As more companies look to vendors to deliver business functions and services in the cloud, they need assurance that vendors maintain effective internal controls to safeguard their intellectual property – their data. And many are expecting those vendors to provide assurance based upon third-party validation that the company meets rigorous standards including System and Organization Controls (SOC®).
SOC is a set of guidelines generated by the American Institute of Certified Public Accountants (AICPA) and developed to ensure security, availability, confidentiality and process integrity of financial organizations. These guidelines are broken into three sections, each focusing on a separate aspect of the overall security posture of the cloud vendor. As part of our commitment to delivering a best-in-class cloud solution to our customers, IDS has invested the time and resources required to meet the requirements outlined in all three areas of SOC reporting.
This accomplishment means IDS has worked with a third-party vendor to validate that all appropriate control protocols are in place and working properly to safeguard our clients’ data confidentiality. This assessment also helps validate that our internal policies and procedures are protecting our own business operations and verifies our security posture.
What is security posture?
An organization’s security posture is the collective summary of the security status of all software, hardware, services, networks, information, vendors and service providers used by IDS.
What does SOC validate?
SOC is broken into three separate areas of focus. The report type associated with each set of criteria indicates that the vendor’s controls were validated over a longer period of time, not just at a single point in time. Below you will find a simplified overview of the different types of SOC reports that IDS received as part of its 2020-2021 audit and assessment.
- SOC 1® Type 2 reporting addresses internal controls over financial reporting and the development of products.
- SOC 2® Type 2 reporting addresses IDScloud controls related to operations and security compliance.
- SOC 3® features a public report of internal controls related to security, availability, processing integrity and confidentiality.
Do these SOC reports mean that IDS is SOC-certified?
No. In fact, that’s a common misconception. No company is ever SOC-certified. SOC is a third-party assessment. That means independent auditors work with companies like IDS to audit, perform risk assessments, measure, obtain evidence and report on whether controls are operating effectively – for both the external clients and the internal business operations.
Why is SOC reporting important for cloud computing?
For IDS specifically, SOC auditors perform onsite and virtual audits and report on the effectiveness of the IDScloud secured finance platform.
More and more companies who outsource their business functions to the cloud and to vendors are making SOC assessment and reporting mandatory. But that’s not why we do it. We invest the time and resources in completing SOC assessments because we care about our clients. They leverage our system entrusting us with the data that supports their business. Our clients trust IDS to protect their business intelligence so it’s important to build that trust and provide transparency on how we do business.
That is our job and our purpose. We provide technology to secured finance businesses that they use to offer financing solutions for their customers. That opens up opportunities for them to invest in new ideas, capitalize on new opportunities and enter new markets. They deserve to work with a partner who they can trust so they can use that time and energy in other areas. And that’s what SOC reports provide – a third-party assessment and validation that all of our controls can be trusted – physical, logical and human.
Speaking of human controls – that’s another area that we take great pride in at IDS. We have incorporated a security posture that takes into account the human factor to ensure individuals at IDS possess the integrity and the skillset to protect our clients’ information, protect our own business assets and protect against external threat vectors.
Undergoing an SOC assessment is a rigorous process that takes commitment and resources over a long period of time (6 to 12 months in most cases). We see SOC assessment as an investment to strengthen our cloud offering for all our clients.
As more organizations value SOC reporting as part of their third-party risk management efforts, IDS will continue making concerted efforts to build on previous success to provide a best-in-class cloud platform for a full range of secured finance applications.
How often should a company conduct an SOC assessment?
I can only speak for IDS and we’ve been investing in SOC assessments and reports since the inception of IDScloud three years ago. We’ve had our controls audited over a six-month period and are currently rolling into an ongoing annual practice.
Recognizing that a strong security posture is a daily commitment, we have already started the 2021-2022 SOC audit observation to ensure effective cloud security in all procedures and technologies. We also conduct our own periodic internal reviews and spot checks of all our controls. And we do all of this to build and maintain trusting relationships with all our customers.
Craig Debban, Senior Director of IT and Information Security Officer, IDS