SOC 2 Compliance explained
SOC 2 compliance is a hot topic in today’s world of technology and cloud computing, and as such, service organizations should take note of 5 important items regarding this specific Service Organization Control (SOC) reporting framework.
Security: The system is protected, both logically and physically, against unauthorized access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the government regulatory and/or professional licensing authorities (i.e., the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)).
SOC 2 compliance is designed for the growing number of technology and cloud computing entities that are becoming common in the world of service organizations.
SOC 3 (much like SOC 2) utilizes the five (5) Trust Services Principles (TSP) as the general framework for conducting this type of engagement. While SOC 2 allows for reporting on any number of the TSPs, SOC 3 requires that all five (5) TSPs be included for issuing a report.
Evizone provides the strongest commercially available system for the secure exchange of files and copy-protected messages.
- All Evizone services are hosted in SSAE 16 SOC 2 certified data centers in order to secure customer information and ensure high availability. Evizone’s security has other components, however. Operating in a certified data center is only one component of Evizone’s “defence in depth” strategy. Evizone services utilize multiple layers of encryption and a unique data architecture to ensure that only fully authenticated users with authorization have access to the relevant data. This protects customer data not only from would-be cyber thieves but from unauthorized internal access as well.
- Evizone Secure Communications (ESC) stores messages and documents in an anonymous fashion. The use of PKI (Public Key Infrastructure) plus SSL provides two encryption layers, ensuring that only authorized recipients have the possibility of reading the correspondence. Neither customer administrators nor Evizone administrators have access to ESC correspondence. The storage within the ESC service uses software encryption, hardware encryption plus proprietary trade secrets to prevent any unauthorized access.
- Evizone Communications Governance (ECG) services archive information from multiple sources such as email, SMS, ESC, Bloomberg, Thomson-Reuters and so on. Given that content in the archive serves multiple purposes, such as supervision, compliance and eDiscovery, ECG implements role-based security to control access to the archive content. ECG has a sophisticated data storage architecture consisting of an RDBMS, Hadoop® nodes and, if required for regulatory purposes, a WORM device. The data stored in all locations is fully encrypted, with tamper detection and a complete audit trail.
- Evizone services enforce the customer’s data retention policy, reducing the amount of information potentially at risk. Evizone’s architecture and automated document destruction processes ensure that customer information is completely destroyed when policy requires.
Evizone’s defence in depth goes far beyond current certification requirements. Contact us and we will be happy to explain how.
What does the name Evizone mean?
The name Evizone is a contraction of “event horizon” – the boundary of a black hole beyond which nothing can escape from within it. Once information is inside Evizone it cannot escape.