Seven questions to Dasseti’s CTO Graham Cambridge on the recent SOC 2 Type 2 certification.
Could you start by explaining what SOC 2 Type 2 certification is, and why it's so significant for Dasseti and our clients?
SOC 2 Type 2 certification is a compliance framework that helps secure client data storage and processing by third-party service providers. It is granted by the American Institute of Certified Public Accountants (AICPA) to companies that follow stringent security standards.
SOC 2 Type 2 certification comprises a detailed evaluation, by an independent auditor, of an organization’s internal control policies and practices over a defined time frame.
The certification ensures that the service provider securely manages client data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
For security-conscious businesses like those of our clients, SOC 2 compliance is a minimal requirement when considering a SaaS provider.
SOC 2 Type 2 certification is significant for our clients because it provides assurance that the company has implemented effective security controls and processes to protect client data. The certification also helps companies to demonstrate their ability to manage data and security processes effectively. By obtaining SOC 2 Type 2 certification, companies can assure their clients that they are committed to protecting their data and privacy.
How does obtaining the SOC 2 Type 2 certification enhance the security and privacy assurances we offer to our clients?
Obtaining the SOC 2 Type 2 certification enhances the security and privacy assurances that a SaaS vendor can provide to its clients in several ways.
Firstly, the certification ensures that the vendor has implemented effective security controls and processes to protect client data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
Secondly, the certification helps companies to demonstrate their ability to manage data and security processes effectively.
Thirdly, SOC 2 Type 2 compliance is a minimal requirement when considering a SaaS provider for security-conscious businesses. By obtaining SOC 2 Type 2 certification, companies can assure their clients that they are committed to protecting their data and privacy.
Could you outline the specific steps we took to meet the stringent requirements of SOC 2 Type 2 certification?
The SOC 2 Type 2 certification process is quite rigorous and assesses the company’s information security practices and procedures over a period that extends from 6 to 12 months. The certification ensures that the service provider securely manages client data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
Specifically:
- Determine the scope of the audit based on our clients’ needs and the Trust Services Criteria (TSC) or trust principles.
- Implement controls that align with the TSC principles.
- Conduct an audit of your internal control policies and practices over a defined time frame.
- Prepare a report that includes the auditor's opinion on the effectiveness of your controls and any identified gaps.
- Address any gaps identified during the audit.
- Obtain the SOC 2 Type 2 attestation to showcase to your clients who demand it or to portray your strong security measures to the world.
How did our approach to data security and privacy evolve during the preparation for this certification?
We were already operating to SOC standards and trust criteria prior to starting the audit period; however, we became mindful of the need to ensure we were executing and documenting our processes effectively. This was to ensure we could demonstrate we were operating at the highest level, to the required standard, in practice.
Why should our clients feel more confident about their data security following our achievement of SOC 2 Type 2 certification?
Clients should feel more confident about their data security when using a company with SOC 2 Type 2 certification because the certification ensures that the company has implemented effective security controls and processes to protect client data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. The certification also helps companies to demonstrate their ability to manage data and security processes effectively. SOC 2 Type 2 compliance is a minimal requirement when considering a SaaS provider for security-conscious businesses. By obtaining SOC 2 Type 2 certification, companies can assure their clients that they are committed to protecting their data and privacy.
What are our plans to ensure continuous compliance and improvement in line with SOC 2 Type 2 standards?
Dasseti will ensure continuous compliance and improvement in line with SOC 2 Type 2 standards by continuing to implement its comprehensive security program, which is designed to identify, assess, and mitigate risks to client data.
Specifically:
- Conduct regular risk assessments to identify potential vulnerabilities and threats to client data.
- Implement security controls that align with the Trust Services Criteria (TSC) principles.
- Regularly monitor and test systems and processes to identify any potential vulnerabilities.
- Train employees on the policies and procedures related to data security and privacy.
- Address any gaps identified during the audit and remediate them promptly.
- Conduct regular audits to ensure that the company's security program is effective and up to date.
How do you intend to integrate the learnings from this certification process into our ongoing operational strategies?
Dasseti follows a continuous improvement model, constantly seeking marginal gains in performance. We will adopt audit recommendations, incorporate the latest best practices, and refine policies and procedures to continue to enhance our operational approach.
Chat with a member of our team to learn more about our commitment to security and data privacy.