Eden Data's Drata 14 Day Compliance Accelerator Program
DRATA CAP
Statement of Work
Eden Data is Drata's 2023, 2024 and 2025 Partner-of-the-Year and has deep expertise implementing Information Security Programs that leverage Drata as the foundation and baseline for all infosec and compliance requirements.
Auditor & Penetration Testing Selection Consultation (if needed): Discuss requirements & make vendor recommendations
Policy Development: Begin formulating compliance-aligned policies for your core policies and upload them to Drata
Roles and Ownership: Discuss the importance of policy and control ownership, and define next steps to assign proper ownership in Drata
Vendor Support: We will upload a vendor to your repository as an example to follow
WEEK 2
Week 2: Documentation & Review
Tabletop Exercises: Provide a template and guidance for IR & DR tabletop scenarios
System Description Document Creation: Draft and review the system description document as required (if pursuing SOC 2)
Project Review and Closure: Virtually conduct a thorough review of all deliverables to ensure all objectives have been met, and identify next steps with your organization to ensure you continue to achieve your compliance and/or security objectives
Touchpoint call
WEEK 3&4
Week 3/4: Finalize deliverables from the CAP SOW
* If not completed in the first two weeks, we will extend the timeline until the SOW items are completed, at which point we will offer the project review and closure
AFTER CAP
OPTION 1 Continue independently: Follow the steps in Drata to navigate the 100+ steps to achieve audit-readiness.
OPTION 2 Graduate to Sprint: Our team will handle all the heavy lifting to get audit-ready, involving you only when absolutely required.
COMPARING SERVICE OFFERINGS
CAP
Time required: We support and guide you to the extent you invest time and resources during the program.
Focus: Upfront Drata setup to set you up for success:
  • Foundational and technical setup
  • Policy adjustments
  • Tabletop exercise
  • Planning
  • System description
Engagement: Asynchronous + touchpoint calls
Target client: Companies with dedicated compliance resources that just need some upfront guidance
In-house resource needs: Dedicated in-house resources (e.g. CISO or CTO) needed to ensure a smooth transition after CAP to achieve audit-readiness on the desired timeline
Duration: 14-30 days

SPRINT
Time required: We handle all heavy lifting, involving you only when absolutely required.
Focus: Total Drata configuration with bespoke customization to your business and compliance objectives:
  • Policy customization
  • Implement or guide all controls and integrations
  • Lead all procedures and exercises
  • Interface with auditor
Engagement: Real-time communication + recurring syncs
Target client: Scaling companies that want to offload compliance and focus on other growth initiatives
In-house resource needs: Minimal resources required beyond point(s)-of-contact to confirm business details, do hands-on-keyboard work, implement instructed processes, and physically sign off on tasks
Duration: 4-6 month upfront commitment, renewed monthly
READINESS TIMELINES
Examples based on previous engagements
SCOPE OF WORK
DRATA Compliance Accelerator Program Statement of Work
Through a Drata trusted vCISO/MSSP partner, Drata offers a quickstart program to all its customers for implementing Information Security Programs that leverage Drata as the foundation and baseline for all infosec and compliance requirements.
GAP ANALYSIS
Partners will conduct a compliance gap analysis leveraging Drata integrations based on the selected compliance frameworks to identify gaps across the organization.
Services included
Scope and customize compliance framework requirements and assign control owners (if applicable)
POLICY CREATION / REVIEW
Services included
Build information security policies based on Drata's policy categories (not just providing templates to be filled out).
Leverage partner templates as a starting point, which have been designed and updated from the result of hundreds of successful audits.
Establish all core policies that are categorically outlined in Drata.
Review customer's existing policies alongside partner materials and offer recommendations in response to specific questions or areas of concern
Services NOT included
Build niche procedure documents.
Combine partner-created policies with customer policies
Guarantee every policy needed for every type of audit (auditors have different request lists, and some standards, like HIPAA and NIST, require careful curation of policies vs procedures).
Handle more than one iteration of review changes from customer.
Project manage to ensure every policy is approved and acknowledged by all customer personnel.
Review customer's existing policies that are outside the scope of Drata's policy categories.
SYSTEM DESCRIPTION DOCUMENTATION (*if pursuing SOC 2)
For SOC 2 customers, the Partners will guide the customer through creating this important document, ensuring it meets all standards.
TABLETOP EXERCISE GUIDANCE AND RESTORATION TEST INSTRUCTION
Partners will draft comprehensive security incident response and disaster recovery templates and provide instructions for customers to facilitate the successful completion of these mandatory tests.
What is NOT included
This service is intended to ensure that you are achieving tremendous value from the Drata platform early on in your journey. While your implementation team can support your organization beyond the 30-day Compliance Accelerator service, this service does not include support on the following:
Audit readiness for any compliance standard (e.g. SOC 2, ISO 27001, etc.)
Support on completing security assessment questionnaires (SAQ)
Completion of a Disaster Recovery/Business Continuity Plan
Representation as security or compliance team
Security configuration changes for Cloud Infrastructure (AWS, GCP, Azure)
Instant Messaging / Chat Support outside of Slack
Building of custom frameworks or controls inside of Drata
Migrations from another solution (this is handled by Drata's internal CS team)
Editing current policies
Employee onboarding / offboarding
Completion of an Incident Response Plan or support in any actual security incidents