SOC 2 Intro and Mindfulness
Emily Gladstone Cole
PancakesCon 3
Who is this Emily Person Anyway
Background
Fun Facts
● UNIX SysAdmin/Operations/DevOps background
● Experience in Security Incident Response, Security Research,
Security Engineering
● Mentor for SANS’ Women’s CyberTalent Immersion Academy
● Opinionated about SOC 2
● Currently recovering from burnout
● My favorite computer game is Nethack
● Only one of the cats you will see here today is mine
My goofball cat
My pancakes of choice: latkes aka potato pancakes
Why SOC 2
1. SALES
2. Useful for SaaS companies when they
are ready for customers
3. Not as difficult to get as FedRAMP,
PCI, or HIPAA
4. SALES
SOC 2 Background
● SOC stands for System and Organization Controls
(formerly Service Organization Controls)
● The AICPA (American Institute of CPAs) sets the standards for these reports:
they’re auditors and CPAs
● SOC 1 is about the controls that affect your customers’ financial reporting
● SOC 2 is about the controls behind a company’s security (plus availability,
processing integrity, confidentiality and privacy if you choose to include them)
SOC 2 is about COMPLIANCE, not SECURITY.
Key Vocabulary
Trust Services Criteria: formerly Trust Principles, the 5 areas a SOC 2 report can cover.
Strictly speaking SOC 2 is an attestation report, not a certification, but everyone calls it a cert.
Policies: you need a set of policies that define how your company does security
Control Item: an individual control you have to implement, and be able to show evidence for,
to meet your Trust Services Criteria
Type 1 and Type 2: a Type 1 report says your controls were designed properly at a point in time.
A Type 2 report says they operated effectively over a review period (commonly 3 to 12 months).
Auditor: you have to have one, and it has to be a CPA firm. Remember this is an accountant
and not a security person
Trust Services Criteria (formerly Trust Principles)
● Security (aka the Common Criteria, every SOC 2 report includes it)
○ protect systems and information against unauthorized access, disclosure, and damage.
This is more than access control: it also covers risk assessment, change management,
monitoring, and incident handling
● Availability
○ systems are available as needed
● Processing Integrity
○ processing is complete, valid, accurate, and timely
● Confidentiality
○ information designated as Confidential is protected
● Privacy
○ personal information is only collected, stored, used, and disclosed as necessary
SOC 2 Simplified
1. Pick your Trust Services Criteria.
2. Make sure you do the things that you need to
meet your Control Items.
3. Write policies and processes that match what
you do.
4. Pick an Auditor.
5. Prove to the Auditor that you do what you say
you’re doing.
SOC 2 can help your security team
There are a few key things that you can do that will help your SOC 2 efforts and also
help security.
● Single Sign On: this will greatly simplify all of the Access Control requirements
● Centralized Logging: you need somewhere to examine your logs and alert based
on oddities.
● Protecting Production: set up protections around pushing code (Change
Management), and accessing production (Roles, not direct user access)
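The two concrete asks on this slide, one central place to alert on log oddities and roles instead of direct user access to production, are easy to show in code. The script below is an added example written for this page; it is not from the talk and not from any of the vendors on the next slide. It assumes a constructed audit log with one JSON object per line and the fields ts, actor, principal_type, auth, env and action (real IdP, cloud audit-trail or sshd logs use other field names and need mapping into this shape first), and every sample line is made up. It flags production access by a user principal instead of a role, flags authentication that did not go through SSO, and counts what it saw so the same run doubles as Type 2 evidence for the review period, which is the kind of collection the automation vendors on the next slide sell.

```python
"""Added example, not from the talk: rules over a centralized audit log.

Assumed (constructed) log format, one JSON object per line:
  ts, actor, principal_type ("role" or "user"), auth ("sso", "password", "key"),
  env ("prod" or "staging"), action.
Map your real IdP / cloud-audit / sshd events into this shape before running.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample events for the example; not real logs.
SAMPLE_LOG = """\
{"ts": "2022-03-20T09:01:00Z", "actor": "alice", "principal_type": "role", "role": "prod-oncall", "auth": "sso", "env": "prod", "action": "ssh"}
{"ts": "2022-03-20T09:05:00Z", "actor": "bob", "principal_type": "user", "auth": "password", "env": "prod", "action": "ssh"}
{"ts": "2022-03-20T09:07:00Z", "actor": "carol", "principal_type": "user", "auth": "sso", "env": "staging", "action": "deploy"}
{"ts": "2022-03-20T09:09:00Z", "actor": "dave", "principal_type": "role", "role": "prod-deployer", "auth": "key", "env": "prod", "action": "deploy"}
{"ts": "2022-03-20T09:10:00Z", "actor": "erin", "principal_type": "role", "role": "prod-deployer", "auth": "sso", "env": "prod", "action": "deploy"}
this line is not JSON and is counted as unparseable rather than silently dropped
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    ts: str
    detail: str


def parse_events(text):
    """Return (events, unparseable_line_count).

    Malformed lines are counted instead of dropped: a gap in the log is
    itself something you will have to explain to the auditor.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def check_event(ev):
    """Apply the slide's two access-control rules to a single event."""
    findings = []
    actor, ts = ev.get("actor", "?"), ev.get("ts", "?")
    # Rule 1: production must be reached through a role, never as a bare user.
    if ev.get("env") == "prod" and ev.get("principal_type") != "role":
        findings.append(Finding("direct-prod-access", actor, ts,
                                f"{ev.get('action')} on prod as a user principal, not via a role"))
    # Rule 2: every authentication should come through SSO; anything else is reviewed.
    if ev.get("auth") != "sso":
        findings.append(Finding("non-sso-auth", actor, ts,
                                f"authenticated with {ev.get('auth')!r} instead of SSO"))
    return findings


def run_rules(text):
    """Return (findings, unparseable_line_count) for a whole log."""
    events, bad = parse_events(text)
    findings = [f for ev in events for f in check_event(ev)]
    return findings, bad


def evidence_summary(text):
    """Counts you can hand an auditor as Type 2 evidence for the review period."""
    events, bad = parse_events(text)
    prod = [e for e in events if e.get("env") == "prod"]
    return {
        "events": len(events),
        "unparseable_lines": bad,
        "prod_access_events": len(prod),
        "prod_access_via_role": sum(1 for e in prod if e.get("principal_type") == "role"),
        "auth_methods": dict(Counter(e.get("auth") for e in events)),
    }


if __name__ == "__main__":
    found, bad_lines = run_rules(SAMPLE_LOG)
    for f in found:
        print(f"[{f.rule}] {f.ts} {f.actor}: {f.detail}")
    print(f"unparseable lines: {bad_lines}")
    print(evidence_summary(SAMPLE_LOG))
```

On the sample, bob trips both rules and dave trips the SSO rule for using a key; whether a deploy role authenticating with a key is acceptable is a policy decision, which is exactly why the rule flags it for review instead of deciding. The summary is the part worth keeping: run it over the whole review period and you have the role-versus-user and SSO-versus-other numbers the auditor will ask for, without collecting screenshots by hand.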
SOC 2 - can I automate that?
You can do all of the work of proving your policies are backed up by your actions by
hand. However, there are vendors that will allow you to automate much of the work of
tracking your progress and collecting evidence.
● A-Lign
● Drata
● Tugboat Logic
● Vanta
Opinions from a weary security/compliance person
1. Don’t try to use SOC 2 to build your security program. That’s not what it’s for.
2. Make sure your executives understand what they’re committing themselves and
the company to before you agree to work toward any compliance certification,
including SOC 2. If you hear any executive at your company say that they don’t
want to learn about Security, it’s a bad sign.
3. Start with only the Common Criteria (Security) for your first year, especially if
you’re at a smaller startup. You can always add criteria later; it’s much harder to
reduce the scope of your work after the fact.
4. Make friends with the SRE/infrastructure team. They will help you integrate
everything and get you your evidence.
Mindfulness
What Mindfulness Isn’t
Mindfulness is a tool to help you become more aware of your feelings and the world
around you. It won’t fix any problems, but it can reduce tension and help you relax.
“You cannot self-love your way
out of systemic oppression.”
- Ragen Chastain
Mindfulness is the basic human ability to be fully present, aware of where we
are and what we’re doing, and not overly reactive or overwhelmed by what’s
going on around us.
● Reducing tension
● Body awareness
A Quick Exercise: Shoulder Tension and Relaxing
1. Start in a neutral position with
your shoulders down.
2. Raise your shoulders up toward
your ears as high as you can.
3. Hold for 5 seconds.
4. Lower your shoulders back to
neutral.
A Quick Exercise: Breathing
1. Breathe in for 5 seconds.
2. Breathe out for 10 seconds.
3. Repeat.
Optionally, say a few words to yourself as you inhale
and exhale, like “It’s OK… let it go.”
Peaceful Place
Progressive Tension/Relaxation
You work your way through the major muscle groups,
starting from your feet and moving up your body. Tense,
hold for 5 seconds, then relax.
Do this either when sitting with your feet flat on the
floor, or when lying in bed.
Other Ideas for Relaxing
● Animal Web Cams (I’m fond of the
Monterey Bay Aquarium Jelly
Cam)
● Mindfulness meditations on
YouTube (including ones with
profanity)
● An app for that: the Calm app
Next Steps with Mindfulness - Body Awareness
Tension in a specific part of
the body can be tied to a
specific emotional state or
mood.
Closing thoughts
Thank you!
References
● https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
● https://fractionalciso.com/soc-2-compliance-software-vendors/
● https://latacora.micro.blog/2020/03/12/the-soc-starting.html
● https://positivepsychology.com/history-of-mindfulness/
● https://www.mindful.org/meditation/mindfulness-getting-started/
● https://www.physiomed.ca/carrying-the-weight-of-the-world-why-our-emotions-cause-muscle-tension/
● https://www.montereybayaquarium.org/animals/live-cams
● Mindfulness with profanity: https://www.youtube.com/watch?v=92i5m3tV5XY
● Calm app: https://www.calm.com/
● https://www.painawaydevices.com/exercises-relieve-neck-shoulder-pain/
● https://www.pexels.com/search/cat/
