It’s that time of year again.
Remember back in the day when you had to call your accountant and spend days and tons of money preparing your tax returns? It seems like an eternity ago. Now you have tools like TurboTax to help you through the process so quickly and easily that you probably take it for granted.
So why are you still using a similarly archaic method to prepare for InfoSec audits such as SOC 2, PCI, and ISO 27001? People are still using consultants to help them prepare for their audits in much the same way we used accountants to prepare our taxes. Then they combine that practice with outdated tools such as spreadsheets, screenshots of evidence, and email or on-site visits to their office to collaborate with their auditors. You deserve better than that! You’re smart. You’re technical. You may even code. So why can’t you do this yourself with just a little help?
The answer is “Of course you can do it!” But you need a little help from technology. If only there were a tool for InfoSec program management like TurboTax. Well, the day has finally come – Tugboat Logic has built such a tool so you can get your life back, your sanity back, and your money back.
“TurboTax for InfoSec”
Tugboat Logic has built much of the same guidance and automation workflow of TurboTax to remove the mystery and misery from preparing for InfoSec audits. Some parallels:
Demystifies what you need to do
Tugboat Logic has an easy-to-use InfoSec Program Creation Survey that will ask you “plain English” questions about your InfoSec goals, your product/service, and your infrastructure in order to create an instant scope of required policies and controls to implement. It is your guidebook for what you need to do. We have done all the heavy lifting here for you – from writing the policies, to providing implementation help for all security controls, to providing guidance on what evidence your auditor is likely to request during an audit. This gets you ready for the test!
Assigns and tracks completion of security tasks
Once you’ve defined your plan, Tugboat Logic has an intuitive central dashboard for you to track these tasks – what policies have been reviewed and published, what controls have been implemented, and what evidence has been collected to prove the controls have been implemented.
Automates evidence collection
Tired of collecting evidence by taking screenshots? Forget to gather evidence for the period of time that your auditor is inquiring about? Well, no more! Tugboat Logic has made this effortless through our “Automated Evidence Collection” suite of integrations and built-in tools.
Some examples are:
- Code reviews: Automatically collects records from GitHub of all pull requests by repository and branch to prove that they have been reviewed by distinct people and what was done during the code review.
- Firewall rules: Gathers the configuration information for your AWS firewalls on a periodic basis automatically.
- Access controls: Pulls the user and group access controls for your AWS environment on a periodic basis.
- Data encryption: Collects configuration information from your AWS S3 environment to ensure it is encrypted and not exposed to the public.
- Employee awareness training: Automatically conducts and tracks employee awareness training, sends reminders, and serves as evidence of who has completed it for audits.
- Vendor risk assessments: Comprehensive “Vendor Risk Management” tool for conducting annual risk assessments for all of the partners you do business with.
- Internal audits: Easy-to-use “Audit Project Management” tool to conduct annual internal audits of your InfoSec program in advance of your third-party audits.
- And more coming every month!
Collaborate with your auditor in one place
Once you are ready for your audit, invite your auditor into Tugboat Logic to see your handiwork and verify your evidence. Our automated “Audit Project Module” allows you to upload auditor evidence request lists into our platform, converts them into easy-to-manage tickets/tasks, and helps you conveniently collaborate with your auditor using our commenting functionality. No more getting stuck or frustrated – and see your audit progress at a glance!
Automatically generates shareable assurance reports
A common request from customers is to see a copy of your InfoSec policy to help assure them that you will be a secure custodian of their sensitive data. With Tugboat Logic, we have created multiple automated ways to put your customers at ease. Instantly export a client-facing “InfoSec Policy Document” that is a true reflection of your InfoSec program, and/or use our “Security Assurance Report” to create a comprehensive report of what your company does, what data you collect, solution architecture diagrams, which audits you have passed, etc. It has been our experience that proactively sharing these reports with your customer at the beginning of an engagement can avert having to complete a more rigorous security questionnaire 25% of the time.
You Can Be a Security Pro, too
So now that there is an automated solution for this problem, it’s time to ditch the ways of the past and become a security pro yourself. With a little guidance from the folks at Tugboat Logic, anyone can learn how to create a modern InfoSec program that will have you flying through your next audit with ease, and help you win more business by assuring your clients that you are a secure partner. Like with TurboTax, soon the misery of getting secure will become a distant memory.