Today in ediscovery, it should be no surprise that cyber security is a rising concern among corporate leaders and that IT departments want to know that critical business data is safe and protected. The concern over cyber security is translating into increased pressure for businesses and ediscovery vendors to transparently demonstrate their commitment to security and controls and that is where SOC2 certification comes into play.
Three Tips to Verify the Security of Your Ediscovery Software or Service Provider
- Security is a shared responsibility that requires collaboration and communication amongst application providers, infrastructure providers, and end-users so that all parties are working together to protect data access both logically and physically.
- The application must be Secure by Design, to support granular permissions allowing least privilege where all access is limited to only what is necessary to complete the job. Additionally, the software should be able to provide holistic logging that tracks to the individual user or operator. Data should always be encrypted whether in transit or at rest.
- Organizations should seek third-party verification that their providers are living up to security commitments via SOC 2 report, penetration testing or other measures.
SOC 2 Type 2 Certification
SOC 2 Type 2 certification is an important way for any ediscovery vendor working with larger, enterprise-level companies to be transparent about security practices. This is the same audit report used by companies such as Amazon Web Services (AWS), Google, and Salesforce, etc., to validate the security of infrastructures and services. The recurring audit includes a complete evaluation of a company’s infrastructure, software, people, procedures, and data over a period of time based on the security principles as defined by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria. This certification ensures the system has controls in place to protect against unauthorized access (both physical and logical).
The SOC 2 Type 2 report is issued to organizations that have documented controls in place after the effectiveness of the controls have been assessed over a specified period of time. This process makes SOC 2 Type 2 reports more comprehensive and useful to organizations when considering a service provider’s credentials. By achieving SOC 2 Type 2 certification a company has proven that its system is designed to keep its clients’ critical data secure.
To achieve this certification, Zapproved’s policies and practices are reviewed in the following areas:
- Infrastructure: The computing environment, power, HVAC, Internet connectivity, backups and physical security.
- Software: The programs and operating software of a system.
- People: The personnel involved in the operation and use of a system.
- Procedures: The automated and manual procedures involved in the operation of a system
- Data: The information used and supported by the system
When it comes to working with the cloud, performance and reliability are critical for enterprises. As ediscovery teams at enterprise organizations have more stringent data security standards, vendors that are SOC 2 Type 2 compliant can prove they have the people, processes, and systems in place to ensure data security.