By Stela Bordin, Data Protection Office, Swivel Secure
Swivel Secure’s SOC 2 compliance provides the ideal assurance to our clients (and future clients) that their data is safe with us, and with our partners utilising our authentication platform, AuthControl Sentry®.
So what is SOC 2? And why is it important?
There is no law that obliges companies to be SOC 2 compliant. However, in such a competitive market, for companies that seek the most impactful insights, a SOC 2 Type 2 report can provide ideal assurance to current and future customers that their data is safe with your company.
There are several components to becoming SOC 2 compliant that need to be understood before embarking on this journey, for example a SOC 2 gap assessment, implementation of the identified controls, a SOC 2 audit and a SOC 2 report.
But how could your company achieve and maintain SOC 2 Type 2 compliance?
SOC 2 Type II is awarded to companies by auditors who assess the degree to which they comply with one or more of the five trust service principles.
A SOC 2 Type II report focuses on the American Institute of Certified Public Accountants’ (AICPA) trust service principles. The SOC 2 framework is applicable to all technology service providers or SaaS product companies that store customer data. They are required to ensure that security controls and practices are designed and implemented effectively to safeguard the privacy and security of customer data.
It focuses on the following areas:
Infrastructure: the physical structures, IT and other hardware (networks, facilities, and equipment);
Software: the application programs and IT system software that supports application programs;
People: the personnel (managers, developers, users, and operators) involved in the governance, operation, and use of a system;
Procedures: the automated and manual procedures; and
Data: transaction streams, files, databases, tables, and output used or processed by the system.
What are the benefits?
Beyond the assurance it gives customers, a SOC 2 report brings other benefits, such as:
Valuable insight: A SOC 2 report provides valuable information about an organisation’s risk and security posture, vendor management, internal controls, governance, regulatory oversight and more.
Regulatory compliance: SOC 2 requirements align with other frameworks, including ISO 27001 certification. Thus, achieving compliance with other regulatory standards is significantly easier and can accelerate your organisation’s overall compliance efforts.
Commitment to IT security: SOC 2 Type II demonstrates your organisation’s strong commitment to overall IT security. A broader group of stakeholders gain assurance that their data is protected and that the internal controls, policies, and procedures are evaluated against industry best practice.
Marketing differentiator: Although many companies claim to be secure, they cannot prove it without undergoing a SOC 2 audit. Maintaining a SOC 2 Type II report can be a differentiator for an organisation versus those companies in the marketplace that do not hold one and have not made a significant investment of time and capital in SOC 2 Type II compliance.
SOC 2 is one of the systems of controls maintained by Swivel Secure, which also considers the direct and indirect impact of the risks and controls that managing enterprise-grade MFA and SSO services demands.
These controls are therefore probably the most relevant to our users’ internal controls, as they are intended to mitigate risks related to security, availability, processing integrity, confidentiality or privacy.