At Packetlabs, we are pleased to announce that we are now SOC 2 Type 1 certified, with SOC 2 Type 2 on the horizon by the end of the year. To establish the significance of this achievement, we provide an explanation and summary of the certification criteria and their overall implications for our business and, more importantly, our customers.
For organizations of all sizes and industries, and even those that outsource business operations, information security is a major cause for concern. This is understandable, since the mishandling of data, especially by application and network security providers, has the potential to leave organizations vulnerable to attacks, including data breaches, malware installation, data theft and extortion.
One way to significantly reduce an organization's vulnerability, and thereby its uncertainty, is to adhere to the criteria defined by SOC 2. SOC 2 is an auditing procedure, developed by the American Institute of CPAs (AICPA), that ensures your service providers securely manage your data in order to protect the interests of your organization and, more importantly, the privacy of your clients. Further, when considering a SaaS provider, SOC 2 compliance is considered a mandatory minimum requirement by all security-conscious businesses.
What is a SOC 2 report?
Generally speaking, a SOC 2 report serves a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability and processing integrity of the systems the organization uses to process user data, as well as the confidentiality and privacy of the information processed by those systems.
SOC 2 defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality and privacy.
Unlike other compliance certifications with standardized requirements, such as PCI DSS, SOC 2 reports are unique to the organization in question. In line with its own business practices, each organization designs its own controls to comply with one or more of the five "trust service principles", based on the systems and processes it has in place.
What Are the Five Trust Principles?
The SOC 2 certification is completed and issued by third-party auditors. These auditors assess the extent to which a vendor complies with the five trust principles. The five trust principles can be summarized as follows:
- Security: The security principle references the protection of system resources against unauthorized access. Adequate access controls aid in the prevention of system abuse, misuse of software, theft, and improper alteration or disclosure of sensitive information. Web application firewalls (WAFs), intrusion detection (such as Canarys), and two-factor authentication are helpful IT security tools for the prevention of security breaches that can lead to unauthorized access of systems and data.
- Availability: The availability principle refers to the overall accessibility of systems, services or products as stipulated by a contract or service level agreement (SLA). Understandably, the minimum acceptable performance level for system availability must be set by both parties (service provider and client). In this context, careful monitoring of network performance and availability, together with security incident handling, is crucial.
- Processing Integrity: The processing integrity principle refers to whether or not a system delivers the appropriate data at the right time at the right price. Consequently, data processing must be valid, accurate, timely, authorized and complete. Quality assurance procedures, along with close monitoring of data processing can help ensure processing integrity.
- Confidentiality: To be considered confidential, data must be restricted in its access and disclosure to a specific set of people or organizations. This may include data that is only intended to be accessed by a set of specified company personnel. Encryption is the most prevalent control used to protect confidentiality during data transmission. Network and application firewalls, in concert with rigid access controls, can be used to safeguard data being processed or stored.
- Privacy: The privacy principle references the system's collection, use, retention, disclosure and removal of personal information in compliance with an organization's privacy notice, as well as with the criteria set forth in the AICPA's generally accepted privacy principles. Controls must be in place to protect all personally identifiable information (PII) from unauthorized access. PII refers to details that can be used to identify an individual, such as name, address and Social Security Number. Other data related to health, sexuality, race and religion is also considered sensitive and, more often than not, requires an extra level of security protection.
With these five trust principles at the heart of the SOC 2 report, certification provides customers with both the confidence and the peace of mind of knowing there are adequate controls in place to protect not only their own data but the data of their customers. This is something that Packetlabs takes very seriously. In obtaining SOC 2 certification, Packetlabs can assure our clients, prospective and current, that not only will we provide industry-superior penetration testing and security consultancy services, but we will do so with the heightened assurance that the controls relevant to the processing, availability and overall security of user data are in place to back it up. If you have any questions regarding the SOC 2 certification or Packetlabs service offerings, please contact us today!