Beacon Review obtains SOC 2 Certification

Beacon Review is proud to be a SOC 2 Type 1 and Type 2 certified organization. This accreditation is the result of exhaustive testing and audit, motivated by our promise to uphold the highest security standards and be of greatest benefit to our customers.

Why is SOC 2 so important?

For organizations of all sizes, industries, and even those that outsource business operations, information security is a major cause for concern. Understandably, since the mishandling of data, especially by application and network security providers, has the potential to leave organizations vulnerable to attacks, including data breach, malware installation, data theft and extortion.

One way to significantly reduce an organization’s vulnerability and uncertainty is to adhere to the criteria defined by SOC 2. SOC 2 is an auditing procedure, developed by the American Institute of CPAs (AICPA), that ensures service providers securely manage data in order to protect the interests of your organization and, more importantly, the privacy of your clients. Further, when considering a healthcare service provider, SOC 2 compliance is considered a mandatory minimum requirement for all security-conscious businesses.

What is a SOC 2 report?

A SOC 2 report exists across a comprehensive range of users, to meet needs requiring detailed information and assurance regarding the controls at a service organization relevant to security, processing, and availability of the systems that an organization uses to process user data as well as the confidentiality and privacy of the information processed by these systems.

SOC 2 defines criteria for managing customer information using five “trust service principles”, namely—Security, Availability, Processing, Integrity, Confidentiality and Privacy.

Distinct from other compliance certifications, SOC 2 reports are unique to the organization of reference. Each complying organization will design its own controls satisfying one or more of the five “trust service principles” based on the systems and processes in place.

Five Trust Principles

The SOC 2 certification is completed and issued by third party auditors. These auditors will assess the extent to which a vendor follows the five trust principles. The five trust principles can be summarized as follows:

Security. The security principle references the protection of system resources against unauthorized access. Adequate access controls aid in the prevention of system abuse, misuse of software, theft, and improper alteration or disclosure of sensitive information.

Availability. The availability principle refers to the overall accessibility of systems, services or products as stipulated by a contract of service level agreement (SLA). Understandably, the minimum acceptable performance level for system availability must be set by both parties (Service provider and client). In this context, careful monitoring of network performance and availability and security incident handling are crucial.

Processing Integrity. The processing integrity principle refers to whether a system delivers the appropriate data at the right time. Consequently, data processing must be valid, accurate, timely, authorized, and complete. Quality assurance procedures, along with close monitoring of data processing can help ensure processing integrity.

Confidentiality. To be considered confidential, data must be restricted in its access and disclosure to a specific set of people or organizations. This may include data that is only intended to be accessed by a set of specified company personnel. Encryption is most prevalent control used for the protection of confidentiality during data transmission. Network and application firewalls, in concert with rigid access controls, can be utilized to safeguard data being processed or stored.

Privacy. The privacy principle references the system’s collection, use, retention, disclosure, and removal of personal information in compliance with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles. Controls must be placed to protect all personal health information (PHI) from unauthorized access. PHI refers to details that can be used to identify an individual, such as name, address, health information, Social Security Number, etc. Such data is considered sensitive and, more often than not, requires an extra level of security protection.

Summary

With these five trust principles at the heart of the SOC 2 report, certification allows customers with both the confidence and peace of mind in knowing there are adequate controls in place to protect not only their own data but the data of their customers. This is something that Beacon Review takes very seriously. By obtaining SOC 2 certification, Beacon Review assures our current and prospective clients, that not only will we provide industry-superior services, but we will do so with a heightened assurance that the controls in place relevant to processing, availability and overall security of user data are there to back it up. If you have any questions regarding the SOC 2 certification or Beacon Review service offerings, please contact us today!