SOC 2 Type 1 Primer: Seal's Story
Seal Software is constantly looking to innovate and add more value – not only to our Contract Analytics core offering – but also to how we deliver this solution to our cloud customers.
Seal Cloud Services (SCS) is a consistent and secure SaaS offering in which Seal deploys and manages the entire software stack and infrastructure – leveraging the latest automation tools and cloud technology. We have been offering SCS for almost three (3) years now, and in the last year we have made significant investments in both the technology and the processes around our offering – culminating in the successful completion of our SOC 2 Type 1 audit.
Let’s talk about the difference between SOC 1 & SOC 2…
Many people are not familiar with SOC (Service Organization Control) Reporting and the difference between SOC 1 and SOC 2.
SOC 1 is primarily focused on controls relevant to financial reporting – typically for public companies – while SOC 2 focuses on a business’s non-financial controls as they relate to security, availability, processing integrity, confidentiality, and privacy.
How does a company go through the SOC 2 process?
Let’s talk about some typical things an organization, including Seal, does as it goes through the SOC 2 process. While this list is not exhaustive, it provides a decent sampling of typical activities:
1. Build on the right platform. While there are several good choices available on the market, Seal chose to partner with Google. Google Cloud Platform (GCP) offers state-of-the-art performance, security, an integrated compliance framework, a global data center footprint, and industrial-strength reliability.
2. Protect your cloud offering with the right technologies to ensure your data is secure. This includes, amongst other technologies, antivirus/malware detection, Intrusion Detection and Prevention (IDS/IPS), Two-Factor Authentication (2FA), and Data Loss Prevention (DLP).
3. Continually focus on known threats and vulnerabilities. Running regular vulnerability scans and penetration tests – and remediating the findings when necessary – ARE a must.
4. Ensure the right processes are implemented and controlled to handle data, risks, incidents, changes, etc. With the right processes in place, you know how things actually work within the business. For example:
- How are people on-boarded?
- How are people trained on systems?
- How is confidential data protected?
- How are employees off-boarded when they leave the company? Are the appropriate procedures in place to protect the company and its data?
Technology is both great and necessary, but if you neglect to implement and control solid business processes, you WILL miss the basics.
5. Implement controls in your own IT infrastructure, not just in the cloud. The cloud environment is only part of the picture – you also need to implement controls within your own IT infrastructure (e.g., laptops, firewalls, routers, etc.).
6. Identify your risks. An annual Risk Assessment should be performed to identify control areas and/or technology where weak links exist. Once identified, prioritize the weak links – ranking them by likelihood and potential business impact – and then execute the necessary action plans to remediate them – knocking them out!
Let’s talk about the word “Certification” …
SOC 2 is NOT a certification. It is an attestation report.
What is an attestation report? For a SOC 2 attestation, the management of a service organization (e.g., Seal) attests that certain controls are in place to meet some, or all, of the AICPA’s SOC 2 Trust Services Criteria. The list of those controls is extremely exhaustive and includes the items listed above, as well as many other controls.
This is not a one-and-done process, but rather a journey, as Seal works on continuous improvements and further compliance in 2018.
If you have questions or comments, please feel free to contact me at firstname.lastname@example.org