Over the last fifteen-plus years, we at Svitla Systems, Inc. have worked with many different customers in widely varying industries. During this time, we have seen information security concerns become universal, though more so in certain industries. This is often because of stricter laws and regulations applicable to the particular industry.
Some examples of these in the United States include:
- Healthcare industry: Health Insurance Portability and Accountability Act (HIPAA).
- Financial services and banking: rules from the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC), and the Sarbanes-Oxley Act (SOX), among others.
- Retail and eCommerce: the Payment Card Industry Data Security Standard (PCI DSS), an industry standard rather than a law, but contractually binding on any organization that stores, processes or transmits cardholder data, in the United States and elsewhere.
Also, the European Union (EU) began enforcing a sweeping data-privacy law in 2018, the General Data Protection Regulation (GDPR), which reaches well beyond EU countries (it applies to any organization processing the personal data of people in the EU) and is not limited to any specific industry.
None of these specific laws and regulations apply directly to the industry within which Svitla operates, the outsourcing and contract software development industry. Yet all of them impact Svitla through our broad, diverse set of customers and their industries. That is why we consider the entirety of these regulations in our security policies and procedures. Our staff members are knowledgeable about information security regulations, ensuring that our own and our customers’ security postures are maintained properly.
As part of the ongoing effort to continually improve our security posture, each year, Svitla identifies several information security related initiatives as focal points. In 2019 we have three main focus areas:
- “Controls, Policies and Procedures”, addressed in Part 1 of this series;
- “Internal IT Infrastructure”, covered in Part 2; and,
- “New Customer-centric Solutions”, discussed in Part 3.
Controls, Policies and Procedures
Organizations assess their ability to meet the requirements of these laws and regulations through their internal controls. Independent assessments such as the American Institute of Certified Public Accountants’ (AICPA) System and Organization Controls (SOC) reports and certification against ISO/IEC 27001 from the International Organization for Standardization (ISO) are used to document that appropriate controls are in place to protect company assets, including information and data.
The AICPA SOC reports have become widely recognized reporting frameworks that let organizations demonstrate their control environment to their customers, either for the entire organization or for a specific system.
The two SOC reports most relevant here are:
- SOC 1: for service organizations whose work affects their customers’ financial reporting, such as payment and transaction processors;
- SOC 2: for other service organizations, like Svitla Systems, that provide more general services to their customers and whose controls relate to security, availability, processing integrity, confidentiality or privacy.
Further, each SOC report comes in two Types. A Type 1 report applies at a specific point in time and evaluates the design and suitability of the controls in place (“Are you controlling what you need to control?”). A Type 2 report covers a period of time (commonly six to twelve months) and evaluates the operating effectiveness of those controls over that period (“Are you doing what you said you would?”).
The controls are grouped under five Trust Services Criteria (formerly called trust principles): security, availability, processing integrity, confidentiality, and privacy. Security is the mandatory category, known as the common criteria, and every SOC 2 report includes it; the other four are added according to the commitments the organization makes to its customers. The criteria overlap and reinforce each other so that information assets are appropriately protected.
This is a somewhat simplistic view of these audits; for a more complete understanding of the subject, we recommend reading this overview article.
For outsourcing and consulting companies like Svitla Systems, a SOC 2 report helps verify the presence and effectiveness of an appropriate control environment in the organization.
Our recent SOC 2 attestation report is available to our customers upon request. The audit covers the Trust Services Criteria applicable to Svitla’s business operations, primarily security and availability. The report confirms that the controls Svitla Systems implements through its internal processes and procedures were reviewed and updated to meet the standards of the SOC audit, which covered a six-month period of time (a Type 2 report, in the terms described above). The updates were communicated through organization-wide training to ensure all associates are aware of and knowledgeable about the policies, procedures, and controls, as well as the purpose of each.
This training was part of our broader ongoing information security training program, which has both online and in-person delivery components, as well as assessments to gauge learning and track completion for all associates. The assessment results also serve as a feedback mechanism to improve future iterations of the training, with the goal of improving associates’ ability to absorb, retain and apply the information.
Another certification that demonstrates the quality of our internal processes is ISO/IEC 27001, which Svitla expects to obtain in 2020. Both the SOC 2 report and the ISO/IEC 27001 certificate will be available to our clients for review upon request.
Look for our next article, where we will take a closer look at “Internal IT Infrastructure” and discuss the hardware-related initiatives and the new capabilities they will provide to all of our associates and customers.
Learn more about how we handle the security needs of software solutions in Part 2.