What’s even more challenging than periodic compliance? Real-time compliance.
Many IT teams and CIOs view System and Organization Controls (SOC) 2 compliance as a painful annual exercise. This is understandable. SOC-2 is a rigorous reporting framework published by the American Institute of Certified Public Accountants (AICPA) as guidelines for independent, third-party auditors to assess and test IT security processes and controls relating to the Trust Services Criteria (TSC) of Security, Availability, Processing Integrity, Confidentiality or Privacy. Many companies now require that any SaaS provider they work with holds SOC-2 compliance. This is a blunt way of managing risk.
The reality is, in the era of Zero-Trust IT asset management, SOC-2 is a basic step but not a sufficient one. More and more organizations are testing their vendors with compliance requests as part of their due diligence process. This has become even more pronounced as more GDPR enforcement efforts have launched in the European Union, coupled with the rise of a number of class-action suits in California related to CCPA. While passing SOC-2 is a pain, you may actually need to do better to keep customers happy. Your IT team may have to demonstrate superhuman capabilities to respond to requests for asset information quickly and comprehensively, on a surprise frequent basis. Sound like a nightmare? It doesn’t have to be.
Key Metrics of Real-Time Compliance for Asset Management
First, let’s think through what are the key drivers of real-time compliance capabilities. To start with, your customers may be asking for it. But why? Chances are, they are driven both by their own cybersecurity concerns and any concerns they might have about using your product for the management of their own customer and employee data. The new regulatory environment is far less forgiving for IT organizations that cannot quickly and comprehensively answer the three big questions: Who, What, Where?
Who: Real-Time Asset Ownership
A key part of IT asset compliance for SOC-2 is the ability to tie any asset back to a particular owner or responsible party. This covers hardware, software, SaaS, and cloud. Answering the question “Who owns an asset?” is an important core of SOC-2 compliance in establishing robust accountability for systems and actions. Answering “who” can also dictate quickly what other compliance checks and audits must be considered if “who” is a CEO or a key solutions architect with access to critical systems versus a lower-level employee who has much less access to critical information resources.
To be sure, answering “who” is not a specific element to SOC-2 but it’s a clearly implied element – and one that customers requesting compliance tests care about – a lot. When an asset appears to be logging into key IT systems and infrastructure at strange times of day, the “who” question can trigger other important questions like “Why is the CTO logging in at 3 in the morning?” The answer may be that they are traveling and in a different timezone. But the ability to even ask the question in the first place and accurately answer it is a core element of Real-Time Compliance.
What: Real-TIme Asset Status
SOC-2 compliance strictly mandates that IT assets are properly patched and protected. Teams conducting SOC-2 compliance audits require screenshots from employees and attestations, for example, that they have installed and are running malware detection apps. The reality is, those attestations are snapshots in time. Real-time compliance can verify that every IP connected to key systems on the network is running all the proper endpoint protections and is properly patched. Just like sub-ITAMs focused on specific device types and operating systems, endpoint protection systems tend to be siloed. Real-time compliance requires that all endpoint protection status validation is unified, available to search and check, and accurate up to the present point in time.
Where: Real-Time Asset Location Awareness
The third and final question that needs to be answered immediately is “where?”. When an asset logs into the company VPN from an IP address somewhere outside of its normal location, this can only be identified as a compliance risk and a threat if the IT team knows the actual normal location of the device. This was an issue prior to COVID, when many companies tried to enforce “semi-hard perimeter” rules of some services being accessible only on-premises. Today, knowing where is far more critical because the workforce is scattered and it is harder to know which asset locations require scrutiny. Where also has implications because different jurisdictions have different penalties and different laws.
Conclusion: Do Your SOC-2 But Also Be Ready for Real-Time Compliance Checkups
As more CIOs are turning to third-party SaaS and cloud infrastructure to improve operational agility and reduce capital expenditures, they are pressured by their legal and security teams to more rigorously verify compliance. The best companies can not only point to a SOC-2 certification but also agree to respond to more real-time requests to prove that compliance processes work as advertised – and they can put their trust and data in your organization and infrastructure. With compliance, faster is always better.