SOC 2 School

Procedures

Nov 17, 2020 2:00:00 PM / by Alex

Procedures are one of those essential pieces of documentation that every company has to have, especially when you are in the process of obtaining a large certification. Oftentimes procedures and policies are confused or misidentified, but this week we are defining them more clearly.


Full Transcript


SPEAKERS 

Vikas Bhatia - Founder & CEO, JustProtect
Bryan Urias - Security Analyst, JustProtect

Bryan Urias

Hello, everyone. Thank you for joining us again on SOC2. This week, we're going to talk about procedures. So, Vikas, thank you for joining me again. How are you doing?

Vikas Bhatia

Hey, Bryan, how are you?

Bryan Urias

Great. How about you?

Vikas Bhatia

Okay, thank you.

Bryan Urias

Good. So Vikas, last week you said that policies are the North Star of the company. How do you enforce them? How do you make sure that people are following what those policies entail?

Vikas Bhatia

That's a great question, Bryan. So most people actually think that policies are step-by-step instructions on what to do. That's actually a procedure. So the policy is the North Star; it says, you know, for example, all administrative passwords will be changed every 30 days. But it doesn't say, to change an administrator password on a particular system, you need to go to this menu item. That's sort of what the procedure does: a procedure is a documented set of steps to be able to demonstrate that a policy statement is being met.

Bryan Urias

So how do these procedures come to be? I mean, we know that we use certain standards like OWASP and different industry standards, but how do we take those and actually make a procedure?

Vikas Bhatia

You'd be surprised at how many procedures already exist within even a five- or ten-person firm. So, you know, what are the steps that you guys go through when you hire someone? What do you do when you have an employee that you're terminating? What do you do when someone who's external to the company asks for sensitive data? What you need to start thinking about is that most procedures are ad hoc or informal in nature. So I hire someone; that means I've got to put a job posting out, that means I've got to interview them, that means I've got to do reference checks or background checks, I've got to make sure that they've met the cultural fit of the organization. So these are informal processes, informal procedures, that are often not documented. So I would, you know, as you're working through your SOC2, start highlighting or documenting what the various procedures are that need to be documented, and ask the team, how do we do this today? So, for example, how do we make sure that our servers don't have any vulnerabilities? How do we make sure that there aren't any redundant accounts on our critical systems? And what you'll find is that there will be procedures; they will be informal. And all you have to do is create a, you know, I always say, I've said to my team, and I've said it too many times before, start with the five-bullet-point lists. Right? When you hire someone, we do these five things; when you fire someone, you do these five things; when you check for vulnerabilities, you do these five things, etc. So once you start building a list of what those procedures are and how you action them, that's the foundation of your procedure document.

Bryan Urias

Excellent. So how are these procedures affected by policies? Are procedures and policies on the same level? Do policies reign over procedures? Or how exactly do I write these procedures so that they align with my business goals?

Vikas Bhatia

As we discussed, a policy is a high-level statement that doesn't change very often. A procedure, on the other hand, is a lower-level document that can change a bit more frequently. So, for example, a policy statement might say that all administrative accounts, all administrative passwords, must be changed every 30 days. And you might have three or four different systems. So, for example, you might have JIRA, or your code repository, or your email systems. And each one of those specific systems may have a different way of changing the administrator password. So your Bitbucket might need you to go into settings, users, etc., etc. Whereas Google might want something else. So you would have a procedure that is a bit more specific, and that could be tailored to meet a particular system or requirement, but, as you've highlighted, it flows into the high-level statement, which is that the administrator password must be changed every so often.

Bryan Urias

So, now that we know that these procedures are under the policy level, do they need to be approved? What is the process of writing a procedure versus writing a policy?

Vikas Bhatia

So essentially, the policy is an organization-level document. The procedure, if you think about your job description, for example, right, so you hire someone to do a job. That job description will say, we'll do this, we'll do that, we'll do this, we'll do that. Well, each one of those statements should have a procedure attached to it. So what you need to do is work out all of the people in your organization who do various things, right. So your CTO might have an objective that we will produce secure code, for example. He or she might hire developers who are writing the code that needs to go through certain checks, so those checks could be, you know, step one, put it through, you know, do an npm whatever to do your patches and stuff. But you know, you're not starting from a blank sheet of paper; most people already have a job description. And those job descriptions are the things that need to get done. What we find is that the procedures are the next step down from those job description tasks.

Bryan Urias

Excellent. So now that we know how to draft these procedures, could you explain a little bit to us whether or not procedures are enforceable, or how we can follow them through?

Vikas Bhatia

So are procedures enforceable? Well, actually, the policy is the more enforceable statement; the procedure could be changed. So let's say, for example, you know, you hire an employee to check that your core backups are being performed every night. Well, if that employee has been tasked with checking that the backups were performed, and the procedure is: log on to the system, check that the backup occurred, etc., and they're not doing their job and therefore not following the procedure, then really it's enforceable at the job contract level or the task level, which is supported by the policy. You know, when the employee is checking the backups, for example, they may find that there's a better way to do it, a more efficient way to do it, which therefore means that procedures can change, and procedures don't really need to be approved every time that they change. So really, the enforceable action is around the job, right, the job role or the tasks. And those job roles and tasks should meet the strategic objectives or business objectives, which is supported by the policy.

Bryan Urias

Great. So, yeah, thank you for the information. So as you guys know, just get going with these policies, make sure they align with your procedures, make sure that your procedures are looking forward to the policies. So, Vikas, thank you so much for your time again this week. And I hope you guys enjoy this episode. Please leave your comments down below. We'd love to hear back from you guys. So leave us a comment, even if it's just saying hello. Leave a like, yep, subscribe wherever the little icon is, turn on those notifications so you know when we put up another episode. And thank you guys for joining us again this week.
