Cavirin Blog

Why Earn SOC 2 Certification

“If your company currently uses third party vendors to provide services that include the collection, processing and/or retention of sensitive information, you should consider inquiring into whether they have successfully completed a SOC 2 Type 2 audit, as it helps to ensure a higher standard for protecting your data.” Jeanne Madden, Vice President Operations, ADP Tax Credit Services

THE CHALLENGE

  • Customers and prospects demand a SOC 2 Type II report covering the actual effectiveness of your core product systems.
  • Your evidence could reveal a lapse in security that may need to be disclosed.
  • Was your service down for any significant time?
  • Was the data processed effectively?
  • Did your application continually encrypt data over the audited timeframe?
  • External auditors report how well your systems, software, and procedures worked, using actual data collected across a specified timeframe.
  • Findings in the report become the subject of conversation with all of your customers. These findings require remediation in order to maintain existing business.
  • In today’s cloud economy, customer due diligence has gone from nice-to-have to mandate.

Why earn SOC 2 certification?

Customers demand evidence of reliable controls before placing their trust and dependency on service organizations. One of the most widely accepted ways to earn that trust is the AICPA SOC 2 Type II report, also known as the TSP 100. The Trust Services Principles (TSP) are a professional attestation containing the essential criteria-based information for assessing controls. When engaged in reporting, however, determining suitable and continuous evidence is time consuming and sometimes impossible. Beyond the cost of third-party advisory services, the disruption that a SOC 2 engagement can impose across your organization is both substantial and avoidable.

Cavirin Security and Compliance offers system-based controls mapping that aligns enterprise technology to the criteria of the TSP 100, making the failure and success of IT controls continuously available to this reporting process.

Recently updated with enhanced privacy controls (released in April of 2016), the Trust Principles set out by the AICPA enable companies to limit their exposure when relying on third parties, and are especially necessary when doing business with organizations falling under FISMA and SEC regulation. Third-party vendor risk management often prevents a business from placing dependency on any MSP, SaaS, IaaS, or PaaS provider who has failed, or has not yet engaged, to successfully complete a SOC 2 report.

SOC 2 Principles

Leveraging SOC 2 exceptions to optimize environments and pass audits faster

Facing a SOC 2 assessment, organizations often fail due to improper security settings, incorrect configurations, weak encryption, or poor policies and procedures. Continuous testing of those controls could have prevented the costs of business disruption, time-consuming client discussions, or lost business opportunities.

Cavirin’s ARAP™ solution automatically checks system configuration settings across all target environments, reporting against the expected system-based SOC 2 Illustrative criteria. Reviewing and responding to the recommended fix actions allows timely remediation of the problems found, and further rewards the business with rapid completion of otherwise disruptive SOC 2 audit events.

Cavirin clients gain further advantage through alignment with the AICPA SOC 2 standard. Managing an effective SOC 2 assessment program supports elements in achieving compliance with many other control frameworks including the security aspects of the following laws and mandates:

  • UK Cyber Essentials
  • Federal Information Security Management Act 2001 (US)
  • Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
  • Federal Financial Institutions Examination Council’s (FFIEC) security guidelines (US)
  • Sarbanes‐Oxley Act (SOX) 2002 (US)
  • State security breach notification laws (e.g. California) (US)

SOC 2 Crosswalk, Audit Once, Comply Many

THE SOLUTION

Cavirin’s Automated Risk Analysis Platform (ARAP™) assists Chief Risk and Security Officers, as well as IT and DevOps leadership, with the top challenges they face in meeting HIPAA Security Compliance:

  • Missing patches for operating systems and applications.
  • Monitoring and detecting sensitive data loss (data exfiltration).
  • Locating weak passwords.
  • Lack of logs and audit trails that can support forensics to identify and respond to a breach.
  • Security validation for new systems.
  • Missing or outdated anti-malware technology.
  • Encryption of sensitive information in transit.
  • Remediating deficiencies that would otherwise be impossible to manage because of a lack of trained staff maintaining security controls.

SOC 2 Domains mapped to their evidence in enterprise systems

Compliance in any environment

  • Cloud-native platform supporting 12-factor patterns (port binding, logs, concurrency, and so on)
  • A “hyper plane” of integrated “risk assessment” across segmented vulnerability domains
  • Works with private, hybrid, and public clouds, and supports AWS, Azure, and GCP (Google Cloud Platform)
  • Manages thousands of out-of-the-box policies, well curated and certified (SCAP, XCCDF, OVAL)
  • Supports most compliance authorities (PCI, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmarks, DISA, CIS CSC, CSF)
  • CIS-certified security content (multiple operating systems, Docker, AWS Cloud)
  • Complies with DISA standards in all aspects of delivery and reported results

SOC 2 Compliance and Cavirin

Continuous Compliance

Cavirin Security and Compliance actively contributes to all major standards and organizations responsible for mapping regulatory requirements to the most highly leveraged national and international standards. In addition to configuration hardening and change management based on the CIS Benchmarks, DISA STIGs, and NIST guidance, Cavirin has implemented all assessments against the NIST Cybersecurity Framework (CSF) and NIST 800-53 r4, including Appendix J for Privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, benefit from the extended use of multiple frameworks to align their Information Security Programs and Policy.

Stay compliant

About Cavirin

Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agentless solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become more agile, and drive dramatic increases in efficiency in their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, Cavirin supplies audit-ready evidence as measured by every major regulatory and security best-practice framework.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.