Why (and How) We Invest in Security Audits as a Defi Company

[BTW: We’re putting together volunteer Security & Privacy Team — for folks who especially like exploring these issues! Email @james for more info!]

In our company Slack, we have a #goodreads channel where we’ll drop in articles, essays, and other interesting consumables that find on the interwebs.

Unfortunately, it is not uncommon for a team member to drop in an article about yet-another social media site performing something questionable or some new hot crypto project promising the moon when they’re much more interested in making sure you’re left holding a bag of cheese.

So why, then, would we want to build a new community platform in the midst of the crypto revolution? It certainly isn’t the easiest path we could have chosen.

But that’s exactly why we do it. We wanted to build a place for truth and community in this (harsh) landscape of ours!

We are stronger, together.

At YEN we strive to be a pro team with a pro product — at least that’s one of our internal mantras. One of the things we can’t build via sprints and code but vital to our mission is trust. As much as we want the product and experience to give the user a sense of security, we wanted to go one step further and fully audit our company from the ground up to have an independent review that we are operating with our user’s interests in mind.

At YEN, we wanted to protect that relationship from the get go. One way we’re doing that is by preparing for a SOC2 audit and attestation.

Developed by the American Institute of CPAs (AICPA) a SOC2 (or Service Organization Control 2) is a framework in which companies can structure their organizations to meet five criteria known as Trust Services Criteria (TSC) to prepare for a SOC2 attestation:

  • Security (also known as common criteria)
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

While not all organizations need to meet all five, at minimum they must meet the Security TSC to pass a SOC2 audit.

All of that sounds great but when we started this journey, we knew that we wanted to get “certified” (certified in quotes because there is no actual certificate you get, but more of a job well done and we, “The CPAs” attest that your framework is in place and meets requirements) but didn’t really know the best way to get started and the best use of our resources. Thankfully, we found a partner in Aptible.

We were given an introduction to another company from one of our Venture Capital partners who also went through the process. While we probably could have gotten through the audit prep by ourselves but with a much longer timeline, working with a trusted partner has been a time (and sanity) saver for sure.

For starters, they’ve got a pretty neat system of walking through setting up your Information Security Management System (ISMS) which essentially lays out your company’s operating procedure to support your meeting the TSC’s you’ve chosen to be audited around.

More than just monitoring

A Few Tips — How We Got Started

For anyone reading this getting started in the process, here are a few things to keep in mind as you plan around timing and costs. We found out the requirements around each of these later in the game but we’re putting this out so you can get a head start on ramping these up. Each company’s set up is going to be different but this is how we’ve chosen to set up our ISMS.

Mobile Device Management(MDM) — VMWare WorkSpace One (formally AirWatch) — a system for accounting for all machines that would have access to your company networks. We looked for one that perform basic asset logging and application management to some more advanced features like remote tracking, remote wiping, and encryption among others.

Vulnerability/Penetration Scans — TinFoil Security — we signed up for monthly scans to be performed to identify any weak spots in our application security. These scans are great for us to an independent view at things we need to patch up. Sometimes it’s hard to see the forest in the trees.

Antivirus — Symantic Endpoint Protection — gotta keep safe in the streets, yo.

Application Monitoring — AppSignal — we use AppSignal to monitor our servers and application performance. Using their alert system, we’re able to get real time communications for incidents that need to be addressed. This ensures we’re always striving to have YEN available for everyone.

While we were preparing for our SOC2 audit, we also worked with Aptible on our GDPR readiness as well. We plan to have users all over the world so it was important (required?) for us to get GDPR compliant as well.

So through this process we were also able to get set up with a few vendors. When sending EU or Swiss user data to another county (in our case the US), an appropriate data transfer mechanism needs to be in place. There are few ways to do this but we’re working through the process of certifying with the EU-US Privacy Shield Framework.

A sub requirement of certifying with Privacy Shield is to register with an Independent Recourse Mechanism (IRM) which is a fancy way of saying an independent arbitration firm should anyone file complaints in regards to your handling of user data. We’ve registered with the International Centre for Dispute Resolution/American Arbitration Association as our representative.

Once your IRM is situated and your public facing privacy policy is up to date (Aptible will help you in developing yours), you can then register to certify with Privacy Shield.

Now, if you’re a US based company like us and don’t have physical employees based in the EU, there is some work required to meet Article 27 of the GDPR guidance. In a nutshell, it basically means you need to have a physical real life person in the EU available to handle all inbound complaints and inquiries. We currently don’t have anyone based in the EU (yet?), so we had to employ the services of a representative company. If you’re looking for one as well, this site has a listing of ones to reach out to. We signed up with Lionheart Squared as our representatives because they had the coolest name (among other reasons of course).

As you can see, the path to get a SOC2 attestation can be a long and winding one but hopefully this can serve as a resource to help get you started. This list goes over a few venders you will need to have in place to get your ISMS started right and what works for us but it doesn’t go over what you have to put in your company’s specific ISMS. That’s up to you. It also doesn’t go over actually putting that ISMS into practice at least 90 days before you schedule your SOC2 audit. So make sure to factor that into your timeline!

We’ll continue to post updates as we go along our journey so hopefully we can continue to post some helpful info along the way.

The more companies take this stuff seriously, especially in the crypto space, the better we think. If you’d like to chat about our or your setup, we’d love to connect! Drop us a line!