What is SOC2?

Service and Organization Controls 2 (SOC2) is an internationally accepted format for guidelines and reports on cybersecurity risk management. It covers the following components:

Security

the system is protected against unauthorized access (both physical and logical access).

Availability

the system is available for operation and use in accordance with accepted or agreed commitments.

Processing integrity

the data processing inside the system is complete, accurate, timely, and duly authorized.

Confidentiality

information marked as confidential is protected in accordance with commitments or agreements.

Privacy

personal data is collected, used, stored, disclosed, and destroyed in accordance with the commitments made in the organization's privacy notice.

SOC2 guidelines do not specify exactly which actions should be taken and are, therefore, open to interpretation.
SOC2 describes a basic set of routines and approaches that organizations seeking to protect the data and property of their customers should follow.

Why choose vendors that comply with security standards?

When you work with vendors, it is crucial to rely on those who meet the required level of security and understand how to manage and protect their infrastructure. Otherwise, malicious attackers will be able to use your vendor as a link in the data chain to gain access to your data and assets.

The mere existence of regulations in the company is not enough. Its employees must be clearly aware of them, understand the reasons for their existence, and know what value they bring to the client.


Let's review two cases:

B2B field

Oftentimes, products start their life with small, inexpensive, outsourced technical teams that develop an MVP for you. Over time, this MVP evolves into a big product and a business generating profits. This business is able to solve problems so complex that enterprise clients seek its help and sign a contract with you.

At this point, in most cases, as a business owner, you will face the fact that the small team chosen at the beginning is not ready to provide a sufficient level of service for this new tier of customers. Since you and your outsourced team are essential links in the workflow chain, failure to meet enterprise-level standards will jeopardize the whole deal.

B2C field

You own a business and a product that stores a great volume of your customers' personal data. Your business also provides a first-of-its-kind solution to the problems of these customers. Contact details and the codebase are your most critical assets. These resources should be accessed solely by authorized team members and should in no case be damaged or compromised.

On a purely physical level, small agencies cannot afford properly organized access control, standardization, and management of the mechanisms used to protect employees' equipment and infrastructure. Of course, you can specify financial liability for your data protection in the contract, but this will cover only a fraction of the damage in case of a leak.

What did we do to ensure SOC2 compliance?

At our company, we initiated a process to standardize and ensure that all devices in the organization undergo permanent monitoring. We use osquery, which is supported and sponsored by key players in the technical solutions and data protection market.

This tool ensures compliance of all company systems with the security parameters established by the organization through centralized control and monitoring of their status and settings.
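To make the monitoring step concrete, the following is an added example (not the company's own tooling) of how osquery results can be checked against a small device policy. It assumes the osquery tables `disk_encryption`, `screenlock` and `alf` with the columns used below (part of osquery's macOS schema), and the per-host results are constructed JSON in the shape that `osqueryi --json` prints; a fleet manager would supply real rows in the same form.

```python
"""Evaluate osquery results against a small device-compliance policy.

Added example, not the article's own tooling. Assumes the osquery tables
`disk_encryption`, `screenlock` and `alf` (macOS schema) with the columns
used below. Host results are constructed in the shape `osqueryi --json`
prints: a list of rows whose values are all strings.
"""
import json

# Query pack: one scheduled query per control. Each control names the
# SOC2 component from the article that it supports.
POLICY = {
    "disk_encryption": {
        "query": "SELECT name, encrypted FROM disk_encryption;",
        # every volume reported must be encrypted; no rows means no evidence
        "check": lambda rows: bool(rows) and all(r["encrypted"] == "1" for r in rows),
        "criterion": "Confidentiality: data at rest on a lost or stolen device",
    },
    "screen_lock": {
        "query": "SELECT enabled, grace_period FROM screenlock;",
        # lock enabled and engages within 5 minutes (300 s) of sleep
        "check": lambda rows: any(
            r["enabled"] == "1" and int(r["grace_period"]) <= 300 for r in rows
        ),
        "criterion": "Security: unattended device access",
    },
    "firewall": {
        "query": "SELECT global_state FROM alf;",
        # alf.global_state: 0 = off, 1 = on, 2 = on for essential services only
        "check": lambda rows: any(r["global_state"] in ("1", "2") for r in rows),
        "criterion": "Security: inbound network exposure",
    },
}


def parse_rows(raw_json):
    """Parse one query's output as printed by `osqueryi --json`."""
    rows = json.loads(raw_json)
    if not isinstance(rows, list):
        raise ValueError("osquery output must be a JSON array of rows")
    return rows


def evaluate_host(results):
    """Return the names of the controls a single host fails."""
    failed = []
    for name, control in POLICY.items():
        rows = results.get(name, [])
        if not control["check"](rows):
            failed.append(name)
    return failed


def compliance_report(all_results):
    """Map each host to its list of failed controls (empty list = compliant)."""
    return {host: evaluate_host(res) for host, res in all_results.items()}


# Constructed sample results for two hosts (not real devices).
SAMPLE_RESULTS = {
    "laptop-01": {
        "disk_encryption": parse_rows('[{"name":"disk1s1","encrypted":"1"}]'),
        "screen_lock": parse_rows('[{"enabled":"1","grace_period":"0"}]'),
        "firewall": parse_rows('[{"global_state":"1"}]'),
    },
    "laptop-02": {
        "disk_encryption": parse_rows('[{"name":"disk1s1","encrypted":"0"}]'),
        "screen_lock": parse_rows('[{"enabled":"1","grace_period":"900"}]'),
        "firewall": parse_rows("[]"),
    },
}

if __name__ == "__main__":
    for host, failed in compliance_report(SAMPLE_RESULTS).items():
        status = "compliant" if not failed else "FAILED: " + ", ".join(failed)
        print(f"{host}: {status}")
        for name in failed:
            print(f"  {name}: {POLICY[name]['criterion']}")
```

The checks are written so that an absent result (a query that returned nothing, or a table missing on a given OS) counts as a failure rather than a pass; a device that produces no evidence should show up in the report, not silently disappear from it. The same policy dictionary can also be exported as an osquery query pack, since each entry already carries the SQL to schedule.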

Thanks to this approach, our customers have already closed two deals with major market players, because we, as their vendor, have passed an audit procedure confirming our compliance with SOC2 standards.

This system does not give us access to employees' personal files, but it does allow us to conduct security monitoring regularly.
Policies and processes were also developed within the organization to ensure full control over access to passwords and security keys, by name.

This way, we established the principles and processes that are essential for a stable and safe operation:

Control over logical and physical access to data, aimed at preventing unauthorized authentication.

Change management is a controlled process for adjusting the organization's infrastructure and systems, aimed at preventing unauthorized changes.

Risk management is the set of approaches and activities that let an organization regularly identify, eliminate, and mitigate risks associated with cybersecurity.

Systematization of work and processes to control and monitor how the company's systems and processes comply with standards. This also ensures that any deviations from the organization's regulations are detected, responded to, and eliminated.