Achieving any kind of compliance can be grueling. Ensuring your organization is SOC 2 compliant is often a particularly laborious endeavor, requiring extensive resources to obtain and maintain.
SOC 2 is a comprehensive cybersecurity compliance framework developed by the AICPA (American Institute of Certified Public Accountants). It helps guarantee third-party service providers handle customer data with appropriate security measures. In short, it's an assurance of protection when entrusting sensitive information to external entities.
In previous blogs, we highlighted the importance of considering compliance as the first step in your security strategy and how to use Tines to help you automate common compliance processes.
In this post, we look at how we used our no-code automation platform to transform the entire SOC 2 process and achieve compliance in record time. Using just two easy automation Stories, we reduced the time and effort involved by 250 human hours! And in total, the entire process took us just four months to review and provide evidence for 110 controls from start to finish.
Why do SOC 2 audits matter?
At Tines, like most security-centric companies, SOC 2 is essential to our commitment to customer trust. Though it's only one element in a sound cybersecurity strategy, conducting and completing the audit process requires significant time and resources – making its successful completion cause for celebration internally and externally alike!
Our recent experience reflects how Tines’ automation platform can revolutionize core IT use cases and open new paths for workflows outside security.
Using Tines and Drata to automate evidence collection
By connecting Tines to Drata, we were able to ensure we're compliant with 110 controls through automated auditing.
Drata works by allowing you to plug in all of your different systems, like AWS, Jira, Slack, and Google Workspace, and then Drata goes in and checks whether you're meeting the controls for each one. For example, we encrypt our data in AWS by default, so we use Drata to look at all the RDS databases and bring any configurations without encryption to our attention. This helps us ensure and prove we’re meeting all of the compliance controls; if not, Drata lets us know so we can go and fix them.
Here are two automation workflows that helped us get the job done even faster:
Auditors comprehensively assess your business processes as part of a SOC 2 audit. From background checks for every employee to stringent endpoint controls - including encryption, updates, and anti-virus protection - a SOC 2 audit examines each element of your organization's operations.
This process usually requires a lot of manual work to collect the necessary evidence for auditors. While Drata can integrate with your MDM (Mobile device management) provider to automate endpoint evidence collection, we used a vendor who didn’t have an integration available at the time. To accelerate this, we used Tines to connect to Drata’s API and create a list of all employees for whom we didn’t already have this evidence. Then, we created resources in Tines for these evidence requests and uploaded them to the Drata platform using Tines. This Story saved us a lot of work and is really only a basic version of what’s possible. Instead of manually uploading a screenshot for each employee and going through a process typically taking days or weeks, we accomplished all of this in a matter of hours.
The beauty of this process is that other employees were not involved; we gathered evidence passively and corrected and fixed the findings. We ensured that no employee or endpoint had controls unchecked - everything was validated and verified with a piece of evidence. When our auditors were checking this, they had all the information they needed to decide that we were meeting the control framework for SOC 2 compliance.
Four months from start to finish: We started onboarding in October and wrapped up the entire process in January.
Uploading the evidence to Drata using Tines saved us over 100 hours of manual work.
GitHub production changes
Our SOC 2 auditors challenged us with the ambitious request for evidence of each and every change to our production code. A daunting task, given that 7,000 merges were made during this period!
With Tines, our team quickly and effectively created a comprehensive Story that tracks the changes made in our production database every month. This enabled us to provide auditors with an organized list of every single change, including titles of all alterations and their associated GitHub users, plus links confirming every change had been approved.
This Story took us 30 minutes to build and test, automating a process that would have otherwise taken us up to 150 hours to accomplish. Without Tines, we would have had to create a script or Python application to produce this level of evidence at scale and lean heavily on our engineering team for input. And, if engineering had needed to walk me through this volume of changes, they would have had to sacrifice another priority to get me the data we needed. Instead, we were able to pull all of this information together ourselves. As a result, our engineers could continue with their regular operations without being distracted by this project - they weren't even aware it was happening!
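As an added illustration of the evidence this kind of Story produces (example code, not Tines' Story or Drata's integration), the function below turns GitHub pull-request and review records into one row per merged production change for a given month, with the title, author and the approval link an auditor can follow, and separates out any merge that lacks an independent approval. It assumes the record shapes of GitHub's REST API (`GET .../pulls?state=closed` and `GET .../pulls/{n}/reviews`); every sample record is constructed.

```python
# Added example (not Tines' Story or Drata's integration): a month's change-management
# evidence from GitHub pull-request data. Record shapes follow GitHub's REST API
# (GET .../pulls?state=closed and GET .../pulls/{n}/reviews); all samples are constructed.
from datetime import datetime

# Constructed sample of closed PRs (fields as in the GitHub /pulls response).
SAMPLE_PULLS = [
    {"number": 101, "title": "Rotate RDS credentials", "user": {"login": "alice"},
     "merged_at": "2023-11-03T10:15:00Z", "html_url": "https://github.com/example/app/pull/101"},
    {"number": 102, "title": "Hotfix: bump TLS minimum version", "user": {"login": "bob"},
     "merged_at": "2023-11-20T17:40:00Z", "html_url": "https://github.com/example/app/pull/102"},
    {"number": 103, "title": "Closed without merge", "user": {"login": "carol"},
     "merged_at": None, "html_url": "https://github.com/example/app/pull/103"},
    {"number": 104, "title": "December change", "user": {"login": "dave"},
     "merged_at": "2023-12-01T09:00:00Z", "html_url": "https://github.com/example/app/pull/104"},
]
# Constructed sample of reviews keyed by PR number (fields as in /pulls/{n}/reviews).
SAMPLE_REVIEWS = {
    101: [{"state": "COMMENTED", "user": {"login": "bob"}, "html_url": "https://github.com/example/app/pull/101#pullrequestreview-1"},
          {"state": "APPROVED", "user": {"login": "erin"}, "html_url": "https://github.com/example/app/pull/101#pullrequestreview-2"}],
    102: [{"state": "CHANGES_REQUESTED", "user": {"login": "erin"}, "html_url": "https://github.com/example/app/pull/102#pullrequestreview-3"}],
    104: [{"state": "APPROVED", "user": {"login": "erin"}, "html_url": "https://github.com/example/app/pull/104#pullrequestreview-4"}],
}

def approval_for(pr, reviews):
    """First APPROVED review from someone other than the author, or None."""
    for r in reviews.get(pr["number"], []):
        if r["state"] == "APPROVED" and r["user"]["login"] != pr["user"]["login"]:
            return r
    return None

def build_evidence(pulls, reviews, year, month):
    """One row per PR merged in the month: title, author, approval link (unmerged PRs are skipped)."""
    rows = []
    for pr in pulls:
        if not pr.get("merged_at"):
            continue  # closed without merging: not a production change
        merged = datetime.strptime(pr["merged_at"], "%Y-%m-%dT%H:%M:%SZ")
        if (merged.year, merged.month) != (year, month):
            continue
        appr = approval_for(pr, reviews)
        rows.append({"number": pr["number"], "title": pr["title"], "author": pr["user"]["login"],
                     "merged_at": pr["merged_at"], "pr_url": pr["html_url"],
                     "approved_by": appr["user"]["login"] if appr else None,
                     "approval_url": appr["html_url"] if appr else None})
    return rows

def unapproved(rows):
    """Merged changes with no independent approval: the exceptions to explain to auditors."""
    return [r for r in rows if r["approval_url"] is None]
```

Run once per month over the real API responses and the output is the organized list of changes, users and approval links described above, plus the short list of exceptions to chase before the auditor does.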
150 human hours saved
Zero friction between teams
Achieving SOC 2 compliance doesn’t have to be a long and arduous process – as our IT team at Tines has proven. In just four months, we were able to successfully onboard Drata, validate our controls, and automate the manual evidence collection necessary for our auditors to review our program. This not only saved us 250 human hours but also streamlined the entire process, which will help us maintain our SOC 2 compliance in the future.
If you’re looking for ways to automate your SOC 2 compliance workflows, check out our Story Library. There, you can leverage dozens of ready-to-use compliance-related automation Stories and explore how Tines can help you achieve your own SOC 2 certification in record time!