There is a ton of preparation for SOC 2, and Torii can help reduce the workload across the team. Here are the best practices for using Torii to help prepare for your SOC 2.
Gathering Control Data
You will need to gather proof of your control data to pass a SOC 2 review. There are several notable ways Torii can be used to create these controls and serve as the source of proof.
Onboarding New Employees
Torii can be used to create and manage the onboarding process of new employees. Not only can you automatically add users to your core tools before their first day, but you can also do the following:
Automatically alert the appropriate teams that a new employee is starting
Send a checklist of steps that need to be taken for the employee
Send a checklist of steps that need to be taken by the employee
Send employee responsibilities and company policies to the employee
Add employees to user groups on different systems automatically
Annual Access Review
Torii provides you with a real-time view of the systems that employees are using, from the moment they join the company until the time they leave. For your core tools, you can use Torii to see not only who is a current and active user but also what access rights they have. This allows you to do the following:
Remove users who no longer need access to the application
Remove admin rights from users who no longer need privileged access
Add users and admins who should have access to the application
Set up an automated workflow to send alerts whenever an employee accesses a retired application
Using our SSO audit report, you can review what method employees are using to sign up to the different systems.
Offboarding Terminated Employees
Torii can be used to create and manage the offboarding process. In addition to automatically offboarding employees from core tools, you can do the following:
Send automated alerts to remove the employee from all applications
Send automated alerts to employees responsible for non-SaaS application tasks
Automatically transfer files from one employee to another as part of your onboarding process
Real-time report and audit of the offboarding process of each employee
Torii helps with several aspects of vendor management. You can store all relevant information (e.g. contracts, contacts, use cases) and manage the renewal. You will receive notifications when renewals are upcoming so you can begin your security process. If you will be ending a relationship with a vendor, you can close this application within Torii and keep all data for historical and audit purposes.
Confidentiality Agreements with Vendors
You will need to ensure that your vendors have the same level of confidentiality commitments as you do. This can include signing NDAs and DPAs.
Store all of these documents at the application level for easy access across all teams.
Keeping an Audit Trail
Having the controls in place is part of the battle. Being able to audit your work and prove the controls are working is just as essential. Any automated work completed by Torii and updates made within the platform are kept for this purpose. You will have access to the following:
Who was onboarded and what actions were taken
Who was offboarded and what actions were taken
All applications discovered
All documents stored
All information added, including who changed it and when
Storing Data for Easy Use and Discovery
Torii can be your Source of Truth for all SaaS applications. Having a one-stop shop for all this information increases visibility across the organization and saves time when looking for important documentation. This is incredibly valuable when preparing for your SOC 2.
Planning for the Next Annual Review
These reports will be needed every 6 to 12 months. Having the right tool to gather, maintain and share your data is key to completing SOC 2 as efficiently as possible.
If you would like to discuss further how Torii can help with your SOC 2 preparation, please reach out to your CSM or firstname.lastname@example.org.