
Corporate culture

Fostering a culture of security for our clients through SOC 2 Type 2 certification

Thierry Marcoux
Jun 22, 2022 ∙ 5 mins

Nowadays, more and more organizations rely on software to operate their businesses—and this makes security a vital consideration. The sensitive information that’s stored and transmitted by software applications has to be closely guarded in order to protect against ransomware and cyberattacks, which are more common than ever before.

Per Fortune Magazine: “Governments worldwide saw a 1,885% increase in ransomware attacks, and the healthcare industry faced a 755% increase in those attacks in 2021, according to the 2022 Cyber Threat Report released Thursday by SonicWall, an internet cybersecurity company. Ransomware also rose 104% in North America, just under the 105% average increase worldwide.”

These stats are no joke, which is why Osedea has been committed to staying far ahead of the security curve ever since our inception. And now, as the icing on the cake, we’re proud to announce that as of May 2022, we’re officially SOC 2 Type 2 compliant!

The significance of SOC 2

SOC 2 is one of the most widely accepted security compliance standards in North America. It is also one of the most rigorous certifications that exist: it attests that the business that holds one has worked diligently to instill best practices and is serious about maintaining those standards in the future.

Type 1 assesses whether an organization is taking proper security measures at a specific point in time, whereas Type 2 looks at their maintenance over a period of time. Both types are tangible proof that what an organization says they’re doing from an organizational and technical standpoint is actually what’s happening in the background.

The Five Trust Service Principles (TSPs)

In order to gain SOC 2 certification, security standards are assessed in relation to five “Trust Service Principles” (TSPs) established by the American Institute of CPAs. Compliance with the five TSPs means you can trust the organization to deliver to the highest possible standards in terms of the following:

  1. Security: Data will always be protected against unauthorized access.
  2. Availability: The systems that are built (which store and process data) will remain online and accessible at all times.
  3. Confidentiality: All sensitive information will be appropriately categorized as being private, and access to it will be protected.
  4. Processing integrity: Data processing will be 100% accurate and complete.
  5. Privacy: Data is handled in a manner that matches the promises made in the organization’s Privacy Policy, protecting the organization from legal liability.

Our journey to SOC 2 Type 2 compliance

Considering the aforementioned stats on cyberattacks and with so much data being processed by modern enterprises, security is, rightly, a top priority for our clients. We don’t want to put them (or our team) at risk so, in order to give our clients confidence that we have safe, secure and solid processes that protect us and them against data breaches, we knew it was essential for us to undergo the more intensive SOC 2 Type 2 certification. But, compliance isn’t for the faint of heart—it’s a long, involved, and expensive process.

Our first step was to select a security compliance platform that would help us to structure our security processes. We went with Vanta Security, which is a leading SaaS platform that provides a roadmap towards compliance. Their resources, templates for robust policies, checklists, and much more, helped to guide us on our journey.

The good news is that we were already doing a lot of things well, including having a strong code of conduct, using a password manager, using cloud-only services to mitigate vulnerabilities, and more. We had detailed documentation for just about everything already in place.

The most time-consuming task was to detail and implement security policies for what felt like absolutely everything. There were 15 in total, affecting various elements of the enterprise (information security, data classification, asset management, and vendor management policies, to name a few). Additionally, we replaced our firewall, improved our endpoint detection and response (EDR) capabilities to protect the Osedea infrastructure and IT park, chose a new antivirus, added web filtering and DNS filtering, and introduced a whole range of other new security features. We introduced routine phishing campaigns to keep staff vigilant and enhanced our annual security training for team members.

Once our evidence was compiled and uploaded to Vanta, the next step was for us to identify a trusted independent service auditor to audit our processes over a three-month period. We chose the US-based firm BOULAY group to assess whether our processes were compliant with the SOC 2 Type 2 certification. They were scrupulous in their work and asked us to provide supplementary evidence related to the security controls we had in place.

The advantages of working with a SOC 2 Type 2 compliant vendor

Partnering with a software development firm that has been granted SOC 2 Type 2 certification has a direct positive impact on various aspects of business operations. It can offer cost savings and loss prevention, and protection from potential reputational damage that occurs with data leaks or breaches when software is not built to adequate security standards.

Here’s a brief subset of the security measures we have in place at Osedea:

  • Mandatory yearly information security training for all team members
  • Information security policies in place are read and understood yearly by all team members (physical security, password and secret management policy, business continuity and disaster recovery, cryptography policy, asset management policy, etc.)
  • Centrally-managed computer equipment with real-time checks that key system components are active (disk encryption, malware detection, password manager, etc.)
  • Mandatory usage of MFA for all applications used (if available)
  • Quarterly phishing campaign testing
  • Documented quarterly access reviews for all systems in use at Osedea
  • Criminal background checks for every new hire
  • Offboarding completed within SLA
  • Compliance reports checked for critical vendors
  • No direct access to deployment/production related artifacts, automation through continuous integration/deployment pipeline
  • Source code commit history with traceability to specific contributors and reviewers, allowing for “git archeology” and auditing
  • Locked “trunk” to prevent manipulation of upstream with code change review by (at least) another team member

We’re thrilled to have completed this lengthy process and been granted our SOC 2 Type 2. Thanks to this new accolade, we look forward to helping our clients feel even more at ease when they choose us to build their custom software or application knowing that we’ve done our due diligence and that we’re taking security practices seriously.

Image credit: Liam Tucker