DefenseStorm’s SOC 2 and What it Means to YOU
One of the most important ways DefenseStorm demonstrates to its customers the security, confidentiality, availability and processing integrity of the Data Security Platform is by complying with the rigorous SOC 2 framework. SOC stands for ‘System and Organization Controls’ (formerly ‘Service Organization Control’) and is governed by the AICPA (American Institute of Certified Public Accountants). A SOC 2 is criteria based: the ‘Security’ trust services principle is mandatory for every SOC 2, and the service organization (e.g. DefenseStorm) then elects which of the remaining four principles apply to its environment (Availability, Processing Integrity, Confidentiality and/or Privacy).
DefenseStorm has four Trust Services Principles that apply to its control environment for SOC 2:
- Security. The system is protected against unauthorized access, use, or modification.
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
DefenseStorm leadership has taken proactive steps to comply with the SOC 2 framework since the company’s inception in 2015. The company engaged a trusted, and highly experienced, consultant, to help prepare for SOC 2 compliance. In 2015, DefenseStorm successfully obtained the SOC 2 Type 1 Report (Point in Time; Design of Controls) and followed up in 2016 and 2017 obtaining the SOC 2 Type 2 Report (Period of Time; Operating Effectiveness of Controls).
Recognizing the importance of having audit/compliance as a permanent position in the company, DefenseStorm created and staffed a Risk and Compliance position. Having a permanent audit/compliance function on staff, combined with an external auditor, Skoda Minotti, that independently validates DefenseStorm’s IT environment, provides management and customers with assurance that the IT controls remain strong enough to:
- properly secure customer data and keep it confidential
- maintain availability of systems
- ensure processing integrity procedures are in place to monitor for data completeness
DefenseStorm’s successful internal implementation and continuous compliance with SOC 2 are based on the following factors:
Corporate Governance & Human Resources
- Strong tone at the top for compliance from executive management; having an internal mantra to ‘always do the right thing’
- Robust corporate and IT policies and procedures as well as enforcement mechanisms for non-compliance
- Execution of quarterly compliance meetings with department managers
- Rigorous background checks for employees and contractors
- Fostering open communications between departments and employees if / when potential security, system and operational issues arise
Logical and Physical Access
- Strong network, infrastructure, physical and logical access controls of internal systems
- Secure data transmissions into, through and out of the Data Security Platform
- Execution of periodic vulnerability scans and penetration tests over the network and internal systems
- Providing user access based on the ‘Need to Know’ principle
- Utilizing strict engineering software development, testing and implementation principles for the Data Security Platform
- Executing periodic internal and third party risk assessments
- Automated monitoring of availability and processing integrity
- Continuous monitoring of key IT controls by Guardian and Compliance