How were you involved in this project? What were the challenges?

ML: I was responsible for managing the whole SOC 2 project and was deeply involved in the design and implementation of security controls with IT Operations and Engineering teams. The challenges were not necessarily technical since we have a great pool of talented engineers at Devolutions that work hard to deliver high quality products and services. However, changing the way they were working was a true challenge. As an example, Engineering and IT Operations teams had to start documenting their work in tickets, version control, and pipeline systems in a way that every code and infrastructure change to production was easily traceable. It is hard for humans to change their behavior at someone else’s request. But it had to be done, and we succeeded by leveraging organizational culture, productivity requirements, tooling availability and enhancement, executive commitment, risk management, and transparent communication.

GB: For my part, I was mainly involved in the design and implementation of organizational and risk assessment / mitigation controls. This included having all required information security policies and procedures drafted and approved, implementing a thorough risk management and mitigation program, and making sure that our upper management remained committed and aligned with our SOC 2 requirements during the whole process. Regarding this last point, I must say that we received tremendous support from our management team, which was an important factor in the timely achievement of our SOC 2 objectives.

What was the result of the audit? Did we pass?

ML: At the end of the day, the deliverable of the SOC 2 audit is a detailed report that includes the opinion of our auditor on the system description and the consistency of the controls, our description of the system and its environment, a management assertion, and the result of each tested control within the scope of the audit. There is no real notion of pass or fail during this exercise since all the facts are included in the report. Our customers and partners will therefore have to judge, based on the content of the report, the level of confidence they can have in us based on the integrity of our auditor and ours. But to this date, we’ve had no significant deviation from all the controls we were audited for.

GB: “It’s not the destination, it’s the journey”, as we often say. Well, I couldn’t agree more here. Putting aside the report (which is in itself very positive), I think that, from an internal point of view, the most valuable input of this whole SOC 2 process for our organization was (and still is) how we increased our global awareness and commitment to information security within our company. There is now a common understanding among our management team and employees that information security is not just a simple feature that needs to be taken into account, but that it is rather a strong value which must guide all our processes and decisions. This represents a major shift in our business culture and the SOC 2 process really helped us to get there.

Do customers have access to the complete report?

ML: Yes, they do. They simply have to visit our security portal available from our website and directly download it from there. It is also important to note that a SOC 2 report is complex and is intended for an audience that can understand such a document.

GB: I will simply add that given the confidential nature of the information disclosed in the report, each person requesting a copy of our SOC 2 report will be asked first to review and accept the terms of our non-disclosure agreement to preserve the confidentiality of its contents.