Information security and data privacy are more important than ever. With a growing number of systems in our work environment, we look for solutions that are secure and manage sensitive data with care. For organizations that provide services to customers, nothing is more critical than being trustworthy, especially with regard to the processes for handling a customer's information.
As part of our ongoing investment in client data privacy and security, Traction Guest is currently undergoing a SOC2 audit performed by qualified evaluators from an independent third-party auditing firm.
SOC has become a critical report when evaluating a service organization. It is a rigorous process wherein a third-party firm conducts an audit that assesses how a company manages data. Now, let us tell you a bit more about what that means.
SOC doesn’t stand for Salt on Crackers or at least not in this context. It means Service Organization Controls.
Service Organization Controls (SOC) are regulations to ensure service providers securely manage client data, protecting both the interests of the client's organization and the privacy of its customers. The controls assure that appropriate policies and procedures are in place for data collection and processing, and that the company is prepared in case things go haywire.
There are different SOC standards:
A SOC1 report focuses on the financial transactions of a company such as financial statement controls at service organizations.
SOC2 reports on non-financial organizational controls related to security, availability, processing integrity, confidentiality or privacy of a company’s systems. It is based on the existing SysTrust and WebTrust principles and is designed to evaluate an organization’s information systems. Within SOC2 there are two types:
Choosing software requires trust. With the move to cloud computing, a lot of companies are giving up control of systems that support key business functions. If one of these systems were to go down, it could impact the company's productivity or performance.
While service providers say they are focused on security and reliability, customers often just have to take their word for it. With a third-party assessment, customers are given reassurance and have a more tangible proof point when choosing a service provider. SOC demonstrates the focus on security, making sure that companies aren't just saying it.
We have always put a large focus on security and platform reliability. As our team is growing at a rapid pace, it is important to establish more central controls and procedures that ensure everyone is aligned and clear on how we operate as a company. SOC2 will allow us to formalize and communicate our processes externally and continue to drive our focus on security across everything we do.
So, what does this process look like in practice?
Step 1: Look at all the SOC requirements
Step 2: Hide under your desk
Step 3: Hire a 3rd party to help
Step 4: Decide on the areas of SOC2 to focus on
Step 5: Review the SOC2 requirements for those areas
Step 6: Identify the controls you have in place already for those requirements
Step 7: Identify additional controls you need to put in place to support those requirements
Step 8: Implement those controls
Step 9: Test the controls (Do you remember fire drills from elementary school? Testing the controls is a very important step to ensure the company is prepared in the event of something happening)
Step 10: Fix any issues in the controls that were identified during the test
Step 11: Put everything in a box never to look at again
No, no, no. These things evolve over time. It’s important to always have them front of mind.
Step 12: Third-party assessment to ensure the controls are in place
Step 13: Report is written and delivered
YOU DID IT!
Strong security is fundamental to our vision of the company we wanted to build. Investing in SOC2 compliance helps us demonstrate to our customers that we are trustworthy and take security, data protection, and compliance seriously. Traction Guest is in the process of obtaining a SOC2 Type I report focused on Security, Availability, and Confidentiality, and is proactively pursuing the Type II report.
Curious? Got questions? Get in touch.
Written by Caitlin Tuba, Data Protection Officer at Traction Guest.