We are pleased to share the news that we recently completed our System and Organization Controls (SOC) 2 Type II audit. The article below explains the purpose of the audit and the requirements we had to meet to obtain it. At HF Software Solutions, we are serious about the security of our data, and passing the SOC 2 audit reflects on the integrity of our product and staff. Most of the information presented can be found at https://secureframe.com.
What is a SOC 2 audit?
The SOC 2 audit is among the highest recognized information security compliance standards. It was developed by the American Institute of CPAs (AICPA) to allow a third-party auditor to validate a service company’s internal controls concerning information security. The SOC 2 Audited Report is the auditor’s opinion on how an organization’s security controls meet the SOC 2 criteria.
Type II vs. Type I
The SOC 2 audit includes two subcategories: Type I and Type II. Both audit reports cover a system’s design controls and operating effectiveness; however, the timeframe varies. A Type I audit looks at a specific point in time, for example, a single day, and affirms that your security systems and controls are working as you’ve set them. A Type II report requires that an organization undergoes rigorous auditing over a more extended period, usually up to 12 months. Type II measures controls in action more accurately, whereas Type I assesses how well you designed controls.
A Type II report delves into the nitty-gritty details of your infrastructure service system. It will examine all of the following components.
- Infrastructure: The physical and hardware components (networks, facilities, and equipment) that support your IT environment and help you deliver services.
- Software: The operating software and programs (utilities, applications, and systems) you use to facilitate data and system processing.
- People: The personnel (managers, developers, users, and operators) involved in the management, security, governance, and operations to deliver services to customers.
- Data: The information (files, databases, transaction stream, and tables) you use or process within the service organization.
- Procedures: The manual or automated procedures that bind processes and keep service delivery ticking along.
Source: SOC 2 Type II Compliance: Definition, Scope, and Why You Need It (secureframe.com)
Why is it important?
Businesses have been moving operations from on-premise software to a cloud-based infrastructure. This change can improve processing efficiency while cutting overhead expenses. However, moving to the cloud means losing tight control over the security of data and system resources. A SOC 2 report assures that your security program is appropriately designed and operates effectively to safeguard your data.
SOC 2’s compliance requirements consist of five trust service principles:
- Processing integrity
What’s required to pass a SOC 2 audit?
Before we could obtain our audited SOC 2 Report, a third-party auditor, Johanson Group, reviewed our internal controls, including policies, procedures, and infrastructure regarding data security, firewall configurations, change management, logical access, backup and disaster recovery, security incident response, and other critical areas of our business. With the help of Secureframe, HF Software Solutions successfully achieved compliance and received an Auditor’s Report demonstrating that our policies, procedures, and infrastructure meet or exceed the SOC 2 criteria.
HF Software Solutions’ commitment to excellence
SOC 2 is just one aspect of our growing security program. We are committed to continually improving our information security program and retaining an annual SOC 2 audit to ensure we continue supporting our customers’ needs.