Are you sure your software as a service (SaaS) vendors and other third parties are capable of protecting your business’ data?
The fact is that any vendor that has access to your data could potentially put it at risk if they don’t have the right controls and security measures in place.
ICS's services are covered by a System and Organization Controls (SOC) 2 Type 2 report.
A SOC 2 report is an independent auditor's attestation that a third party's controls meet the Trust Services Criteria published by the American Institute of Certified Public Accountants (AICPA).
A SOC 2 report is issued by an outside CPA firm after it assesses the vendor's systems and processes against one or more of the five trust principles (now formally called the Trust Services Criteria). SOC 2 is an attestation report rather than a certification, so ask for the report itself and read the auditor's opinion, the scope, and any exceptions instead of relying on a badge.
A SOC 2 Type 2 report covers the operating effectiveness of those controls over a review period, commonly six to twelve months, whereas a Type 1 report only describes their design at a single point in time. That record of controls operating over time is the strongest evidence SOC 2 offers that you can trust an organization with your data.
SOC 2 compliance is determined by an auditor who assesses companies against the following five trust principles:
Security. This principle examines how system resources are protected from unauthorized access, both physical and logical.
By implementing an extensive range of access control measures, an organization prevents potential system abuse, data theft, improper use of software, and unauthorized alteration or disclosure of information.
Expected controls include firewalls, multi-factor authentication, intrusion detection systems, and similar measures.
Availability. This principle determines whether the availability of the system, applications, and data is in line with the contract or service level agreement (SLA).
In this case, you and the vendor together set the required degree of availability and level of performance.
The principle does not address functionality or usability, but its security-related aspects are still critical: the organization must monitor network performance and availability and be able to demonstrate site failover and security incident management.
Processing integrity. This principle is simple: it determines whether a system achieves its purpose.
The system must deliver the right data, at the right time, for the agreed price, and the delivered data must be shown to be complete, valid, accurate, timely, and authorized.
It is important to note that processing integrity is not data integrity. It covers whether the system processes its inputs correctly, not whether those inputs were correct when they arrived, so errors already present in data before it entered the system are usually not the responsibility of the organization that handles the processing.
Confidentiality. Data is confidential when, in this context, its access and disclosure are properly restricted to a specific group of people or organizations.
This data could include intellectual property, business plans, confidential pricing, and other financial data.
Encryption is a key aspect of this principle. Data must be protected both in transit and at rest, which calls for encryption services, network and application firewalls, and access controls.
Privacy. This final principle looks at how the system collects, uses, retains, discloses, and disposes of personal information in line with the criteria laid out in the AICPA's Generally Accepted Privacy Principles (GAPP).
All personally identifiable information (PII) must be kept private. PII is any data that identifies or can be used to identify a person, such as a name, address, or Social Security number. An organization with access to this data must implement controls that protect all PII from unauthorized access.
Are you sure your IT company can be trusted with your data? Remember, in addition to keeping your systems safe, they also have to be able to secure their own.
It’s especially dangerous when an IT company gets hacked because they often have access to all their clients’ data. In effect, all their clients are hacked as well.
That is precisely what happened when this IT support provider was recently infected with ransomware: the infection spread to its clients, more than 100 businesses in the dental industry.
In the end, the IT company reportedly paid a $700,000 ransom, but some clients were left to pay ransoms individually for their own files.
If it could happen to an IT company that works with that many clients, don’t you think it’s possible it could also happen to your IT company? This is why you must carefully consider the companies you’ll entrust your data to.
If you’re going to trust an IT company to look after the security of your data, they should be willing to have their cybersecurity processes audited.
Do they have proof of their cybersecurity credentials? Not every Texas IT company will be able to qualify for a SOC 2 Type 2 report.
The ICS team knows how important cybersecurity is to our clients, which is why we work to obtain our SOC 2 Type 2 report.
Want to see our cybersecurity credentials? All you have to do is ask.