So what does SOC 2 compliance have to do with HR?
- HR is responsible for developing and enforcing solid, consistent hiring processes. These include background checks for all new employees before they are granted access to business systems. Specific SOC 2 controls address regular user access reviews and the timely removal of credentials for terminated or transferred users. HR must partner with the business to ensure that onboarding and offboarding activities include timely provisioning and removal of access to networks and systems.
- SOC 2 compliance can help protect your company from fines and penalties associated with violations of privacy protections such as the GDPR and the California Consumer Privacy Act (CCPA).
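One way to surface the exceptions such an access review looks for (terminated or transferred users still holding access, new hires given access before their background check cleared, accounts with no HR record), as an added example that is not from the original post or from Trustero's product; the HR roster, directory export, department-to-group mapping and one-day removal SLA are all constructed assumptions:

```python
from datetime import date

# Constructed sample HR roster: what HR knows about each person.
ROSTER = {
    "alice": {"status": "active",      "dept": "eng",     "bg_check_cleared": True,  "effective": date(2023, 1, 9)},
    "bob":   {"status": "terminated",  "dept": "sales",   "bg_check_cleared": True,  "effective": date(2023, 3, 1)},
    "carol": {"status": "transferred", "dept": "finance", "bg_check_cleared": True,  "effective": date(2023, 3, 6)},
    "dave":  {"status": "active",      "dept": "eng",     "bg_check_cleared": False, "effective": date(2023, 3, 7)},
}

# Constructed sample export from the identity provider / directory.
ACCOUNTS = [
    {"uid": "alice",   "enabled": True, "groups": {"eng-prod"}},
    {"uid": "bob",     "enabled": True, "groups": {"crm"}},             # left on 1 Mar, still enabled
    {"uid": "carol",   "enabled": True, "groups": {"eng-prod", "erp"}}, # moved to finance, kept eng group
    {"uid": "dave",    "enabled": True, "groups": {"eng-prod"}},        # access before background check cleared
    {"uid": "svc-old", "enabled": True, "groups": set()},               # no HR record at all
]

# Assumed mapping of which directory groups each department should hold.
DEPT_GROUPS = {"eng": {"eng-prod"}, "sales": {"crm"}, "finance": {"erp"}}

def review_access(roster, accounts, review_date, removal_sla_days=1):
    """Reconcile directory accounts against the HR roster and return
    (uid, finding) pairs that an access review would have to act on."""
    findings = []
    for acct in accounts:
        uid, person = acct["uid"], roster.get(acct["uid"])
        if person is None:
            findings.append((uid, "orphan: no HR record"))
        elif person["status"] == "terminated" and acct["enabled"]:
            days = (review_date - person["effective"]).days
            late = " (past SLA)" if days > removal_sla_days else ""
            findings.append((uid, f"terminated {days}d ago, still enabled{late}"))
        elif not person["bg_check_cleared"] and acct["enabled"]:
            findings.append((uid, "enabled before background check cleared"))
        elif person["status"] == "transferred":
            stale = acct["groups"] - DEPT_GROUPS.get(person["dept"], set())
            if stale:
                findings.append((uid, f"transferred, stale groups: {sorted(stale)}"))
    return findings

if __name__ == "__main__":
    for uid, finding in review_access(ROSTER, ACCOUNTS, date(2023, 3, 10)):
        print(f"{uid:8} {finding}")
```

Each finding is evidence for the review itself; the list being empty on the next run is the evidence that the offboarding and onboarding controls operated.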
For these and other reasons, HR leaders must be involved in your company’s SOC 2 compliance efforts.
At Trustero, our HR leader, Head of People Sheryl Marymount, became the leader of our initial SOC 2 compliance efforts. In this interview, Sheryl shares her experiences as a “newbie” to both SOC 2 compliance and Trustero Compliance as a Service (CaaS) and some lessons learned that might help you.
Sheryl, what was your role in Trustero’s initial SOC 2 compliance journey?
I was the project manager for Trustero’s SOC 2 Type 1 efforts. I assigned all of the actions associated with SOC 2, such as policy mapping and compliance with specific controls, to our internal team members. I was also the liaison between our internal team and our auditor, managing all requests and actions. In addition, I was the responsible party for all HR policy creation, management, and supplying of evidence for each HR-related control.
If others were involved with you, what were their roles?
Each department leader was responsible for their respective team’s policies and controls. For example, our engineering leader was responsible for all engineering- and IT-related policies, controls, and evidence.
What relevant experience, if any, did you bring to your assigned role?
As an HR leader, I was familiar with compliance generally, but I had never been involved in a SOC 2 compliance program or process before my experience here at Trustero. And I had read that HR is the most common source of exceptions that cause SOC 2 controls to fail. This was brand new to me, but I was confident that all of my policies would be solid and that my supporting evidence would also be flawless! 😁
What were your first impressions of Trustero CaaS?
As one of the first five members of Team Trustero, I had the opportunity to contribute directly to the product! It was the first time in my career that I have been able to contribute in this way as an HR professional. I’ve been close to the product before, but not this close!
My first impression was that we had built a functioning product that I, or anyone else who’s not a compliance expert, could use! 😁
Did your perception of Trustero CaaS change as you became more familiar with it? If so, how?
The more I used it, the easier it was to use. I said I’d love to see more automation of HR evidence collection, which led us to build receptors for some of my tools. The more I can automate HR processes internally, the more automated evidence I can produce. I love that!
How would you assess the results of your efforts, and how did Trustero CaaS help (or hinder) those efforts?
We used the Trustero platform to guide us through the process and store all of our evidence. Our auditor also used Trustero CaaS to review policies, controls, and evidence. We passed our SOC 2 Type 1 audit with flying colors, which prepared us to move forward with SOC 2 Type 2.
I’d say using the Trustero software made my life easier. The interface is easy to navigate. The dashboard summarizes the most important information about our compliance profile. And the user guide and descriptions of controls and policies are written in plain, clear language. All of these features help me avoid creating compliance-threatening exceptions to our controls, manage our compliance more effectively and minimize business risk, something I try to do in my daily life in all ways!
What key takeaway or takeaways from your experience would you like most to share with others considering or pursuing a similar compliance journey?
I think the compliance education experience provided by using the Trustero platform contributed to mitigating more risk in our environment, which is a key takeaway. Security and compliance really go hand in hand! Trustero saved me time, money, and confusion!
How Trustero Can Help
We enable SOC 2 compliance that’s simple, fast, automated, and complete.
Trustero Compliance as a Service (CaaS) is a cloud-based, AI-powered compliance automation platform. It works with you and your trusted auditor to achieve and sustain compliance year after year, effectively, efficiently, and economically – and without prohibitively expensive technology investments. Trustero also offers solution packages that include a guaranteed successful SOC 2 audit and complete report by a certified, reputable auditor.
If you’re new to SOC 2, download a copy of our free ebook, “SOC 2 Compliance: Why it Matters and How to Get There.” And to learn more about Trustero CaaS or to schedule a demo, visit https://go.trustero.com/startup_assurance_package.