Information Security
Last updated: December 2, 2024
SOCi’s Overview of Security Commitment
SOCi, Inc. demonstrates a commitment to security through a multi-faceted approach involving policies, procedures, and technology.
SOCi has implemented a broad and comprehensive set of security controls, called The Common Criteria Controls, that are consistent with the American Institute of CPAs (AICPA) Trust Services Criteria for Security, Availability, Processing Integrity, and Confidentiality.
Protection of Information Assets
SOCi’s management has implemented information security policies and procedures that protect confidential information and provide a comprehensive framework for protecting the confidentiality, integrity, and availability of SOCi’s information assets and resources. These policies apply to SOCi Inc., its employees, and its clients, and aim to ensure the effectiveness of information security controls across the organization, recognizing the highly networked nature of the current computing environment.
Roles & Responsibilities
- A Chief Technology Officer (CTO) well-versed in security and responsible for all aspects of technology, including security.
- A Vice President of Information Security and Compliance responsible for all security matters.
- A Security and Compliance Analyst responsible for security and compliance related matters.
- A Principal Security Engineer responsible for security development processes and platform security.
- A Security DevOps Specialist responsible for our security information and event management (SIEM) system and security operations.
- An Information Security & Privacy Management Committee (ISPMC) overseeing the development, implementation, and effectiveness of information security.
Organizational Controls
- Ongoing Security Awareness Education (SAE) program required for all SOCi staff and contractors.
- Advanced secure coding training required of all engineers.
- Industry-standard best practices related to operations, including change management and application development.
Technical Controls
- Reliance upon Amazon Web Services (AWS) and Google Cloud Platform (GCP), which provide highly secure, monitored, and tested infrastructure.
- Ongoing monitoring of systems and infrastructure.
- Vulnerability assessments performed by a CREST-certified security assessment firm.
- Use of endpoint protection on workstations to prevent virus and malware infections.
- Backups of all critical systems and a comprehensive disaster recovery capability.
- Use of standard network and system protection including next-generation firewalls and intrusion detection/prevention systems (IDS/IPS).
- Robust identity and access management (IAM) controls to ensure that only authorized individuals have access to data.
- Best-in-class security information and event management (SIEM) system.
Encryption Methods
SOCi utilizes strong encryption methods for confidential data that is transmitted internally or externally. SOCi uses a variety of encryption methods for data at rest, including but not limited to:
- Whole disk encryption
- Encryption of partition/files
- Encryption of disk drives
- Encryption of personal storage media
- Encryption of backups
- Database encryption
All sensitive data is transmitted over encrypted protocols: HTTPS, which uses Transport Layer Security (TLS), or SSH. Through the use of these secure protocols, SOCi protects all data from incomplete transmission, mis-routing, unauthorized alteration, unauthorized disclosure, and unauthorized duplication.
SOCi only uses generally accepted, non-proprietary encryption algorithms and protocols, such as AES and 3DES for encryption, and TLS 1.2 (and above) for data in transit.
SOCi’s Compliance with Security Standards
SOCi, Inc. has implemented an Information Security and Privacy Management System (ISPMS) to protect the confidentiality, integrity, availability, and privacy of data entrusted to it. The ISPMS is independently verified through:
- An annual independent assessment of all technical and organizational controls by a qualified third-party auditor, resulting in a System and Organization Controls (SOC) 2 Type II report.
- An annual independent third-party assessment and certification against the international standard ISO 27001:2013.
While requirements vary from industry to industry, all of them are broadly consistent with the stringent controls that SOCi has already established. SOCi verifies these controls using the widely accepted SOC 2 standard, and the resulting report can be presented to clients requesting validation of SOCi’s security posture.
Additionally, these controls can be mapped to other industry-specific requirements as needed. For example, although SOCi is not a “covered entity” and is therefore not itself required to comply with HIPAA, SOCi demonstrates its alignment with HIPAA controls through its SOC 2 report, which includes a direct mapping to the relevant HIPAA controls. A standard HIPAA Business Associate Agreement (BAA) addendum may be added to your contract upon request.
This approach allows SOCi to demonstrate that while SOCi itself may not be required to adhere to clients’ industry-specific standards, SOCi has the ability to protect its clients’ data consistent with the requirements of specific industry standards and regulations.
To request a copy of SOCi’s SOC 2 report or our ISO 27001 certification (reproduced below), contact your Account Executive or Customer Success Manager. If you have any questions or concerns about SOCi’s security, please contact us at [email protected]
SOCi maintains a security bug bounty program for our systems and applications. For more information or to report a bug, please email [email protected].