Here are four practices to consider when creating your IT vendor management policy: 1. Evaluate vendors IT services vendors are generally very good at assuring you their product or service is like oxygen - you can’t live without it! They will throw around a lot of acronyms and buzzwords like “next-gen” in hopes of dazzling you into signing on the dotted line. Resist that temptation for now, and instead create a template with questions to help you do the proper amount of due diligence and select the right vendors.
Passwords are one of the most common targets for hackers, so it’s imperative that your company enforce a strong password policy. This policy will not only define the requirements of the password itself but the procedure your organization will use to select and securely manage passwords.
Confusing SOC 1 and SOC 2 is easy. While both compliance frameworks attest to the controls used within your organization, the frameworks differ in focus. SOC 1 looks at your organization’s financial reporting, while SOC 2 focuses on how you secure and protect customer data. This blog post will focus on exploring the differences between SOC 1 and SOC 2.
It’s easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous – and are often overlooked. A mature onboarding and termination policy is essential to preventing a data breach. Employees and other internal users were the cause of 60% of data breaches – both intentional and accidental – in 2016. In the world of
A business continuity policy is a critical part of your SOC 2 preparation. An estimated 25% of businesses never fully recover from a major disaster. For small businesses, in particular, it can be difficult to return to normalcy after a significant disruption. Most companies have insurance and emergency funds, but those won’t protect you from failure to provide business functions at an acceptable level to your customers. A business continuity
You’ve gone through the rigorous process of completing your SOC 2 certification. Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!” It’s time to kick back in your chair, throw your feet up on the desk and relax, right? But what if a customer sent over an RFI
There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premise or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both? for answers to all your SOC2 questions. The data center security policy outlines procedures and information security measures to prevent
A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operational effectiveness of those controls. A SOC 2 report should not be confused with a SOC 1 report, which focuses on a company’s financial reporting, nor should it be confused with a SOC 3 report, which has similar output to a SOC 2 report but in
You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help plan and manage time expectations and establish a timeline of deliverables - working backward from your SOC audit start date. The Purpose of SOC 2 Audits SOC is a system of service organization controls. SOC stands for “system
There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type 1 report looks at an organization’s controls at a point in time concerning its clients’ financial reporting. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but