<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SOC 2 Certification Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/soc-2-certification/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/soc-2-certification/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Fri, 05 Apr 2024 21:53:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>SOC 2 Certification Archives - Zasio</title>
	<link>https://zasio.com/tag/soc-2-certification/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Standby, RIM/IG Professionals: SOC 2 Applies to You, Too!</title>
		<link>https://zasio.com/soc-2-certification-rim-information-governance-zasio/</link>
					<comments>https://zasio.com/soc-2-certification-rim-information-governance-zasio/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 22 Feb 2023 20:28:55 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[IG]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[records management]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[SOC 2 Certification]]></category>
		<category><![CDATA[Zasio]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=345</guid>

					<description><![CDATA[<p>Records management and information governance professionals are all too aware data breaches are on the rise. Clients know, too—and they are looking for organizations that fight back. Obtaining SOC 2 certification is one way to show your organization takes data security seriously. RIM and IG professionals play a central role in data security, and RIM/IG’s cross-organizational nature is the ideal launch pad for your organization’s information security and protection initiatives, including SOC 2 certification. What is SOC 2 Certification? SOC 2 is a voluntary certification offered by the Association of International Certified Professional Accountants and provides standards centered on the five pillars of the trust services criteria (“TSC”)[1]: Security Availability Processing Integrity Confidentiality Privacy The standards aren’t rigid rules; rather, they comprise a data security program framework. Organizations seeking SOC 2 certification often implement internal controls customized to their business processes in relation to the TSC. Ultimately, organizations seeking certification must be able to pass an audit conducted by an AICPA-affiliated certified accountant. The audit process includes showing evidence the organization’s program satisfies the TSC. RIM/IG Meets Data Security Compliance It’s no secret data security and RIM/IG programs go together like peanut butter and jelly. A sound RIM/IG program aims [&#8230;]</p>
<p>The post <a href="https://zasio.com/soc-2-certification-rim-information-governance-zasio/" data-wpel-link="internal">Standby, RIM/IG Professionals: SOC 2 Applies to You, Too!</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Records management and information governance professionals are all too aware data breaches are on the rise. Clients know, too—and they are looking for organizations that fight back. Obtaining SOC 2 certification is one way to show your organization takes data security seriously. RIM and IG professionals play a central role in data security, and RIM/IG’s cross-organizational nature is the ideal launch pad for your organization’s information security and protection initiatives, including SOC 2 certification.</p>
<p><strong>What is SOC 2 Certification?</strong></p>
<p>SOC 2 is a voluntary certification offered by the Association of International Certified Professional Accountants and provides standards centered on the five pillars of the trust services criteria (“TSC”)<a href="https://www.zasio.com/soc-2-certification-rim-information-governance-zasio/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a>:</p>
<ol>
<li>Security</li>
<li>Availability</li>
<li>Processing Integrity</li>
<li>Confidentiality</li>
<li>Privacy</li>
</ol>
<p>The standards aren’t rigid rules; rather, they comprise a data security program framework. Organizations seeking SOC 2 certification often implement internal controls customized to their business processes in relation to the TSC. Ultimately, organizations seeking certification must be able to pass an audit conducted by an AICPA-affiliated certified accountant. The audit process includes showing evidence the organization’s program satisfies the TSC.</p>
<p><strong>RIM/IG Meets Data Security Compliance</strong></p>
<p>It’s no secret data security and RIM/IG programs go together like peanut butter and jelly. A sound RIM/IG program aims to protect data, information, and records, ensuring their accessibility, availability, and integrity. It also ensures data, information, and records are defensibly disposed of when no longer needed. An organization can significantly mitigate its risks when it is managing only the information it needs.</p>
<p><strong><em>Vendor Management</em></strong></p>
<p>A primary consideration for RIM/IG professionals evaluating vendors is whether data will be protected. This importance is heightened when personal or proprietary data is involved. Vendor vetting considers a list of factors, which typically center around the TSC. Vendors with SOC 2 immediately check boxes, and they often receive priority consideration. Certification immediately demonstrates the vendor’s commitment to the protection of your organization’s data.</p>
<p><strong><em>SOC 2 Within Your Organization</em></strong></p>
<p>If your organization manages customer data, it may already have considered or achieved a SOC 2 certification. The TSC likely bring about warm fuzzies for RIM/IG professionals—they can bring to mind the beloved and familiar GARP principles including the principles of “Integrity” and “Availability.”<a href="https://www.zasio.com/soc-2-certification-rim-information-governance-zasio/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> Other GARP principles also align with TSC, including “Protection”, which provides that protection should be provided to “assets that are private, confidential, privileged.”<a href="https://www.zasio.com/soc-2-certification-rim-information-governance-zasio/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a></p>
<p><u>Confidentiality &amp; Privacy Criteria</u></p>
<p>Under the TSC, “Confidentiality” is defined to include information that is “protected to meet the entity’s objectives”; if your organization deals with confidential customer data, this is a key standard. “Privacy” as a standard involves personal information that “is collected, used to meet the entity’s objectives.” The privacy sub-criteria elaborate that the “entity limits the use, retention, and disposal of personal information to support the achievement of its objectives related to privacy.” These elements can be easily included in a RIM/IG program.</p>
<p><strong><em>Under the IG/RIM Umbrella</em></strong></p>
<p>Whether your organization is preparing for SOC 2 certification or another data security-related certification, or simply wants to ensure the TSC principles are accounted for, your team members can leverage several RIM/IG program components to demonstrate that the organization has the necessary processes, policies, and procedures in place.</p>
<p><u>Records/Data Inventory</u></p>
<p>This isn’t a new refrain, but it often bears repeating: You can’t protect information if you don’t know what you have. Organizations are always wise to keep a handle on their records and information by starting and maintaining a comprehensive data inventory. This is often accomplished through an information collection process. Important details should be gathered including location, format, data owner, and privacy or confidentiality classifications. A robust and regularly updated inventory helps organizations manage their information in a number of ways, even beyond protection: It can help support regular defensible disposition, accessibility for litigation and business needs, and greater privacy initiatives.</p>
<p><u>RIM/IG Policies</u></p>
<p>A well-drafted records and information management policy, along with corresponding procedures, tends to parallel many of the TSC principles; in particular, they reflect the principles touching on access, retention, and disposal. They can also impact business processes relating to data storage, processing, transfer, and archiving, as well as eDiscovery.</p>
<p>Relatedly, an organization’s record retention schedule policy can help demonstrate the organization has controls in place around limited retention and disposal of records. The TSC expressly mentions data retention and disposal, so this is a key effort—and another area in which RIM/IG professionals can significantly contribute.</p>
<p><u>Governance</u></p>
<p>TSC, and the certification process, can even impact and help shape the work of an IG steering committee. The committee is typically composed of stakeholder professionals and experts from the organization, and, according to the Information Governance Body of Knowledge (IBOK), includes members from privacy and security. Although the TSCs don’t explicitly require governance, they do highlight governance as a good way to demonstrate controls.</p>
<p><strong>Conclusion</strong></p>
<p>Pearl Zhu, in her book <em>12 CIO Personas</em>, said the purpose of “Information Management is to make sure the right information is shared with the right persons at the right time in the right place.” With that single sentence, Zhu highlighted the multidisciplinary nature of records and information management. She also perfectly connected RIM/IG to information security. Risks surrounding data breaches cannot be overstated, and breaches cost organizations more each year. Therefore, it is increasingly important RIM/IG professionals are attuned to data security.</p>
<p>There are many parallels between the TSC framework and RIM/IG objectives, resulting in many opportunities to integrate TSC principles into policies. Evidence of successful implementation into, and enforcement of, relevant internal controls will never be a bad thing.</p>
<p>Ultimately, every organization can benefit from the TSC framework. Regardless of whether an organization seeks formal certification, developing formal TSC framework controls and procedures customized to the organization’s processes goes a long way in protecting your organization’s data while also providing guarantees to prospective business partners. And when evaluating vendors, don’t underestimate the guarantees provided by that official SOC 2 seal.</p>
<p><em>Zasio prioritizes the protection of its customer data and is proud to display our SOC 2 certification badge. Ask us how we can help build data security into your RIM/IG program.</em></p>
<p><a href="https://www.zasio.com/soc-2-certification-rim-information-governance-zasio/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, AICPA (2022), https://www.aicpa.org/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022.</p>
<p><a href="https://www.zasio.com/soc-2-certification-rim-information-governance-zasio/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> The Principles®, ARMA (2017), https://www.arma.org/page/principles.</p>
<p><a href="https://www.zasio.com/soc-2-certification-rim-information-governance-zasio/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Id.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/soc-2-certification-rim-information-governance-zasio/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Zasio Successfully Achieves SOC 2, Type 2 Certification</title>
		<link>https://zasio.com/soc-2-certification/</link>
					<comments>https://zasio.com/soc-2-certification/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Fri, 18 Mar 2022 19:47:05 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Enterprise document management]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[Information Governance software]]></category>
		<category><![CDATA[records management software]]></category>
		<category><![CDATA[records retention software]]></category>
		<category><![CDATA[SOC 2 Certification]]></category>
		<category><![CDATA[Versatile Software as a Service System]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=459</guid>

					<description><![CDATA[<p>BOISE, IDAHO — Zasio Enterprises, Inc., a global leader in business-to-business information governance and records management solutions, is pleased to announce that it has successfully completed the Service Organization Control (SOC) 2 Type 2 audit with respect to Zasio’s Versatile Software as a Service System. Zasio utilizes the Versatile System to provide its suite of records and information management SaaS solutions to customers. With an unqualified opinion for Versatile controls relative to security, Zasio’s SOC 2, Type 2 attestation report demonstrates the company’s commitment to security in delivering its SaaS solutions to customers around the globe. To comply with SOC2, Zasio had to demonstrate that it had established rigorous policies and procedures in accordance with the Trusted Services Criteria of security. “Zasio has made information governance security a top priority throughout our organization,” said Kevin Zasio, the company’s founder and president. “Achieving SOC 2 certification is another step in that goal.” The official audit report provides a thorough review of Zasio’s internal controls, policies, and processes for security. It also reviews Zasio’s processes relating to risk management and vendor due diligence, as well as Zasio’s entire IT infrastructure, software development lifecycle, change management, logical security, network security, physical and environmental [&#8230;]</p>
<p>The post <a href="https://zasio.com/soc-2-certification/" data-wpel-link="internal">Zasio Successfully Achieves SOC 2, Type 2 Certification</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>BOISE, IDAHO — Zasio Enterprises, Inc., a global leader in business-to-business information governance and records management solutions, is pleased to announce that it has successfully completed the Service Organization Control (SOC) 2 Type 2 audit with respect to Zasio’s Versatile Software as a Service System.</p>
<p>Zasio utilizes the Versatile System to provide its suite of records and information management SaaS solutions to customers. With an unqualified opinion for Versatile controls relative to security, Zasio’s SOC 2, Type 2 attestation report demonstrates the company’s commitment to security in delivering its SaaS solutions to customers around the globe.</p>
<p>To comply with SOC 2, Zasio had to demonstrate that it had established rigorous policies and procedures in accordance with the Trust Services Criteria of security.</p>
<p>“Zasio has made information governance security a top priority throughout our organization,” said Kevin Zasio, the company’s founder and president. “Achieving SOC 2 certification is another step in that goal.”</p>
<p>The official audit report provides a thorough review of Zasio’s internal controls, policies, and processes for security. It also reviews Zasio’s processes relating to risk management and vendor due diligence, as well as Zasio’s entire IT infrastructure, software development lifecycle, change management, logical security, network security, physical and environmental security, and computer operations.</p>
<p>The audit examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. System Organization Control (SOC 2) is a technical auditing process performed by an independent auditor who measures the security of an organization’s unique data processing systems and determines whether effective safeguards and controls are in place.</p>
<p>The audit was conducted by Dansa D’Arata Soucia LLP (“DDS”), a full service CPA firm based out of Buffalo, New York. Over the past decade, DDS has built a team of auditors dedicated to understanding the AICPA’s Trust Service Criteria and how properly applying best practices to comply with this set of criteria results in risk mitigation when it comes to protecting sensitive data.</p>
<p><strong># # #</strong></p>
<p>Founded in 1987, Zasio has more than three decades of experience being at the forefront of records management and information governance. Zasio prides itself on its ability to foster a culture of innovation mixed with long-term thinking, which translates into offering leading-edge records and information management solutions along with unparalleled support to its customers.</p>
<p>Stay up-to-date on Zasio by following us on <a href="https://www.linkedin.com/company/zasio-enterprises-inc-/mycompany/" data-wpel-link="external" rel="external noopener noreferrer"><strong>LinkedIn</strong></a> and by subscribing to our <a href="https://www.zasio.com/news/page/17/" data-wpel-link="internal"><strong>monthly newsletter</strong></a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/soc-2-certification/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
