Resources

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing procedure developed by the American Institute of Certified Public Accountants (AICPA). It's designed to ensure service providers securely manage data to protect their organization's and clients' interests. SOC 2 is particularly relevant for technology and cloud computing companies that offer online services and store customer data in the cloud. 

SOC 2 is based on five Trust Services Criteria:
  • Security: The system is protected against unauthorized access, both physical and logical.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments and criteria.

Types of SOC 2 Reports

There are two types of SOC 2 reports:

  • Type I: Describes a vendor's systems and assesses whether their design is suitable to meet relevant trust principles at a specific point in time.
  • Type II: Details the operational effectiveness of these systems over a period of time (usually 6-12 months) and includes the auditor's opinion.

The SOC 2 Audit Process

  • Preparation: The organization prepares by documenting policies, procedures, and controls.
  • Scoping: Determine which trust services criteria are applicable.
  • Readiness Assessment: Conduct an assessment to identify gaps and areas for improvement.
  • Remediation: Address any gaps identified in the previous step.
  • Audit: An independent CPA firm conducts the audit, which includes testing controls and gathering evidence.
  • Reporting: The auditor issues a report detailing findings and an opinion.

Benefits of SOC 2 Compliance

  • Builds trust with clients and partners
  • Improves risk management and security posture
  • Provides a competitive advantage in the market
  • Helps meet regulatory requirements
  • Streamlines security processes
  • Demonstrates commitment to data protection

Challenges in Achieving SOC 2 Compliance

  • Time-consuming and resource-intensive process
  • Requires ongoing maintenance and monitoring
  • May necessitate significant changes to existing systems and processes
  • Can be costly, especially for smaller organizations
  • Requires commitment from all levels of the organization

SOC 2 Implementation Best Practices

  • Start with a readiness assessment to understand your current posture
  • Clearly define the scope of your SOC 2 audit
  • Implement a strong security awareness training program
  • Use automation tools to streamline compliance processes
  • Regularly review and update policies and procedures
  • Engage stakeholders across the organization
  • Consider working with a SOC 2 compliance expert

Conclusion

SOC 2 compliance is becoming increasingly important in today's data-driven business environment. While achieving and maintaining compliance can be challenging, improved security, trust, and competitive advantage make it a worthwhile investment for many service organizations. By following best practices and maintaining a commitment to security and privacy, organizations can successfully navigate the SOC 2 compliance process and demonstrate their dedication to protecting sensitive information.

Our Leadership Team

Jonathan Major

Founder - Fractional CISO / San Francisco, CA

Jonathan Major is a highly experienced technology and security leader with a robust 25-year career in engineering, information security, and compliance. As the founder of Risk/Response, Jonathan brings his wealth of knowledge to help businesses build and protect their digital assets, instilling confidence in his clients.

With career-spanning roles at industry giants like BlackRock, Barclays Global Investors, and IBM, Jonathan has honed his skills in cloud engineering, cybersecurity, and compliance.

Jonathan's entrepreneurial spirit led him to co-found Proga Digital, a low/no-code application development company, and serve as the founding VP of Engineering and Chief Security Officer at Crux Informatics. These experiences have equipped him with a unique perspective on modern businesses' challenges in the digital landscape.

At Risk/Response, Jonathan offers fractional CISO, CTO, and related services, leveraging his deep knowledge of cloud platforms, infrastructure as code, and cybersecurity best practices. His approach combines strategic thinking with hands-on expertise to deliver transformative solutions that support businesses in pursuing growth and security.

With a passion for driving innovation and a track record of success, Jonathan Major is dedicated to helping businesses navigate the complex world of technology and security, enabling them to thrive in an increasingly digital economy.

Maire Sogabe

Fractional CISO / Seattle, WA

Maire Sogabe is an experienced Cybersecurity Consultant with a proven track record of securing IT and OT environments and advancing information security and risk management programs.

She has held leadership roles at Eolas Cyber Solutions LLC, Generate, Engie, and Pacific Gas & Electric (PG&E), where she has implemented complex technology solutions, facilitated digital transformation, and enabled next-generation energy management.

Maire is a two-time energy hackathon winner and has been recognized by the Irish Technology Leadership Group as one of the "Silicon Valley 50" for her technology leadership.

She is an "In Residence Thought Leader" for the Munster Technology University M.Sc. in FinTech Innovation program in Ireland, and holds an M.A. in Community Development from NUI Galway and an M.Sc. in Information Systems from Golden Gate University in San Francisco, California.

Case Studies

Building a Robust Security & Compliance Program for Bitvore Corp

The Challenge: Our client, bitvore.com, an AI surveillance and analytics SaaS company, was facing increasing demands from customers and prospects to demonstrate robust security and compliance practices. With a lean in-house team and limited cybersecurity expertise, they recognized the need for external support to implement a comprehensive security and compliance program and partnered with Risk and Response.
The Solution: We worked closely with the Bitvore team to understand their requirements and business objectives. Our approach blended specialized cybersecurity expertise with leading security products and technologies.

People: Our experienced cybersecurity professionals provided guidance and hands-on support throughout the process, including:
  • Conducting a thorough risk assessment to identify potential vulnerabilities and areas for improvement.
  • Developing and implementing robust security policies, procedures, and controls aligned with industry best practices and regulatory requirements.
  • Providing ongoing training and awareness programs to enhance the security culture within the organization.

Compliance Framework: Our team helped Bitvore establish a comprehensive compliance framework aligned with SOC 2, managed on the Drata platform, including:
  • Implementing controls and processes to meet the Trust Services Criteria for Security and Availability.
  • Conducting regular internal audits and assessments to ensure ongoing compliance.
  • Facilitating the external SOC 2 audit process, providing necessary documentation and evidence.

Security Products: We implemented a suite of best-in-class security solutions tailored to the client's needs.

Conclusion

The Outcome: Through our collaborative efforts, Bitvore successfully achieved SOC 2 compliance, demonstrating their commitment to security and data protection. This accomplishment not only strengthened their credibility with existing customers but also provided a competitive advantage in winning new business opportunities.
Bitvore CIO, Vera Silver, stated, "The expertise and guidance provided by Risk and Response was invaluable in helping us establish a robust security and compliance program. Their blend of people and technology solutions enabled us to navigate the complex landscape of cybersecurity and compliance, ultimately achieving SOC 2 certification and enhancing our credibility in the market."