What is compliance?
Compliance isn’t as simple as a box-ticking exercise. With so many businesses moving some or all of their business workloads into the cloud in recent years, it is unsurprising that an array of cloud-based security threats have come to light. This calls for stringent compliance procedures to be put in place in order to safeguard the data of your business and the privacy of your customers.
Following a recent audit, Hyve Managed Hosting is pleased to be SOC 2 certified – so, what exactly is involved?
What is SOC 2?
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is an auditing procedure designed for service providers that store customer data in the cloud to ensure that their information security measures are up to standard.
SOC 2 stands for “System and Organisation Controls” and is about putting well-defined policies, procedures, and practices in place and then testing them over a long period of time – not just ticking all the compliance checkboxes. Doing so effectively builds trust with customers and end-users about the secure nature and operation of our company and our cloud infrastructure.
What does the process involve?
Hyve’s audit process involved reviewing the audit scope and developing a comprehensive plan that ensures the day-to-day running of the company and infrastructure falls within this audit scope. This then provided a set of policies and procedures to run the audit – which was conducted over a specified period of 6 months. Each policy and procedure was then tested, covering all aspects from staff and HR through to controls for design and operational effectiveness. This then led to the documentation of the results and delivery of the final report.
SOC 2 defines criteria for managing customer data based on five “trust service principles” – security, availability, processing integrity, confidentiality and privacy.
The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of the software, and improper alteration or disclosure of information.IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access of systems and data.
The availability principle refers to the accessibility of the managed service as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.This principle does not address system functionality and usability but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
- Processing integrity
The processing integrity principle addresses whether or not a system achieves its purpose – such as delivering the right data, at the right price, at the right time. Accordingly, data processing must be complete, valid, accurate, timely and authorized.However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.
Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organisations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organisation’s privacy notice, as well as with criteria set forth in the AICPA’s Generally Accepted Privacy Principles (GAPP).Personal identifiable information (PII) refers to details that can distinguish an individual, such as your name, address, or national/social security number. Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.
Why is SOC 2 important?
Whilst SOC 2 compliance isn’t a legal requirement for your managed service provider, its role in securing your data cannot be overstated.
At Hyve and Hyve US, we take security seriously, so it is important that our clients can trust that we have taken all necessary measures to protect the information processed in our service offering.
Alongside our Hyve Ltd ISO 27001, ISO 27017 and ISO9001 certifications, the SOC 2 report provides additional verification of our commitment to security and detailed descriptions of the security controls in place at Hyve Managed Hosting.
Do you want to know more about Hyve’s certifications and accreditations? To get in touch today, email email@example.com or call 0800 612 2524.
More articles in Hyve News
- Is it about time the insurance sector embraced the cloud?
- The importance of ISO 27001
- Cloud Security: An Essential Guide
- On premise vs. the cloud: What is the future for the financial sector?
- Is your hosting provider solving your big data problems?
- Is the Middle East cloud market set for rapid growth?
- Hyve Managed Hosting is named by The Sunday Times as one of the fastest growing private companies in the UK
- Can the cloud lead the way on tackling climate change?
- Jon Lucas of Hyve Managed Hosting: 5 Things You Need To Know To Create a Successful App or SaaS
- Is managed private cloud the future?
- World Backup Day 2021
- What is Private Cloud?
- Reshaping the future of remote work
- Why accreditations matter when choosing a hosting provider
- 3 reasons to consider the location of your data
- Is London the new Silicon Valley?
- What is HPC and who uses it?