This is not some fluffy article explaining the basics of SOC 2 compliance. I'm guessing you are not here because you need a basic overview. If that is what you are looking for, I covered the topic in a previous blog post here.
It's very likely that you are here because you are actively looking to get a SOC 2 compliance report. You may not have been through a SOC 2 assessment or audit before, and you may not know what is needed or how to implement any of the SOC 2 controls. There is also a good chance that you don't know how much to expect to pay and have very little, if any, budget pre-allocated to the effort. All that you are sure of is that your customers and your management team are demanding SOC 2 compliance NOW!
SOC 2 compliance cost is unbalanced for small businesses
The cost question is typically the first one that comes to mind as it is an especially important one for an early stage company. Achieving SOC 2 compliance status is no small feat. The cost can vary significantly based on your organization's size and complexity. For many organizations, SOC 2 Type 2 implementation and maintenance can easily cost upwards of $100K, in addition to the added cost of the audit itself.
Most early stage companies haven't reached $100K in annual revenue yet, let alone having that much cash to spend on compliance. Spending more money than the business makes to protect the business does not make any sense at all, yet the lack of a security and compliance attestation may be an inhibitor to growth and larger business opportunities.
To break this chicken-and-egg problem, here's a playbook of how to get your SOC 2 compliance on a shoestring budget — at a cost of almost zero outside of the annual penetration test.
Become SOC 2 compliant at near zero cost
The table below lists all of the baseline controls that are needed for an early stage technology startup to build an initial security program that will lead to a successful SOC 2 compliance audit.
A few notes:
The list provides mostly cloud-native and open-source security solutions to establish a solid baseline. Commercial alternatives can be adopted based on the organization's demand and maturity.
Some of the examples provided are based on services in AWS. Equivalent solutions are available in Azure and Google Cloud. Links to resources are provided, when available.
JupiterOne provides a completely free tier for pre-revenue startups for the first year, and a 50% ongoing discount thereafter. The 50% discount is also available to startups with less than $1M in annual revenue.
Controls and Solutions
Governance | Total Cost $0.00
Control | Solution | Extra Cost | Description
Policies and Procedures | JupiterOne | $0.00 | You need a robust set of formal information security policies and procedures for your organization. JupiterOne provides a library of >150 policy and procedure templates that have been field tested in actual SOC 2 audits and other assessments such as HIPAA and PCI.
Knowing what you have is the foundation to any security and compliance program. JupiterOne auto discovers cloud-based assets and allows you to upload your own via JSON/CSV/API. Free for 1000 asset entities.
Google VSAQ is an interactive questionnaire web app to support security reviews by facilitating the collection of information and the redisplay of collected data in templated form. A third party vendor registry can be kept in JupiterOne.
Risk assessment is a foundational step in any security governance program. It is a mandatory step under regulations and compliance frameworks like HIPAA and GDPR. Unfortunately, performing a risk assessment is a fairly involved process that happens every year and typically takes days, if not weeks, each time. There are many risk management software products aimed at solving just this challenge, yet that's another tool and another cost. Using JupiterOne together with an issue tracking solution like Jira can help streamline this process down to hours without any additional tooling cost. See the linked article for additional details.
Here's a no-cost approach to cover the compliance requirement to perform pre-employment background checks for your employees: ask them to obtain and provide their own free background check report, provided by Better Future. Plenty of paid alternatives are available, with pricing usually starting at $20 per applicant, including Checkr, ClearChecks, and GoodHire.
Leverage the onboarding / offboarding capability included in your organization's HR Service Management software (e.g. BambooHR or Gusto). Alternatively, simply set up an HR project in your existing ticketing system (such as Jira) with a templatized checklist for each ticket.
You most likely already pay for G Suite (or something similar like Microsoft 365) as part of your IT spend. There's no additional cost specific to security.
If you use G Suite, you can easily set it up as your SSO provider with lots of pre-integrated SAML apps. Dedicated solutions are also available, such as Okta, OneLogin, or JumpCloud.
From time to time, you may have to share a confidential document or sensitive file with someone by email or via USB drive. Before sharing, use Deadbolt: select the file to encrypt, enter a password, and that's it.
Cloud service providers already include data encryption as a feature for most, if not all, of their services at no extra cost. This includes encryption for data-at-rest (e.g. AWS S3, RDS, EBS, DynamoDB, etc.), data-in-transit, and encryption key management. All you have to do is enable it.
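Enabling encryption is easy to forget on one resource; the audit will ask for evidence that it is on everywhere. The check below is an added example (not the article's or JupiterOne's code): it evaluates resource descriptions in the shape boto3 returns for S3 `get_bucket_encryption`, EC2 `describe_volumes` and RDS `describe_db_instances`, but runs entirely on a constructed sample inventory, so no AWS account is needed.

```python
"""Evidence check: which data stores lack encryption at rest (constructed data)."""
from typing import Dict, List

# Constructed sample inventory, not real resources. A bucket whose config has no
# ServerSideEncryptionConfiguration key models the case where the API raised
# ServerSideEncryptionConfigurationNotFoundError (no default encryption set).
SAMPLE_INVENTORY = {
    "s3": {
        "app-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/app"}}]}},
        "legacy-exports": {},
    },
    "ebs": [
        {"VolumeId": "vol-0aaa", "Encrypted": True},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ],
    "rds": [
        {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": False},
    ],
}


def s3_default_encryption(bucket_cfg: Dict) -> str:
    """Return the bucket's default SSE algorithm ('AES256' or 'aws:kms'), or '' if none."""
    rules = bucket_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return ""


def unencrypted_resources(inventory: Dict) -> List[str]:
    """Return 'service:id' for every resource without encryption at rest."""
    findings = []
    for name, cfg in inventory.get("s3", {}).items():
        if not s3_default_encryption(cfg):
            findings.append(f"s3:{name}")
    for vol in inventory.get("ebs", []):
        if not vol.get("Encrypted", False):
            findings.append(f"ebs:{vol['VolumeId']}")
    for db in inventory.get("rds", []):
        if not db.get("StorageEncrypted", False):
            findings.append(f"rds:{db['DBInstanceIdentifier']}")
    return findings


if __name__ == "__main__":
    for finding in unencrypted_resources(SAMPLE_INVENTORY):
        print("encryption at rest not enabled:", finding)
```

Pointing the same functions at live describe-output turns this into a repeatable piece of audit evidence; a non-empty result is a control exception to remediate.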
For small teams, it is completely feasible to have each team member self manage their own user device, as long as there is a way to monitor the configuration compliance. Netflix's open source Stethoscope app does exactly that, and JupiterOne provides a wrapper for easy installation and reporting.
Trend Micro Antivirus One is a free app for macOS. Windows 10 comes with Windows Defender, which is enabled by default. Or you can purchase the commercial solution from Trend Micro or Malwarebytes with centralized management. JupiterOne integrations can then be enabled to provide compliance evidence.
Practicing secure by design is important for the development lifecycle. However, threat modeling exercises can get very complicated and confusing very quickly. A lightweight approach is to document major features, each with required sections for data flow, security considerations, and privacy considerations — e.g. in the form of an RFC (Request for Comments).
Enable and enforce pull requests and review approvals for your Git repos. JupiterOne integrates with all three leading Git SCM platforms — Bitbucket, Github, GitLab — to provide analysis and compliance reporting to ensure and provide evidence that code has been approved by an authorized person other than the code author.
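What an auditor actually samples for this control is the list of merged pull requests and, for each, whether an approver other than the author signed off. The script below is an added example, not JupiterOne's integration or code from the article: it runs that check over constructed pull-request records shaped loosely like an SCM API response (author, merge status, reviews in chronological order), counting only each reviewer's most recent review state so that an approval later overridden by a change request does not count.

```python
"""Evidence check for the code review control (constructed sample data)."""
from typing import Dict, List

# Constructed sample pull requests; reviews are listed in chronological order.
SAMPLE_PULL_REQUESTS = [
    {"number": 101, "author": "alice", "merged": True,
     "reviews": [{"user": "bob", "state": "APPROVED"}]},
    {"number": 102, "author": "bob", "merged": True,                 # self-approval
     "reviews": [{"user": "bob", "state": "APPROVED"}]},
    {"number": 103, "author": "carol", "merged": True,               # never approved
     "reviews": [{"user": "alice", "state": "CHANGES_REQUESTED"}]},
    {"number": 104, "author": "dave", "merged": False,               # open: out of scope
     "reviews": []},
    {"number": 105, "author": "erin", "merged": True,                # approval withdrawn
     "reviews": [{"user": "bob", "state": "APPROVED"},
                 {"user": "bob", "state": "CHANGES_REQUESTED"}]},
]


def latest_review_state(pr: Dict) -> Dict[str, str]:
    """Map each reviewer to the state of their most recent review."""
    state: Dict[str, str] = {}
    for review in pr["reviews"]:
        state[review["user"]] = review["state"]
    return state


def independent_approvers(pr: Dict) -> List[str]:
    """Reviewers whose latest review is an approval and who are not the author."""
    return sorted(user for user, state in latest_review_state(pr).items()
                  if state == "APPROVED" and user != pr["author"])


def unapproved_merges(pull_requests: List[Dict]) -> List[int]:
    """Numbers of merged PRs lacking an independent approval: control exceptions."""
    return [pr["number"] for pr in pull_requests
            if pr["merged"] and not independent_approvers(pr)]


if __name__ == "__main__":
    for number in unapproved_merges(SAMPLE_PULL_REQUESTS):
        print(f"PR #{number} was merged without an independent approval")
```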
It is important to keep track of all open source dependencies used in your code and their licenses. Misuse of an open source license could expose your code to legal liability.
FOSSA is a solution that provides both compliance and security scans. The compliance (licensing) part is free for small teams.
Static application security testing (SAST) software inspects and analyzes an application’s code to discover security vulnerabilities without actually executing code.
AppThreat/sast-scan is a fully open-source SAST scanner supporting a range of languages and frameworks. It integrates with major CI pipelines and IDEs such as Azure DevOps, Google Cloud Build, VS Code and Visual Studio. No server required!
Dynamic application security testing (DAST) tools automate security tests for a variety of real-world threats. These tools typically test the HTTP and HTML interfaces of web applications. Use them to identify vulnerabilities in your applications from an external perspective, which better simulates the threats most easily reached by attackers outside your organization. OWASP ZAP is a free and open source web scanner.
Travis CI and GitHub Actions are probably the best free solutions for continuous integration and continuous deployment (CI/CD). Many alternatives are available, such as CircleCI and Jenkins.
You probably already use Jira (or something equivalent) to track issues for your development. The same issue tracking system can be used to track production change tickets and their approval. JupiterOne can be integrated with your CI/CD pipeline as the security decision engine / gate to make automated approval decisions using a change management bot.
If your application runs in the cloud, start with a native logging solution from your cloud service provider, such as AWS CloudWatch, which includes a free tier.
AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data. It analyzes events from AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. It starts at $4/month for the first million events as of the time of this article.
JupiterOne aggregates findings, alerts, and observations from different sources, including SIEM (e.g. AWS GuardDuty), and leverages graph query rules to correlate, deduplicate, prioritize, and alert.
Dispatch is an open source tool created by Netflix to manage security incidents. It integrates with existing tools used throughout an organization — Slack, G Suite, Jira, JupiterOne, etc. — and leverages the existing familiarity of these tools to provide orchestration instead of introducing another tool.
Spending more money than the business makes to protect the company's sensitive systems and data is just bad business. Let's break the vicious cycle of companies spending outrageous sums of money to achieve compliance. Use this recommended SOC 2 compliance on a shoestring budget playbook and achieve complete SOC 2 compliance for as little as $48.00.
Erkang Zheng
I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right.
I am a cybersecurity practitioner and founder with 20+ years across IAM, pen testing, IR, data, app, and cloud security. An engineer by trade, entrepreneur at heart, I am passionate about technology and solving real-world challenges. Former CISO, security leader at IBM and Fidelity Investments, I hold five patents and multiple industry certifications.
I am building a cloud-native software platform at JupiterOne to deliver knowledge, transparency and confidence to every digital operation in every organization, large or small.