We are pleased to announce that Ballast Lane Applications has achieved its SOC2 Type 1 compliance. This milestone is the latest on a journey we embarked on last year together with our SOC2 auditor Schneider Downs which started with a readiness audit and ended with a final compliance audit with lots of intermediate steps to tune our security policies and procedures.
The good news is that we were already following many of the best practices around security - named access, formal onboarding and offboarding of team members from client tools and a variety of practices in our cloud infrastructure. However, the audit helped us identify a couple of areas of improvement and also ways to be better prepared if we were subjected to something bad like a hack or rogue employee.
We would like to share a little bit about what we learned to help the next group that decides to go through this process.
What is SOC 2?
SOC2, pronounced "sock two" and more formally known as Service Organization Control 2, reports on various organizational controls related to security, availability, processing integrity, confidentiality, or privacy.
Organizations that need a SOC 2 report include cloud service providers, SaaS providers, and organizations that store client information in the cloud. A SOC 2 report proves a client's data is protected and kept private from unauthorized users.
A SOC audit can only be performed by an independent CPA (Certified Public Accountant) or accountancy organization. SOC auditors are regulated by and must adhere to specific professional standards established by the AICPA.
SOC 2 reports demonstrate the extensive security and reporting controls that an IT vendor or provider has in place to protect confidential data. SOC requirements are rooted in the five Trust Service criteria:
- Privacy: How data is collected, used, retained, and disclosed as part of its use.
- Confidentiality: Data designated as confidential remains confidential during use.
- Security: Data is protected against unauthorized access, theft, breach, or disclosure.
- Processing Integrity: All data processing systems are complete, valid, accurate, and timely.
- Availability: Data is visible and ready to use as part of a business’s processes.
You can read all about the details here.
What does it mean for BLA and other Service Providers?
Now that we have the required security processes in place, actively promoted, monitored, and enforced by the Security Team which is lead by the CEO and COO who have ultimate responsibility for security at BLA.
The policy includes the following key security life cycle areas:
- Assessment of the business impact resulting from proposed security approaches
- Selection, documentation, and implementation of security controls
- Performance of annual management self-assessments to assess security controls
- Authorization, changes to, and termination of information system access
- Maintenance of restricted access to system configurations, master passwords etc.
- Incident response
In addition, there are specific policies for:
- Personnel Security
- Physical Security and Environmental Controls
- Change Management
- Data Backup and Recovery
- Disaster Recovery and Business Continuity
- System Account Management
- Third-Party Due Diligence
These policies and others have been shared with the entire firm and also a key part of the new employee onboarding process and annual training that all employees are required to take and acknowledge.
Summary
In short, Ballast Lane Applications’s SOC2 Type 1 compliance is one extra reassurance that we are following best practices in handling information security while providing world-class full-stack, full service software design and development services.