The Information Security Certification Challenge
We all deal with information security on a daily basis in both our jobs and our personal lives. Sometimes it makes us feel safe (accessing your banking information over the internet with confidence) and sometimes it makes us feel annoyed (not being able to remember your user name and password when trying to access your banking information over the internet). But few people realize the extent to which companies that protect sensitive data are constantly challenged to evolve with security threats and new security standards.
At VelocityEHS, we work with globally operated companies to provide them with Software as a Service (SaaS) environment, health, safety and sustainability (EHS) management systems. These companies rely on us to store and manage sensitive EHS data securely and effectively.
Several years ago, we found that we were being asked more and more to provide current and prospective clients with detailed explanations of our controls and standard operating policies so that they might determine whether we were in compliance with their own corporate policies and standards. As you might imagine, providing this type of assurance to our clients one by one was a very time-consuming and often tedious and complicated matter. It became a necessity to find an internationally recognized certification, one that would give our clients assurance that confidential and irreplaceable data is handled safely, securely and responsibly.
In 2010, the most widely recognized auditing standard was the Statement on Auditing Standards No. 70 (SAS 70), developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). This certification represented that the organization had been through an in-depth audit of its control objectives and control activities relating to information security. While SAS 70 was driven by the Sarbanes-Oxley requirements for financial reporting of publicly traded companies, it was still the most widely accepted standard for information security. So we initiated a project in January 2011 to prepare for our first third-party certification audit.
In June 2011, partway through our audit preparations, SAS 70 was replaced by SSAE 16 (SOC 1 Type 2). This was a little alarming at first, but with assistance and some guidance from our auditors we were able to gain a better understanding of the differences and adjust our project to be prepared for an audit under the new standard. Fortunately, VelocityEHS already had all of the control requirements in place to comply with the new standard, and we were able to stay on track for our 2011 certification. That audit was successful, and since then we have been demonstrating our controls by distributing our audit reports to current and prospective client companies. VelocityEHS completed another successful SSAE 16 SOC 1 Type 2 audit in December 2012.
By design, the SOC 1 standard certifies that:
- We have controls in place.
- We use these controls in daily operations consistently.
- We test those controls to ensure they remain effective.
Much like the original management systems standards such as ISO 9001, a major limitation inherent in SOC 1 certification is that a standardized set of policies and controls is not defined; instead, each company determines its own. This methodology, while sound in principle, still left a burden on our clients to determine whether the controls we have in place were acceptable and/or compliant with their own internally defined corporate security policies. In an effort to overcome these difficulties, we decided to pursue a new standard of compliance: SOC 2.
The SOC 2 audit process follows a pre-defined framework and set of standards defined by the AICPA Trust Services Principles, Criteria and Illustrations. Trust Services are defined as a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs.
The purpose of the SOC 2 audit is to evaluate an organization's information systems as they relate to a set of 5 Trust Principles:
- Security: The system is protected, both logically and physically, against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information that is designated "confidential" is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the organization's privacy commitments.
To put it simply, AICPA and CICA have provided guidance on what the best practices for information security systems are, rather than leaving it up to individual companies to define their own. VelocityEHS can now focus on building onto existing solutions with a focus on standardized compliance. This will ensure our IT security and availability standards directly align with those of our clients who are either certified against the SOC 2 standard or use the framework as a guideline for their internal systems.
VelocityEHS has scheduled its first annual SOC 2 audit for March 2014. Please leave a comment if you have questions about this article or input on IT security. We would be particularly interested to hear your thoughts on what the "next" standard will be. The bar definitely gets moved every 1-2 years, so we do not assume SOC 2 will be the last standard we need to certify against!