Datacentre Compliance: Why SOC2 Accreditation Matters
SOC2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC2 compliance is a minimum requirement when considering a SaaS provider. Many providers fail to comply with this standard, and those that do comply have a Type I audit, which assesses controls at a specific point in time. However, to pass a Type II audit you must provide evidence that all operational procedures and controls for hosting and managed IT services were adhered to over a 365-day period.
QuoVadis is currently operating under the SOC2 Type II standard. To comply with this standard, we have policies and procedures in place for areas such as security, data protection, change management control, disaster recovery and data encryption. These processes ensure that clients’ data is protected to the highest standards dictated by the American Institute of Certified Public Accountants (AICPA) and cover:
- Availability. Information and systems are available for operation and use.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of.
Over the years, the scope of the SOC2 audit has expanded to include both technical controls and how an organization manages risk, making the audit more business and process oriented.
Russell Medway, Chief Operating Officer, who leads the audit process for QuoVadis, is equally focused on team and processes when it comes to prioritizing data security. Whether that’s ensuring job duties are segregated to support quality assurance, or that the latest encryption standards are used as a matter of company policy, it’s about defining best practice and documenting its implementation in a way that supports your business objectives.
Example best practices for SOC2 compliance include:
- Documenting all company policies and procedures for infrastructure & software management
- Segregating job duties to minimize scope for human error
- Tracking all code and infrastructure changes before & after implementation
- Implementing least privilege access controls
- Ensuring TLS 1.2 as the minimum protocol for encrypted communication
- Demonstrating robust processes for backup and disaster recovery
Awareness of SOC2 may be low in Bermuda at present, but this is changing as clients increasingly prioritize data security.
QuoVadis is SOC2 accredited to satisfy the requirements of regulatory authorities such as the Bermuda Monetary Authority and to satisfy our customers’ internal and external compliance and audit requirements. When selecting a datacentre partner, we always recommend that security comes above all else.
For more information about our credentials or to speak with one of our Cloud Hosting consultants, call +1 441 278 2807 or email us.