CASE STUDY

Instilling Confidence With a SOC 2 Report

Aquia’s customer is a software company that offers an all-in-one cloud-based platform run on AWS that powers self-service retail operations.

Although highly mature with a Payment Card Industry Data Security Standard (PCI DSS) certification, the absence of a SOC 2 report was impacting the company’s industry standing and had the potential to impact new business. If left unaddressed, the software company faced the possibility of enterprise clients delaying or deferring contracting with the company due to the lack of security validation.

Acquiring a SOC 2 report could not only streamline the sales process but also instill confidence in the software company’s information systems, facilitating business growth and opportunities.

Leveraging AWS to Drive Performance and Compliance

The company chose to use AWS as the cloud platform for their SOC 2 compliance for two main reasons. First, AWS is a renowned leader in cloud services, offering a reliable infrastructure with global reach. This allows them to ensure high performance, low-latency access for their applications and end consumers by leveraging AWS's strategically located data centers worldwide.

Second, AWS provides a comprehensive suite of security features and services that align well with the requirements of a SOC 2 assessment. AWS follows stringent security practices, including physical security, network security, and data encryption, which helps the customer meet regulatory compliance. With security tools like AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and AWS CloudTrail, the software company can effectively address the security controls outlined in SOC 2.

Furthermore, choosing AWS as their cloud provider also offers advantages in terms of PCI compliance. AWS has made significant investments in developing a robust PCI DSS compliant infrastructure, which is crucial for securely handling credit card transactions. By utilizing AWS's PCI DSS compliant services such as Amazon Elastic Load Balancing (ELB), Amazon Relational Database Service (RDS), and AWS Web Application Firewall (AWS WAF), the company can streamline their PCI compliance efforts and ensure the secure storage and processing of sensitive cardholder data.

Navigating a Complex Compliance Landscape With Expert Guidance

Aquia brought a deep understanding of industry standards and regulatory requirements to the engagement, enabling them to tailor compliance programs specifically to meet the software company’s needs. This expertise enabled the customer to streamline their processes, enhance internal controls, and ensure adherence to SOC 2's stringent security and privacy requirements.

“Our goal was to take the customer from an immature state of controls to readiness for a successful audit so they could demonstrate their environment is secure and in compliance with SOC 2 controls,” said Mario Lunato, senior security engineer, Aquia. “To do this, our team developed comprehensive risk management strategies and in-depth readiness assessments — helping the customer build a secure infrastructure that aligns with SOC 2 guidelines and safeguards sensitive data.”

Accelerating SOC 2 Readiness

Aquia and the software company kicked off the engagement with a comprehensive gap analysis and readiness assessment, which allowed Aquia to identify areas for improvement to meet SOC 2 requirements. Armed with this information, Aquia established a detailed project plan, well-defined milestones and deliverables, and weekly meetings with the project team to strategize for efficient progress. Additionally, weekly project calls were scheduled to delve into the specific details and milestones of the compliance journey and address any concerns or obstacles as they arose.

In addition, Aquia provided the customer with policy templates that served as a framework for developing robust internal controls and procedures. These templates streamlined the process of creating comprehensive policies aligned with SOC 2 requirements, saving the customer valuable time and effort.

Leveraging their expertise in cybersecurity and compliance, Aquia assisted the software company in the implementation of controls and the development of necessary artifacts and evidence. Aquia also assisted its IT team with the creation of processes and procedures to be used as guidelines for the organization’s daily operations, which will be reviewed and updated on an annual basis.

Aquia utilized their expertise to meticulously prepare the customer for the SOC 2 report. They ensured that all of the essential components were in order and thoroughly documented, covering crucial security areas such as access management; change management; customer management; data backup; data classification (including data at rest, in motion, and output); incident response; security control monitoring; access and role management; security system maintenance and support (along with necessary backup and offline storage); annual management review of security controls; and the selection, documentation, and implementation of security controls.

As the on-site audit approached, Aquia guided the customer in preparing responses to the auditor's information request list. They reviewed the documentation, provided valuable insights, and ensured that the software company’s responses were thorough and aligned with SOC 2 standards.

Demonstrating a Commitment to Data Security

Following a thorough evaluation of the organization’s controls and processes, the software company received a successful SOC 2 certification from a respected American Institute of Certified Public Accountants (AICPA) firm. The SOC 2 report demonstrates the company’s commitment to maintaining best-in-class security standards for its customers.