Penguin SOC1 & SOC2 Case Study
Case Study: Helping Penguin International Achieve SOC1 and SOC2 Compliance
Client Background: Penguin International is a leading provider of integrated research services to the consulting and offshore industries. With a commitment to securing sensitive healthcare, financial and operational data, the company sought to enhance its internal controls and ensure the highest standards of cybersecurity and data protection for its clients and stakeholders.
Challenge: Penguin International aimed to pass both SOC1 and SOC2 audits, ensuring compliance with industry standards to build trust with global clients and stakeholders. The company approached MYITMANAGER for assistance in navigating the rigorous SOC1 and SOC2 audit process.
Solution: MYITMANAGER provided end-to-end guidance for Penguin International’s SOC1 and SOC2 audit preparation, leveraging their deep expertise in IT controls, security frameworks, and regulatory compliance. MYITMANAGER also helped us achieve ISO 27001:2022 certification and is now working with us on GDPR compliance. Since MYITMANAGER’s consultants hold CISM and CIPP/E certifications, we have engaged them as our vCISO and DPO to manage all our IT security, compliance and data protection on a monthly retainer basis.
Key Phases of Engagement:
- SOC1 Audit Success: MYITMANAGER’s initial focus was on helping Penguin International pass the SOC1 audit. This audit covers the controls at a service organization that are relevant to its clients’ internal control over financial reporting (reported under the AICPA’s SSAE 18 attestation standard), and it was successfully completed with MYITMANAGER’s help in ensuring that Penguin’s internal controls were properly documented, operating as described, and aligned with that standard.
- SOC2 Audit Preparation: With the SOC1 audit successfully completed, Penguin International shifted focus to SOC2, which evaluates an organization’s controls against the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the common criteria) is always in scope; the other four are included according to the services and commitments the organization chooses to cover. MYITMANAGER implemented a roadmap for the company to meet the SOC2 requirements in scope, focusing on the critical technical and operational controls.
Technical Approach:
- Control Gap Assessment: MYITMANAGER conducted a thorough assessment of Penguin International’s existing IT infrastructure, identifying gaps and vulnerabilities. This helped prioritize control improvements across the five SOC2 Trust Services Criteria.
- Control Enhancements:
- Access Management & Authentication: MYITMANAGER helped implement multi-factor authentication (MFA) across all systems to ensure that only authorized personnel had access to sensitive data, addressing Security criteria.
- Data Encryption: Encryption was applied to sensitive data in transit and at rest so that data could not be read or tampered with by unauthorized parties, addressing the Confidentiality criterion and the logical-access and data-protection elements of the Security criteria. Note that encryption protects stored and transmitted data; the Processing Integrity criterion (processing that is complete, valid, accurate, timely and authorized) is evidenced by validation and processing controls rather than by encryption.
- Incident Response Plan: MYITMANAGER collaborated with Penguin International to design and implement a comprehensive Incident Response Plan, ensuring that the company was prepared for potential security breaches. This addressed Availability and Security criteria.
- Audit Trails & Logging: MYITMANAGER established robust logging and monitoring systems to track user activity and system access. These logs were maintained securely and regularly reviewed to meet SOC2’s Security and Availability requirements.
- Continuous Monitoring and Testing: MYITMANAGER set up a continuous monitoring system to detect any anomalies, potential breaches, or issues that could threaten data availability or security. This was critical to fulfilling the ongoing monitoring requirements of the Availability and Processing Integrity criteria.
- Documentation and Reporting: MYITMANAGER assisted Penguin International in ensuring that all security policies, procedures, and controls were properly documented and readily accessible for the auditors during the SOC2 audit. This documentation, together with the records produced by the controls themselves (access reviews, log reviews, incident tickets), served as the audit evidence for the criteria in scope, including Privacy and Confidentiality.
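The MFA, logging and continuous-monitoring controls above are described at the policy level; the following is an added illustration (not MYITMANAGER’s or Penguin International’s own tooling) of the kind of periodic log review that produces evidence for them. It assumes a hypothetical JSON-lines export of login events from an identity provider, a hypothetical authorized-user list, and a constructed sample log; the three checks (successful login without MFA, successful login by an account not on the authorized list, and a burst of failed logins for one account) are the ones a reviewer would typically sign off on.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events in JSON-lines form. The field names are an
# assumed IdP/SSO export format; this is not real Penguin International data.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:01:10Z","user":"alice","event":"login","result":"success","mfa":true,"src":"10.0.1.5"}
{"ts":"2024-03-04T08:03:00Z","user":"bob","event":"login","result":"success","mfa":false,"src":"10.0.1.7"}
{"ts":"2024-03-04T08:10:00Z","user":"mallory","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2024-03-04T08:10:20Z","user":"mallory","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2024-03-04T08:10:40Z","user":"mallory","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2024-03-04T08:11:00Z","user":"mallory","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2024-03-04T08:11:20Z","user":"mallory","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2024-03-04T08:30:00Z","user":"carol","event":"login","result":"success","mfa":true,"src":"10.0.1.9"}
{"ts":"2024-03-04T09:00:00Z","user":"alice","event":"login","result":"failure","mfa":false,"src":"10.0.1.5"}
"""

# Hypothetical list of accounts currently authorized by HR/IT (an assumption);
# in practice this comes from the HR system or the IdP's active-user export.
AUTHORIZED_USERS = {"alice", "bob", "dave"}


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so map it.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def review_access(events, authorized=AUTHORIZED_USERS,
                  window=timedelta(minutes=5), max_failures=5):
    """Run the three review checks over login events and return the findings.

    login_without_mfa:    successful login with mfa == false (MFA-everywhere control)
    unauthorized_success: successful login by an account not on the authorized list
    failed_login_burst:   >= max_failures failures for one account inside `window`
    The window and threshold are illustrative values, not a standard.
    """
    findings = {"login_without_mfa": [], "unauthorized_success": [],
                "failed_login_burst": []}
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "login":
            continue
        user = ev["user"]
        if ev["result"] == "success":
            if not ev.get("mfa") and user not in findings["login_without_mfa"]:
                findings["login_without_mfa"].append(user)
            if user not in authorized and user not in findings["unauthorized_success"]:
                findings["unauthorized_success"].append(user)
        elif ev["result"] == "failure":
            failures[user].append(ev["ts"])
    for user, times in failures.items():
        # Sliding window over the (already sorted) failure timestamps.
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                findings["failed_login_burst"].append(user)
                break
    return findings


def review_passed(findings):
    """True only when every check is clean; this is what the reviewer signs off on."""
    return not any(findings.values())


if __name__ == "__main__":
    result = review_access(parse_events(SAMPLE_LOG))
    for check, users in result.items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
    print("review passed:", review_passed(result))
```

Against the sample, the review flags bob (logged in without MFA), carol (not on the authorized list, the usual sign of a missed deprovisioning step) and mallory (five failures in under two minutes). Keeping the script’s output together with the dated sign-off is the kind of record an auditor asks for when testing that log reviews actually happen, not just that a policy says they should.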
Results and Impact:
- SOC2 Compliance Achieved: Penguin International successfully passed the SOC2 audit, assuring clients and stakeholders of its robust security practices and controls.
- Improved Trust and Client Confidence: By achieving both SOC1 and SOC2 compliance, Penguin International enhanced its reputation as a trusted partner in the maritime and offshore industry.
- Enhanced Cybersecurity Posture: The engagement led to strengthened security controls and practices that are now ingrained in the company’s daily operations, protecting both client data and operational integrity.
CEO’s Appreciation: “We are extremely pleased with the outstanding support and expertise MYITMANAGER provided during our journey to achieve SOC2 compliance. Their team not only helped us pass the SOC2 audit but also strengthened our internal controls, ensuring that we are well-prepared to protect our clients’ sensitive data. Their approach was thorough, practical, and aligned with our business needs. Thanks to MYITMANAGER, we have built a more robust cybersecurity framework and can now confidently assure our clients of our commitment to the highest standards of data protection. We truly value their partnership.” — CEO, Penguin International