What does a new engineer do during their first week at a SOC 2 Compliant startup? Write code? Maybe. Deploy code? Hopefully. Create accounts? Certainly. Ad nauseam.
After creating my task tracking and document sharing accounts, half the items on my TODO list were about creating accounts on still more services. Also on my calendar: training for one of LaunchDarkly's newest initiatives, SOC 2 Compliance.
At LaunchDarkly, we maintain mission-critical services for our customers (feature flags!). And for those who opt for premium services, we also store sensitive data about their clients as part of our analytics features. It is essential to our business that we protect not only the controls over customer application behavior, but also all client data we store on behalf of our customers.
After our security training, each member of my incoming class made a commitment to:
- Create a unique password for every service. Use a password generator and a password manager!
- Enable 2-factor authentication for every service that offers it.
- Avoid sharing passwords and accounts with team members to keep a precise audit trail.
- Restrict browser plugins to the minimum necessary to do your job. Those plugins can read your data.
- Secure your laptop with FileVault and lock screens.
- Limit connected applications with access to Gmail, GitHub and other accounts.
- Secure customer data. (Obfuscated links don't cut it!)
These are all great practices even if your business doesn't need SOC 2 certification. Now to deploy some code (if I can just remember where I've written down my SSH key…).