Much Ado About SOC 2: Best Practices for Healthcare SOC 2 Audits

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Cyberattacks against healthcare organizations and their business associate vendors have begun to threaten patient safety and fundamental business operations. As a result, SOC 2 audit reports have become one of the most common and cost-effective vehicles for healthcare organizations to demonstrate adoption of controls relevant to security, availability, confidentiality, processing integrity and privacy. 

However, acquiring a SOC 2 audit report can be a challenge for many organizations and there are often questions that arise about how to achieve SOC 2 compliance with the least amount of cost, effort, and time.  

Join us for this episode of The CyberPHIx where we hear from Paul Gray, Chief Information Security Officer for Meditology Services.

Paul provides insights from his decades of experience with SOC 2 best practices and answers some frequently asked questions: 

  • What is SOC 2 compliance? 
  • What are the different types of SOC audits including SOC 1, SOC 2, and SOC 3? 
  • Why do healthcare organizations obtain SOC 2 audit reports? 
  • Are healthcare vendors required to obtain SOC 2 reports?
  • What are the AICPA Trust Criteria? 
  • What other certifications are available for healthcare organizations? 
  • What should healthcare organizations do to prepare for a SOC 2 audit? 
  • What are critical success factors for a successful SOC 2 engagement? 
  • What are some common pitfalls for healthcare organizations seeking to obtain a SOC 2 audit report? 


Brian Selfridge: [00:00:20] Hello. Welcome to The CyberPHIx, your audio resource for information security, privacy risk, and compliance for the health care industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in health care, cybersecurity, and privacy. And today, in this episode, we'll be speaking to Paul Gray. Paul is the Chief Information Security Officer for Meditology Services and will be sharing his insights with us from his many years of experience providing virtual CISO services and technology and security leadership for a variety of organizations. 

Brian Selfridge: [00:00:48] Specifically, we'll be speaking with Paul about his experience managing SOC 2 audits, both as a CISO and as an auditor. With respect to our topic of SOC 2 audits: cyberattacks against health care organizations and their business associate vendors have begun to threaten patient safety and fundamental business operations. As a result, SOC 2 audit reports have become one of the most common and cost-effective vehicles for health care organizations to demonstrate adoption of controls relative to security, availability, confidentiality, processing integrity and privacy. 

Brian Selfridge: [00:01:19] However, acquiring a SOC 2 audit report can be a challenge for many organizations, and there are often questions that arise about how to achieve SOC 2 compliance with the least amount of effort, cost and time. So we're going to tap into Paul's experience to get his insights into how to do this whole SOC 2 thing the right way, and we'll talk about some of the wrong ways too. And hopefully, that will be insightful as well. So let's dive into another great conversation with yet another amazing guest, Paul Gray. 

Brian Selfridge: [00:02:03] Hello. Welcome to The CyberPHIx, the leading podcast for information security and privacy, specifically for the health care industry. I'd like to welcome my guest, Paul Gray. Paul is the Chief Information Security Officer for our own organization, Meditology Services. Prior to Meditology, Paul's had management and leadership roles for a variety of organizations, including Smith and Howard, Lockstep Technology Group, Conklin Intercom, XIT Communications, MicroFour, Inc., and others. His consulting experience has included serving as a virtual CISO to build and manage security programs both within and outside the health care industry. Paul's been on both the auditor and the audited side of security certifications like SOC 2 examinations, which makes him the perfect person to talk to about our topic today, which is "Much Ado About SOC 2: Best Practices for Health Care SOC 2 Audits." So we have a lot of ground to cover today, and I'm looking forward to learning from Paul's insights on SOC 2 audits. So with that, Paul, thank you so much for taking the time to join us today on The CyberPHIx. We're very excited to have you. 

Paul Gray: [00:03:05] Well, thanks for having me. I appreciate being invited. I hope I can be of some use and knowledge to your audience there. So let's get started. 

Brian Selfridge: [00:03:17] Great, I'm sure you will. There's a lot to dig into here, so I guess before we get into the nitty-gritty of this topic, let's do a little bit of level setting with our audience. Could you help us by briefly describing a little bit about what a SOC 2 audit is at a high level? And also, I guess, to preface that a little bit: I've heard it called many things, SOC 2 audits, SOC 2 certifications, SOC 2 examinations, attestations. Maybe you can start us off with what's the right term, and then maybe, what is a SOC 2 audit at a high level? That would, I think, help us just understand what we're talking about here. 

Paul Gray: [00:03:52] Ok, well, let's break down the question a little bit. So, to talk about what it is, a SOC 2 type of audit, or attestation, or whatever, let's talk about the framework then. So the SOC 2 is done by, is governed by, an organization, the AICPA, and they also do the SOC 1 audit. So it comes out of an accounting background; that's where that audit framework comes from. And so there are other frameworks, as you know, HITRUST and ISO and the other frameworks, and they all come from different backgrounds, so they are all done differently. The SOC 2 is an actual audit because it comes from a CPA background. And there's the SOC 2 type one, I'm sorry, there's the SOC 1 type audit, which is the financial audit, and then the SOC 2 is the IT technical one where they add those criteria and those controls in there so that you can see how, while you're meeting certain criteria. So it is a SOC 2 audit you go through. But if you want to talk about it, you can do a SOC 2 readiness, you can also do a scaled down type of thing that the different consulting firms will do, and a SOC 2 attestation. There is no such thing as those that I'm aware of, but you can get a consulting firm that will tell you that you're SOC 2 ready or whatever, but there's only one official SOC 2 audit certification, and that comes once you have completed it with an AICPA certified organization that can provide that. 

Brian Selfridge: [00:05:41] Can we tease out that whole SOC 1, SOC 2, SOC 3 thing a little bit more? I know you mentioned sort of the financial aspect of that, but why would an organization get a SOC 1 or SOC 2 or SOC 3? Do they ever get all three of them? Maybe, maybe. How does that work? 

Paul Gray: [00:05:56] Ok. So yeah, that's an easy thing to answer. The SOC 1 is basically a financial audit that goes through and verifies that the financials are being done by a certain framework and standard. So an organization many times will have a SOC 2 along with a SOC 1 audit. There are different types of audits, though. When you have a Type I audit, that basically means you've gone through and you've provided all of the policies and procedures and everything that goes along with the framework, and they verify that you have all of that. A SOC 2 Type II audit is not only where you show that you have all the policies and procedures; you also show, and you prove, that it's being done. You have samples taken out of your documentation, out of your policies and processes. You will pull configurations out of your systems. You'll look into your auditing logs, you'll look into your monitoring, where you've done that. You'll show your change management and prove that you've done something. So with SOC 2 Type II, I'm not just saying I'm doing it, I'm actually proving that I'm doing it. So that's the big difference between a Type I and a SOC 2 Type II. Between a SOC 2 and a SOC 1: one is financial, one is the technical side of it, and the SOC 3 is more of a marketing audit. So it's not full in depth like a SOC 2 is, and you're not proving everything, but that one actually is more of an attestation of saying that I'm doing this, and it's generally used as a marketing tool, and that one's published out on a company's website. The SOC 1 and the SOC 2 audits, you'll never see them published on someone's website. You'll generally have to request them because they do contain confidential information; they'll show certain risks and everything about a company, so you don't want to publish those outwardly. 

Brian Selfridge: [00:08:23] Now for health care, is there one flavor of SOC audit that's more dominant than others? Do organizations get the Type I, the Type II, type three more frequently than others, or is it a pretty even spread from your experience? 

Paul Gray: [00:08:36] Well, from my experience, most of them get the SOC 2 Type II. And generally, what happens there is that they do it because their customers are asking for that to verify that certain security measures are being taken and that certain practices are done. They want to protect their own interests. They want to protect their own data, and therefore the customer will request it. And sometimes they have policies that they'll only do business with companies that are SOC 2 certified. It'll be in their agreements as well. 

Brian Selfridge: [00:09:14] Yeah, sometimes I hear the term SOC 2 compliance. I think when people think compliance, a lot of times it's focused on regulatory mandates and "now you must do this or you must do that" type of thing. Are SOC 2 audits required for vendors, or is there any law or regulation that supports them? Or is it just more of a contractual sort of preference from the customer? 

Paul Gray: [00:09:36] There are no legal requirements for anybody to have them at this time. There are only contractual agreements that will end up having those, and that's when companies have certain standards that they have to meet. In the health care industry, as you know, the government ones are generally HIPAA standards on the privacy and everything like that, but that is not the case with the SOC 2 framework. 

Brian Selfridge: [00:10:06] From a HIPAA compliance standpoint, is there any benefit to getting a SOC 2 certification, going through the process, getting your policies in order? Does that help you with your true compliance, your HIPAA compliance, in any way? Or do you think it's totally separate and distinct? 

Paul Gray: [00:10:23] Well, when it comes to HIPAA, SOC 2 can help you greatly. HIPAA doesn't have any kind of testing framework; it's more of, you know, these are guidelines of what you have to do, and you have to do due diligence, and the way to prove that due diligence could be through a SOC 2 audit. They'll go through and the controls will be specific for your industry and for your environment, how you have all these implemented, and they'll define how you're meeting certain security and certain framework measurements. And so it'll definitely help support your HIPAA. It'll make sure that it's in. It'll also validate whether it's effective or not, and if it's actually doing what you think you have it configured to do. And if it's not, it'll identify what the gap is. 

Brian Selfridge: [00:11:22] So I know with other certifications like HITRUST, for example, there's the HITRUST Common Security Framework that forms the basis for the audit and the assessment against, you know, the specific controls that you need to pass or fail or comply with to get HITRUST certified; NIST is another example. But for SOC 2, what is the sort of control framework that's driving the assessment that organizations need to match up against? 

Paul Gray: [00:11:47] Ok, so the AICPA has defined certain critical criteria, and they have them categorized into groups, and they could be things like change management, risk assessments, monitoring, you know, availability, confidentiality, and then they break out into defined categories of, you want to meet a certain thing, and then it gives you suggestions of what kind of control it can be, and then you define that control for that critical criteria. Look for a testing objective inside of your environment, how you're meeting that critical criteria. Whereas HITRUST is more direct on saying you will do this, the AICPA says you need to make sure that you keep your data confidential; tell me how you do that, and then you talk through and you define the controls. Now, that being said, there is a pretty, you know, cookie cutter commonality between all the audits because most of them guide certain things: are you auditing for this, are you monitoring this, yes or no? You know, do you do backups? Are you doing, you know, role based access? Some of these are pretty much direct, but you get to put your own flavor on how you're meeting it, and it doesn't have to be "you're doing it this way." You could say, I'm doing it my way, but I am doing it, and then you show how you do it, and that gives you the flexibility to use different tools, this and that and the other. It also allows you to move to a cloud environment; whether you have a hosted environment, you can have hybrid environments. It allows you to provide those solutions in whatever kind of IoT menu and be flexible. But it also allows you to scale down, and also one of the things with an audit, when you scope it out, you don't have to do everything you want. You can scope it down into what is applicable for this area that you're trying to address and apply all of these security items and oversight. 

Brian Selfridge: [00:14:09] I'm glad you mentioned the scope aspect of it, because I know some organizations say, well, we're SOC 2 certified, but often that might be for a subset of the environment or some portion of the environment. What have you seen be the typical scope for SOC 2 audits? Is it the entire organization, enterprise wide? Is it a single application and maybe the supporting infrastructure? How have you seen sort of the scope generally applied to SOC 2 audits? 

Paul Gray: [00:14:39] Well, that's a good question. And in today's world, especially with a lot being in the cloud, it's important to scope these correctly and define it to an area where you actually have the ability to control the environment. So with Covid and working from home these days, if you define your environment down to where that data actually resides and the interface into that data, and basically keep it lean and mean, down to the exact area that you need to do, and you apply your controls, that allows you to be more effective, more efficient, and supply a better product and secure that system; it gives a better delivery system. So scoping out, scoping out buildings, scoping out end users: if you treat your end users with the work from home just like you would treat any other customer coming in, that allows you to scale it down and do a lot better job at delivering these controls. 

Brian Selfridge: [00:15:49] So my understanding is there's a reporting period with SOC 2 that, I guess, is the audit period, the time or point in time at which you're looking at the controls. Could you tell us a little bit about what that's all about? And is that something that's used for other certifications, or is that just a SOC 2 thing? What is the reporting period, and are there different options for that? 

Paul Gray: [00:16:12] Well, the reporting periods are different between different frameworks, and generally what happens on a SOC 2 is that you try to get that reporting period; they prefer six months, and that is the intended period. But after that, they generally want to go year after year. We're doing that. And what you're doing by defining that period is saying we have been doing this during this period of time. And so you get that updated on a yearly basis, and ISO and HITRUST, they all work off the same kind of cycle as those do. But you're testing during those periods that you are delivering this; when you get certified, you're basically saying I have been tested during this period and proved that this is what I'm doing. And so it's a good idea, if it's your first time, to plan well ahead in advance so that you have time to go through and assess where you are now. Leave time so that you can remediate, and then go back and have a period to prove that you've been doing that. If you're not doing certain items during the initial period, that is going to throw your testing period off because you have to be doing it for at the very least three months. 

Brian Selfridge: [00:17:38] Is that the most common, three months, that organizations will do, or do they go all the way out to six months or a year in some cases? And why would they do that? 

Paul Gray: [00:17:47] Well, the most common to start out is six months, and that is basically from the AICPA. The auditors actually have peer reviews, and they'll allow so many three month audits to pop in there. There are time frame constrictions that happen, and they understand that, but they prefer six months as a governing organization to start out. And then after that, they prefer the 12 months as an ongoing period thereafter. And there is really no reason not to be going 12 months after you've gotten a SOC 2 audit. 

Brian Selfridge: [00:18:32] You mentioned the kind of AICPA requirements and peer review. Maybe could you talk a little bit about, can any organization you work with do a SOC 2 for you, any consulting firm? Or does it have to be certain types of firms? How does that work for organizations that are looking to shop around for a SOC 2 auditor? 

Paul Gray: [00:18:53] Well, as far as being able to prep for it or wanting to get ready, I mean, there are a lot of organizations that can help, good consulting firms out there, but it's recommended to have whoever is going to do your audit actually do your assessment. The reason for that is, no matter where you're getting audited, it's generally the interpretation of the auditor whether the control is actually being met or not. So it's a good idea to have whoever is going to give your certification do the assessment because they will let you know, as you're implementing the controls, whether they meet them or not. Now, who can deliver those? You have to be an auditor. You have to be part of an auditing firm that's accredited. They have to be a CPA firm first and foremost, and then they have to be able to prove that they are doing it according to AICPA standards, because they will be reviewed by them as well. And in our industry of health care, one of the things I can tell you, especially having done a lot of different industries: you will find a commonality when you hit into different industries. Health care, as everybody knows, is a very specialized industry and does things differently than most every other industry. If you can find a firm that specializes in health care, you're going to have a lot better experience getting prepped, remediated, and staying on track with that CPA, part of that in the health industry, and delivering that year after year, and you'll get a lot better product if you can find that. 

Brian Selfridge: [00:20:44] Now, a SOC 2 is not the only certification in town, you know; are there others? We mentioned HITRUST earlier. Others that compete, quote-unquote, with SOC 2? And why would an organization choose to pursue a SOC 2 certification over some of the other flavors that are out there? 

Paul Gray: [00:21:03] Well, as far as different flavors of them, you know, HITRUST, as we said; HIPAA is actually a standard that you don't really get a certification or anything on. There's ISO, which is, the overlap of ISO and SOC 2 is only about 50 percent, so half of what's required in SOC 2 is required in ISO, and half of what's required in ISO is only required in SOC 2. The reason to get any defined framework is more or less dependent upon what your customers are asking for and what industry standards you are trying to live up to within your operations as well, and which fits the better guideline. ISO is another framework that is like HITRUST, where it is more directive, saying you will do this and this is how you would do it. It's not as flexible as a SOC 2 audit is. So for an industry such as the health care industry, you have a plethora of environments within there: you're going to have clinics, you're going to have hospitals, you're going to have doctors' offices, you're going to have pharmaceutical companies, you're going to have, you know, all kinds of different companies that are basically doing health care but delivering those services in a different way. The SOC 2 gives you a lot more flexibility and functionality to put it to how you're operating and what you're delivering and show that you're meeting certain standards. Instead of you having to force your business model into another framework, it does allow a lot more flexibility. 

Brian Selfridge: [00:23:03] Is there a degree of difficulty or cost range when you're looking at a SOC 2 versus a HITRUST versus ISO? Is one quote-unquote easier than the other to get? Or are they about the same in terms of level of effort and cost? 

Paul Gray: [00:23:19] Well, I can tell you, ISOs are not cheap. They can be very difficult to do depending on what you already have in place, and from my background, I've noticed that generally someone will have another standard in place before they have ISO. They don't put ISO in first. As far as cost goes, a SOC 2 is probably the most cost-efficient if you're coming in at the front end and you want to put a framework in and prove to your customer base or potential customer base that you have security practices in place. The fact that you can own your own controls that meet that critical criteria allows you the flexibility of what kind of tools you're using and how you're doing it. It'll also allow you to put in scope just a certain part of your business, whereas when you deal with certain other frameworks, you don't have a choice of what goes in scope. Sometimes whatever this touches has to be in scope, and with SOC 2 you don't have to do that. You can define your scope. You have more flexibility in defining your scope, what you're delivering. So the SOC 2 can be a lot more cost-effective, and it's easier to grow with anyway. And that's one of the things about a SOC 2 framework and audit: you're not looking for the status quo every year. Every year you're getting the audit done, you're looking for growth, you're looking for maturity, you're looking for things to improve every year and every year. If you're having your audit done properly, you'll end up with office and caps at the end of every audit and things to do to improve. And it should be a path of growth and maturity. It's the same with the other ones, but they can be a lot more costly to even get that first, especially to get the first certification. 

Brian Selfridge: [00:25:29] Do organizations ever get more than one certification, a SOC 2 plus something else? And, you know, what would be some considerations for kind of getting multiple certs, if that's a thing? 

Paul Gray: [00:25:40] They get multiples all the time. It's very common to have a HITRUST and SOC 2 certification. One of the reasons for that is because they have the requirements from their customer base. Bottom line, depending on, you know, who that vendor, who that customer is they're dealing with, and what kind of customer they are, is what requirements they're going to make of their service provider there. And so while some companies may require a SOC 2 audit, others will definitely require a HITRUST audit to be done, and the ISO ones are not as demanded as much as they used to be. They're all international in the first place, but the ISO comes out of a different background and framework of industry standards. 

Brian Selfridge: [00:26:39] Now, is SOC 2 just a security thing, like some of the other certifications? HITRUST is in large part a security certification, or they have some privacy options. Is there a way to get SOC 2 privacy certified? Does anybody actually do that? How does that work? 

Paul Gray: [00:26:56] Well, there are actually five categories on it. The SOC 2s come in security, which is the core frame. So whenever you have a SOC 2, you're always going to get the security part of it. But they have different categories as well. There's availability, there's confidentiality, there's processing integrity, and there's privacy. So the availability is where you prove, and anybody that's aware of the triad, you know, confidentiality, integrity and availability, is making sure that you have all the information stored and readily available as needed. So you've got to prove that you do backups, that you have disaster recovery, business continuity, things along those lines. Confidentiality, that's where you want to make sure that you're proving that you're protecting the data. So you're going to show that your data is classified, that it's reviewed. If there is a policy or procedure, or if there is a standard that you must, we must delete certain data after six years, eight years, 12 years, depending on what industry standards you may be trying to show that you implemented and that you follow, the confidentiality allows you to prove that that is being completed and in place on a regular basis. 

Paul Gray: [00:28:21] Processing integrity basically is the accuracy of data. And so that shows that you are verifying that the data is accurate, and how you test it and how it's implemented. So you're showing that you do that. And privacy, of course, is a big thing these days. We're all familiar with it, and there's kind of an overlap here with certain others, like the California one and the GDPR. The privacy part of a SOC 2 audit is so that you're very aware of how you collect the data, how long you retain it, how it's disclosed, anything along those lines. And so you show your policies and procedures for it and you prove how you're completing that as well. So it is very flexible. One of the most common is what we call a SOC 2 SAC, which generally does the security, the availability and confidentiality. Those are the biggest, the most common ones. And the reason they're the most common is because that's what customers are requesting to prove. So that will depend on what kind of audits someone generally has. 

Brian Selfridge: [00:29:35] Excellent. I want to switch gears with you a little bit from the sort of "what is SOC 2?" type of discussion into the process. So let's say an organization wants to go down this route of obtaining a SOC 2 audit report or certification. How long does it typically take to go through that process from end to end? I know there's variance, I'm sure, depending on the scope and organization size, but you know, in general; that's always a tough question to put to practitioners in general. But how long, from your experience, does it typically take? Well. 

Paul Gray: [00:30:10] This is one of those things that depends on the entity themselves. It depends on where they're at in the process, but it can take anywhere from three years, and it can be three to five years, depending on a large organization that was not compliant, starting from scratch. That could be three to five years, and you'd have to be dedicated. And I've seen customers turn around and do it within a year as well. So they say, we're going to do it now; they do a readiness, they get remediated, and then they're audited. So I've seen it happen within a year as well. In fact, I had one last year that went from scratch, did a readiness, did a SOC 2 Type I, and then a SOC 2 Type II all within the year. So it depends on the customer. But the big things that you have to think about if you're going to go down this path is you need to do your homework up front. You have to realize and understand what the criteria are and have a plan of how you're going to meet those criteria. Define what you want your controls to be. 

Paul Gray: [00:31:15] Work with a firm that you're going to have do the audit for you so that you know the path; find that path, get on that path, go through, then test them upfront, make sure that they're effective. Make sure your policies and procedures are in place. Give yourself time to roll out policies and procedures so you can train your people, train the organization, get everybody on board. And this is one of those things too: it really needs to come from the top down of an organization. You need to have it from the very top of leadership all the way through so that you can help implement the changes, and operationally, because it is one of those things that will change the way you do business. It'll change the way you operate, and it'll change the way that you look at things. And one of the things I've always said is security is a mindset. It's not a technology thing. And if you can adapt that mindset throughout and buy into that and understand what's trying to be done, it's easier to implement, and that'll make your timeframe actually even faster. 

Brian Selfridge: [00:32:31] Does it get easier every time you go through the process? My understanding is SOC 2 is an annual event for many organizations. If you've been doing it for a year or two years, three years, and you have those corrective action plans sort of cropping up each time, does it get easier to get through the process year over year, or is it just about the same level of effort every time you go through the wringer? 

Paul Gray: [00:32:52] It's easier every year. And one of the reasons that it gets easier every year is because you're learning more and more about what it is you're trying to do; the more you learn it, the more you understand it, the better you can do it. And then not only that, one of the things that happens along there, you know what to expect when you start going through the audits, you understand what the deliverables are. It will also help. You can get better year after year because you can start automating processes. You can start understanding what I'm monitoring, and what has become an effective tool, and then it's easier to give the data when it's time for the audit to happen as well. It'll help you keep records better because now you know what you're expected to deliver every year. And the thing is, because these are controls where you talk about your own process, it helps you improve your own processes internally. It helps you define your workflows, understand your workflows, make them more effective and efficient. And that's one of the things that a lot of people don't understand about security. Security isn't just about protecting data; it's about being effective and efficient and making sure that that data is available and that it is accurate. And so you're learning how to take better care of what you have, and you get better at it every year, and it gets faster every year, and people understand it better year after year. 

Brian Selfridge: [00:34:25] Yeah, I suspect in the last year or 2 the idea of availability and its criticality from a security standpoint has become more prominent with ransomware and everything else, which is basically just a big old attack on availability. And you know, it seems like years ago, the security discussion was more around compliance and confidentiality and integrity, those types of things. But that availability piece is just huge. And while we're talking about the last couple of years, has the pandemic introduced any changes in the way SOC 2 audits are conducted? You know, for example, can they be done remotely, 100 percent remotely, or do they require field audit work, or what? What's changed from what you've seen based on the new reality we're all swimming in? 

Paul Gray: [00:35:13] Well, I've seen it in all the frameworks. Definitely. The pandemic has changed the way that the world operates. And you mentioned ransomware. Ransomware put us into a whole new mindset about business continuity and disaster recovery, and the pandemic has put us into a new mindset about how we perform our day-to-day functionality and how we maintain business continuity as well. So we get better at doing these things when we actually experience them. And that's part of the thing in a SOC 2 audit. You're supposed to do tabletop exercises, where you emulate, if I had a, you know, I test my business continuity plan, test my incident response plan. And so it prepares you to do this, and I'll tell you a really funny story about this. I was working when the pandemic started. I was actually working with a law firm about, if a pandemic hit, how would we operate? And then 2 months later, it came out. And because of what we were doing, we actually hit right into it. We thought we were being funny when we used this as a tabletop exercise, and then it happened. But it actually kicked into gear, though, a lot faster. How do you get people the availability to work at home and get secure connections and secure that data while they're doing it? But how do you maintain business? You got to keep all that data available. You got to keep it accurate and you got to keep it secure. So it has changed that. 

Paul Gray: [00:36:57] And so what that's translated into, though, while we're doing audits, is how do we verify certain things are being done? Because like the physical environment, how do I know that you have cameras everywhere? How do I know that you have a visitor's log? How do I know you have locks on the doors? How do I know your data closet is locked? How do I know it has an air conditioner, fire suppression and environmental controls, all these things? Well, of course, everybody's got an iPhone now or, you know, an Android device that has a camera on it. So we learned ways to adapt and to prove these things. Now, that being said, we know that things are loosening up, we've become more flexible. There are clients that still have their policies and procedures of nobody on site. But there are other ones that have opened their doors and they want you to be on-site and they want that face-to-face interaction. There is a lot more to be gained on a brick-and-mortar audit of being able to go on-site and look at them. Whereas if I'm doing a cloud-based audit, and when I say that, I mean, if it's just in scope for the cloud environment, does it matter whether I go on-site or not, because everything's in the cloud anyway? So it depends on your environment, what you're trying to do, but it's definitely changed the face of the auditing world. 

Brian Selfridge: [00:38:27] So for organizations that have gone through this process pre-pandemic or during the pandemic, and by the way, now we know who to blame for the pandemic, it sounds like you triggered it, you jinxed us by introducing that specific scenario. But for organizations that have gone through it, do you have any war stories, any pitfalls, any just total train wrecks of how to do SOC 2 audits the wrong way? You know, don't name names. We'll keep everybody innocent here. But you know, what's the wrong way to go about this, if you've seen that, that costs more time, money and effort to get through the process? 

Paul Gray: [00:39:04] Well, yes, I can tell you several train wrecks. There's quite a few of those stories, and a lot of them generally stem from the fact that it's the attitude and perspective of coming into this. And this is why I say it has to be bought in at the top. I've seen it: the marketing people come in. It's like, we have to be audited because our customers are now requiring this. And then leadership, though, won't give them the budget, won't give them the tools, and tells them to figure things out. You're not going to meet the requirements, so you have to. That's why I say, do your research upfront if you start getting demands from your customers or requests for this. And this is how all the industries are going anyway. Because with, you know, private information and the data everybody's storing these days, you want to know that who you're doing business with is doing their due diligence, and they can not just say it, but that they're proving it. And so these audits do that. They show that you are investing the proper amount of resources and time into your data and the data that they're going to share with you. So, yeah, you've got to dedicate personnel. And if you're just coming into an audit, some of the biggest pitfalls I've seen: we're going to write our own policy and this guy is going to do it, but he's going to do his regular job, and you meet with them. 

Paul Gray: [00:40:39] I've met with them on, you know, a monthly basis to a weekly basis. Six months, a year later, the guy's, you know, he's gotten 2 sheets written up because he's got to do his regular job. You have to dedicate resources to this and you need to dedicate them upfront so that you get the framework designed, built, and implemented correctly upfront. It's easier to maintain. If you're just trying and you're struggling with this to go through on and on, it's going to be very hard to do it. Actually, there's one recently, another customer that I know, a friend of mine is working on it, another company. The owner is dead set on, he is going to be able to implement all these tools and everything himself, without. And we keep, you know, we kept explaining it to him. There's all these tools. There's all this stuff out there that's already designed, built, and it's been out there for years. Don't try to recreate the wheel. Find the best tool that fits your environment. Buy it and get it in. Don't try to build it yourself. It's going to take 2 bites. It does. It doesn't mean you don't have the skill set. Doesn't mean you don't understand anything. It's just, keep focused on your business and let the specialists in implementing and keeping these frameworks going do their job, because they're just as good at their job as you are at delivering your products and services. 

Brian Selfridge: [00:42:15] Well, let's talk to just a quick point there. So I know organizations that do have deficiencies and haven't quite gotten their act together. My understanding is that they can still get the report, but it's going to have noted deficiencies, maybe. How does that work, and how should organizations' customers beware of vendors that provide a SOC 2 report and say we're SOC 2 certified, but maybe there's a lot of dirty laundry in there? Like, do you actually have to read the report? How does that work, or is it all just a pass or fail type thing? 

Paul Gray: [00:42:45] No, this is a very good point, because a lot of people play off, and they do it with some of the other frameworks too. Yeah, I got a report, but that doesn't mean that you have done what you said. When you go through an audit, you can end up with exceptions in your audit. Now, depending on what it is, it can be something that's critical or not critical. That being said, I mean, you can look at the big boys and look at their audits. They're going to have exceptions in them as well. So you could have an equipment failure. And then when you get audited, the auditor could just so happen to ask you for the log files that happened while you had that equipment failure. Now does that mean you're not doing due diligence or anything? No, it just means you had an issue happen that you resolved. So when you show that exception, it's just going to be a minor exception. But if you're doing something whereas I need to show that I have separation of duties, and you're not doing that at all, that means that you have a serious problem: the guy can do bad work, no, he's done bad work, approved his own work, put it out there, and everything. And now your data is exposed, which means much more

Paul Gray: [00:44:12] to a customer than if you have an equipment failure. And if you're doing something like that, you need to look at the report and look at the exceptions, see what kind of exceptions they are and the area that they're in. These reports are not always pass or fail. They're more of an overview of what's happened. Now, a lot of times you get them, all the time, where people don't really have exceptions, but you'll still have CAPs, because there are things that you notice that happen. They were meeting it, but they were doing it in an ad hoc manner, let's say. So instead of that, you want to make improvements; of course, OFIs, opportunities for improvement, this is like, listen, if you automate this system, you're going to be a lot better off, or if you implement a tool here, you're going to be a lot better off. And so, yeah, don't take it, just because somebody's gone through an audit, that they're doing everything in there. That's not what that means. It just means that they've been audited. Look at it and see what it says, and that goes the same with the other ones as well. There are other frameworks, and there's a difference between an attestation and a certificate as well. You need to make sure you know what you're looking at. 

Brian Selfridge: [00:45:28] Well, Paul, you've given us a lot to think about and some great insights into this whole SOC 2 monster, and I'm sure for folks that have follow-up questions, we'll get you in touch with them, but you've given us some great insights to work from. So I want to thank you so much for taking the time to be here with us today. I think I learned a lot, and hopefully our listeners have as well. 

Paul Gray: [00:45:50] You got no problem, my pleasure being here, and I look forward to meeting a lot of our potential customers and people with the questions, we're here to help them. We're happy to do it.  

Brian Selfridge: [00:54:34] Again, I would like to thank my guest, Paul Gray, who is the Chief Information Security Officer for Meditology Services. I learned a ton about the SOC 2 audit process and some of the pitfalls and challenges and ways to get ahead of this, as well as how SOC 2 compares to a lot of the other certifications on the market. As always, we'd like to have your feedback and hear from you, our listeners, so feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of CyberPHIx, and we look forward to having you join us for another session coming up soon.