SOC2 - fundamental pieces

Infosec

https://latacora.micro.blog

#1: Single Sign-On

You’re going to sign up for Okta or Google Cloud Identity, tie as many of your applications (first- and third-party) into it, and force 2FA.

#2: PRs, Protected Branches, and CI/CD

You’re already doing this, but just to be sure: you’re going to lock your deploy branch and require PR approval to merge to it, and you’re going to automate deployment.

#3: Centralized Logging

You’re going to pick a logging service with alerting and use it for as close to everything as possible.

#4: Terraform Or Something

You’re going to do all your cloud provisioning with something like Terraform and keep the configs in GitHub, using the same PR process as you do for code.

#5: CloudTrail And AssumeRole

You’re going to set up CloudTrail logs and require your team to use AssumeRole to get to anything interesting in your AWS configuration.
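Items #4 and #5 together, as an added Terraform example that is not part of the original post: a multi-region trail with log-file validation, the bucket policy CloudTrail needs in order to deliver, and a role whose trust policy refuses AssumeRole without MFA. The account id, bucket name and role name are placeholder assumptions, and an already-configured AWS provider is assumed.

```hcl
# Added example (not the post's code); assumes a configured AWS provider, placeholder account id and bucket name.
variable "account_id" { type = string }
resource "aws_s3_bucket" "trail" {
  bucket = "example-org-cloudtrail-logs" # placeholder name
}
# CloudTrail only delivers to a bucket whose policy lets the service check the ACL and write.
resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.trail.arn
      },
      {
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.trail.arn}/AWSLogs/${var.account_id}/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}
# Every API call in every region, with integrity validation so tampered log files are detectable.
resource "aws_cloudtrail" "main" {
  name                       = "org-trail"
  s3_bucket_name             = aws_s3_bucket.trail.id
  is_multi_region_trail      = true
  enable_log_file_validation = true
  depends_on                 = [aws_s3_bucket_policy.trail]
}
# The role people AssumeRole into for anything interesting: the trust policy denies sessions without MFA.
resource "aws_iam_role" "admin" {
  name = "admin" # placeholder name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${var.account_id}:root" }
      Action    = "sts:AssumeRole"
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}
```

Every action taken in the assumed session is then attributed in CloudTrail to the caller's role session, which is what the auditor will ask to see.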

#6: MDM

You’re going to pick an MDM system – it’s probably going to be Jamf Pro – and install it on all your desktops and laptops, and then use it to make sure everyone’s got encrypted disks and up-to-date patches.

#7: VendorSec

You’re going to start tracking all the software you subscribe to, buy, or install in a spreadsheet and start doing some simple risk tracking.