Vic-Bhatia's comments

Vic-Bhatia | 8 months ago | on: Excalidraw+ Is Now SoC 2 Certified

Former Head of Security GRC at Meta FinTech, and ex-CISO at Motorola. Now, Technical Founder at a compliance remediation engineering startup.

Some minor nits. One can't be SOC 2 "certified". You can only receive an attestation that the controls are designed (for the Type 1) and operating effectively (for the Type 2). So, the correct phrase would be that Excalidraw+ has received its "SOC 2 Type 1 attestation" for the x,y,z Trust Services Criteria (usually Security, Availability, and Confidentiality. Companies rarely select the other two - Privacy, and Processing Integrity - unless there's overlap with other compliance frameworks like HIPAA, etc.). The reason this is important is that phrasing matters, and the incorrect wording indicates a lack of maturity.

Also, as others have said, no one "fails" a SOC 2 audit. You can only get one of four auditor opinions - Unmodified, Qualified, Adverse, and Disclaimer (you want to shoot for Unmodified).

As an FYI, the technical areas that auditors highly scrutinize are access management (human and service accounts), change management (supply chain security and artifact security), and threat and vulnerability management (includes patch management, incident response, etc.). Hope this information helps someone as they get ready for their SOC 2 attestation :-)

Similarly, the report areas you want to be very careful about are Section 3: System Description (make sure you don't take on compliance jeopardy by signing up for an overly broad system scope), and Section 4: Testing Matrices (push back on controls that don't apply to you, or where the audit test plan doesn't make sense - auditors are still stuck in the early 2000s / "client-server legacy data center" mode and don't really understand modern cloud environments).

Finally, if you're using Vanta/Drata or something similar - please take time to read the security policy templates and don't accept them blindly for your organization - because once you do, they get set in stone and that's what you are audited against. (Example: most modern operating systems have anti-malware built in, so you don't need to waste money purchasing separate software, at least for year one - so make sure your policy doesn't say you have a separate endpoint protection solution running. Another one: if you have an office that you're using on a WeWork co-working space model only, most of the physical security controls like cameras, badge systems, etc. either don't apply or are the landlord's responsibility, so they are out of scope for you.)

Hope this comment helps someone! SOC 2 is made out to be way more complicated (and expensive) than it actually needs to be.

Vic-Bhatia | 1 year ago | on: Home insurers are dropping customers based on aerial images

Hi, this is a very informative post. I am trying to learn more about how the insurance industry works. Would you be open to sharing any resources (websites, books, etc.) that teach the 0 to 1 of insurance? Or can I DM you with a couple of questions? Thanks!

Vic-Bhatia | 1 year ago | on: Anatomy of a credit card rewards program

I would recommend Payment Systems in the US and Global Payments: And the FinTech Innovations Changing the Industry, for anyone looking to learn more about how value (aka payments) gets transferred, and the various players / their incentives along the value chain.

Vic-Bhatia | 2 years ago | on: Ask HN: How many of you are self employed?

Long-time lurker, first-time poster. Here goes… Founder/CEO of a bootstrapped compliance engineering startup. Ex-FAANG who got really frustrated by the engineering toil caused by audit and compliance management. Most compliance tasks are manual, repetitive, tactical, and lack enduring value. As an engineer who spent 20 years dealing with auditors and regulators globally and who understands compliance really, really well, I knew I had to change things or I would never forgive myself. If you're an engineer who's had to face auditors, you know what I am talking about :-)

Anyways, building out an automated cloud compliance platform. MVP is coming out in the next few months. B2B subscription-based SaaS platform for automated SOC 2 compliance in AWS. Post-MVP, looking at PCI and then some of the data privacy regulations. Also reviewing upcoming compliance requirements for AI and Electric Vehicle Charging Management Systems (EVCMS).

PS: Happy to answer any engineering questions or share tips on how to become compliant with the least toil. Regulators aren't engineers, and engineers don't understand what needs to be minimally done to get the auditors off their back, so this is my way of giving back to the community. Traveling internationally and will respond here on a best-effort basis, or my LinkedIn (listed in my HN profile) is the best way to reach me.

Cheers! Vic