Follow these detailed steps to upload and analyze your organization's data effectively:
1. Access the Data Upload Interface:
· Open the menu on the left side of your interface.
· Scroll down to the "Assessments and Reports" section.
· Select "Organization" and then "Files" to be directed to the correct page for data upload.
2. Upload Your Documents:
· Click on the “Upload File” button.
· Upload crucial files such as your organization’s annual report, business plan, financial statements, product descriptions, and other relevant documents.
3. Alternative Document Upload:
· If certain documents like vision and mission statements or detailed business plans are not readily available in file form, navigate to your organization's website.
· Convert the relevant web pages to PDF format: open the web page, press Ctrl+P, and save it as a PDF.
· Upload these PDFs using the same “Upload File” button.
4. Begin Data Analysis:
· Once your documents are uploaded, the AI analyzer will automatically process the information.
· This system is designed to extract key data from your files and enter it into the app, which helps in streamlining future processes and enhances data-driven decision-making.
Here’s how you can use uploaded data to update and refine your organization's profile efficiently:
1. Review Uploaded Data:
· After uploading your documents on the "Files" page, navigate away from this page by scrolling up.
· Click on the "Profile" page in the “Organization” section to view the information.
2. Automatic Data Population:
· Observe that the data from the uploaded files has automatically populated most of the fields under “Organizational Details.”
3. Edit Organizational Details:
· If you spot any inaccuracies or if updates are necessary, click on "Edit" located at the top right corner of the page.
4. Refine Details with AI Assistance:
· As you edit, look for fields marked with little yellow stars.
· Clicking on these stars will prompt the AI to provide suggestions, helping you refine your organizational information effectively.
5. Save Changes:
· Once you have made all necessary modifications, click “Back.”
· Your changes will be automatically saved, ensuring that your organizational profile is updated and accurate.
1. Access Governance Section:
· Navigate to the menu and scroll to locate the "Governance" section.
2. Open Context Settings:
· Within the Governance section, click on "Context."
3. Use Organization Context Analyzer:
· After uploading your files in the “Organization” section under “Files,” proceed to click on "Organization Context Analyzer." This tool will automatically analyze the files and populate the organization context for you.
4. Edit Organization Context:
· If adjustments are needed, click "Edit" to modify the information manually or utilize the AI-assisted features.
5. Utilize AI for Enhanced Editing:
· On the editing page, look for yellow stars next to some fields. These stars indicate that AI suggestions are available to assist you in refining the content.
6. Save Your Modifications:
· After making all necessary changes, click on the save icon to ensure that your updates are preserved.
7. Return to Previous Section:
· Once you have completed updating the organization context, click “Back to Context Page” to navigate back to the previous section.
To expand and organize your organization's structure by adding new departments, follow these steps:
1. Navigate to the Identify Section:
· Go to the menu on the left side of your screen and locate the "Identify" section.
2. Access Department Settings:
· Click on "Departments" within the Identify section to manage departmental information.
3. Add New Departments:
· To begin adding departments, click on "Add New Departments."
4. Enter Department Details:
· Fill in the required details for each new department you want to add. Ensure all information is accurate to facilitate effective organization management.
5. Save Your Entries:
· After entering the details, click on "Save" to secure the information and officially add the departments to your organization.
Follow these steps to efficiently manage and expand your organization's membership through the Department section:
1. Access Governance:
· Select “Governance” from the main menu.
· Click on “Departments”.
2. Edit Department:
· Find the department to add members to and click the “pen icon” next to it.
3. Add Member:
· In the department's page, click on “Add Member”.
· Select “Add New Member”.
4. Enter Member Details:
· Fill in the form with the member’s information.
· Click “Save” to finalize the addition.
5. Verify Addition:
· Ensure the new member appears in the department’s member list.
Network diagrams are essential tools for visualizing the layout of your network infrastructure. They help in understanding virtual operations and managing assets efficiently, which is critical for enhancing security. Here’s a step-by-step guide on how to upload your network diagram files or create one if you don’t already have it.
1. Access the Upload Feature:
· Navigate to the department section within your system. Look for an “Upload File” button located in the top right corner.
2. Upload Your File:
· Click on the “Upload File” button and select your network diagram file from your computer. Make sure the file is in a format that your system supports.
3. Create a flow chart:
· If you don’t have one, create one in any flow chart app (e.g. Draw.io).
· Then save the image of your flow chart and upload it to the MapleGRC app.
Adding and managing your organization's assets can be streamlined with the following steps:
1. Begin by Accessing the Departments Section:
· In the "Departments" section, start managing your assets. Locate the pen icon next to each listed asset to make edits.
2. Utilize the Assets Discovery Assistant:
· On the asset editing page, click on "Assets Discovery Assistant." This AI-powered feature facilitates the process of uploading and registering all your assets simultaneously.
3. Bulk Upload Assets:
· Select "Bulk Upload" to add multiple assets at once. You can upload an Excel sheet containing detailed information about your assets. The system will analyze the file and automatically incorporate the assets into your system.
4. Manual Upload for Hardware Assets:
· If you don't have an Excel sheet ready, click "+ Add Hardware Asset" to manually enter details for each hardware item.
5. Add Software Assets:
· Use the dropdown menu to select and add your software assets.
6. Repeat the Process for Other Asset Types:
· Follow the same steps to add "hardware assets" and "virtual assets," ensuring all categories of assets are updated and managed correctly.
To incorporate specific standards and regulations into your organizational processes, follow these detailed steps:
1. Access the Organization Section:
· In your application menu, scroll to the bottom and click on "Organization."
2. Navigate to Standards and Regulations:
· Within the Organization section, select "Standards and Regulations."
3. Initiate Addition of New Standards:
· Click on "Add Standard and Regulations" to start incorporating a new standard into your organization.
4. Select the Standard:
· From the drop-down menu that appears, select the “SOC 2” standard. Add this standard to begin aligning your processes with this regulation.
5. Assign Owners for Each Standard:
· Select an “owner” who will be responsible for overseeing the implementation and compliance of the SOC 2 standard within your organization.
6. Save and Apply Settings:
· After selecting the “SOC 2” standard and assigning the owner, click on "Save" to confirm your choices and apply these settings.
To effectively set up and manage your organization's policies, follow these steps for each of the eight policies under the "Governance" section:
Once all policies are created:
Initiate Policy Training
· Click on “Go to Policy Training” to initiate and circulate the training for each policy across the company.
· This takes you to the page where you start the policy training.
To effectively manage and secure both critical and non-critical assets within your organization, follow these detailed steps:
Initial Setup
1. Navigate to the Protect Section:
· Go to your menu and head to the "Protect" section, then select "Guidelines".
2. Generate Procedures:
· Click on "Generate Procedures" to create procedures for the assets you've added under "Departments".
3. Select Appropriate Regulation:
· In the "Select Regulation" part, choose "ACIPA TSC:2017" as the standard you are implementing.
4. Focus on Critical Assets First:
· Start with "Critical Assets" for better prioritization and management. Click on "Critical Assets".
Procedure Implementation for Each Asset
5. Review and Process Critical Assets:
· Upon selecting "Critical Assets", the relevant assets will appear under "Overall Procedures". Go through each asset individually.
6. Work Instructions:
· Start by clicking on the work instructions for each asset. These are detailed steps aligned with the SOC 2 Control.
7. Assign Work Instructions:
· Each work instruction, accessible via a link, redirects to a document with steps to comply with the SOC 2 control. Assign each instruction to a suitable team member.
8. Complete and Document Steps:
· After completing the steps in the document, take a screenshot as evidence.
9. Upload Evidence:
· Click on "Evidence", then on "Add New Package". Follow the instructions to upload the necessary evidence files and then click on "Save".
10. Update Status to Done:
· Once evidence is uploaded and saved, change the status of the work instruction to "Done".
11. Repeat for Each Work Instruction and Asset:
· Continue this process for each work instruction and for each critical asset.
Process for Non-Critical Assets
12. Proceed with Non-Critical Assets:
· After completing critical assets, click on "Non-Critical Assets" and repeat the same procedure.
1. Start the Training Plan:
· After adding a member, you can initiate your employees' training plan. Navigate to the “Protect” section, click on “Training,” and then select “General Training.” Each employee will be assigned all 12 topics of the general training.
2. Track Progress:
· To monitor each employee's training progress, go to the “Training Report” section. It's crucial that all employees complete their training to comply with audit requirements.
3. Create Annual Training Plans:
· You can also develop a comprehensive training plan for the year, divided into quarters, to both refresh general training topics and introduce new ones. To do this, scroll to “Training Plans” and click on “Detailed Plan.”
4. Edit Quarterly Plans:
· Select a quarter and click on the pen icon to edit the plan.
· Fill out the necessary details in the form that appears.
· Click “Save” to store the changes.
5. Publish and Document Training:
· Once your training plan is finalized and published, it will be accessible as configured. To document completed training, click on “Evidence” and upload the required proof of completion.
To effectively manage and assess your vendors' compliance and certifications, follow these detailed instructions within your system's "Identify" section. This process helps ensure that all vendors meet your required security and quality standards.
Accessing Vendor Assessment
1. Navigate to Vendor Assessment:
· Open the main menu and locate the "Identify" section.
· Click on "Vendor Assessment" to begin evaluating your vendors.
Adding a Vendor
2. Add a Vendor:
· In the Vendor Assessment section, click on “Add Vendor” to start the process of entering a new vendor into your system.
3. Fill in Vendor Details:
· Once you click on “Add Vendor,” a form will appear. Fill in all the necessary details about the vendor.
4. Save Vendor Information:
· After filling in the details, click on “Save” to add the vendor to your system.
Uploading Vendor Certifications
5. Upload Vendor Certifications:
· For each vendor, you will need to upload relevant certifications such as ISO, SOC2, Cybersecure Canada, etc.
· Click on “Upload File” next to the respective vendor’s name.
6. Select Certificate Type and Upload:
· In the “Tag” dropdown menu, select the type of certification you are uploading.
· Click on “Upload File” to choose the certificate file from your local system.
· After selecting the file, ensure you click on “Save” to securely store the certificate in the vendor’s profile.
Requesting Certifications from Vendors
7. Template for Requesting Certificates:
· If you do not currently have the necessary certifications from a vendor, click on “Template for Requesting Certificates.”
· This option provides you with a pre-formatted template that you can use to email vendors requesting their certifications. It also includes an attachment that should be included in the email to make your request clear and professional.
8. Send Requests and Manage Responses:
· Use the provided template to send out requests to all vendors from whom you need certifications.
· Keep track of received certifications by updating the vendor profiles with the new documents.
9. Review and Compliance Check:
· Regularly review the uploaded certifications for validity and compliance.
· Ensure all vendor information and certifications are up to date and follow up with vendors as necessary.
Follow these streamlined steps to manage risk scenarios and create incident plans in your system:
1. Navigate to Risk Management:
· Go to the “Identify” section.
· Click on “Risk Management” and then select “Risk Scenario”.
2. Select a Scenario:
· Choose one of the listed risk scenarios to manage.
3. Initiate Mitigation:
· Click on “Mitigate”.
· Review the linked assets and the controls in place to assess their implementation status and to ensure comprehensive risk management across your organization.
4. Link to Incident Plan:
· Scroll to the bottom of the page.
· Click on the link provided (marked as “here”) to redirect to the Incident Plan page.
5. Create or Update Incident Plan:
· Now in the “Response and Recover” section, under “Incident Management”, navigate to “Incident Plans”.
· Now you will find an incident plan created for your organization for the risk scenario.
6. Repeat for All Scenarios:
· Repeat steps 2 through 5 for each risk scenario.
To effectively manage and document risk assessments within your system, follow these steps:
1. Navigate to Risk Management:
· Go to the “Identify” section of your platform.
· Click on “Risk Management” and then select “Risk Assessment”.
2. Review Risk Assessment Table:
· On the risk assessment page, locate the table that includes a list of risk IDs.
· Each risk ID is associated with Risk Scenarios that were mitigated earlier.
3. Edit Risk Details:
· Scroll to the right within the table until you find the “Pen Icon” next to each risk ID.
· Click on this icon to edit the respective risk.
4. Update Risk Information:
· In the form that appears, fill out or update the details related to the risk.
· Ensure all necessary fields are completed to accurately reflect the risk and its mitigation measures.
5. Save Changes:
· Click on “Save” after editing each risk to ensure that your updates are recorded.
6. Repeat for All Risk IDs:
· Continue this process for each risk ID in the table to ensure all risks are up-to-date.
7. Export Risk Assessment Report:
· Once all risk IDs have been edited and saved, click on “Export Risk Assessment”.
· This action will generate a report of the risk assessment, which can be used for auditing purposes or further review.
To effectively manage and analyze your organization's cyber risk, follow these detailed steps:
1. Access the Governance Section and Navigate to Cyber Risk Strategy:
· Scroll through the menu to locate and select the "Governance" section.
· Within the Governance options, choose "Cyber Risk Strategy."
2. Use the Cyber Risk Management Strategy Analyzer:
· Click on "Cyber Risk Management Strategy Analyzer." If financial documents have been previously uploaded, the tool will automatically assess your cyber risk tolerance, appetite, and capacity.
3. Manual Input if Necessary:
· If no financial statements are available, click "Edit" to manually input the required information.
4. Enter Data Manually or Use AI Suggestions:
· On the editing page, you have the option to manually fill out the data or utilize AI-generated suggestions by clicking on the "Yellow Stars Icon."
5. Save Your Work:
· After entering the necessary data, click the "Save Icon" next to the AI suggestions to ensure that all your modifications are preserved. This step is crucial to prevent any loss of data.
6. Return to Previous Page:
· Once all entries are complete, click on the "Back" button. This action takes you back to the previous page, allowing you to confirm that all changes have been saved correctly and that no information is missing.
To ensure your organization is fully prepared for a SOC 2 audit, follow this step-by-step guide to fill out the compliance report in the Assessments & Reports section of your application.
Accessing the Compliance Report
1. Navigate to the Compliance Report:
· Go to the main menu and select “Assessments & Reports”.
· Click on “Compliance Report”.
2. Select the SOC 2 Audit:
· Within the Compliance Report section, find and click on “SOC 2 Audit”.
Filling Out the Audit Table
3. Review the Audit Table Structure:
· The table is divided by grey sections representing different areas of the standard. Each section corresponds to specific parts of the SOC 2 Standard.
4. Understand Each Control:
· For each control, note the “ID” and “Title”. This helps in identifying what specific requirement or control the evidence needs to support.
5. Provide Evidence Location:
· For each control, provide guidance on where the evidence can be found within your application. This might include a description like “Evidence Guideline MapleGRC” followed by a direct link to the evidence.
6. Select Conformity Status:
· Click on “Conformity” for each control. Choose “Conform” if your practices are in line with the standard. If not, select the appropriate status that reflects your situation (e.g., "Non-Conformity", "Minor Non-Conformity").
7. Upload the Evidence:
· For each control, click on “Evidence” and upload the required documents, such as screenshots or PDF reports, that provide proof of compliance.
Repeat for All Controls
9. Complete Each Control:
· Repeat steps 5 to 8 for each ID in the table. Ensure that every control listed in the SOC 2 Standard is addressed and documented with appropriate evidence.
Final Steps Before the Audit
10. Review Your Entries:
· After filling out the table for all controls, review your entries to ensure everything is accurately documented and that all evidence accurately reflects your compliance status.
11. Prepare for the Audit:
· Once you have completed the compliance report and uploaded all necessary evidence, you are ready for the SOC 2 Audit.