SOC 2 TYPE II CERTIFICATION


ICE is now SOC 2 Type II Certified!

Fewer than 5% of service providers are SOC 2 certified. Here is why it is important that yours is.


What is a SOC 2 Certification?

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how an organization should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.


Why is it important to work with a SOC 2 Certified Service Provider?

In today’s threat landscape, it is imperative that you demand honesty and transparency in how your sensitive data is handled. Information security is a concern for all organizations, including those that outsource key business operations to third-party vendors (e.g., SaaS and cloud-computing providers). Rightfully so, since mishandled data—especially in the hands of application and network security providers—can leave enterprises exposed to data theft, extortion, and malware installation.

SOC 2 is an auditing procedure that provides independent assurance that your service providers manage your data securely, protecting the interests of your organization and the privacy of its clients. For security-conscious businesses, it is a baseline expectation of any provider that handles their data.

Working with a provider who has completed a SOC 2 Type II audit gives you independent assurance that:

      • They have security controls in place, verified by the auditor, to protect your data against known and emerging threats
      • They have monitoring and alerting in place to detect anomalies and policy violations across the environment that handles your data
      • Beyond preventing incidents, they have tested procedures to contain damage and restore normal operation if a data breach or system failure does occur
      • Many of our clients must also meet other compliance requirements, such as ISO 27001, HIPAA, HITRUST, CLIA, GDPR, and NIST; none of these mandates that an IT service provider hold a SOC 2 report, but a SOC 2 Type II report covers much of the same control ground and is the evidence those programs’ vendor-risk reviews most often ask for


What is the process a company must go through to get certified?

The service organization must undergo an audit by an independent CPA firm licensed to perform AICPA attestation engagements. A SOC 2 audit examines a service organization’s non-financial reporting controls as they relate to the Trust Services Criteria – the security, availability, processing integrity, confidentiality, and privacy of a system. The resulting SOC 2 report gives user entities reasonable assurance that those controls are suitably designed, in place, and appropriately protecting sensitive client data. Strictly speaking, the outcome is an attestation report issued by the auditor rather than a certificate, so when evaluating a provider ask for the report itself (under NDA if necessary) and read the auditor’s opinion, the system description, and any exceptions noted in the control testing. There are two types of SOC 2 reports: SOC 2 Type I and SOC 2 Type II.

Here is a basic SOC 2 compliance checklist, which includes controls covering the security criteria:

      1. Access controls—logical and physical restrictions on assets to prevent access by unauthorized personnel.
      2. Change management—a controlled process for managing changes to IT systems, and methods for preventing unauthorized changes.
      3. System operations—controls that monitor ongoing operations, and detect and resolve any deviations from organizational procedures.
      4. Mitigating risk—methods and activities that allow the organization to identify risks, respond to and mitigate them, and address any resulting business impact.


What is the difference between SOC 2 Type I and SOC 2 Type II?

SOC 2 Type I—describes a vendor’s systems and whether their design is suitable to meet the relevant trust services criteria. It is an attestation of controls at a service organization at a specific point in time. A Type I report covers the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented as of that date.

SOC 2 Type II—details the operating effectiveness of those controls. It is an attestation of controls at a service organization over an observation period, typically between three and twelve months; six months or longer is common, and shorter periods are usually accepted only for a first report. A Type II report covers the description of controls, attests that they are suitably designed and implemented, and additionally attests to their operating effectiveness throughout the period.

During a SOC 2 Type II audit, the auditor selects samples of evidence (tickets, access reviews, logs, change records) from across the testing period to verify that the controls actually operated as described.

The key difference, then, is that a Type II report is conducted over a significantly longer period. This allows a Type II report to attest to control effectiveness, something that is not possible with a Type I report, which can only attest to the suitability of design and implementation on a single date. When evaluating a provider, also check the period the Type II report covers and how long ago it ended; a report whose period ended more than a year ago says little about current controls.


The five trust principles explained:

Security

The security principle refers to the protection of system resources against unauthorized access.  Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of the software, and improper alteration or disclosure of information. IT security tools such as network and web application firewalls (WAFs), two-factor authentication, and intrusion detection are useful in preventing security breaches that can lead to unauthorized access to systems and data.

Availability

The availability principle refers to the accessibility of the system, products, or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties. This principle does not address system functionality and usability but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover, and security incident handling are critical in this context.

Processing integrity

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely, and authorized. However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.

Confidentiality

Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. Examples include data intended only for company personnel, as well as business plans, intellectual property, internal price lists, and other types of sensitive financial information. Encryption is an important control for protecting confidentiality both in transit and at rest. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

Privacy

The privacy principle addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s Generally Accepted Privacy Principles (GAPP), which have since been folded into the privacy category of the Trust Services Criteria. Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality, and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

ICE Consulting is an IT and cybersecurity service provider dedicated to helping the Life Science Community grow. For over 25 years we have helped biotech companies scale from startup to commercialization. We are proud members and service providers for the California Life Science (CLS), Biocom, and SoCalBio communities.


CLICK THE LINKS BELOW TO LEARN MORE ABOUT OUR SERVICES


International Organization for Standardization (ISO)
ISO compliance is achieved when an organization meets the requirements outlined in a specific standard developed by the International Organization for Standardization (ISO). ISO has developed thousands of standards that cover all areas of business. These ISO frameworks are used by organizations to embed internationally standardized business practices.
Health Insurance Portability and Accountability Act (HIPAA)
Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) requires companies that deal with protected health information (PHI) to have physical, network, and process security measures in place and to follow them. The HIPAA rules are a series of federal regulatory standards that outline the lawful use and disclosure of protected health information in the United States.
Health Information Trust Alliance (HITRUST)​
The Health Information Trust Alliance (HITRUST) is a non-profit company that delivers data protection standards and certification programs to help organizations safeguard sensitive information, manage information risk, and reach their compliance goals. HITRUST stands out from other compliance frameworks because it harmonizes dozens of authoritative sources such as HIPAA, SOC 2, NIST, and ISO 27001. It also describes itself as the only standards development organization with a framework, assessment platform, and independent assurance program, which has helped drive widespread adoption.
Clinical Laboratory Improvement Amendments (CLIA)
Clinical Laboratory Improvement Amendments (CLIA) of 1988 contains the Code of US Federal Regulations that govern any entity that returns patient test results for the purposes of caring for that patient. CLIA ensures that there is a standard of quality associated with test results across laboratory testing performed on specimens from humans such as blood, body fluid, and tissue, for the purposes of diagnosis, prevention, or treatment of disease or assessment of human health. This ensures the accuracy, reliability, and timeliness of laboratory test results regardless of where the test was performed.
National Institute of Standards and Technology (NIST)​
NIST was created to improve U.S. innovation and competitiveness across industries “by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Today, NIST remains one of the nation’s oldest physical science laboratories with a focus on three core competencies:
1. Measurement science
2. Rigorous traceability
3. Development and use of standards
NIST’s technical contributions to the development of information security standards have saved private industries more than $1 billion and drive consumer and business confidence.
General Data Protection Regulation (GDPR)
The goal of GDPR is to provide more stringent data privacy and security measures and more user-friendly disclosures and reporting on data protection practices. The regulation aims to give individuals control over the use and storage of their own personal data, a category broader than U.S.-style personally identifiable information.
Sarbanes-Oxley Act (SOX)​
The Sarbanes-Oxley (SOX) Act of 2002 was passed by the United States Congress to cut down on fraudulent corporate financial reporting. It was signed into law on July 30, 2002, and its main intention is to protect investors. Regularly referred to as the SOX Act of 2002, it includes strict reforms to previous securities regulations and subjects violators to stricter and tougher penalties.
System and Organization Controls 2 (SOC 2)​
SOC 2 is a coveted and hard-to-obtain information-security attestation; it demonstrates that an independent CPA firm has examined an organization’s non-financial reporting control objectives and activities. The auditing firm tests our controls over time to ensure that they are operating securely and effectively. Developed by the American Institute of CPAs (AICPA), SOC originally stood for Service Organization Control and is now expanded by the AICPA as System and Organization Controls. It defines criteria for managing customer data based on five trust services categories — security, availability, processing integrity, confidentiality, and privacy.