For organizations of every size and industry, including those that outsource business operations, information security is a major concern. The mishandling of data, especially by application and network security providers who are trusted with sensitive client information, can leave organizations exposed to attacks such as data breaches, malware installation, data theft and extortion.
Packetlabs is proud to announce the renewal of our SOC 2 Type II attestation.
One way for a service provider to significantly reduce that risk, and the uncertainty its clients face, is to operate controls that meet the criteria defined by SOC 2 and have those controls independently examined.
What is SOC 2 Type II?
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating how a service organization manages and protects client data. A SOC 2 Type I report assesses whether controls are suitably designed at a single point in time; a Type II report goes further and assesses whether those controls operated effectively over a review period, typically six to twelve months. Type II is therefore the more rigorous of the two and the one most clients ask for.
What is a SOC 2 report?
A SOC 2 report gives a broad range of users (clients, their auditors, regulators and prospective customers) detailed information and assurance about the controls a service organization has in place that are relevant to the security, availability and processing integrity of the systems it uses to handle user data, and to the confidentiality and privacy of the information those systems process.
The framework sets out criteria for each of five trust service principles (now formally called the Trust Services Criteria): security, availability, processing integrity, confidentiality and privacy.
Unlike a standard such as PCI DSS, which prescribes a fixed list of requirements, a SOC 2 report is specific to the organization being examined. Each organization selects the principles that apply to the service it provides (security is mandatory, since its criteria apply to all the others) and designs its own controls around its existing business practices and systems; the auditor then evaluates whether those controls meet the relevant criteria. Because scope and controls differ between organizations, anyone receiving a report should read it rather than treat it as a pass/fail badge: check which principles were in scope, the period covered, any exceptions the auditor noted, and the auditor's opinion.
SOC 2 compliance: the five trust principles
A SOC 2 examination is performed by an independent, licensed CPA firm, which issues the report and the opinion it contains. The auditors assess the extent to which the service provider's controls satisfy the criteria for each trust principle within scope.
Security: The security principle covers the protection of system resources against unauthorized access. Adequate access controls help prevent system abuse, misuse of software, theft, and improper alteration or disclosure of sensitive information. Web application firewalls (WAFs), intrusion detection (including honeypot-style canaries that alert when touched), and two-factor authentication are examples of controls that reduce the chance of a breach leading to unauthorized access to systems and data.
Availability: The availability principle refers to whether systems, services or products are accessible as stipulated in a service level agreement (SLA). The minimum acceptable level of availability is agreed between the service provider and the client, so the provider must monitor network performance and availability, and handle security incidents, in a way that keeps the service within that agreed level.
Processing Integrity: The processing integrity principle refers to whether a system processes data as intended: processing must be complete, valid, accurate, timely and authorized. Note that processing integrity does not by itself guarantee that the input data is correct; it addresses what the system does with the data it receives. Quality assurance procedures and close monitoring of data processing help ensure processing integrity.
Confidentiality: Data is confidential when its access and disclosure are restricted to a specific set of people or organizations, for example data that only designated company personnel may view. Encryption is the most common control for protecting confidentiality while data is in transit and at rest. Combined with strict access controls, network and application firewalls help safeguard data while it is being processed or stored.
Privacy: The privacy principle covers the system's collection, use, retention, disclosure and disposal of personal information in accordance with the organization's privacy notice and the criteria in the AICPA's Generally Accepted Privacy Principles. Controls must protect all personally identifiable information (PII) from unauthorized access. PII is any detail that can identify an individual, such as a name, address or Social Security Number. Data concerning health, sexuality, race or religion is considered sensitive and usually requires a higher level of protection.
Adhering to the five trust principles, and having that adherence examined in a SOC 2 report, gives customers assurance that their data, and the information of their own clients, is handled securely. This is something that Packetlabs takes very seriously.
By maintaining our SOC 2 Type II attestation, Packetlabs can assure current and prospective clients that we not only provide industry-leading penetration testing and security consultancy services, but do so with independently examined controls over the processing, availability and overall security of client data. If you have any questions regarding SOC 2 or Packetlabs service offerings, please contact us today!