SOC 2 Examinations: Prepare for Success


By Stephen Halbrook, Manager, BrightLine

Is your organization ready for a SOC 2 examination? Here are five steps to help successfully prepare for one:

  1. Validate the nature of the request. Does your client base understand the various SOC reporting options and what they are asking of your organization from a compliance reporting perspective? Is there a connection to internal controls over financial reporting (ICFR) of the services that you provide to your clients, or are you looking at general controls of a system that are relevant to security, availability, processing integrity, confidentiality, and privacy? SOC 1 is oftentimes misused by the general public as a generic reference to third-party audits. There is a misconception in the marketplace; help prevent it.
  2. Understand the trust service principles. Experience has shown that the best way to reach an effective solution is by considering the needs of customers and other interested third parties. First, communicating and determining the information the user organization will want, need, and expect should help determine the best trust service principles (TSP) to select. Also, service organizations must look at their control environment and identify which TSPs are applicable based on the criteria. Often an organization or an interested third party will demand specific TSPs; however, after reviewing the criteria, the organization’s business processes, and the control environment, that principle turns out not to be applicable in the service organization’s environment. For example, a cloud service provider most likely will not need to focus on processing integrity, but it is vital for a payroll provider.
  3. Determine preparedness. Once you understand the different TSPs, consider your options and preparedness prior to determining how to proceed. If the environment to be audited is relatively new and has never been through an audit, it might be best to start with a readiness assessment and/or Type 1 examination, and then move to a Type 2 engagement. Be mindful of the review date and review period as they relate to Type 1 and Type 2, respectively.
  4. Identify key person(s) within the organization. This person (or persons) will be responsible for the overall audit effort. Determine whether your organization has the bandwidth necessary to provide the time and resources required of the engagement. Although not mandatory, it is oftentimes helpful to assign an internal point person with audit experience to the engagement.
  5. Contract and start planning. It is necessary to perform due diligence when selecting your service auditor. Speak with at least three different firms. Confirm that the firms have the proper licensing and credentials to operate in the state(s) in which your services are located, have skilled and credentialed personnel, and are a good fit overall with your organization. Remember, the least costly firm is not always the best option. Some questions to ask:
     • How many SOC 2 engagements have you performed as a company?
     • How many SOC 2 engagements have been performed for other companies in your industry?
     • How much experience do your personnel have in performing SOC 2 engagements?
     • How do you provide pricing?

A properly planned engagement with an experienced audit firm will help your SOC 2 examination be successful. Good luck!




By Brandon Cook, Director of Product Marketing, Skyhigh Networks

CIOs, CISOs, analysts, journalists, and employees alike are always curious about which cloud services are…like…the most popular and frequently used in the enterprise. This type of information is useful in that it indicates employee demand for services, divulges potential locations of corporate data in public clouds, and highlights adoption trends.

However, obtaining reliable data here from vendors or employees can be next to impossible. Survey data measure perception at best. But, with data from over 10.5 million employees across over 200 corporations, Skyhigh has real usage data on the most popular cloud services in the enterprise. So, without further ado, here are both the top 20 most popular enterprise cloud services and top 20 most popular consumer apps in the enterprise.

Top 20 Most Popular Enterprise Cloud Services
The Top 20 Enterprise Cloud Services list offers insight into the cloud apps and services that businesses are standardizing on and provides CIOs with a short-list of services that have reached mass-adoption across enterprises.

The data shows that four vendors have successfully transitioned their legacy on-premise software to the cloud (i.e. Microsoft Office 365, SAS On Demand, Informatica Cloud, and Ariba – an SAP company).

Three companies on the list have successfully accomplished multi-billion dollar disruptions (i.e. Salesforce, ServiceNow, and SuccessFactors – an SAP company). And one company on the list has created a new category, Web-Conferencing, replacing the legacy office ritual of in-person meetings.

Several services, including Splunk Storm, SurveyMonkey, Qualtrics, and Get Satisfaction, showed remarkable growth rates but have not yet cracked the Enterprise Top 20. The top four categories represented are Collaboration (4 services), Business Intelligence (2), Development (2), and Marketing (2).

Top 20 Most Popular Consumer Apps in the Enterprise
While our primary focus is on trends in enterprise cloud usage, it is also important to be mindful of consumer apps used in the enterprise. There are legitimate reasons employees are using consumer apps in the enterprise – for example, a social media manager posting on the company’s Facebook page to engage with users, or a UX designer using Pinterest to create a “look-and-feel book” for an upcoming project.

However, consumer apps can present real risks to enterprises. Data loss in consumer apps can occur due to malware or insider threat. Skyhigh routinely sees and alerts its customers to incidents where sites such as Twitter, YouTube, and Pinterest are used to exfiltrate data. Data loss can also occur due to the acceptance of terms and conditions related to IP ownership. Additionally, one popular site, VK, has a history of piracy-related usage.

For example, users of Prezi, the cloud-based presentation and collaboration service, grant the company “irrevocable and royalty-free rights to use, distribute, and otherwise exploit” the content that the users upload. Additionally, apps in categories such as Content Sharing and Media Services can have significant implications on bandwidth.

Google, Yahoo, and Facebook dominate the list, and the top three categories represented are Content Sharing (7 Services), Social Media (7), and Collaboration (4).

To see all the data and discover more interesting facts about today’s enterprise cloud usage, download the full Q2 Cloud Adoption and Risk Report here.