What is an SOC 2 report?
A SOC 2 report serves to establish trust between a service provider and its customers. It's a document that is becoming less of a "nice to have" but more like a "must-have" to stay competitive in the market. If you store, transmit, or process any kind of customer data, you most certainly will need to be SOC compliant.
It leaves you more room to fulfill requirements than the PCI or many other security frameworks. Those have a better defined and more specific set of criteria to pass.
A SOC 2 report has 5 trust categories:
- Processing Integrity
You don't have to cover all of these in a SOC 2 report. You can prepare a report only for one of the categories and for only a selected system within your organization.
SOC 2 also differentiates between SOC 2 Type 1 and Type 2 reports. In layman's term, SOC 2 Type 1 contains the description of the data security controls you put in place. SOC 2 Type 2 has the description, but also the effectiveness of those controls over an examined period of time.
SOC 2 and PCI reports from Jira
Auric Systems is a data security company, helping businesses secure billions of dollars worth of payments and transactions.
They also use Jira for their daily project management, so naturally, that's the platform where they manage and store internal processes and business workflows. When the SOC 2 or PCI audit comes, they are exporting the information they need to prove their compliance.
We caught Raymond Côté, CTO of Auric Systems International, for a few quick questions about how they create SOC 2 and PCI reports from Jira data.
How long have you been working with Atlassian tools at Auric Systems?
It's been over 5 years now.
How do you create SOC 2 and PCI reports from Jira?
We used to use the built-in export feature in Jira, but that wasn't sustainable professionally. The document layout it produced was alright in the beginning, but then Atlassian changed the export layout which we couldn't accept.
We decided to look for a dedicated app on the Atlassian Marketplace to export Jira data to a preferred document format. We also wanted to be able to control how the document is structured and what Jira issue information is exported.
Better PDF Exporter allows us to easily gather evidence for our PCI and SOC 2 assessors. It's a more robust solution for generating documents from Jira, as we can also customize every detail of the PDF report to our needs.
Did you try similar apps?
First we tried the other Midori product, Better Excel Exporter for Jira. We could see that it was also very useful, but the Excel format just wasn't the right one for the type of report we needed.
Then we found Better PDF Exporter on the Atlassian Marketplace, and it was the perfect choice for us.
What benefits does Better PDF Exporter bring to your use cases?
We found it very easy to export all relevant Jira ticket information to PDF. It handles not only the default Jira data, but it integrates with lots of third-party Jira apps, as well.
For example, it was vitally important to us to be able to include the work hours in our PDF exports. Our team uses Tempo Timesheets for worklog reporting in Jira, so we needed the exporter app to be compatible with Tempo Timesheets.
In conclusion, I think that when it comes to official documents that you need to compile from Jira data, you will need a decent tool. You need something that takes the industry standards into consideration and leaves you as much room for customization as possible to deliver professional outputs. We have been able to do that with Better PDF Exporter perfectly.