SOC 2 Compliance

Learn more about SOC 2 compliance and how Nightfall helps with it.

Many companies seek to become SOC 2 compliant to showcase their strong security practices for safeguarding their company’s and their customers’ data.

During SOC 2 compliance audit periods, auditors verify that security controls are in place, that they trigger when expected, and that alerts are responded to appropriately, in order to assess the strength of an organization’s security posture. Auditors generally look for a number of controls, including the following:

  • Information security practices that are documented & managed on an ongoing basis

  • Data classification policies and protocols that detail the security and handling of customer data

Checklist for meeting SOC 2 controls with Nightfall

Nightfall’s Customer Success team specializes in helping you leverage the platform to meet your compliance needs successfully.

  1. Configure detection rules that detect the sensitive data your business handles. Select from common templates in our library for out-of-the-box coverage.

  2. Enable real-time monitoring on business applications that house sensitive data such as Slack, Google Drive, Confluence, Jira, and GitHub.

  3. Implement manual or automated workflows and processes to remediate any findings.

  4. Run historical scans to search for sensitive data that exists in data silos today.

  5. Visualize historical scan results in a custom Nightfall dashboard.

  6. Engage Nightfall’s Managed Services team to facilitate bulk remediation of sensitive data at rest in cloud silos.

  7. Review and export scan results should they be required in the event of an audit.

The following table lists security practices and policies that companies should implement for a strong security posture. A data classification & protection platform like Nightfall can help companies enforce and manage these controls.

POLICY: Data Classification & Management

WHAT DOES IT DETAIL?

Company should have procedures to classify data in accordance with classification policies and periodically monitor/update such classifications. The company stores and disposes of sensitive data in a manner that:

  • Reasonably safeguards data confidentiality

  • Protects against the unauthorized use or disclosure of the data

  • Secures or destroys the data

Sensitive data should be validated and protected against unauthorized disclosure or modification, whether in use, stored, or transported, to ensure information security and to mitigate the risk of attacks.

HOW DOES NIGHTFALL HELP?

✓ Identifies if sensitive data exists in a system, or when it enters an application, in real time

✓ Leverages variables such as internal/external visibility and permissions to prioritize findings by risk level

✓ Provides remediation capabilities

✓ Fulfills auditor checks against controls for data classification and information security policies

✓ Managed services team monitors configuration and alerting to facilitate management/improvement of the classification

POLICY: Data Retention & Disposal

WHAT DOES IT DETAIL?

Company should maintain a process designed to prevent sensitive data from being exposed to unauthorized individuals.

HOW DOES NIGHTFALL HELP?

✓ Provides remediation capabilities for real-time scans

✓ Enables companies to operationalize a process to remove or obscure sensitive data

POLICY: Password Security

WHAT DOES IT DETAIL?

Company should ensure passwords and credentials are not hard-coded or embedded in static code.

HOW DOES NIGHTFALL HELP?

✓ Proprietary detectors intelligently find secrets and credentials across applications, including code repositories