Being a trusted provider of advanced data intelligence solutions comes with great responsibility. Tignis considers the privacy and security of our customers’ sensitive data to be a business imperative. That is why we recently pursued a company-wide initiative to achieve independent third-party certification of our security controls and their effectiveness.
We chose the System and Organization Controls for Service Organizations (SOC 2) framework, developed by the Association of International Certified Public Accountants (AICPA), to help us solidify and maintain a robust security posture. Successful SOC 2 audits and their resultant reports provide assurance that controls relevant to security, availability, and processing integrity of systems, in addition to the confidentiality and privacy of information processed by these systems, are suitable in both design and operating effectiveness.
Why now? Very simply, we wanted to make sure our security controls are the best they can be and at least as good as our customers’. As scientists, we understand that peer review is critical for validating processes and results. SOC 2 provided an opportunity for independent validation that our processes for handling sensitive customer data are optimized, sustainable, and scalable.
Additionally, some customers with SOC 2 in place are reluctant to work with vendors who are not certified. The reason is clear: when everyone sharing data has SOC 2 processes in place, it establishes a level of trust that the data’s privacy and security practices are audited and under control, and it also helps subsequent audits go more smoothly.
Each SOC 2 control establishes that the given security policy exists, who is responsible for its implementation, what happens when the policy comes into play, and how it is documented, thus ensuring a complete audit trail. For example, a code of conduct control establishes the requirement that every new employee sign a code of conduct, who in HR is responsible for getting it signed, that a ticket will be generated and kept open until it is signed, and how it will be documented in the ticketing system.
Compliance steps strengthen data security
Coalfire was chosen to be our SOC 2 auditor, and we agreed to pursue SOC 2 Type II certification, which is more comprehensive and valuable than Type I. Type I validates whether the security controls are in place at a given moment in time. Type II takes it to a whole other level by not only establishing that the controls exist but auditing them over an extended period to ensure they are effective, the policies are followed, and changes are properly documented.
To prepare for the certification audit, we met with Coalfire to review our existing practices and documentation, such as how we onboard and offboard employees, how we ensure our passwords are secure, how we handle physical office keys, and how security events and their fixes are tracked. We were fortunate that our meticulous DevOps team had already instituted many solid security practices.
With Coalfire’s recommendations in mind, we bolstered some existing controls and documentation requirements and also created new ones. Next, an audit of our roughly 200 controls spanned from Feb. 15 to Sept. 15, 2020. By Nov. 2020, we were successfully certified as SOC 2 Type II compliant.
Going forward, we have committed to internal quarterly meetings, such as a security policy and controls review in which we confirm that we are adhering to our policies and documenting any exceptions, and to annual meetings, such as a risk assessment in which we anticipate potential future threats, weigh the risks, and proactively implement relevant controls. We will also be independently audited at least annually.
Such practices build continuous improvement into our routine. Regularly reviewing our document trail of identified and corrected incidents facilitates ongoing improvements to our overall security posture.
We expect the growth in demand for SOC 2 compliance throughout industry to continue. For Tignis, it is already having a positive impact on our internal and external oversight, risk management, vendor selection, and customer peace of mind.