Facilitating SOC 2 compliance, or compliance with other systems, takes work—and meticulous attention to detail.
Mathieu Marcotte, an information security, risks, and compliance analyst at Poka, had to find a system that would minimize risk and the opportunity for human error while also ensuring their records were always up-to-date.
Poka is a connected worker application built for manufacturers. With Poka, factory workers are empowered to learn continuously, solve problems and share knowledge in real-time directly on the production floor.
They looked for software that would support their information security and compliance processes, but everything they found wasn't what they needed. It was too old, too expensive, or not agile enough for their startup.
That's when they decided to create their own system using Zapier.
"Zapier was able to help us achieve that vision while keeping things simple," Mathieu says. "Zapier was the glue between all our internal tools."
With Zapier, they designed their own processes using the tools they already had: Slack, Jira, Google Sheets, Google Calendar, Gmail, Github, and Intercom. This gave them the flexibility to create their own SOC 2 controls that exactly fit their needs.
Scheduled reminders for necessary tasks
One example is that every year employees need to complete security awareness training to maintain SOC 2 compliance. In the past, Mathieu used a form that asked people whether they read all the policies, and used that answer as an acknowledgment that they had done the training.
Now, he uses Zapier. Every week, Schedule by Zapier checks with their learning management system to see if everyone has done the training. If someone has not, then every week a message is sent to anyone who still needs to complete the training.
"In the past, I needed to go check every week, then write a message not to forget to complete it," he said. "I'm pretty sure I'll improve it in the future, but like a classic Zapier use case, I take in a manual task that I didn't like to do, I automate the task, and now it's automatic."
They also use Zapier to remind them of things that need to be done on a cadence, whether that's several times a year, or every week.
"It's real easy to just forget about things that need to be done," he said. "You're so in the day-to-day of other tasks that you forget about those things. Sometimes it's just simple reminders, but then the sky's the limit. If you want to alert everybody in the company, you can do so. Zapier gives you the flexibility to do what you want."
Here are some starting places for Schedule by Zapier reminders:
Send regularly scheduled Slack messages with information from Google Sheets
Poka also uses Zapier with Google Calendar for more fine-tuned reminders. For tasks that need to be done every three or four months, they create a recurring calendar event, and then use Zapier to automatically create a task in Jira and to send messages in Slack.
Visit the App Directory to explore how to connect Google Calendar and Jira Service Desk using Zapier.
Kicking off security reviews
Poka uses Zapier to assist with a few different types of security reviews. One helps them ensure all code merged into production has been reviewed, even if it's an emergency fix. And the other ensures employees who need access to services are able to be added quickly.
Code reviews
Poka has a control that requires a review for every code change that will go into production. When you're using GitHub or GitLab you can enforce a code review before merging changes. During the workday, this is simple to manage, but a few times a year, there may be emergency changes that need to be done.
"If something needs to be fixed quite quickly, say it's in the night and you're the engineer on call, you will need to wait for someone to wake up and check the code and then approve," Mathieu said.
That's not ideal for a true emergency that needs to be fixed right away. Poka has set up their system so that employees who are on call can merge without a review, and they use Zapier to ensure the team gets an alert when that happens. "It's a control for emergency changes," Mathieu said.
Using Zapier ensures that someone knows a review is needed. They're not relying on someone who may be working at night on a weekend to remember to tell someone to review. Without the automatic alert, "we wouldn't have any trace of that."
They can be flexible and still have monitoring controls in place.
Their Zap starts with GitHub, looking for a new commit, then uses a script that interrogates their API, and if there's a problem, sends a webhook out to create an incident, and alerts the security team in Slack.
Here are some ways to get started with GitHub and Zapier:
Requesting access to SaaS apps
They also use Zapier to manage a process of giving employees access to approved SaaS applications.
Employees who want access to an app fill out a form, then Zapier checks the app against a Google Sheet that lists the SaaS apps and who can give access, and then posts in a specific Slack channel tagging the person who requested access and the person who manages access.
The person who manages access can react with a checkmark emoji, which then alerts the requestor that access will be granted.
"It's really seamless because everything is happening in Slack," Mathieu said.
The first Zap uses the form submission as the trigger, then has a search action in Google Sheets to look up a spreadsheet row, and then an action in Slack to post the message about access.
Learn more ways to use Zapier to turn Slack into the ultimate place to get work done.
Keeping the team focused
Using automation keeps them all focused on the most important work.
"On a personal basis, I would say that Zapier saves me about 3-5 hours per week," Mathieu said. "We lose less time on things that we forgot that we needed to do."
Mathieu and others are always looking for ways to add automation to make their processes more efficient and effective.
"Even though I'm not an engineer or a programmer, I have that spirit in me," he said. "When I need to do stuff and I have some time, I think about what could I do better or differently?"
He keeps two questions in mind: Does it make sense to automate that task and is human error a risk factor in this process? If the answer to either of those is yes, then he begins to map out the process and think about the steps to see what's possible.
"I think about what I would like to do," he said.
For example, if he wants a user informed quickly, and thinks Slack would be the best tool, he then goes into Zapier and looks for the apps available to support that workflow.
"Like I say to people here at Poka, it's just like riding a bicycle," he said. "There's no magic recipe, you just need to go and try and you'll learn that way. Yes, you will crash a lot of times, but that's totally normal. It's the same with Zapier. You'll try to create something and the worst scenario is you'll lose an hour or 20 minutes. It helps a lot to try."