SOC 2 is a framework for evaluating and reporting on the effectiveness of a company's controls related to security, availability, processing integrity, confidentiality, and customer data privacy. To meet common SOC 2 standards, a company must procure, deploy, configure, and manage a few different types of security software. Deploying, integrating, and managing tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) is challenging.
Zip was purpose-built to solve this challenge.
Getting to SOC2
SOC 2 Type 1 and Type 2 reports differ in the period covered by the audit. A Type 1 report evaluates the design of controls at a specific point in time. In contrast, a Type 2 report evaluates the design and operating effectiveness of controls over a period of time, typically six months to a year.
For a SOC 2 Type I audit, you should have at least the following protections on your corporate endpoints:
- Disk Encryption — FileVault for Macs and BitLocker for Windows
- Password Protection — There should be a password required to gain access to the computer
- Screen Lock Policy — The computer should automatically ask for the password after a certain interval of inactivity
- Antivirus — Some antivirus tool should be installed on your endpoints.
Deploying MDM is the right way to enable these configurations and prove to an auditor you have done so securely. Zip provides pre-configured instances of best-in-class MDM tools with these protections before your first login.
The big difference with SOC 2 Type II is that it assesses your security posture over a period of time. This implicates new types of policies that aren’t audited under Type I.
As one example, consider the standard policy, “We will patch all high-severity vulnerabilities on our corporate computers within 30 days.” This puts a new burden on your organization. Specifically, someone needs to be:
- Monitoring for these vulnerabilities and categorizing their severity
- Deploying technical controls to patch the vulnerabilities
- Following up to ensure that the organization is compliant with the policy
Zip solves all three of these challenges for our customers.
This guide explains the SOC 2 framework for evaluating a company's controls related to security, availability, processing integrity, confidentiality, and customer data privacy — and how Zip can be used to easily meet the standard for any company considering going through an audit. Zip provides pre-configured instances of best-in-class MDM tools to enable necessary configurations for a Type 1 audit and manages the tools to ensure compliance with policies.