One of the most important ways DefenseStorm demonstrates to its customers the security, confidentiality, availability and processing integrity of the Data Security Platform is by complying with the rigorous SOC 2 framework. SOC stands for ‘Service Organization Controls’ and is governed by the AICPA (American Institute of Certified Public Accountants). A SOC 2 is criteria based, and the service organization (e.g. DefenseStorm) can choose four of the five trust services principles (TSPs) that apply. A SOC 2 must include the ‘Security’ trust services principle; the service organization can then choose which of the other principles apply (Availability, Processing Integrity, Confidentiality and/or Privacy).
DefenseStorm has four Trust Services Principles that apply to its control environment for SOC 2:
- Security. The system is protected against unauthorized access, use, or modification.
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
DefenseStorm leadership has taken proactive steps to comply with the SOC 2 framework since the company’s inception in 2015. The company engaged a trusted and highly experienced consultant to help prepare for SOC 2 compliance. In 2015, DefenseStorm successfully obtained the SOC 2 Type 1 Report (Point in Time; Design of Controls) and followed up in 2016 and 2017 by obtaining the SOC 2 Type 2 Report (Period of Time; Operating Effectiveness of Controls).
Recognizing the importance of having audit/compliance as a permanent position in the company, DefenseStorm created and staffed a Risk and Compliance position. Having a permanent audit/compliance function on staff, combined with an external auditor, Skoda Minotti, to independently validate DefenseStorm’s IT environment, provides management and customers with assurance that the IT controls remain strong enough to:
- properly secure customer data and keep it confidential
- maintain availability of systems
- ensure processing integrity procedures are in place to monitor for data completeness
DefenseStorm’s successful internal implementation and continuous compliance with SOC 2 are based on the following factors:
Corporate Governance & Human Resources
- Strong tone at the top for compliance from executive management; having an internal mantra to ‘always do the right thing’
- Robust corporate and IT policies and procedures as well as enforcement mechanisms for non-compliance
- Execution of quarterly compliance meetings with department managers
- Rigorous background checks for employees and contractors
- Fostering open communications between departments and employees if and when potential security, system and operational issues arise
Logical and Physical Access
- Strong network, infrastructure, physical and logical access controls of internal systems
- Secure data transmissions into, through and out of the Data Security Platform
- Execution of periodic vulnerability scans and penetration tests over the network and internal systems
- Providing user access based on the ‘Need to Know’ principle
- Utilizing strict engineering software development, testing and implementation principles for the Data Security Platform
- Executing periodic internal and third party risk assessments
- Automated monitoring of availability and processing integrity
- Continuous monitoring of key IT controls by Guardian and Compliance