2 compliance?

  • I would propose to my future company that SOC 2 compliance will benefit us tremendously in terms of being trusted. SOC 2 will enable us to establish an elevated level of trust with clients, investors, and prospects. The compliance process will motivate the company to implement controls, documentation, and security refreshers. If we pass the Type 2 audit, we will show the public how much we value the security of data; if we do not pass, we will have a road map and fresh eyes to implement the things we need in order to demonstrate trust.

What are the five SOC2 Trust Principles?

  • The five trust principles are:
    1. Security: A foundational principle and common to all audits.
    2. Confidentiality: Protection from unauthorized disclosure of sensitive data.
    3. Availability: Assurance that systems or data will be available as agreed or required.
    4. Integrity: Assurance that systems or data are not changed in an unauthorized manner.
    5. Privacy: The use, collection, retention, disclosure, and disposal of personal information is protected.

How would you explain the three levels of the SOC2 pyramid in an analogy your friends or former colleagues would understand?

  • I would explain the three levels of the SOC 2 pyramid like so: the pyramid represents the SOC 2 process; the bottom level is policies, the middle section is your procedures, and the top is proof. The pyramid is built on documentation that governs the behavior of employees and other stakeholders; procedures are policies at work; and proof is further documentation showing the results of the policies and procedures being applied within the company.

Things I want to know more about

  • I would like to know if any principles of agile are used when preparing for a SOC 2 audit.
  • Also, when businesses implement SOC 2 considerations early in the business cycle, do they have an easier time with the audits, or are there pitfalls?