With SOC 2 Compliance, Firmex Gains a Seal of Approval on Data Security — Here’s Why it Matters for Your Organization

Firmex has successfully completed a SOC 2 report. Attestation in this compliance standard gives customers data security, risk reduction, and peace of mind.

When data is the backbone of your business, your top priority is keeping that data safe. Firmex enacts this priority every day through our virtual data room technology. Our customers rely on us to provide a simple and secure data room for M&A, diligence, and litigation. They come to us knowing they can share documents with absolute confidence.

That assurance is now even stronger with our latest compliance report. We’re proud to announce we’ve recently completed a SOC 2 audit. It confirms our data security practices are best in class! It’s a seal of approval that we do a great job protecting information. Firmex customers can rest assured knowing their data is safe.

A lot of thought and work go into SOC 2 compliance principles and audit procedures. Here’s why it matters — both for Firmex and for your organization.

What is a SOC 2 Audit?

The “SOC” in SOC 2 (pronounced like “sock two”) stands for “System and Organization Controls.” It’s a voluntary compliance standard developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 provides a framework and criteria to evaluate the internal controls an organization has in place to manage, control, and secure the data in its care.

Having SOC 2 attestation means that your organization has successfully undergone a globally recognized data compliance audit. Like any standardized exam, there’s an established procedure and a range of testing criteria. Organizations are essentially putting their data security objectives and internal security controls under the microscope and having them vetted by data security professionals.

To achieve SOC 2 compliance, an organization engages a third-party accounting firm (one that’s licensed as a Certified Public Accountant, or CPA) to conduct a SOC 2 audit. During the audit, the firm checks whether the organization has the right policies, procedures, and controls in place to handle data effectively. In contrast to cybersecurity assessments that take a deep dive into technical details, SOC 2 security auditing focuses on data risk management across different parts of the operation.

Following the assessment, the third-party firm produces a comprehensive report — and issues the all-important result. Great news for Firmex and Firmex customers: With our SOC 2 report, we have an attestation recognized across North America and beyond.

What are Trust Services Criteria?

Like any school exam, it all comes down to the grading key. That’s what determines top marks. It’s the same with the SOC 2 audit. SOC 2 was developed around a core set of “Trust Services Principles.” These principles break out into a range of criteria called “Trust Services Criteria” (TSC) that evaluators can use to guide their assessments. The TSC are organized into the following five categories.

  • Security: These criteria are mandatory and form the basis of every SOC 2 report. Evaluators check to see whether data is safeguarded against unauthorized access, data loss, and damage.
  • Availability: Auditors make sure data systems are up and running and that users have access to data when they need it.
  • Processing Integrity: These criteria focus on data processing accuracy, reliability, and timeliness. Evaluators are focused on data quality, data flows, and data reporting.
  • Confidentiality: These criteria ensure that information designated as sensitive and confidential stays that way — wherever it is in the system.
  • Privacy: Evaluators ensure that personal data is handled with care — in ways that meet regulatory requirements.

To get a thumbs-up on the final SOC 2 report, organizations need to address controls in areas that are important for both the business and its customers. For many organizations, this includes information security, access control, vendor management, system backups, and disaster recovery.

When an organization hits the mark across its key areas, it’s a sign that its data is secure and its systems are robust.

Passing the Test — Year After Year

Achieving SOC 2 compliance is a lengthy process that often takes about a year to complete.

But after that, organizations can’t rest on their laurels. The SOC 2 report is valid for one year. As technology, procedures, and regulations change, so do risks. That means organizations with SOC 2 compliance need to keep reviewing their data processes to make sure they keep up with the times, reflect changing needs and continue to pass muster.

Choosing a Vendor? Look for SOC 2 Attestation

For a virtual data room provider like Firmex, holding a globally recognized attestation like SOC 2 is a fact of life. Data security is our business after all.

But SOC 2 doesn’t only concern businesses like ours. Knowing what it takes to achieve SOC 2 compliance — and choosing vendors that regularly complete SOC 2 audits — is essential for any organization.

When a vendor is SOC 2-audited, it’s proof of its security credentials. You know you’re dealing with a trustworthy organization that will handle your data carefully.

With that assurance, there’s a spillover effect that benefits your business. When your vendors have the right data safeguards in place, you reduce your risk of data breaches, data loss, and other compliance concerns. Just by working with companies that hold SOC 2 attestation, you’re strengthening your own information security, access management, and disaster recovery processes.

Nothing beats peace of mind. When you work with SOC 2-compliant organizations, you know they’ve got your back on data protection.

To learn more about Firmex security policies and initiatives, visit our security page.

Brought to you by Team Firmex.