Alcide is happy to announce it has successfully completed the SOC (Service Organization Control) 2 Type II examination and reporting process.
With the help of EY, an industry leader and standard setter for SOC reporting, Alcide’s Data Center and Cloud Ops Security Platform has received SOC 2 certification after a 10-month process.
In this post we will explain:
- what SOC 2 is
- why we chose to pursue this reporting standard
- what the different SOC examination classes and types are
- what this journey entailed for Alcide
What is SOC?
Service Organization Controls (SOC) define a standard for managing customer data based on 5 “trust principles”. The standard was developed by the American Institute of CPAs (AICPA) and is different from PCI DSS, which sets its own rigid but different requirements.
SOC 2 certification is issued by outside auditors and examines whether an organization’s controls are aligned with the following trust principles:
- Security — the system is protected against unauthorized access. Access controls help prevent potential attacks, theft, unauthorized data deletion and disclosure of information.
- Processing Integrity — system processing is complete, accurate, timely and authorized. This principle helps assess whether the service functions according to its purpose.
- Availability — the system is functioning and available for use as agreed in a contract or service level agreement (SLA). The principle refers to security-related criteria that may affect availability, not to system functionality or usability.
- Confidentiality — confidential information is protected as committed, and disclosure of this information is restricted to a specified set of persons or organizations. One example could be data intended only for company personnel, such as sensitive financial information.
- Privacy — personal information is collected, retained, disclosed and used in accordance with the commitments described in the entity’s privacy notice.
SOC 2 reporting is all about building trust. Trust is achieved by the service organization by delivering in accordance with what was promised and demonstrating transparency across its business — especially as it pertains to operations and risk management.
To meet SOC 2 reporting standards, vendors must be fair and trustworthy in all respects of their product’s or service’s presentation, communication, and end-of-day value offering.
These reports provide organizations, along with regulators, business partners, suppliers and others, important information about how their service provider manages their data.
The Different SOC Certifications
SOC 1 reports provide assurance over financially significant processes only. SOC 2 reports, on the other hand, can provide assurance over non-financial processes and assurance related to one or more of the five trust services principles. SOC 3 adds additional focus on specific achievements and actions undertaken to apply the 5 trust principles.
- SOC 1 — provides information about controls at a service organization relevant to a user entity’s internal control over financial reporting (restricted use).
- SOC 2 — provides information about internal control at the service organization related to security, availability, processing integrity, confidentiality or privacy (restricted use).
- SOC 3 — provides information about the service organization’s achievement of the trust services criteria related to security, availability, processing integrity, confidentiality or privacy (general use).
Why We Chose SOC 2 TYPE II Certification
SOC 1 and SOC 2 reports come in two types:
- Type I reports concern policies and procedures that were placed in operation at a specific moment in time.
- Type II reports concern policies and procedures over a specified time period. For this report, systems must be evaluated for a minimum of six months.
The SOC 2 Type II certification is the most comprehensive reporting process within the repertoire of SOC standards. Usually, companies seeking a security service vendor will find SOC 2 Type II to be the most suitable certification.
A company that has achieved SOC 2 Type II certification has proven that its service is designed to keep its customers’ sensitive data secure. When it comes to working with cloud-based and related IT services, such performance and reliability are essential and are required by regulators and auditors.
Our Journey to Becoming SOC 2 Certified
The pursuit of SOC 2 certification sent Alcide on a 10-month journey, during which most of our team members, and most significantly our developers and DevOps personnel, were deeply involved in the process.
Over these 10 months, we implemented additional security measures, strengthened our risk assessment processes, enhanced our threat response availability, and took a number of steps to ensure that our platform and our customers’ data are always protected in line with industry best practices.
These measures and the experience that underlies them helped us to build trust with our customers as a SaaS security platform company. The process was long and in many ways arduous, but it was also remarkably smooth.
Since our team is constantly looking to improve both professionally and technically, building trust and generating value tend to follow as natural consequences. All told, a profound commitment to excellence from everyone in the company paved the way for us to ace all of the examination criteria.
Alcide’s Cloud Ops Security Platform is officially trustworthy, according to the highest standards, to help companies ensure the security and integrity of their most critical digital assets, while processing and protecting end user data with the greatest care, control, and best practice compliance.