The NROC Project (NROC) works with leaders in education to develop technologies that improve the student learning experience and increase college and career readiness. Focusing on open and low-cost educational platforms, NROC aims to provide high-quality, safe educational tools to as many students as possible. Its growing suite of solutions includes EdReady, HippoCampus, NROC Math, and NROC English.
After many years as an educational nonprofit, NROC found itself in a position of exciting growth when the organization began working with a rising number of large educational institutions. NROC was a small organization with “grand ambitions,” says Ahrash Bissell, NROC Project President. With the expansion of both its tools and audience came the necessity to take in more data from the organization’s participants than ever before.
This growth and increase in data also brought the realization that NROC would need to comply with more infrastructure standards, including standards for the strength of its cybersecurity. In the EdTech space, 70% of breaches come from a third-party vendor. This made NROC’s cybersecurity immensely important to its users. Additionally, the ambiguity surrounding FERPA, the largest federal regulation regarding privacy in the education world, created a challenge. Different institutions vet for FERPA compliance in dramatically different ways. Finding a way to satisfy all of those needs was a difficult task.
While NROC was growing its relationships with major partners, the human capital of the nonprofit organization remained small at 18 people. The organization needed to determine the best possible ways to address its cybersecurity needs with its limited resources. And, as a nonprofit, NROC knew these actions needed to directly serve its mission, which is to increase access to secure, high-quality educational tools.
NROC’s journey hit a turning point during its partnership with the North Carolina Department of Public Instruction. Due to a new state mandate, NROC learned that it would be required to achieve SOC 2 compliance by the end of 2021 in order to maintain this partnership. Bissell reflects that “if we were really going to meet those grand ambitions, there was a whole set of additional obligations we had to rise to, and SOC 2 was for sure one of those obligations.”
NROC decided to reach out to Strike Graph. A SOC 2 audit can feel overwhelming, even to large organizations with more resources. Because NROC leaders did not fully understand SOC 2 themselves and lacked the ability to hire additional staff to run the compliance process, turning to Strike Graph was the strategic next step.
Strike Graph functioned as both a preparation platform and a mentoring partner to guide NROC through the process of becoming ready for the SOC 2 auditor. The organization completed its Strike Graph Risk Assessment, a core element of strengthening overall cybersecurity. Team members then identified existing controls and processes that needed more attention, like user access reviews and more formal change management processes.
Within six months, NROC completed a SOC 2 Type 1 audit and was so well-positioned with its IT control environment that the organization was able to complete a Type 2 by the end of the year. Some might view SOC 2 Type 2 as more difficult to achieve than Type 1 because it requires certain controls to be in place over periods of time. However, NROC discovered that going through the complex process of achieving Type 1 with Strike Graph actually accelerated the organization’s ability to achieve Type 2 successfully. Completing both in under a year was a huge achievement.
Strike Graph also made sure to build a blueprint for NROC’s success that was appropriate to the size of the organization, which is small but focused. “Due to the size of the NROC team, we not only right-sized controls but configured their account to ensure that the frequency at which they monitored their controls made sense,” says Lizzie Whetstone, Director of Customer Success at Strike Graph.
Both the SOC 2 Type 1 and Type 2 audits were clean, and NROC met its commitment to the State of North Carolina. “We not only made North Carolina happy with a timely and clean SOC 2, but we have been able to leverage our SOC 2 to open up revenue and sell into other states,” says Nancy Cook, NROC Managing Director.
NROC also describes how its initial anxieties toward the process were calmed by the project’s completion. Employees were concerned about the time commitment and worried that they would be asked to meet requirements written for companies with 1,000 employees rather than their own 18.
But because Strike Graph right-sizes the compliance process for each organization it works with, employees were happy to find that they actually saved time in the process. And, because the NROC roadmap for success was strategically designed, the organization could focus on implementing the controls that were most important to its overall success.
NROC felt the benefits from Strike Graph’s help beyond the label of compliance. “We needed the advice and expertise of Strike Graph. It gave us a lot of insight into our practices and where we could improve. It helped us shore up any potential or perceived gaps in our security posture,” Bissell explains. NROC is now positioned to comfortably maintain the level of security it achieved through compliance in order to continue landing large contracts and grow the organization. Ultimately, this growth keeps NROC aligned with its mission — providing safe access to high-quality educational tools.
In its ongoing partnership with Strike Graph, NROC appreciates the periodic reminders that assist them in continuously monitoring their controls — a helpful, automated feature of the Strike Graph platform. With Strike Graph, the NROC team feels prepared for its next annual SOC 2 audit and confident that the organization’s security will remain robust.
NROC also continues to grow by teaming with organizations that require the same cybersecurity standards. The NROC team knows that achieving compliance with SOC 2 has helped them manage the amount of data the organization’s tools require and has also been an excellent way to communicate trust to future business partners. NROC leaders are confident that taking this step in their compliance journey will keep them aligned with their mission of providing high-quality educational tools that are safe and secure.