Karbon's journey to SOC 2 compliance

Christopher Johnson, Chief Information Security Officer, Karbon

Our responsibility to protect the data of our customers and maintain their trust in our service is embedded within the day-to-day culture of Karbon.

Our achievement of SOC 2 Type 2 certification demonstrates our commitment to security and the delivery of quality service, and we will continue to implement the internal controls (i.e. systems, processes, and people) required to maintain this SOC 2 certification, in addition to our other compliance requirements.

We want to share our journey to help with your understanding of SOC 2 compliance and Karbon’s security practices.

How did we achieve SOC 2 Type 2 compliance?

Our achievement of SOC 2 Type 2 compliance was a collaborative effort between our employees, our consultants, and our SOC 2 service auditors.

Working together, we implemented and evaluated the internal control processes established by our management team to secure our web application and protect your data. A gap assessment was also performed to identify the technologies, processes, and people needed to help us achieve our SOC compliance.

Our people

Our compliance with SOC 2 standards required a collective effort from our company personnel to ensure that we adhere to defined criteria and expectations.

Karbon executive management team

The involvement of the executive management team within the SOC 2 compliance process is often misunderstood. SOC 2 standards require executive management to conduct appropriate governance and oversight activities that 'set a tone at the top' for the importance of information security and risk management within the company.

This requires that the management team ensure the company has documented policies and procedures, conducts regular meetings to evaluate risks presented to the business and company resources, monitors employee activities, and performs several other activities that establish a foundation for ethical behavior and quality performance within the company.

Our chief officers are responsible for these corporate governance activities and accepted the responsibility for ensuring our company implements appropriate risk management and information security practices needed to protect our data.

Karbon’s Chief Executive Officer, Chief Technology Officer, and Chief Customer Officer owned the implementation of the processes and technologies needed for sophisticated security within the company, and engaged the consultants who contributed to refining Karbon’s security practices and preparing for SOC 2 compliance.

Johnson Risk Advisory (consultants)

We engaged external risk management and information security consultants, Johnson Risk Advisory, to serve as our internal Risk and Compliance Team and help with all activities required to successfully achieve SOC 2 compliance.

Our Risk and Compliance Team was pivotal to our SOC 2 preparation activities. They:

  • Provided education about the SOC examination process

  • Performed an initial gap assessment

  • Worked with management to address identified gaps in our security procedures

  • Implemented and refined our policies and procedures

  • Implemented a formal information security internal control program for SOC 2 compliance

  • Evaluated the design and operation of our controls to determine their effectiveness for SOC 2 compliance

  • Worked with our external auditors to coordinate and complete SOC 2 examination procedures

This Risk and Compliance Team manages most of the leg-work involved with our SOC 2 compliance, evaluating risks within the company, monitoring our compliance process, and working with our employees and the executive management team to manage our compliance procedures.

Karbon’s system engineering team

Considering that SOC 2 is a security-focused SOC report, we must mention the outstanding work that our System Engineering Team did to ensure that the Karbon application operates within a secure environment and has security built into the design of the system.

Under the oversight of our CTO, the System Engineering Team is committed to designing a quality web application that serves our customers and includes functionality that maintains appropriate security safeguards to protect the Karbon application itself and the data it processes.

The System Engineering Team has established, and follows, a secure software development lifecycle (SDLC) process that contributes to the delivery of a secure and functional application. These SDLC procedures include planning system development and system change activities, testing and quality assurance review of system development activities, and secure change deployment activities that restrict the ability to implement system changes to authorized personnel (under the supervision of the CTO and VP of Product).

Our SOC 2 compliance is primarily focused on our internally developed web application (the Karbon application). Our System Engineering Team is responsible for the design and operation of the Karbon application and is committed to maintaining our compliance with SOC 2 standards. They continue to keep security within the culture of the team and the performance of day-to-day activities.

Karbon’s IT help desk team

A managed-service IT help desk team, Advisory, has been engaged to manage day-to-day information technology-related activities. These activities include employee workstation management, system patching and updating, company access requests, computer troubleshooting, and any IT-related requests needed by company personnel.

Although most activities related to SOC 2 compliance are within the scope of the System Engineering Team, the IT Help Desk Team is responsible for some activities that are included within the SOC 2 examination requirements. These activities include user authentication activities to company systems, evaluation and processing of all user access request activities within the company (new access, modification of access, and termination of access), and management of employee workstation security.

The IT Help Desk Team worked with our Risk and Compliance Team and Executive Management Team to refine our user authentication, access management, and endpoint protection activities.

Karbon employees

Implementation of security practices for SOC 2 compliance was a change to the culture of our company and required a top-down commitment from all personnel within the company.

Our employees were educated on the SOC 2 compliance process and their roles and responsibilities in achieving and maintaining compliance. SOC 2 compliance is primarily focused on security practices, but all employees within the company have some involvement with SOC 2 compliance procedures.

SOC 2 standards require that all of our employees participate in activities that ensure we are protecting customer data and business resources. Some of these processes include signing a confidentiality agreement, and reading and accepting our code of conduct and information security policies and procedures. They are also required to follow established processes for requesting and managing user access to company systems and report identified system or security incidents.

Our systems for SOC compliance

Having a great team is a primary component of our SOC 2 compliance. However, the use of advanced and sophisticated systems (or technologies) is needed to ensure that our IT network is secure and protects the data that we process in connection with our Karbon application.

Karbon application

We utilize our Karbon application to assist with project management activities associated with our SOC 2 compliance.

Karbon is a pivotal component of our project management activities for SOC compliance. We use SOC 2 work items to manage the execution of SOC 2 control activities and the associated evidence documentation needed to demonstrate compliance.

With the use of Karbon, we can plan the timing for our SOC 2 controls, assign tasks needed to ensure controls are executed appropriately, and work with our external auditors to share evidence documentation and any additional communication required to complete our SOC 2 examination.

Our own application has been very helpful with ensuring that we implement, plan, and execute our SOC 2 control environment to maintain our compliance.

We have published SOC 2 compliance work templates within our Karbon Template Library as a starting place for any of our customers that want to implement or perform SOC 2 compliance activities using Karbon.

Infrastructure-as-a-Service (IaaS)

We utilize a premier cloud services provider (CSP) to deliver the virtual (cloud) infrastructure technology supporting the operation and delivery of the Karbon application.

Our CSP’s environment includes virtual servers that operate the Karbon application and run on physical servers that are operated and managed by our CSP under its Infrastructure-as-a-Service (IaaS) model.

Use of the IaaS model includes the ability to customize the security configurations to ensure that we implement security functions that enforce routing of network traffic, implementation of encryption on data transmissions to our network, network segmentation, and the ability to restrict access to underlying resources running the Karbon application.

In addition to security configurations that are managed by our team, our CSP also performs their own internal control processes to ensure security, availability, confidentiality, and privacy of their service, which provides users of their service (such as Karbon) with additional assurance that their environment is protected.

Our CSP is responsible for the overall security of their service, including protection and management of the physical machine resources delivering their cloud services and logical security practices for their network resources. However, security of the cloud environment is a shared responsibility: both our CSP and the Karbon team must implement appropriate security configurations and procedures where needed and appropriate.

Our CSP does undergo a SOC 2 examination, in addition to several other compliance audits. We obtain our CSP’s SOC 2 report to gain an understanding of the security practices performed for their services, which is evaluated by management and considered within our risk assessment activities.

System performance and incident monitoring system

Our IT Team utilizes performance monitoring systems and services to monitor activities within our information technology network. These systems and services collect system log data and present it to our IT Team in a user-friendly and readable format to assist with observing activities performed within our computer network.

Our IT Team configured system alerting to notify them of specific system events that may indicate performance issues or incidents that may warrant investigation or correction.

SOC 2 compliance requires that compliant companies implement appropriate technology and procedures to ensure that system issues or system incidents are identified when they occur and investigated to understand the nature and extent of the issue, including whether or not the issue has an impact on our security practices, our ability to operate our business, and/or the protection of our customer data.

Version control system

Our product development and system engineering teams utilize a version control system to manage versions of the Karbon application’s source code throughout the SDLC process.

This system ensures that the different system changes that are being performed by our developers are managed appropriately and follow a structured process for performing changes to our Karbon application.

This is an important component of the SOC 2 compliance requirement for system change management and the assurance that our system maintains its integrity when we perform changes to improve its features, functions, and overall operations.

Content delivery network

We utilize a content delivery network (CDN) service provider that provides website proxy services and end-to-end encryption of data transmission for the Karbon application. Our use of the CDN helps to deliver our application to our users faster and over encrypted connections.

Additionally, our CDN provider implements sophisticated security technologies and practices to secure their services and ensure the service is operating as intended. The AICPA’s SOC 2 standards require that we ensure our customer data is encrypted during transmission to our system.

Although encryption of data transmitted for the Karbon application is configured within our own network security, we utilize the CDN to provide an additional layer of data transmission encryption. This ensures that all connections and transmissions are secured and that our application can be delivered quickly to our users around the world.

Service desk ticketing system

We use service desk ticketing systems to assist with processing a variety of requests within our company, including processing user access requests, internal and external communications with our employees and business partners, and communication of system change management activities.

Our service desk ticketing system helps to manage individual inquiries and action items associated with these activities so that they can be tracked and processed accordingly. For SOC 2, service desk ticketing systems are important because they often retain evidence documentation needed to demonstrate compliance.

Identity and access management system

We utilize a trusted and secure identity and access management system to manage user authentication and access to systems used by our company personnel. Our identity and access management system enforces secure login to company systems, requiring our users to submit a username, strong password, and multi-factor authentication prior to gaining system access.

Use of an identity and access management system is pivotal in our SOC 2 compliance procedures for identity and access management procedures, allowing our IT Team to streamline user logins with its single sign-on (SSO) capability and manage user access rights via role assignments within the system.

Password management system

Our employees utilize multiple passwords during our operations, and a password management system is used by all employees to store and manage company passwords.

This helps our employees manage their passwords, reducing the need to remember multiple passwords required to access company systems and providing a secure, encrypted, location to store company passwords.

Instant messaging systems

We use instant messaging systems for a variety of use cases within our organization, including communicating with our customers, communicating with our team members, and assistance with activities we perform to monitor the security and performance of our Karbon application.

The AICPA’s SOC 2 standards require that organizations implement appropriate communication processes and technologies to assist with the performance of policies, procedures, and processes implemented to ensure the security of our application and protect user data.

Background check system

An important component of SOC 2 compliance includes ensuring that an organization has implemented processes to support exercising ethical behavior within the company. One of these processes includes ensuring that companies evaluate the background and experience of employees within the organization to validate that they are qualified to perform their job role and responsibilities.

One process that supports the evaluation of an employment candidate's qualifications includes the performance of a background check. We utilize background check systems for all of our employees to ensure that we understand an employee’s criminal, educational, and work experience background prior to extending an employment offer with our company.

This is important because we want to ensure that our employees have professional and personal backgrounds that align with our security, confidentiality, privacy, and overall business objectives.

Performance management system

Another process that we have implemented within our company to ensure that our employees are qualified and adhering to appropriate ethical behavior is our periodic employee performance evaluation process.

We utilize a performance management system to manage the employee performance review process conducted by our Management Team. This performance review process includes establishing objectives and key results (OKR) metrics for each of our employees, which are periodically evaluated to ensure that our employees are performing their roles and responsibilities as expected.

Each employee and their direct manager collaborate to complete this evaluation process, which includes discussing performance, evaluating OKRs, defining specific actions for continued improvement, and open communication on an employee's work experience within our organization.

Our performance management system tracks all of these activities and timelines for our performance management program, which helps to ensure that we complete our performance review process in a timely manner for our compliance purposes.

Employee incident reporting system

We utilize an employee incident reporting system to provide our employees with a method of reporting any identified or observed issues that may be a violation of our policies and procedures and/or unethical behavior.

This system provides a web-based form that can be accessed by any of our employees to document their incident and report it to our Management Team, with their identity revealed or anonymous.

The use of our employee incident reporting system allows our Management Team to maintain a history of reported issues within the company and a centralized location to manage the investigation and resolution of human resource-related issues within the company.

Security awareness training system

Protecting company information and data requires many different elements of a company’s internal control processes for information security, including having an information technology (IT) team and implementation of security systems and processes.

In addition to these well-known information security practices, a company should implement educational procedures to promote a heightened awareness for security and data protection within all of their employees. We accomplish this through the implementation of security awareness training to all of our employees, utilizing a security awareness training system.

We deliver security awareness training to all of our employees during their employment onboarding procedures and annually thereafter. Our security awareness training system manages the timing and delivery of our security awareness training, including reporting features to assist with tracking course completion, automated reminders for employees to complete training, and delivery of interactive video training courses and quizzes that keep our employees engaged and validate their understanding of important security topics.

Our security awareness training courses educate our employees on important security topics, including common security best practices, social engineering, password protection, working remotely, and a variety of other important security and privacy-related topics.

We find that the use of a security awareness training system has significantly helped with promoting security awareness within our company and makes the distribution of training simple and effective.

Christopher Johnson
Chief Information Security Officer, Karbon

Christopher Johnson is the Owner and Managing Director of Johnson Risk Advisory Services and also acts as Karbon's CISO. He has over 8 years of experience, including Big Four experience, assisting companies with internal controls, information security, and data protection, and specializes in SOC examination services.
