Before working with any technology vendor, ask, “Do you have a SOC 2 report?”
When looking to engage with a technology vendor, one of the first questions you should ask is, “Do you have a SOC 2 report?” A SOC 2 report is a great way to assess the processes and controls a company has in place to ensure it can deliver on its promises to you. We know the tremendous effort involved in pursuing a SOC 2 audit and report; we recently went through the process ourselves. As a creator of event apps, we are focused on the highest levels of security in our processes and for our clients’ data. (To read more about event app security, check out Mitra Sorrell’s BizBash article, Is Your Event App Secure?)
(For more info on login security specifically, check out Login Choices Made Simple.)
What is SOC 2? Why should anyone care?
The SOC 2 reporting framework was developed by the American Institute of CPAs (AICPA), and these Service Organization Control Reports® (SOC) are internal control reports on the services provided by service organizations, like Gather Digital. A SOC 2 report allows clients to see the controls a vendor has in place for the services in scope, and then to understand how effectively the vendor is executing those controls. For example, a company may promise that it performs background checks on all employees, performs disaster recovery drills every year, and requires all employees to undergo extensive security training. The auditing firm tests whether these efforts actually occur and reports any exceptions it finds.
An arduous process, but a valuable one
The best way to explain the value of such a process and report is to describe our experience. We engaged an auditing firm in early 2016 to conduct a SOC 2 audit. We were evaluated on three of the Trust Services Principles: Security, Privacy, and Availability. We outlined a huge spreadsheet of process controls that we rely on to meet the different requirements of each Principle. The auditing firm evaluated us over a six-month period to confirm that these documented controls were in place and operating, and to identify any control failures. (An evaluation over a period of time like this is what distinguishes a SOC 2 Type II report from a Type I report, which only assesses the design of the controls as of a single date.)
For example, for the Security Trust Principle, we defined controls including an annual evaluation by third-party experts of the security of our native apps, our web-based content management system, and our network and server infrastructure. The auditing firm reviewed and confirmed that this testing occurred and that reports were issued.
We have many controls in place to minimize downtime and meet our Service Level Agreements. The auditing firm confirmed these under the Availability Principle. They reviewed our server monitoring tools, as well as the logs and reports from our last disaster recovery and failover test, to confirm that those tests occurred and were performed successfully.
Preparing for the SOC 2 auditing process was a tremendous undertaking. It gave us an opportunity to review industry best practices, establish controls where the auditing firm and SOC 2 frameworks indicated we could improve, and ensure the controls were producing evidence that could be verified by a third party.
SOC 2: A great way to evaluate a potential partner
Having seen the tremendous value in this process, we always ask to see a potential business partner’s SOC 2 report. If they don’t have one, that’s a sign that the company is not as mature as we’d hope for in a partner. If they can provide a report, it gives us great insight into the controls and processes they have in place to ensure they can deliver. When you read one, check whether it is a Type I or Type II report, which Trust Services Principles and which systems are in scope, what period it covers, and whether the auditor noted any exceptions; a report is only as useful as the scope it actually tested. It’s invaluable. So, if you haven’t yet, start asking your vendors for their SOC 2 report! We’re happy and proud to share our SOC 2 report with our clients to provide them the additional assurance they need to rely on us.