In 2020 we decided to take the plunge and begin the process of becoming SOC 2 certified.
With a client list that includes leading cybersecurity companies, we’ve always taken information security seriously. This security certification from a third-party service provider requires us to go even further – setting ISS apart from similar agencies.
Becoming SOC 2 certified is a significant process, requiring months of work from our IT team, auditors, and developers. But we believe it’s an important step toward keeping our clients’ data as secure as possible. Fortunately, after many months of this endeavor, we’re now close to completing it.
What is SOC 2 certification?
Here’s a summary from Digital Guardian:
The core of SOC 2’s requirements is the five trust principles, which must be reflected in the policies and procedures. Let’s enumerate and briefly describe SOC 2’s five trust principles.
- Security: The system must be protected against unauthorized access and data breach. Some security controls are firewalls, 2FA (two-factor authentication) or MFA (multi-factor authentication), and intrusion detection.
- Availability: The system should always be up for use by customers. For this to happen, there must be a process to monitor whether the system meets its minimum acceptable performance, security incident handling, and disaster recovery.
- Processing integrity: Data is accurate and must be delivered on time. This trust principle covers process monitoring and quality assurance.
- Confidentiality: Confidential data—like personally identifiable information (PII), IP content, and financial data—should be handled well. Some practices for maintaining confidentiality are encryption, limiting access controls only to specific persons, and firewalls.
- Privacy: Data must be processed according to the company’s data policies and AICPA’s Generally Accepted Privacy Principles (GAPP). Use 2FA, encryption, and proper access controls.
Issues like data breaches are all too common in the world today. When even major companies like Microsoft fall victim to breaches that expose 250 million live passwords, it shows the scale and difficulty of the task.
Still, it’s a task we take very seriously. We already have policies and procedures in place that mitigate our risks, such as not storing highly sensitive information like credit card data, personally identifiable information (PII), or information covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) on our servers. But we’re determined to go much further.
A More Secure Future
While it’s been quite a long road to SOC 2 certification, we’re now sitting comfortably in the knowledge that we’ve made the right call. We’re excited to make the official announcement in the coming weeks to reaffirm our commitment to data security and certify our enhanced protections.