Our resource center for all things Compliance
The most common questions we get.
A Type-1 audit is conducted at a point in time. Type-1 shows what’s in place to get compliant. A Type-2 audit is a much broader and comprehensive audit which inspects the effectiveness of control operations across a period of time (usually 6-12 months). Type-2 shows how you’re staying compliant over time. We provide evidence collection, monitoring, and real-time auditor feedback over that entire span of time.
Unlike PCI, only a CPA firm can provide a signed SOC-2 report. We help you Control the SOC 2 Compliance process, prepare and facilitate the audit, and act as an internal audit team to help you pass without the pain. But we cannot grant a SOC-2 report. We're happy to connect you with one of our audit partners to get it done quickly!
There are currently five Trust Services Criteria: Security, Availability, Confidentiality, Privacy and Processing Integrity. Most organizations start their compliance journey focused on Security, then build a compliance roadmap across other criteria over time.
Control is the Very Good Security’s Compliance Platform. Many compliance frameworks have common criteria. This means that, for example, adherence to a PCI Control, can also apply to a HIPAA control. We cover multiple compliance frameworks, including ISO 270001, PCI, HIPAA, GDPR, CCPA and more.
SOC 2 applies to a much broader range of organizations, and focus on the security, availability, confidentiality, processing integrity, and/or privacy of customer data. PCI on the other hand, has a narrower focus, specific to organizations that accept, store, process, or transmit cardholder data.
No. There’s obvious benefits that you should seriously consider; like immediate compliance across dozens of data related control criteria. But it’s not a requirement. We see many customers starting with Control and adding the VGS Vault as they grow their security posture.
We fully support your security journey on Control in two different ways. The first is through a dedicated account manager, security engineer and compliance expert who will always respond in under 48 hours to your questions or concerns. The second is through an optional shared Slack channel upgrade, where you get immediate access to that same team of experts.
The short answer? No. Endpoint agents are a confusing option for achieving SOC 2, especially when companies intentionally create confusion and security theater to sell their product. Let’s take a moment to think about endpoint agents from a security standpoint, instead of a compliance one.
Control’s approach to endpoint agents is to encourage you to use meaningful enforcement when the time is right for your business. This is why we integrate with tools like Jamf, Microsoft Intune, Google Workspace device management and Jumpcloud: all of these agents enforce security controls instead of perpetuating security theater and harming your security posture from day one.
For smaller companies just trying to check the compliance box we recommend an onboarding process. During an audit for small businesses, this does mean taking around 3 screenshots, but it also means you didn’t deploy an extra piece of adware to your entire device and server fleet. Use this process to check the box, and then scale into a real device manager over time.
Our aim with Control is to both check the box for you in the easiest way possible, and then to scale into meaningful security with you in the long run. A monitor only endpoint agent perpetuates security teams worst nightmares: security theater and alert fatigue.
We run our monitors once a month by default but can run them as frequently as you would like for your team. Because an auditor is looking for improvement over time from an evidencing standpoint, the monthly cadence is best from their standpoint. We are also concerned about avoiding alert fatigue, so we'd suggest a cadence that makes alerts feel meaningful to your team.
We love getting this question because it shows that you’re thinking correctly about security as a whole, and means you’re probably in a great state as a business to go through an audit. By default we create a role with read only access into the entire account, and that’s our general philosophy with all the integrations. We’re confident you can trust our access because we store your credentials in the same Vault that holds consumer card information for large financial institutions that we guarantee the safety of. That being said, we understand any concerns and have designed the integrations in such a way that if access is denied, that piece of evidence is just dropped from the platform without any hiccups. Basically, more visibility = more automation and monitoring, but less visibility will not impact your ability to use the platform. So feel free to customize the policies in cloud platforms however you’d like, it just means potential manual evidence for the audit.
Issues related to payments or invoicing.
VGS Control is an annually renewed platform in order to provide value over time in renewing your audits. The annual fee can be paid all once, or in monthly installments.
Contact your account representative, or email us at firstname.lastname@example.org
While we don't offer referral codes, please let your account manager know anything that may be determining your budget. We're happy to work with you on pricing!
Issues related to logging in, out, or about multiple devices.
Our accounts automatically timeout your login after 24 hours, if you're losing access faster than that, check that your cookies and cache are not being automatically cleared. Try turning off any browser extensions on our page. If you continue to have any issues, please contact your account representative.
Please contact your account representative directly or email us at email@example.com
We should connect to determine which compliance frameworks you're pursuing, if we can help by providing an auditor or pentester, and to walk you through some of our cool paid features.
We support SSO via Google login, as well as regular email based accounts. MFA is coming soon! We also support RBAC for user accounts invited to the platform.
If you didn’t find what you needed, these could help!
Do you need more information? Schedule a demo to learn more about how we can help you take Control.
Thanks, we'll be in contact soon!
© 2021 Very Good Security - All Rights Reserved