Full management of the information security program and SOC 2 attestation process for a health technology firm.

Company overview

This firm provides Software as a Service products that support the health and wellness of individuals and of businesses' employees. Their products collect critical information such as Protected Health Information and Personally Identifiable Information, and have separate components hosted with different cloud providers. They are subject to CCPA, GDPR, and local data and privacy laws.

Problem

Customers required a SOC 2 Type 2 attestation to fulfill third-party risk requirements and to attest to the security of the products they own. The lack of a SOC 2 attestation hindered winning new client business and subjected the firm to a yearly security questionnaire. Additionally, their information security program lacked sufficient cloud security implementations and practices, and their application security process did not include a secure code review.

Solution

The most critical items of secure best practices formed the basis of this engagement. KN Cyber implemented manageable and easy-to-monitor secure best practices for the entire organization. We encouraged communication of security awareness across the board, implemented training for teams, and came to understand the pain points of non-technical teams as they relate to security.
We proceeded to implement a documented information security program that covered cloud services and secure procedures that the IT, DevOps, and Dev teams could easily follow. We identified areas for improvement and helped resolve the issues. We conducted a SOC 2 readiness assessment after all processes were implemented. This cut the readiness assessment time in half and saved the organization money in billable hours.

Outcome

Improved security posture, happy customers, better sales outcomes, and evidence of the organization's security posture and practices. The engagement got employees thinking about their practices and how they affect security, and encouraged team communication.