Product

Cambio is now SOC 2 compliant

Post by
Amber Houle

We are excited to announce that Cambio has achieved SOC 2 Type I compliance! 

What is SOC 2 Compliance?

SOC 2 is a compliance standard that helps organizations manage customer data in a secure way, focusing primarily on five principles: security, availability, processing integrity, confidentiality, and privacy. This achievement provides third-party validation of our commitment to security & compliance and demonstrates the importance of building our customers' trust.

Why is this important to Cambio?

At Cambio, upholding a commitment to security, data privacy, and operational excellence is a top priority. It's important we adhere to best practices in order to deliver a secure and reliable product to all of our customers.

The Journey

  1. Selecting a Risk and Compliance software vendor: While SOC 2 can be a big undertaking, leveraging a security and compliance platform can significantly help streamline your compliance journey. The first step in our process was to choose a SaaS product to help us meet our compliance needs. We leveraged Vanta to integrate our key systems and guide us in implementing policies and procedures to quickly become audit ready. Though we ultimately went with Vanta, there are many other solutions that can help you meet your GRC needs, such as Secureframe, Drata or StandardFusion, to name a few.
  2. Selecting a Reputable Auditor: After choosing a platform, the next step in our process was to select a reputable auditor. We partnered with Advantage Partners to perform our SOC 2 audit.
  3. Performing Gap Analysis: Before getting to work on our systems and policies, we performed a gap assessment to understand how our current systems, policies and processes compared to SOC 2 compliance requirements. This analysis was important in pointing us to specific areas of improvement, which again was greatly streamlined by Vanta.
  4. Policies and Procedures: We then developed or revised comprehensive policies and procedures to meet the SOC 2 criteria. These policies and procedures range from an Operations Security Policy and a Data Management Policy to a Code of Conduct, along with employee training.
  5. IT and Engineering Systems Work: With policies in place, the next step was implementing any IT and engineering work related to systems gaps we'd identified during our gap analysis.
  6. Employee Training: Employee training is an important component of SOC 2 compliance and ensures all team members are adhering to security and compliance best practices.
  7. The Audit: After weeks of preparation, our chosen auditor came in to assess our practices. They carried out thorough checks and tested our systems before granting us our SOC 2 Type I audit results.

Key Takeaways

One key takeaway is understanding that improving our security posture and achieving compliance is a monumental task. This took dedicated focus and time from our organization. The readiness period can take the most time, but Cambio was able to make compliance a priority to get audit ready in a matter of weeks versus months.

Cambio set a target audit date and worked backwards from this date in order to be fully prepared by the time the audit date came around.

Here are some additional lessons learned along the way:

  1. Focus on improving security posture, not checking boxes: Compliance is not one size fits all. The emphasis should be on proactive and continuous improvement within an organization rather than treating security as a checklist item. Security needs and standards are ever evolving, and as such security should be prioritized as a part of daily team practices and routines.
  2. Start the process early: At Cambio, we found that it is easier to implement policies earlier rather than later. Secure procedures and infrastructure are key components of a successful security program. While your systems are still fairly new, with minimal tech debt, it is much easier to incorporate key security standards from the get-go.
  3. Know your stakeholders in the compliance process: You will need to decide which internal stakeholders are needed for policies, procedures, and engineering tasks. SOC compliance goes beyond your IT and Security teams - your entire organization will be involved in improving security and adhering to procedures. Every team member will need to complete security training, accept new security policies and be involved in some way or another! It is helpful to communicate the scope of the project broadly across all team members so they can understand what their role will be in the process and what the impact will be on their day-to-day in the months leading up to your audit date! Diligently assigning tasks to the relevant stakeholders, and using a divide-and-conquer approach to address outstanding compliance work, helped us efficiently reach our SOC 2 goals.

Conclusion

Achieving SOC 2 Type I compliance marks a milestone for Cambio, underscoring our commitment to security, data privacy, and operational excellence. This accomplishment not only validates our dedication but also reinforces the trust our customers place in us. Our journey towards SOC 2 compliance involved strategic decision-making, detailed roadmapping, and collaboration across various facets of our organization, which was well worth the investment. We believe embedding data security and privacy practices early on is crucial, making it an integral part of Cambio's organizational culture.