SOC 2 Compliance

Rizing products SOC 2 compliance and evidence gathering is maintained in the Information Security ADO Project.

Overview

All Rizing products follow similar development workflows, governance, and evidence gathering processes in order to streamline the SOC 2 reporting needs, across teams.

Use of Azure DevOps

Azure DevOps serves as a comprehensive platform for software development, enabling teams to collaborate, manage code, track work, and deploy applications. The platform is used for all development tasks within Rizing. Azure DevOps audit logs meticulously track changes within Rizing's Azure DevOps organization, capturing events such as permissions modifications, resource deletions, branch policy changes, and more. The audit logs are exported and analyzed (via an automated script) to verify that approved policies throughout ADO have not been changed without proper approval.

Summary

Policy

  1. Azure DevOps (ADO) is used in each step of the software/development lifecycle (for all Rizing products)
    1. Branch policies and other permissions are used to enforce the approved/standardized development workflow
    2. Branch policies ensure that no one can move code between stages without the proper workflow and approvals
    3. Required approvers must test/approve changes before code changes can be merged (done through Pull Requests)
    4. Azure DevOps keeps track of all changes and approvers for every code change

Enforcement

  1. ADO provides audit logs that record all changes throughout the product
    1. Audit logs are exported, archived, and analyzed nightly
  2. Any policy or permission change identified in the audit logs is flagged as an event in the Information Security project
    1. A daily notification is sent to an administrator, reporting any flagged audit log events for the previous day
  3. All flagged audit log events must be linked to an approved Change Request or marked as Reviewed - No Security Implications by the administrator
  4. A query for all audit log events that have not yet been linked can be found here
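The nightly analysis described above, as an added illustration written for this page (it is not Rizing's own script): it reads an exported audit log, keeps only the policy and permission changes for the previous day, and reports which flagged events are already linked to a Change Request, which have been marked "Reviewed - No Security Implications", and which still need an administrator's disposition. The field names (timestamp, actorUPN, area, category, actionId, details), the area/category values used to classify an entry, and the sample entries are all assumptions constructed for the example; check them against a real export before relying on them.

```python
"""Nightly audit-log check for Azure DevOps policy/permission changes.

Added example, not the project's own script. Field names and the
area/category values below are assumptions; verify against a real export.
"""
import json
from datetime import date, datetime

# Constructed sample export (not real data). Only e1 and e2 are
# policy/permission changes on 2024-01-15; e4 is such a change on another day.
SAMPLE_EXPORT = json.dumps([
    {"id": "e1", "timestamp": "2024-01-15T02:10:00Z", "actorUPN": "alice@example.com",
     "area": "Policy", "category": "Modify", "actionId": "Policy.BranchPolicyChanged",
     "details": "Changed minimum reviewer count on branch main"},
    {"id": "e2", "timestamp": "2024-01-15T09:45:12Z", "actorUPN": "bob@example.com",
     "area": "Security", "category": "Modify", "actionId": "Security.PermissionChanged",
     "details": "Granted Contribute on repository product-api"},
    {"id": "e3", "timestamp": "2024-01-15T10:00:00Z", "actorUPN": "carol@example.com",
     "area": "Git", "category": "Execute", "actionId": "Git.RefUpdated",
     "details": "Pushed to feature/login"},
    {"id": "e4", "timestamp": "2024-01-14T23:59:00Z", "actorUPN": "dave@example.com",
     "area": "Policy", "category": "Remove", "actionId": "Policy.BranchPolicyRemoved",
     "details": "Removed build validation policy on branch release"},
])

# Assumed classification: a change to a policy or a permission is any entry in
# these areas whose category is a create/modify/remove action.
FLAG_AREAS = {"Policy", "Security"}
FLAG_CATEGORIES = {"Create", "Modify", "Remove"}
NO_SECURITY_IMPLICATIONS = "Reviewed - No Security Implications"


def load_export(text):
    """Parse the JSON export into a list of audit entries."""
    return json.loads(text)


def entry_date(entry):
    """Return the calendar date (UTC) of an entry's ISO-8601 timestamp."""
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")).date()


def is_policy_or_permission_change(entry):
    """True when the entry changes a policy or a permission (assumed rule)."""
    return entry.get("area") in FLAG_AREAS and entry.get("category") in FLAG_CATEGORIES


def flag_events(entries, day):
    """All policy/permission changes that happened on the given day."""
    return [e for e in entries if entry_date(e) == day and is_policy_or_permission_change(e)]


def daily_report(flagged, dispositions):
    """Split flagged events by disposition.

    dispositions maps an audit event id to either a Change Request id
    (e.g. "CR-1042") or the literal NO_SECURITY_IMPLICATIONS marker.
    Events with no disposition still need administrator action.
    """
    report = {"linked": [], "reviewed": [], "unlinked": []}
    for e in flagged:
        disposition = dispositions.get(e["id"])
        if disposition is None:
            report["unlinked"].append(e["id"])
        elif disposition == NO_SECURITY_IMPLICATIONS:
            report["reviewed"].append(e["id"])
        else:
            report["linked"].append((e["id"], disposition))
    return report


def format_notification(day, flagged, report):
    """Plain-text body for the daily administrator notification."""
    lines = [f"Flagged audit log events for {day.isoformat()}: {len(flagged)}"]
    by_id = {e["id"]: e for e in flagged}
    for event_id in report["unlinked"]:
        e = by_id[event_id]
        lines.append(f"  NEEDS REVIEW {event_id} {e['actorUPN']} {e['actionId']}: {e['details']}")
    for event_id, cr in report["linked"]:
        lines.append(f"  linked       {event_id} -> {cr}")
    for event_id in report["reviewed"]:
        lines.append(f"  reviewed     {event_id} ({NO_SECURITY_IMPLICATIONS})")
    return "\n".join(lines)


if __name__ == "__main__":
    day = date(2024, 1, 15)
    flagged = flag_events(load_export(SAMPLE_EXPORT), day)
    # Constructed dispositions: e1 already tied to a Change Request, e2 not yet handled.
    report = daily_report(flagged, {"e1": "CR-1042"})
    print(format_notification(day, flagged, report))
```

In a real deployment the dispositions would come from the work items in the Information Security project rather than a literal dictionary, and the "unlinked" list is exactly what the query in step 4 above would return.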

Review

  1. Each month, evidence is gathered and archived to verify that the previous month adhered to the outlined workflows/policies
    1. See Evidence Gathering section for more details on this process
  2. A monthly security review meeting is held in which evidence gathering is reviewed and approved
    1. See Monthly Security Review section for more details on this process

Diagram

[Figure: overview diagram of the workflow; the image and the link to its diagram source were not preserved in this export]

Evidence Gathering

The steps for evidence gathering are:

  1. Navigate to Rizing Product Security Reports wiki page in the Information Security ADO Project
  2. Expand the yearly reports section (ex: 2024 Reports)
  3. Navigate to the month you're gathering evidence for (typically the previous month)
  4. Gather evidence for each item listed under the "Evidence" table that is assigned to your name
  5. Place the gathered evidence into the equivalent year/month in the Evidence Repository
    1. Example: Evidence Repository > 2024 > Jan > E6 > E6-8 PR Approvals - OmniSpatial.png
  6. Complete all evidence gathering tasks assigned to you
  7. Once all evidence has been gathered, review the security questions
    1. Enter a response of "Yes" or "No" for each question
    2. Mark each question as "Done", once answered
    3. Hit Save
  8. Once all evidence is gathered and all security questions are answered, check the Contributor Acceptance checkbox at the bottom

Monthly Security Review

  1. Each month, a security review session takes place with all individuals involved in gathering evidence
  2. The expectation is that everyone has already gathered the evidence they are responsible for prior to this meeting
  3. Within this meeting, the current status of evidence gathering and security question/answers will be reviewed and discussed
  4. If anyone has any questions or special items to address, they will be discussed in this meeting