STATEMENT OF WORK

Eden Data is Drata's 2023, 2024 and 2025 Partner-of-the-Year and has deep expertise rapidly implementing Information Security Programs and achieving compliance objectives for 500+ mutual clients.

GOALS

• Full audit-readiness for any compliance standard
• Support on completing security assessment questionnaires
• Representation as security or compliance team

GAP ANALYSIS

• Conduct a Drata gap analysis leveraging integrations based on the selected compliance frameworks to identify improvement points across the platform and establish a baseline of progress towards audit readiness.
• Review and confirm scoped SOC 2 and other relevant framework(s) based on customer needs.

• No action required

INTEGRATIONS

• Verify that all connected systems are showing as connected and pulling the required compliance-related data into Drata to populate control evidence and monitoring.
• Perform a review of data points to ensure key information is flowing:
• Background Check
• Infrastructure (e.g., AWS, GCP, Azure)
• Human Resources Information System (e.g., HRIS)
• Identity (e.g., Google Workspace, Microsoft 365)
• Version Control (e.g., GitHub, GitLab)

• Debug or reverse-engineer API issues.
• Confirm appropriate access provisioning.
• Manual mapping of individual data points.
• Validate 3rd-party tool accuracy (e.g., confirming whether GitHub data itself is correct).

POLICY CREATION & REVIEW

• Customize information security policies using best practices from thousands of successful infosec reviews and audits, rather than boilerplate one-size-fits-all policies.
• Provide one iteration on comments to establish a core set of policies that are categorically outlined and assigned to controls and frameworks in Drata.
• Review customer's existing policies as they relate to the partner materials shared during the program and offer recommendations in response to specific questions or areas of concern.

• Review and confirm accuracy of policy statements to current business practices.
• Build procedural documents and policies for frameworks not covered by CAP.
• Project management to ensure every policy is approved and acknowledged by all personnel.

ROLES AND OWNERSHIP

• Guidance on the process of identifying appropriate owners based on job function and existing responsibilities.
• Assistance in assigning clear ownership for Vendors, Policies, and Controls to ensure accountability within the Drata platform.
• Guidance on setting proper access levels in Drata to reflect ownership and responsibility for managing compliance tasks and evidence collection.

• Assignment of specific users in the Drata platform.
• Restructuring internal team roles or functions to accommodate ownership assignments.
• Ongoing monitoring of role effectiveness or reassignment of roles after implementation.

VENDOR MANAGEMENT

• Add up to 15 vendors to the vendor module, including Drata itself.
• Conduct an example security review for the customer’s Identity Provider (IdP) to illustrate how vendor risk is assessed and documented.
• Provide guidance on maintaining vendor records and aligning them with control requirements in Drata.

• Perform comprehensive security reviews for all vendors beyond the initial example.
• Build custom vendor intake, risk scoring, or tracking workflows.
• Validate the accuracy or completeness of vendor-provided documentation.
• Ongoing management or reassessment of vendor profiles post-implementation.

PERSONNEL SET UP

• Verify that personnel are properly synced and mapped in Drata.
• Identify gaps in setup related to:
• MFA enforcement
• Background check completion
• Multi-domain requirements (e.g. if multiple email domains are in use)
• Guidance on how to resolve identified gaps so personnel-related controls can pass during monitoring and audit.

• Manually updating user records.
• Technical configuration of identity provider or HRIS integrations.
• Ongoing personnel monitoring after implementation is complete.

COMPANY SECURITY PRACTICES

• Verify current endpoint management practices (e.g. use of MDM, Drata Agent, or manual evidence uploading) and provide guidance on best practices and set up.
• Confirm security awareness training practices are in place.

• Deploying or configuring endpoint management tools or training platforms.
• Create or customize security awareness content.
• Manually enroll users in training programs or adjusting their completion statuses.

AUDITOR AND VENDOR RECOMMENDATIONS

• Recommendations and introductions to auditors, pentesting firms, and any other necessary vendors for compliance

• Take introductory calls and procure vendors