In 2020 we decided to take the plunge and begin the process of becoming SOC 2 certified.
With a client list that includes leading cybersecurity companies, we’ve always taken information security seriously. This security certification from a third-party service provider requires us to go even further – setting ISS apart from similar agencies.
Becoming SOC 2 certified is a significant process, requiring months of work from our IT team, auditors, and developers. But we believe it’s an important step toward keeping our clients’ data as secure as possible. Fortunately, after many months of this endeavor, we’re now close to completing it.
What is SOC 2 certification?
Here’s a summary from Digital Guardian:
The core of SOC 2’s requirements is the five trust principles, which must be reflected in the policies and procedures. Let’s enumerate and briefly describe SOC 2’s five trust principles.
- Security: The system must be protected against unauthorized access and data breach. Some security controls are firewalls, 2FA (two-factor authentication) or MFA (multi-factor authentication), and intrusion detection.
- Availability: The system should always be up for use by customers. For this to happen, there must be a process to monitor whether the system meets its minimum acceptable performance, security incident handling, and disaster recovery.
- Processing integrity: Data is accurate and must be delivered on time. This trust principle covers process monitoring and quality assurance.
- Confidentiality: Confidential data—like personally identifiable information (PII), IP content, and financial data—should be handled well. Some practices for maintaining confidentiality are encryption, limiting access controls only to specific persons, and firewalls.
- Privacy: Data must be processed according to the company’s data policies and AICPA’s Generally Accepted Privacy Principles (GAPP). Use 2FA, encryption, and proper access controls.
Recent Inside Sales Solutions Exposure
Our decision to become SOC 2 certified was recently validated by a small incident involving a server for one of our CRM systems. An Elasticsearch server was unintentionally left unprotected, potentially exposing some prospect data and outdated password information. The error was remedied immediately upon detection, and there’s no indication any information was accessed or stolen by bad actors.
Issues like this one are all too common in the world today. When even major companies like Microsoft fall victim to breaches that expose 250 million live passwords, it shows the scale and difficulty of the task.
Still, it’s a task we take very seriously. While we were fortunate that the issue with our server has caused no known consequences, it supports the need for stronger security across our industry. The policies and procedures we already have in place, such as never storing highly sensitive information like credit card data, personally identifiable information (PII), or information covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) on our servers, mitigate our risks. But we’re determined to go much further.
A More Secure Future
While it’s been quite a long road to SOC 2 certification, we’re now sitting comfortably in the knowledge that we’ve made the right call. We’re excited to make the official announcement in the coming weeks to reaffirm our commitment to data security and certify our enhanced protections.