We are often asked for recommendations for cost-effective, bare minimum products and tools to help with SOC 2 compliance. Cost can be a driver or a hindrance for IT compliance initiatives, so we tend to suggest cloud-native, open-source products to our startup and small business customers.
Many IT security frameworks (SOC 2, ISO 27001) include requirements for HR practices. HR-related evidence can range from signatures on onboarding documents to maintaining key employment dates. Products in this category are also useful for identifying populations, which can be utilized for testing purposes.
BambooHR or Gusto (Various HR-related controls)
HR systems can provide simple, cost-effective solutions. If you only have a handful of employees, then spreadsheets and restricted file sharing are also adequate. Learn more about how Strike Graph integrates with BambooHR to streamline evidence collection.
GoodHire (Background Checks)
Background Checks can be a requirement for your SOC 2. We like the simplicity of this service.
Strike Graph (Control Monitoring)
The Strike Graph solution allows for continuous monitoring of controls as well as deficiency tracking.
Jira, Asana, a Google Doc, or a Google Form (Onboarding and Offboarding)
All of these products can be used for any checklist type controls.
Auth0 (Single Sign-On and MFA)
We also like the G Suite functionality.
1Password and LastPass (Password Management)
Store all of your passwords in one secure location. Upgrade to the business plan if you want to share sensitive information across your company.
ProtonVPN (VPN)
This is a solid, secure VPN that utilizes sites around the world. Check out their email solution too.
Jira (Logical Access)
Ticketing systems like Jira can capture access requests and approvals, as well as record and maintain everything needed for a solid user access review process.
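The user access review the paragraph above describes boils down to reconciling two populations: the HR roster (who should have access) against each in-scope system's account export (who does). The script below is an added example written for this post, not Strike Graph's or Jira's own code. It assumes the HR system exports a CSV with the columns employee_id, email, hire_date and termination_date, that each reviewed system exports email, role and last_login, and that a 90-day dormancy threshold is the reviewer's policy; the sample rows are constructed for illustration.

```python
"""Quarterly user access review: reconcile an HR roster against a system's
account export and flag what the reviewer must act on.

Added example, not the article's code. Assumed CSV column names and the
90-day dormancy threshold are illustrative policy choices.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample HR export: termination_date is blank for active staff.
HR_ROSTER = """employee_id,email,hire_date,termination_date
1001,alice@example.com,2021-03-01,
1002,bob@example.com,2020-07-15,2023-11-30
1003,carol@example.com,2022-01-10,
"""

# Constructed sample account export from one in-scope system (e.g. Jira).
SYSTEM_ACCESS = """email,role,last_login
alice@example.com,admin,2024-01-05
bob@example.com,user,2023-10-02
carol@example.com,user,2023-09-01
dave@example.com,user,2024-01-02
"""

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


@dataclass
class Finding:
    email: str
    code: str      # NOT_IN_HR, TERMINATED or DORMANT
    detail: str


def parse_csv(text: str) -> list[dict]:
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster_csv: str, access_csv: str, as_of: date) -> list[Finding]:
    """Return every account that needs reviewer action as of `as_of`.

    One account can produce several findings (e.g. terminated and dormant),
    so the reviewer sees every reason an account is out of policy.
    """
    roster = {r["email"].lower(): r for r in parse_csv(roster_csv)}
    findings: list[Finding] = []

    for row in parse_csv(access_csv):
        email = row["email"].lower()
        person = roster.get(email)

        # Accounts with no matching employee: contractors, shared accounts,
        # or leftovers that never went through the onboarding ticket.
        if person is None:
            findings.append(Finding(email, "NOT_IN_HR", "no HR record for this account"))
        else:
            term = person["termination_date"].strip()
            if term and date.fromisoformat(term) <= as_of:
                findings.append(
                    Finding(email, "TERMINATED", f"employee terminated on {term}")
                )

        # Dormant accounts are reviewed regardless of HR status.
        last_login = date.fromisoformat(row["last_login"])
        if as_of - last_login > DORMANT_AFTER:
            findings.append(
                Finding(email, "DORMANT", f"last login {last_login.isoformat()}")
            )

    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding codes by account so each account appears once in the review."""
    summary: dict[str, list[str]] = {}
    for f in findings:
        summary.setdefault(f.email, []).append(f.code)
    return {email: sorted(codes) for email, codes in sorted(summary.items())}


if __name__ == "__main__":
    review_date = date(2024, 1, 31)
    for email, codes in summarize(review_access(HR_ROSTER, SYSTEM_ACCESS, review_date)).items():
        print(f"{email}: {', '.join(codes)}")
```

Each finding is what would become a ticket: a terminated or unknown account gets a removal request, a dormant one a confirmation from the manager. Keeping the exports, the script output and the resulting tickets together is the evidence trail the review needs.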
Central repositories for Information security documentation and core business processes are also foundational to a strong security program.
Confluence and Google Drive (Policy and Procedures)
We like these for keeping things searchable, collaborative, and organized.
Strike Graph (Risk Assessment)
Strike Graph has the added benefit of right-sizing your information security efforts.
Hermes Secure Email Gateway (Email Security)
This free, open-source Ubuntu 18.04 Server-based email gateway provides spam, virus, and malware protection, full in-transit and at-rest email encryption, as well as email archiving.
Don't underestimate your cloud provider’s security tool suite. Many cloud providers include encryption and other security and monitoring tools. Look for and enable your provider’s versions of configuration monitoring, event alerting, application logging, SIEM, and threat analysis.
FileVault - macOS; BitLocker - Windows; Ubuntu Disk Encryption (Endpoint Protection)
We like native and free solutions.
Snort (Intrusion Detection)
Free and easy-to-use.
Security Onion (Monitoring and Logging)
An open-source tool that can monitor and log information about what's happening in your network.
TheHive (Incident Response)
A scalable, open-source, and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for any information security practitioner dealing with security incidents.
pfSense (Firewall)
A popular open-source solution.
ClamAV (Antivirus)
An open-source engine for detecting trojans, viruses, malware, and other malicious threats.
Utilizing products and services that support the ‘security by design’ mantra sets organizations up for success in change management and the system development life cycle.
GitLab or GitHub (Source Code Management)
Workflows to automate the steps needed to maintain separation of duties are powerful change management controls that can be added/configured in these products.
Jira (Change Management - Ticketing)
Automated workflow and approvals can be utilized for stronger controls.
Terraform (Change Management - Infrastructure)
This is a solid product for provisioning and managing cloud, infrastructure, and services.
SonarQube (Code Quality/Security)
Captures the most common security/code issues.
OpenVAS (Vulnerability Assessment)
A community-supported vulnerability assessment tool for hosts that can identify the most common security threats on network infrastructure.
OWASP ZAP (DAST and Web Application Vulnerability Assessment)
An open-source tool that can identify OWASP Top 10 vulnerabilities in web applications, plus other common, previously identified issues.
The products and tools noted above address many of the tactical elements of an IT security program. The Strike Graph solution is designed to assist in determining which of these elements ought to be adopted based on your organization's unique risk profile. After completing a Strike Graph Risk Assessment, you will have a right-sized security roadmap to use as your guide.