What tools have been most helpful to gather evidence for a SOC 2 audit?

SOX Compliance - At Yext we are SOC 2 Type 2 certified, which means that we have specific controls around confidentiality, availability, and security of our customer data. We have different teams that require access to databases - from Operations to Analytics and Developers. We need to make sure that those teams can be productive and access the data, but from the security and compliance side, we need to make sure that we can audit what's going on.

We use strongDM to manage database permissions and log every query. Before strongDM we had to ensure that logging was turned on for each MySQL database and hope to catch a specific query in real time. We don't normally keep MySQL logging on because of the abuse of IO and disk space requirements (especially on a busy database), so only after the fact would we have to make that judgement call. With strongDM we're able to pull that log data in real time with no impact on the database. Having forensic data of every query run is very, very important from an auditing perspective and helped us achieve SOC 2 compliance.
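The per-database MySQL query logging the answer above describes, as an added example that is not code from the post, from Yext or from strongDM. It parses lines in the layout MySQL writes to the general query log file (timestamp, connection id, command, argument) and joins each Query line to the Connect line of the same connection id, because Query lines carry only the connection id and not the user. The log lines are constructed sample data, and the regexes are assumptions about that file layout rather than an official parser. It also shows the evidence gap behind "hope to catch a specific query": a session that was already open when the log was switched on has no Connect line, so its queries cannot be attributed to anyone.

```python
"""Attribute MySQL general-log queries to the user who ran them.

Added example, not code from the post, Yext or strongDM. Assumes the layout of
the MySQL general query log when log_output=FILE:
    <timestamp>\t<conn id> <Command>\t<Argument>
and that a Connect argument looks like "user@host on db using TCP/IP".
"""
import re
from collections import defaultdict

# Constructed sample log. Logging was enabled while connection 9 was already
# open, so its Connect line was never written and its UPDATE has no user.
SAMPLE_LOG = """\
Time                 Id Command    Argument
2024-02-01T09:00:00.100000Z\t    7 Connect\tanalyst@10.0.0.5 on reporting using TCP/IP
2024-02-01T09:00:00.200000Z\t    7 Query\tSELECT id, email FROM customers LIMIT 5
2024-02-01T09:00:01.000000Z\t    9 Query\tUPDATE customers SET email='x@example.com' WHERE id=42
2024-02-01T09:00:02.000000Z\t    8 Connect\tdeploy@10.0.0.9 on reporting using SSL/TLS
2024-02-01T09:00:02.500000Z\t    8 Query\tSET NAMES utf8mb4
2024-02-01T09:00:03.000000Z\t    8 Query\tSELECT COUNT(*) FROM orders
2024-02-01T09:00:04.000000Z\t    7 Quit\t
"""

# One log line: timestamp, connection id, command word, optional tab, argument.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\t?(.*)$")
# Argument of a Connect line (assumed layout; db may be empty).
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on (?P<db>\S*)")

# Statements that change data or privileges; the ones an auditor asks to see attributed.
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "REPLACE", "ALTER", "DROP",
               "TRUNCATE", "CREATE", "GRANT", "REVOKE"}


def parse_general_log(text):
    """Return one dict per Query line: time, conn_id, user, host, db, query.

    The user is taken from the Connect line of the same connection id. If no
    Connect line was seen for that id (log enabled mid-session), user is None.
    """
    sessions = {}   # conn_id -> (user, host, db) from the Connect line
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:               # header lines and server banner do not match
            continue
        ts, conn_id, command, arg = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if command == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                sessions[conn_id] = (c["user"], c["host"], c["db"])
        elif command == "Query":
            user, host, db = sessions.get(conn_id, (None, None, None))
            events.append({"time": ts, "conn_id": conn_id, "user": user,
                           "host": host, "db": db, "query": arg})
        elif command == "Quit":
            sessions.pop(conn_id, None)   # id may be reused by a later session
    return events


def queries_by_user(events):
    """Group query text by user; the None key collects unattributable queries."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e["query"])
    return dict(grouped)


def write_statements(events):
    """Return only the events whose first keyword is a data- or privilege-changing verb."""
    out = []
    for e in events:
        first = (e["query"].split() or [""])[0].upper()
        if first in WRITE_VERBS:
            out.append(e)
    return out


if __name__ == "__main__":
    evs = parse_general_log(SAMPLE_LOG)
    for e in evs:
        print(f'{e["time"]} conn={e["conn_id"]} user={e["user"] or "UNKNOWN"} {e["query"]}')
    unattributed = [e for e in evs if e["user"] is None]
    print(f"{len(unattributed)} query(s) could not be attributed to a user")
```

Run against a real general log, the unattributed bucket is the first thing to check: every query in it is evidence you cannot tie to a person, and a write statement there (as with the UPDATE on connection 9 above) is exactly the case the post says it could only judge after the fact.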

5 comments


Pulse User

https://www.alienvault.com/solutions/soc-2-compliance

Pulse User

The right person with knowledge and skills in dealing with audits and auditors is more important than which tools to use. The bonus is that the 'right person' will probably know which tools are best suited to what audit.  My opinion only...

Pulse User

For our SOC2 audit we are not using a 3rd party tool for documentation collection. We simply use Excel and a folder hierarchy.

Pulse User

Assuming you have some workloads in AWS there are a number of good solutions. I have looked closely at Orkus (full disclosure that I recently was asked to become an advisor). StrongPoint is also one to consider for relevant business applications.